The Solution

The solution provides the automated management of Entra ID (formerly Azure Active Directory) or Active Directory (AD) accounts based upon a supported HR system as the Authoritative Source. It provides a platform for future extension and expansion, including integrating and managing other applications and services. UNIFYConnect can optionally manage accounts for self-service in the HR system if your HR system supports it.

Functionality

Using your supported HR system as the Authoritative Source or Point of Truth, the following functionality will be implemented.

Automated On-Boarding

Entra ID or Active Directory Account Creation

Accounts are automatically created in Active Directory based upon employment records in your HR system, and nominated information is synchronised to the relevant Entra ID (formerly Azure Active Directory) or Active Directory account.

The account creation includes updating manager and direct reports relationships in your directory based upon the Employee’s position.

The exact schema of data can depend on your HR system, so please read the FAQ for more information.

Microsoft Exchange 2010 Mailbox Creation

UNIFYConnect can optionally provision Microsoft Exchange 2010 or later mailboxes in one mailbox store, using an algorithm for generating e-mail addresses.

Office 365 License assignment

UNIFYConnect can provide Entra ID (formerly Azure Active Directory) with enough information to allow for automatic assignment of Office 365 licenses. Please read the FAQ for details.

Automated Day-To-Day Management

Entra ID and Active Directory Account Information

Changes to any Employee attributes in the HR system will result in the relevant account attribute being updated automatically for that Identity. See the FAQ for the synchronisation frequency.

No changes are to be made to the Account Name.

Change to Employee Position

A change to the Employee’s Position will result in the “Manager” and “Direct Reports” attributes being updated to reflect the organisational change for the Identity in the directory.

Automated Off-Boarding

Entra ID and Active Directory Account

Entra ID (formerly Azure Active Directory) or Active Directory accounts will be automatically disabled upon a termination event in your HR system.

If required, this can also result in the disabled account being moved to a “Terminated” container.

This guide is all you need to know about UNIFYConnect/ELMO.

Solution objectives

  • Creates and disables Active Directory/Entra ID (formerly Azure Active Directory) Accounts based on ELMO Talent HR data.
  • Keeps account attributes up to date.
  • Maintains Manager and Direct Reports relationships.

Compatibility

UNIFYConnect/ELMO is compatible with:

  • ELMO Talent HR, with API integration
  • Microsoft Active Directory or Microsoft Entra ID (formerly Azure Active Directory)

Connectivity

ELMO Talent connectivity

The UNIFYConnect/ELMO connector uses the ELMO User APIs. UNIFYConnect will need the ELMO API security keys to access the APIs.

Microsoft Active Directory

UNIFYConnect uses LDAP over SSL/TLS (LDAPS) to communicate with Microsoft Active Directory. See Networking for how this is secured.

Microsoft Entra ID

UNIFYConnect uses the Microsoft Graph APIs to communicate with Entra ID (formerly Azure Active Directory).

Networking

UNIFYConnect will only use secure channels to communicate.

  • TLS 1.3 or higher connections are preferred.
  • If we need to communicate within your network, there are two options:
    • Virtual Private Network (VPN). There are some limitations to this, contact us to discuss.
    • A UNIFYConnect agent. This can be run on a server inside your network, and can be firewalled to only contact those services needed.

Cloud only

flowchart LR
  UNIFYConnect
  ELMO
  AAD[Entra ID]
  UNIFYConnect-->|ELMO User API|ELMO
  UNIFYConnect-->|GRAPH|AAD

Active Directory with VPN

flowchart LR
  UNIFYConnect
  ELMO
  subgraph Enterprise
    VPN
    AD[Active Directory]
  end
  UNIFYConnect-->|ELMO User API|ELMO
  UNIFYConnect-->|LDAPS|VPN
  VPN-->|LDAPS|AD

Active Directory with Agent

flowchart LR
  UNIFYConnect
  ELMO
  subgraph Enterprise
    Firewall
    UAAgent[UNIFYConnect Agent]
    AD[Active Directory]
  end
  UNIFYConnect-->|ELMO User API|ELMO
  UAAgent-->|REST|Firewall
  Firewall-->|REST|UNIFYConnect
  UAAgent-->|LDAPS|AD

There are other combinations available, just contact us to find out how we can connect.

Security

Find out more about how we handle security in the FAQ.

Functionality

Using ELMO as the Authoritative Source or “Point of Truth”, the following functionality is offered:

  • Automated On-Boarding and Off-Boarding
  • Active Directory/Entra ID (formerly Azure Active Directory) Account Creation
  • Accounts are automatically created in Active Directory based upon employee creation in ELMO, with nominated ELMO information synchronised to the relevant Active Directory/Entra ID (formerly Azure Active Directory) account. (This includes updating Manager and Direct Reports relationships in Active Directory based upon the Employee’s Position.)

Schema

erDiagram
  ELMOUser ||--|| UNIFYConnect_Person : syncs
  ELMODepartment ||--|| UNIFYConnect_Person : syncs
  ELMOPosition ||--|| UNIFYConnect_Person : syncs
  ELMOLocation ||--|| UNIFYConnect_Person : syncs
  AD_User ||--|| UNIFYConnect_Person : syncs
  ELMOUser {
    string id
    string identifier
    string firstName
    string lastName
    string username
    email email
    boolean active
    string employeeNumber
    string manager
    date startDate
    date endDate
    date expiryDate
    string country
    string state
    link position
    link location
    link department
  }
  ELMODepartment {
    string id
    string title
    string departmentId
    string description
    link parent
    boolean deleted
  }
  ELMOPosition {
    string id
    string title
    string positionId
    string description
    link parent
    boolean deleted
  }
  ELMOLocation {
    string id
    string title
    string locationId
    string description
    string addressline1
    string addresslin2
    string suburb
    string state
    string postcode
    string country
    link parent
    boolean deleted
  }
  AD_User {
    guid objectGuid
    date accountExpires
    string cn
    string company
    string department
    string displayName
    string ActiveDirectoryPersonDn
    string employeeID
    string employeeNumber
    string givenName
    string initials
    AD_User manager
    string ActiveDirectoryPersonObjectClass
    string physicalDeliveryOfficeName
    string sAMAccountName
    string sn
    string title
    string userPrincipalName
    email mail
  }

Lifecycle Management

sequenceDiagram
  UNIFYConnect->>ELMO User API: Query
  ELMO User API->>UNIFYConnect: Query results
  opt Employee Started
    UNIFYConnect->>AD/Entra ID: Create account
  end
  opt Employee Changed
    UNIFYConnect->>AD/Entra ID: Update account
  end
  opt Employee Terminated
    UNIFYConnect->>AD/Entra ID: Disable account
  end
  UNIFYConnect->>AD/Entra ID: Query
  AD/Entra ID->>UNIFYConnect: Query results
  opt Contact details changed
    UNIFYConnect->>ELMO User API: Update User
  end

Customisations

Customisations are limited to the following:

  • Additional fields can be read from ELMO. These fields can be written directly to a field on Active Directory objects with no transformations.
  • Additional fields can be written to ELMO, provided these fields already exist in objects above. Refer to your ELMO documentation for which fields are included in those API calls.
  • Additional fields can be read/written from Active Directory/Entra ID (formerly Azure Active Directory), provided they are on the user object, and either available through AD LDAP or Entra ID GRAPH.

Any customisations outside of this may either be made by a short engagement or by using UNIFYConnect instead. Please contact us to discuss.

Requirements Checklist

Software

  • Directories:
    • Microsoft Active Directory 2008 or later; or
    • Microsoft Entra ID (formerly Azure Active Directory)
  • ELMO Talent HR
    • User API activated

Configuration

ELMO User API

Your API Key and a Personal Access Token must be supplied.

Correlation IDs

The UNIFYConnect/ELMO service will provision a new AD account for an ELMO employee record on synchronisation if an existing AD account cannot first be matched to that employee record. This match requires the use of a correlation ID or breadcrumb on the AD account, such as the employeeID AD user property recommended by UNIFY. This property must already exist in AD and contain the unique ELMO UserID for every employee record that must be matched to an existing AD account.

Please contact UNIFY for your options should this not be already set up.
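As an added illustration of the correlation-ID matching described above, and of the lifecycle sequence in the Lifecycle Management section, the following Python plans one synchronisation cycle over constructed in-memory records. This is example code written for this page, not UNIFYConnect's own implementation. Field names follow the Schema section (ELMOUser.id, ELMOUser.active, AD_User.employeeID and so on); the ElmoUser, AdUser and Action classes, the attribute mapping and the decision rules are assumptions about how such a sync behaves.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ElmoUser:
    id: str                         # ELMO UserID; the value expected in AD employeeID
    firstName: str
    lastName: str
    email: str
    employeeNumber: str
    active: bool                    # False after a termination event
    manager: Optional[str] = None   # ELMO id of the manager, from the position


@dataclass
class AdUser:
    objectGuid: str
    employeeID: Optional[str]       # correlation ID / breadcrumb
    givenName: str
    sn: str
    mail: str
    employeeNumber: str
    enabled: bool
    manager: Optional[str] = None   # objectGuid of the manager's account


@dataclass
class Action:
    kind: str          # "create" | "update" | "disable" | "update_elmo"
    target: str        # ELMO id for create/update_elmo, objectGuid otherwise
    changes: dict = field(default_factory=dict)


# AD attributes mastered in ELMO (assumed mapping). sAMAccountName and mail are
# deliberately absent: the Account Name is never changed by synchronisation,
# and contact details flow the other way (directory -> ELMO) per the diagram.
MAPPED = {"givenName": "firstName", "sn": "lastName", "employeeNumber": "employeeNumber"}


def index_by_correlation_id(ad_users):
    """Map employeeID -> account, refusing ambiguous matches."""
    index = {}
    for acct in ad_users:
        if not acct.employeeID:
            continue  # no breadcrumb: account is outside the scope of the sync
        if acct.employeeID in index:
            # two accounts claim the same employee; stop rather than guess
            raise ValueError(f"duplicate correlation ID {acct.employeeID}")
        index[acct.employeeID] = acct
    return index


def plan_sync(elmo_users, ad_users):
    index = index_by_correlation_id(ad_users)
    actions = []
    for emp in elmo_users:
        acct = index.get(emp.id)
        if acct is None:
            if emp.active:
                actions.append(Action("create", emp.id))
            # a terminated employee with no matching account needs nothing
            continue
        if not emp.active:
            if acct.enabled:
                actions.append(Action("disable", acct.objectGuid))
            continue
        changes = {}
        for ad_attr, elmo_attr in MAPPED.items():
            wanted = getattr(emp, elmo_attr)
            if getattr(acct, ad_attr) != wanted:
                changes[ad_attr] = wanted
        # Manager follows the ELMO position and is resolvable only once the
        # manager's own account exists and carries a correlation ID.
        mgr = index.get(emp.manager) if emp.manager else None
        if mgr is not None and acct.manager != mgr.objectGuid:
            changes["manager"] = mgr.objectGuid
        if changes:
            actions.append(Action("update", acct.objectGuid, changes))
        # Reverse flow: contact details edited in the directory go back to ELMO.
        if acct.mail and acct.mail != emp.email:
            actions.append(Action("update_elmo", emp.id, {"email": acct.mail}))
    return actions


# Constructed sample data (not real records).
SAMPLE_ELMO = [
    ElmoUser("E1", "Alice", "Adams", "alice.adams@example.com", "1001", True),
    ElmoUser("E2", "Bob", "Brown", "bob.brown@example.com", "1002", True, manager="E1"),
    ElmoUser("E3", "Carol", "Clark", "carol.clark@example.com", "1003", False),
    ElmoUser("E4", "Dave", "Davis", "dave.davis@example.com", "1004", True, manager="E1"),
]
SAMPLE_AD = [
    AdUser("G1", "E1", "Alice", "Adams", "alice.adams@example.com", "1001", True),
    AdUser("G2", "E2", "Robert", "Brown", "robert.brown@example.com", "1002", True),
    AdUser("G3", "E3", "Carol", "Clark", "carol.clark@example.com", "1003", True),
    AdUser("G9", None, "Svc", "Account", "", "", True),   # unmanaged, no breadcrumb
]

if __name__ == "__main__":
    for action in plan_sync(SAMPLE_ELMO, SAMPLE_AD):
        print(action)
```

Running it yields an update for Bob (first name and manager), an update back to ELMO with Bob's directory e-mail, a disable for Carol, and a create for Dave; the unmanaged service account is ignored, and a second account carrying Alice's employeeID would make the run stop with an error instead of picking one of them.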

Directories

Choose which of the two directory options suits you best.

Active Directory

This section is for those that are connecting the service to Active Directory.

UNIFYConnect must have an account on Active Directory with permissions to create, modify and disable accounts. It must also be aware of the SSL certificate used by the LDAPS end-point on the nominated Active Directory server.

  • An Active Directory account with appropriate permissions has been created for use by UNIFYConnect/ELMO
  • Connectivity must be arranged for the Active Directory. The two preferred options are a VPN, or the UNIFYConnect agent.
  • UNIFYConnect must have a valid certificate chain. Therefore, either the Active Directory end-point SSL certificate is from a Windows Trusted Certificate Authority, or UNIFY Solutions must be supplied with a public Certificate Authority root certificate.

Entra ID

To connect to your Entra ID (formerly Azure Active Directory), you will need to create an App Registration with a ClientID and ClientSecret. The permissions granted to this App Registration are User.ReadWrite.All and Group.ReadWrite.All, or Directory.ReadWrite.All.

Dependencies

Active Directory

In any enterprise Active Directory installation, attribute values maintained on user objects are usually used to drive enterprise policy. This may include but not be limited to the following:

  • Use of automation (e.g. in login scripts) to map user home drives and user profile paths to managed network resources/file shares;
  • Use in dynamic distribution lists (e.g. Exchange Dynamic Lists) to leverage user attributes to address emails to collections of users;
  • Use in other policy to drive membership of other AD groups, such as security groups or other group types; and
  • Calculation of license (CAL) counts based on the number of active employee records, for example.

With the implementation of synchronisation rules in UNIFYConnect, some of the properties used in policy such as the above will now be mastered (authoritative) in ELMO Talent HR. This implies that any downstream dependencies must be in alignment with the new data source for all mapped and synchronised properties, and that attempts to alter the synchronised attributes directly in AD post implementation may be undone in subsequent synchronisation cycles.

Additionally, in order for UNIFYConnect to provision new AD accounts that meet various uniqueness, GAL visibility and security policy criteria, rules have been built into the solution to initialise the following special attributes:

  • Email address
  • Windows Login Name (pre Windows 2000 format)
  • User Principal Name
  • Common Name
  • Display Name

Given that there will always be scenarios where name clashes occur in an environment which cannot be resolved without some form of human intervention, the synchronisation model is designed to allow these specific values to be changed manually directly in AD post provisioning, and for these to persist despite future synchronisation cycles. The initial values set by the solution are determined according to UNIFY’s accumulated best practice and experience, and this model has been adopted for this solution to deliver the best, most manageable outcome within budget.
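The following Python is an added example, not UNIFYConnect's own rules, of the two behaviours described above: initialising the five special attributes with clash handling at provisioning time, and then leaving them alone on later cycles so that a manual correction in AD persists. The naming conventions (initial plus surname for the logon name, first.last for mail, a numeric suffix on clash), the example.com domain and the `existing`/`current`/`desired` dictionaries are assumptions; the 20-character limit on the pre-Windows 2000 logon name is a real AD constraint.

```python
import re
import unicodedata

# The five attributes the page lists as initialised on provisioning and then
# left alone, so that a manual fix in AD survives later synchronisation cycles.
SPECIAL = {"mail", "sAMAccountName", "userPrincipalName", "cn", "displayName"}


def ascii_slug(value):
    """Strip accents and punctuation so a name is safe inside a logon or address."""
    plain = unicodedata.normalize("NFKD", value).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", plain.lower())


def unique(base, taken, render):
    """Return the first candidate not already in `taken` (compared lower-case).

    render(base, n) formats a candidate; n is None on the first attempt and
    2, 3, ... afterwards, following the usual "jsmith, jsmith2" convention.
    """
    n = None
    while True:
        candidate = render(base, n)
        if candidate.lower() not in taken:
            return candidate
        n = 2 if n is None else n + 1


def initial_attributes(first, last, existing,
                       mail_domain="example.com", upn_suffix="example.com"):
    """Compute provisioning values for the special attributes.

    existing: attribute name -> set of lower-cased values already in AD
    (constructed here; in practice these come from a directory query).
    """
    fn, ln = ascii_slug(first), ascii_slug(last)
    # pre-Windows 2000 logon names are limited to 20 characters; a suffix has to
    # fit inside that limit, so the base is trimmed to make room for it
    sam = unique(f"{fn[:1]}{ln}", existing["sAMAccountName"],
                 lambda b, n: b[:20] if n is None else b[:20 - len(str(n))] + str(n))
    mail = unique(f"{fn}.{ln}", existing["mail"],
                  lambda b, n: f"{b}{'' if n is None else n}@{mail_domain}")
    # UPN normally aligns with mail but is checked against its own namespace
    upn = unique(f"{fn}.{ln}", existing["userPrincipalName"],
                 lambda b, n: f"{b}{'' if n is None else n}@{upn_suffix}")
    display = f"{first} {last}".strip()
    cn = unique(display, existing["cn"],
                lambda b, n: b if n is None else f"{b} ({n})")
    return {"sAMAccountName": sam, "mail": mail, "userPrincipalName": upn,
            "cn": cn, "displayName": display}


def sync_changes(current, desired):
    """Diff for a later cycle: mastered attributes converge, special ones persist."""
    return {k: v for k, v in desired.items()
            if k not in SPECIAL and current.get(k) != v}


# Constructed view of what is already in the directory (lower-cased).
EXISTING = {
    "sAMAccountName": {"jsmith"},
    "mail": {"john.smith@example.com"},
    "userPrincipalName": {"john.smith@example.com"},
    "cn": {"john smith"},
}

if __name__ == "__main__":
    print(initial_attributes("John", "Smith", EXISTING))
    print(initial_attributes("Zoë", "O'Neil", EXISTING))
    # A later cycle: mail was fixed by hand in AD and must not be reverted,
    # while the ELMO-mastered department still converges.
    print(sync_changes({"mail": "j.smith@example.com", "department": "Sales"},
                       {"mail": "john.smith@example.com", "department": "Marketing"}))
```

A second John Smith receives jsmith2, john.smith2@example.com and the common name "John Smith (2)" rather than a failed create, and the later-cycle diff contains only the department change, which is the persistence behaviour the paragraph above describes.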

ELMO

A typical ELMO deployment will incorporate policy, in the form of workflow, based on employee attribute values changing. One example might be the changing/setting of an email address resulting in a notification being sent to that target.

Any ELMO workflows which may be initiated as a result of email updates must be understood and adjusted if required to avoid the initiation of unwanted emails, particularly when these occur for large numbers of updates which may occur in the initial synchronisation steps following deployment.

Disaster Recovery

We are pretty confident in our solution. It has run large enterprises’ identity systems for years. However, it is always a good idea to plan for the slight risk of something going wrong.

For both your directory and your ELMO, you need to make sure you have valid disaster recovery plans that work. We will check with you before we complete the installation.