Aim
In this how-to, we'll show you how to replace your existing local users with Microsoft Entra users.
Implementation
Initial situation
The following example is used for illustration:
The local user Aron Jones (email: Aron@cmsqa1microsoft.com) (middle arrow in illus.) is a member of the local group (right arrow in illus.) Development (left arrow in illus.).
In addition, Aron Jones is a Microsoft Entra ID user and a member of the Development Entra group (arrow in illus.).
Aron Jones is to be imported from Microsoft Entra ID into the Cortado administration portal. The existing local user Aron Jones is to be replaced.
Prerequisites
A prerequisite for the successful replacement of your local users with your Entra users is that the email addresses stored in the Cortado Administration Portal (example in illus.) match the user principal names (UPN) of the users stored in Microsoft Entra ID (example in illus.). Only if this requirement is met can a user be successfully replaced.
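A pre-flight check for this prerequisite, as an added example (not part of the original article and not Cortado code): it compares a list of portal email addresses with a list of Entra UPNs and sorts each local account into exact match, case-only difference, no match, or duplicate. How the two lists are exported and how the portal treats case differences are assumptions; all addresses below are constructed.

```python
from collections import Counter


def preflight(portal_emails, entra_upns):
    """Classify each local portal account by how its email relates to an Entra UPN."""
    upns_exact = {u.strip() for u in entra_upns}
    # Case-folded UPN -> UPN as stored, to spot case-only differences.
    upns_folded = {}
    for upn in upns_exact:
        upns_folded.setdefault(upn.casefold(), upn)

    # The same address on several local accounts makes the replacement ambiguous.
    seen = Counter(e.strip().casefold() for e in portal_emails)

    report = {"exact": [], "case_only": [], "unmatched": [], "duplicate": []}
    for raw in portal_emails:
        email = raw.strip()
        key = email.casefold()
        if seen[key] > 1:
            report["duplicate"].append(email)
        elif email in upns_exact:
            report["exact"].append(email)  # meets the prerequisite as written
        elif key in upns_folded:
            # Assumption: whether the portal ignores case is not stated, so review these.
            report["case_only"].append((email, upns_folded[key]))
        else:
            report["unmatched"].append(email)  # no UPN matches this local account
    return report


# Constructed sample data (hypothetical exports, not real accounts).
PORTAL_EMAILS = [
    "aron.jones@example.com",
    "Dana.Lee@example.com",
    "sam.ortiz@example.org",
    "kim.park@example.com",
    "Kim.Park@example.com",
]
ENTRA_UPNS = [
    "aron.jones@example.com",
    "dana.lee@example.com",
    "sam.ortiz@example.com",
    "kim.park@example.com",
]

if __name__ == "__main__":
    for category, entries in preflight(PORTAL_EMAILS, ENTRA_UPNS).items():
        print(f"{category}: {entries}")
```

Reviewing the "exact" list before synchronizing also shows which local accounts will hand their directly assigned apps, profiles and policies to an Entra account.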
Implementation – Replacing the existing account
- First, connect Microsoft Entra ID to the Cortado administration portal. Do this as described in our help article Connect Microsoft Entra ID for group import.
- Then select Administration → Settings → Directory Services → Settings (arrow in illus.).
- Enable the Replace existing accounts checkbox (arrow in illus.).
- Now import Microsoft Entra groups. Proceed as described in our help article Import groups from Microsoft Entra ID.
Note! If you have already imported Entra groups before, simply click the Synchronize button under Settings → Directory Services (see above) instead.
Results
The Entra group Development was successfully imported into the Administration Portal in the last step. The local user in the example was successfully replaced with the Entra user (arrow in illus.).
Aron Jones is now a member of the Entra group Development and still a member of the local group Development.
All apps, profiles, policies, managed configurations, etc. that were previously assigned directly to local users are automatically transferred to the Entra account when the local account is replaced. The situation is different for configurations that were assigned to local groups. These remain with the local groups and must be manually assigned to the new Entra groups afterwards.
Our user Aron Jones originally had two apps. He was assigned the ezeep app directly (top arrow in illus.) and the Keynote app was assigned to the local Development group (bottom arrow in illus.).
After replacing the local user with the Entra user Aron Jones, the ezeep app is still directly assigned to the user. Nothing has changed in the assignment of the Keynote app to the Development local group. Assigning the Keynote app to the Development Entra group must be done manually afterwards.
Finishing the groups
Before you can delete the local group Development, all existing assignments must be manually transferred from the local group to the Entra group.
- To do this, select the new Entra group (left arrow in illus.) and then click Transfer Settings (right arrow in illus.).
- Then select all features (Policies, Profiles, Apps).
Note! Managed configurations are not included here. These must be assigned separately.
- Then select the old local group from which you want to get settings (arrow in illus.).
The Keynote app from our example was successfully transferred to the new Development Entra group.
Finally, check whether managed configurations were assigned to your local group (example in illus.). If this is the case, you must now also assign them to the new Entra group.
- To do this, select the new Entra group in the group management (left arrow in illus.) and click Assign in the Apps tab under Managed configurations (right arrow in illus.).
- Then select all managed configurations that you want to assign to the new Entra group.
Once all settings have been transferred from the old local group to the new Entra group, you can delete the old local group.