You have subscribed to the new Enterprise plan and would like to connect your Microsoft Azure AD to the Cortado administration portal, but you have already created local Cortado users with Cortado accounts?
Aim
In this how-to, we'll show you how to replace your existing local users with Azure AD users.
Implementation
Initial situation
The following example is used for illustration:
The local user Aron Jones (email: Aron@cmsqa1microsoft.com) (middle arrow in illus.) is a member of the local group (right arrow in illus.) Development (left arrow in illus.).
In addition, Aron Jones is a user in Azure AD and a member of the Development AD group (arrow in illus.).
Aron Jones is to be imported from the AD into the Cortado administration portal. In the process, the existing local user Aron Jones is to be replaced.
Prerequisites
A prerequisite for the successful replacement of your local users with your AD users is that the email addresses stored in the Cortado Administration Portal (example in illus.) match the user principal names (UPN) of the users stored in Azure AD (example in illus.). Only if this requirement is met can a user be successfully replaced.
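A pre-flight check for this prerequisite, as an added example that is not part of Cortado's documentation or tooling: it compares the local users' email addresses with the Azure AD UPNs before the import and lists the accounts that would not be replaced. The CSV layouts, column names and addresses are constructed assumptions, and flagging case-only differences for review is an assumption too, because the page does not state how the portal compares the two values.

```python
import csv
import io

# Constructed sample exports (assumed CSV layout, not a Cortado or Azure format).
LOCAL_USERS = """name,email
Aron Jones,Aron@example.onmicrosoft.com
Bea Smith,bea.smith@example.com
Carl Ray,carl@example.onmicrosoft.com
Dana Lee,dana@example.onmicrosoft.com
"""
AZURE_USERS = """displayName,userPrincipalName
Aron Jones,aron@example.onmicrosoft.com
Bea Smith,bsmith@example.onmicrosoft.com
Carl Ray,carl@example.onmicrosoft.com
"""


def rows(text):
    """Parse CSV text with a header row into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def preflight(local_csv, azure_csv):
    """Classify each local user by how its email relates to the Azure AD UPNs."""
    azure = rows(azure_csv)
    exact = {u["userPrincipalName"] for u in azure}
    folded = {u["userPrincipalName"].strip().casefold(): u["userPrincipalName"] for u in azure}
    by_name = {u["displayName"].casefold(): u["userPrincipalName"] for u in azure}
    report = {"match": [], "review": [], "no_match": []}
    for user in rows(local_csv):
        email = user["email"]
        key = email.strip().casefold()
        if email in exact:
            report["match"].append(email)
        elif key in folded:
            # Differs only by case or whitespace. How the portal compares
            # the values is not documented here, so flag it for review.
            report["review"].append((email, folded[key]))
        else:
            # No UPN equals this email: the prerequisite is not met.
            # A UPN with the same display name is offered as a hint only.
            report["no_match"].append((email, by_name.get(user["name"].casefold())))
    return report


if __name__ == "__main__":
    for bucket, entries in preflight(LOCAL_USERS, AZURE_USERS).items():
        print(bucket, entries)
```

Correct the addresses in the `review` and `no_match` buckets in the portal before enabling Replace existing accounts; a `None` hint means no Azure AD user with that display name was found at all.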
Implementation – Replacing the existing account
- First, connect your Azure AD to the Cortado administration portal. Do this as described in our help article Connect Azure Active Directory for group import.
- Then select Administration → Settings → Directory Services → Settings (arrow in illus.).
- Enable the Replace existing accounts checkbox (arrow in illus.).
- Now import your Azure AD groups. Proceed as described in our help article Import groups from Azure Active Directory.
Note! If you have already imported your Azure AD groups before, simply click the Synchronize button under Settings → Directory Services (see above) instead.
Results
The AD group Development was successfully imported into the Administration Portal in the last step. The local user in the example was successfully replaced with the Azure AD user (arrow in illus.).
Aron Jones is now a member of the Azure AD group Development and still a member of the local group Development.
All apps, profiles, policies, managed configurations, etc. that were previously assigned directly to local users are automatically transferred to the Azure AD account when the local account is replaced. The situation is different for configurations that were assigned to local groups. These remain with the local groups and must be manually assigned to the new AD groups afterwards.
Our user Aron Jones originally had two apps. He was assigned the ezeep app directly (top arrow in illus.) and the Keynote app was assigned to the local Development group (bottom arrow in illus.).
After replacing the local user with the AD user Aron Jones, the ezeep app is still directly assigned to the user. Nothing has changed in the assignment of the Keynote app to the Development local group. Assigning the Keynote app to the Development AD group must be done manually afterwards.
Finishing the groups
Before you can delete the local group Development, all existing assignments must be manually transferred from the local group to the AD group.
- To do this, select the new AD group (left arrow in the image) and then click Transfer Settings (right arrow in illus.).
- Then select all features (Policies, Profiles, Apps).
Note! Managed configurations are not included here. These must be assigned separately.
- Then select the old local group from which you want to get settings (arrow in illus.).
The Keynote app from our example was successfully transferred to the new Development AD group.
Finally, check whether managed configurations were assigned to your local group (example in illus.). If this is the case, you must now also assign them to the new AD group.
- To do this, select the new AD group in the group management (left arrow in the image) and click Assign in the Apps tab under Managed configurations (right arrow in illus.).
- Then select all managed configurations that you want to assign to the new AD group.
Once all settings have been transferred from the old local group to the new AD group, you can delete the old local group.