Your Users in BrainStation can be imported or synced from your Microsoft 365 tenant using the Bigger Brains integration with Entra ID. There are two methods for syncing Microsoft Users to BrainStation. Both methods are available through the Team Management Portal.

1. OAuth
2. Enterprise App

OAuth:

• Enter the Team Management Portal.
• Select Members from the left-side menu.
• Click Azure Entra Sync from the drop-down list.
• Select Connect Microsoft OAuth.

• Choose the Microsoft account you with to use for the sync from the Microsoft Authenticator Window.
• Select Accept when asked to accept the permissions requested from the BrainStation UMS (User Management System).

• When you return to the Azure Entra Sync page, you should see a large green checkmark next to the Connect OAuth button.

• Select the Sync Group drop-down field to choose which Entra ID Group you want to sync to the Team.
• A Sync Users field will appear.

• By default this field will select All Users, but you can click the drop-down to see all Users and their sync status.

• How you proceed depends on what you want to accomplish:
  • If you want to import certain Users, select them here and choose Save, and then Sync. All selected Users will be added to your Team.
  • If you want to import all Users from the Group leave All Users selected. 
• You will be returned to the Azure Entra Sync page.
• From here, there are two checkboxes you can select that will turn this import into a daily sync.

• Auto Sync:
  • If this box is checked, Users will be automatically added to the BrainStation Team anytime a member is added to the selected Entra ID Group.
• Allow Deletion:
  • If this box is checked, Users will be automatically deleted from the BrainStation Team anytime a member does not exist in the Entra ID Group.

Enterprise App:

Create an Enterprise App:

• Log into the Entra ID portal for your Microsoft 365 tenant.
• Click into the search bar.
• Search for Enterprise Applications.

• Select New Application.

• Click Create Your Own Application.

• You can give the application a name of your choice. We chose to use BiggerBrainsUsers.
• Select Register an application to integrate with Azure AD (App you're developing).

• Protect access to this application by choosing Accounts in this organizational directory only (single tenant).
• You do not need to change anything in the Redirect URI section.
• Select Register.

• The steps up until this point created an Enterprise Application.

App Registration:

• Next, we will configure the application to say what it should do. 
  • In Entra ID terms, this is known as App Registration.
• In the search bar at the top of the screen, search for App Registration and select it from the search menu.

• You should see the application BiggerBrainsUsers under the Owned Applications tab.
• Select the application.

• Click on API Permissions from the Manage menu on the left-side of the screen.
• Here, we can choose the access level this application will have.

• To choose and add permissions, click on Add a permission.

• From the pop-out screen, select Microsoft Graph.

• In the next screen, choose Application permissions.

• In the Select Permissions list that appears, search for User in the search bar.

• Open the drop-down list under User to select the options below.
  • User.Read.All: This will permit the application to read all User information.
  • User.Export.All: This will permit the application to export all User information.

• Allow access to Group information by searching for Group in the search bar.
• Open the drop-down list under Group and select Group.Read.All.

• Allow access to Group Member information by searching for GroupMember in the search bar.
• Open the drop-down list under GroupMember and select GroupMember.Read.All.
• When complete, click App Permissions to add all the previously selected permissions to this application.

• Ensure the application can access the configured permissions by checking the Status column.
• When checking the Status column, you may see a warning message indicating that consent is needed to grant access.

• To grant access you can click on Grand admin consent for <Application Name>.
  • (<Application Name> is the placeholder here)
• A pop-up box will ask for confirmation of this action. Select Yes.
• Upon granting access, the Status column should inform you that access has been granted.

Add a Scope:

• Now a scope needs to be added to restrict access to data and functionality protected by the API.
• Click on Expose an API from the Manage menu on the left-side of the screen.
• Select Add a Scope.
• You will be presented with an Application ID URI from a pop-out menu,
• Select Save and Continue and proceed.

• Give the scope a name, as programmatically this name will be presented to the client internally.
• For easier reference, you can use:
  • BiggerBrainsUsers.Read as a scope name.
  • BiggerBrainsUsers as an Admin consent display name.
  • Allow BiggerBrainsUsers Read access as an Admin consent description.
• Select Add scope to enable these restrictions.

• We are now almost ready with the configuration.
• For this to work, we need the ID of the application, which can be obtained from the Overview tab in the left-side menu.

Add a Client Application:

• Click on Expose an API from the Manage menu on the left-side of the screen.
• Select Add a client application.

• Paste the Application (client) ID and select the Authorized scope.
• Select Add application.

Add a Client Secret:

• These are the final few steps to configuring a certificate and associating it with the application.
  • This will ensure the connections are securely established.
• Click on Certificates and Secrets in the Manage menu on the left-side of the screen.
• Select New client secret.

• A pop out menu will open.
• Enter a Client secret name in the Description field.
  • In this case we are using BiggerBrainsUsers Certificate.
• Choose the Expiry date to be the maximum possible days/months, so you don't have to renew it often.
  • In most cases, this will be the 730 days (24 months) option.
• Select Add from the bottom left.

• Upon creating the certificate secret, it will display a Secret ID.
  • Copy the Secret ID into a safe location, as you will need this value to be entered in the Team Management Portal to import Users.
• Click the Copy to clipboard icon next to the Secret ID.

Importing Users into the Team Management Portal:

• Enter the Team Management Portal.
• Click Azure Entra Sync from the drop-down list.
• Select the Create your own enterprise app box.

• Enter the following values in their corresponding fields and select Load Groups.
  • Tenant ID
  • Client ID
  • Client Secret Value

• Choose the Sync Group drop-down to choose which Entra Group you wish to sync or import.

• Once a group is selected, a Sync Users field will appear.

• By default this field will select All Users, but you can click the drop-down to see all Users and their sync status.

• How you proceed depends on what you want to accomplish:
  • If you want to import certain Users, select them here and choose Save, and then Sync. All selected Users will be added to your Team.
  • If you want to import all Users from the Group leave All Users selected. 
• You will be returned to the Azure Entra Sync page.
• From here, there are two checkboxes you can select that will turn this import into a daily sync.

• Auto Sync:
  • If this box is checked, Users will be automatically added to the BrainStation Team anytime a member is added to the selected Entra ID Group.
• Allow Deletion:
  • If this box is checked, Users will be automatically deleted from the BrainStation Team anytime a member does not exist in the Entra ID Group.

Automate the Enterprise App Process with PowerShell Scripts:

Bigger Brains provides the PowerShell script below as a way to automate the Azure App creation process. This PowerShell script is provided as a 'beta; feature with no warranty, so proceed with caution, however is has worked well in our internal testing.

The basic flow is simple:

1. Run the PowerShell script.
2. Enter your Tenant ID if prompted.
3. Enter a name for the Enterprise App.
4. The script will do everything else outlined in the Enterprise App section above.

• Download this PowerShell script.
• Save the script to your hard drive in an easy-to-remember path.

• Run PowerShell on your Windows computer.
• For PowerShell on other platforms, see this page.

• Set the PowerShell Execution Policy to run unsigned apps.
• Do this by typing this command in PowerShell: Set- ExecutionPolicy - ExcecutionPolicy Bypass
• Run the script by typing the path and file name.
• The script will now run.

• When prompted, enter a name for your Enterprise App.
  • We recommend something descriptive like Bigger Brains Entra Import App.
• The script will try to detect your Entra Tenant ID if you are logged in.
  • If a Tenant ID is detected, it will prompt you to confirm it is correct.
  • If it is unable to detect a Tenant ID, it will prompt you for yours.

• To find your Tenant ID, log in to Microsoft Entra ID.
• Search for Tenant Properties, and on that page, you will find your Tenant ID
• The script will continue running after the Tenant ID is entered.
  • Various progress or error messages may appear.
• When the script completes successfully, you will find the three key credentials needed for the Entra ID Import displayed in green.

• Copy the three key credentials and store them in a safe place.
• At this point, the script is completed, and PowerShell may be closed.
• Now you can proceed with Importing Users into the Team Management Portal.