1 Introduction and Overview
Directory enables organizations to identify and populate missing information in directories automatically, quickly and easily. Utilizing next generation technologies, Directory automates the process of keeping Active Directory and Office 365 Profile Information fresh and relevant. Using Directory, organizations can be more effective by saving time, reducing IT Support overhead, and improving the speed of business communications.
In online deployments, Directory connects directly to Azure Active Directory to scan for the quality of user profile information.
For any implementation scenario utilizing an on-premises Active Directory system (on-premises or hybrid), Directory scans for the absence of user profile information using a locally installed agent (hereinafter referred to as the Directory Agent).
This implementation guide is intended to be an instruction set for systems administrators to implement Directory and install the necessary components successfully.
2 Online Implementation
The following section pertains to online-only deployment scenarios. Use the following steps to implement Directory if the target Active Directory instance exists solely in Azure Active Directory.
2.1 Online Planning
For online deployments, you will need Office 365 credentials designated to become the initial Directory administrator account as well as an Office 365 account with Global Administrator privileges.
The initial Directory administrator can be any account in your Office 365 tenant. This account does not require any Office 365 administrative privileges, and can be your day-to-day account.
2.2 Online Deployment
Step 1: Open a web browser
- Use the licensing link provided by Hyperfish to sign-in to the Directory web application for the first time
Step 2: Choose your implementation method
- You will be given three experience options -- select ‘Analyze.’
- Select the ‘Cloud Only’ option for your Active Directory location.
- Click the ‘Accept’ button to grant Directory permissions to the directory. The Directory application is a verified application through Microsoft. You will notice a check next to the Hyperfish name on the grant request as seen below.
Step 3: Confirm Active Directory instance
- If the directory instance is correct, click ‘Yes, Let’s Go!’ and ‘Continue.’
- Click ‘Go to Dashboard’ to start the scan and view your dashboard.
You are now ready to start an analysis of your Active Directory using Hyperfish.
2.3 Confirming Online Deployment Functionality
Navigate to Settings -> General
- Review and verify connection details for your online Azure AD instance from the ‘Directory Details’ section
- Click the time under ‘Daily Full Scan’ to set the next run time
- Click ‘SAVE’
- Navigate back to the Home screen using the navigation menu on the left
Once the scheduled analysis has completed, the page will display a summary of the collected results.
After reviewing the results, designate some administrators to approve changes and gather a list of users that you would like to participate in Pilot mode.
3 Hybrid Implementation
3.1 Hybrid Planning
For Hybrid deployments, you will need your Office 365 account credentials along with the on-premises requirements. The Office 365 account will be the designated initial Directory administrator and does not require any administrative permissions.
Prepare the following on-premises requirements for your hybrid deployment:
Step 1: Choosing an Agent Host
Choose a domain-joined machine to host the local Directory Agent. This machine should meet or exceed the following requirements:
- Supported Operating Systems: Windows Server 2012 R2 or above
- Microsoft .NET Framework 4.5.2 (The installer will prompt to install if not currently installed)
- Processor: 2 GHz
- Memory: 4 GB
Step 2: Choosing a service account
Choose or create a service account to run the Hyperfish service.
The service account needs read/write permissions to Active Directory. Directory encourages a least-privilege approach, granting granular permissions for the Active Directory object that you would like the account to modify.
Note: While the least-privilege approach is considered best practice, please be aware that in this configuration, the Hyperfish service will not be able to make changes to any user accounts that are a member of Domain Admins, Enterprise Admins, or Schema Admins groups in Active Directory.
This is because MS Active Directory considers Domain Admins, Enterprise Admins, and Schema Admins groups as “Protected Groups” and switches the user object inheritance flag to disable inheritance from the parent object, rendering the delegated permissions useless.
Even if the user object is manually set to inherit from the parent, the SDProp job runs every hour to scan for objects that are considered “protected” and resets the inheritance flag. Please refer to the SDProp section in this TechNet article: https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory
To delegate permissions for the service account:
- Right click on the AD container and select ‘Delegate Control’:
- Select your designated Directory service account:
- Choose ‘create a custom task’:
- Select to Delegate control of ‘Only the following objects…’ and select ‘User objects’:
- Select the following general permissions, then Click ‘Next’ and then ‘Finish’:
- Read and write phone and mail options
- Read and write general information
- Read and write personal information
- Read and write public information
- Read and write web information
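The delegation wizard steps above, and the protected-group caveat before them, as an added PowerShell example that is not part of the original guide: it grants the service account the same five property sets on user objects beneath a container, then lists the users in that container that SDProp protects (adminCount=1), which the Directory Agent will not be able to update. The OU and account names are placeholders; the Active Directory PowerShell module is assumed to be installed.

```powershell
# Added example (not from the original guide): delegate the five property sets the wizard
# grants, then report user objects the delegation will never reach because SDProp/AdminSDHolder
# resets their ACL and disables inheritance.
# Assumptions: AD PowerShell module present; OU and account names below are placeholders.
Import-Module ActiveDirectory

$targetOu       = "OU=Staff,DC=corp,DC=example"   # placeholder container to delegate on
$serviceAccount = "svc-directory"                  # placeholder Directory service account
$propertySets   = "Phone and Mail Options", "General Information",
                  "Personal Information", "Public Information", "Web Information"

$rootDse = Get-ADRootDSE
# schemaIDGUID of the 'user' class, so the ACEs apply to descendant user objects only.
$userClassGuid = [guid](Get-ADObject -SearchBase $rootDse.SchemaNamingContext `
    -LDAPFilter "(lDAPDisplayName=user)" -Properties schemaIDGUID).schemaIDGUID

$sid = (Get-ADUser $serviceAccount).SID
$acl = Get-Acl -Path "AD:\$targetOu"

foreach ($setName in $propertySets) {
    # Property sets are controlAccessRight objects; their rightsGuid is the ACE object type.
    $setGuid = [guid](Get-ADObject -SearchBase $rootDse.ConfigurationNamingContext `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$setName))" `
        -Properties rightsGuid).rightsGuid
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
         [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
        [System.Security.AccessControl.AccessControlType]::Allow,
        $setGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path "AD:\$targetOu" -AclObject $acl

# Users under the OU that SDProp marks as protected (members of Domain Admins, Enterprise
# Admins, Schema Admins and similar). adminCount can remain 1 after an account leaves a
# protected group, so treat this as a list of candidates to review, not a final answer.
Get-ADUser -SearchBase $targetOu -LDAPFilter "(adminCount=1)" -Properties adminCount |
    Select-Object SamAccountName, DistinguishedName |
    Format-Table -AutoSize
```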
Step 3: Open Required Outbound Ports
The following outbound ports are required:
- 443 - HTTPS for API calls -- used to authenticate the installation, check licenses, and download configuration from our cloud service.
- 5671 - AMQPS (TLS) for the Hyperfish queue service
Domains*:
- AUS: *.hyperfish.com.au
- UK-WEU: *.hyperfish.co.uk
- US: *.hyperfish.com
*Use these domains if you need to restrict egress traffic from the Directory Agent with outbound network or FQDN rules.
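A pre-install egress check for the ports and domains listed above, added here as an example and not part of the original guide. It assumes the API host is api.<regional domain>; the AMQPS queue host is not named in the guide, so $QueueHost is a placeholder to replace with the host your deployment uses.

```powershell
# Added example, not from the original guide: verify the agent host can reach the regional
# Directory endpoints on the two required outbound ports before installing the agent.
# Assumptions: API host is api.<regional domain>; $QueueHost is a placeholder.
param(
    [ValidateSet('US', 'UK-WEU', 'AUS')] [string] $Region = 'US',
    [string] $QueueHost = 'PLACEHOLDER-queue-host.hyperfish.com'
)

$domains = @{ 'AUS' = 'hyperfish.com.au'; 'UK-WEU' = 'hyperfish.co.uk'; 'US' = 'hyperfish.com' }
$checks  = @(
    @{ Host = "api.$($domains[$Region])"; Port = 443;  Purpose = 'HTTPS API (licensing, config)' },
    @{ Host = $QueueHost;                  Port = 5671; Purpose = 'AMQPS queue service' }
)

function Get-TlsIssuer([string] $TargetHost, [int] $Port) {
    # Completes a TLS handshake and returns the issuer of the presented certificate.
    # An internal CA here means a TLS-inspecting proxy sits in the path, which typically
    # breaks the agent's API and AMQPS connections even though the TCP port is open.
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($TargetHost)
        $issuer = $ssl.RemoteCertificate.Issuer
        $ssl.Dispose(); $tcp.Close()
        return $issuer
    } catch { return "handshake failed: $($_.Exception.Message)" }
}

$results = foreach ($c in $checks) {
    # Test-NetConnection does the DNS lookup and TCP handshake only; TLS is checked separately.
    $t = Test-NetConnection -ComputerName $c.Host -Port $c.Port -WarningAction SilentlyContinue
    $issuer = 'n/a'
    if ($t.TcpTestSucceeded) { $issuer = Get-TlsIssuer $c.Host $c.Port }
    [pscustomobject]@{
        Host      = $c.Host
        Port      = $c.Port
        Purpose   = $c.Purpose
        TcpOpen   = $t.TcpTestSucceeded
        TlsIssuer = $issuer
    }
}
$results | Format-Table -AutoSize

# Fail loudly so this can run as a pre-install gate on the agent host.
if ($results | Where-Object { -not $_.TcpOpen }) {
    throw "Required outbound port blocked; allow 443 and 5671 to *.$($domains[$Region]) and re-test."
}
```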
3.2 Hybrid Deployment
Use the following steps to implement Hyperfish if your organization has a hybrid configuration where both on-premises Active Directory and Azure Active Directory are used.
Step 1: Open a web browser
- Use the licensing link provided by Hyperfish to sign-in to the Hyperfish web application for the first time. This link can only be used once.
Step 2: Choose your implementation method
- Select ‘Analyze’ as your initial experience option (this is the only one available)
- Select the ‘Hybrid’ option for your Active Directory location
Step 3: Download the Directory Agent
- Copy the ten-character registration code from the page
- Click ‘Download’ to download the installer for the Hyperfish Agent
- Re-locate the installer to the server specified during the planning section of this guide
Step 4: Install the Directory Agent
- Right-click the Agent installer and select ‘Run as Administrator’ and click ‘Next’
- Enter the ten-character code shown on the Hyperfish web application and click ‘Next’
- Specify a location to install the Hyperfish application
- Review the terms and conditions; check the box to agree and click ‘Next.’
- Click ‘Install’ to start the installation process.
- When the installation is complete, click ‘Finish.’
Step 5: Configure the Directory service
- From the host machine’s start menu or run dialog, type “services.msc”
- Open the Microsoft Windows Services console
- Right-click the Directory service and select ‘Properties’ from the context menu
- From the ‘Log On’ tab, select ‘This account’
- Enter the login credentials for the service account specified during the planning section
- Click ‘Apply’ and ‘OK’, then Start the Directory Service
Additional steps for AU and UK deployments
When deploying to the UK or AU deployments of Directory there is one additional step that needs to be taken for the service to connect to the web application.
By default, the Directory Agent makes its API calls to
"https://api.hyperfish.com"
This is the Directory web application in our US deployment. The setting is stored in the servicesettings.json file on the server where the agent is installed, under the service account's profile: navigate to C:/Users/Hyperfish SVC Acct/AppData/Local/Hyperfish.
Start the service anyway, because the first start is what generates these .json files. Expect the first attempt to fail. Once it has failed, navigate to the path above, open the servicesettings.json file and update the API address line to match your deployment location.
For AU deployment-"https://api.hyperfish.com.au"
For UK deployment-"https://api.hyperfish.co.uk"
Once updated to reflect the correct deployment region, save the servicesettings.json file. Then restart the Directory service. This attempt should be successful.
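The region fix above as an added PowerShell example, not part of the original guide. The guide does not name the JSON key that holds the API address, so the script rewrites every top-level string property equal to the US URL instead of guessing a key; the settings path follows the guide's example service account, and the service name is a placeholder to replace with the one shown in services.msc.

```powershell
# Added example (not from the original guide): point an AU or UK agent at its regional API.
# Assumptions: settings path under the service account profile as in the guide; $ServiceName
# is a placeholder; the key holding the API URL is unknown, so values are matched, not keys.
param(
    [ValidateSet('AU', 'UK')] [string] $Region = 'AU',
    [string] $SettingsPath = 'C:\Users\Hyperfish SVC Acct\AppData\Local\Hyperfish\servicesettings.json',
    [string] $ServiceName  = 'PLACEHOLDER-Directory-Service'   # replace with the real service name
)

$regionalApi = @{ AU = 'https://api.hyperfish.com.au'; UK = 'https://api.hyperfish.co.uk' }[$Region]
$usApi       = 'https://api.hyperfish.com'

if (-not (Test-Path $SettingsPath)) {
    throw "servicesettings.json not found; start the service once so it generates the file, then re-run."
}

# Keep a copy so the change can be reverted if the regional attempt also fails.
Copy-Item $SettingsPath "$SettingsPath.bak" -Force

$settings = Get-Content $SettingsPath -Raw | ConvertFrom-Json
$changed  = 0
# Only top-level properties are inspected; a nested URL would need a deeper walk.
foreach ($prop in $settings.PSObject.Properties) {
    if ($prop.Value -is [string] -and $prop.Value.TrimEnd('/') -eq $usApi) {
        $prop.Value = $regionalApi
        $changed++
    }
}
if ($changed -eq 0) { throw "No property with value $usApi found; inspect $SettingsPath manually." }

$settings | ConvertTo-Json -Depth 10 | Set-Content $SettingsPath -Encoding UTF8
Write-Host "Updated $changed setting(s) to $regionalApi (backup at $SettingsPath.bak)"

# Restart so the agent retries against the regional endpoint, then show the resulting state.
Restart-Service -Name $ServiceName
Start-Sleep -Seconds 15
Get-Service -Name $ServiceName | Select-Object Name, Status
```

If the service still fails to connect after the restart, compare the file with the .bak copy and check the Windows event log for the agent's error before changing anything else.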
Step 6: Finish configuration from the web application
- The Directory web application should progress to the analysis stage
- Review the default settings summary; Click ‘Continue’
- Click ‘Go to Dashboard’ to start the scan and view your dashboard
You are now ready to start an analysis of your Active Directory using Hyperfish.
3.3 Confirming Hybrid Deployment Functionality
Confirm the functionality of Hyperfish by completing your first directory analysis:
Navigate to Settings -> General
- Review and verify connection details for your on-premises AD instance from the ‘Directory Details’ section
- Set the ‘Daily Full Scan’ time to the time you wish for Hyperfish daily audits to run
- Click ‘SAVE’
- Navigate back to the Home screen using the navigation menu on the left
Once the scheduled analysis has completed, the page will display a summary of the collected results.
After reviewing the results, designate some administrators to approve changes and gather a list of users that you would like to participate in Pilot mode.
4 Moving to Pilot and Run Modes
Step 1: Add Pilot Participants, additional Administrators, and Approvers
- Add pilot participants by navigating to Settings -> General, and expanding the ‘Pilot Participants’ section under ‘Hyperfish Mode’
- Add additional administrators in the Hyperfish Administrators section in Settings -> General
- Add Hyperfish approvers in the ‘Approvers’ section in Settings -> Approval
Step 2: Navigate to Settings -> Hyperbot
- By default, Hyperbot should be toggled to ‘On’
- Set the Hyperbot name and email address (Note: changing the address may result in Hyperbot emails being filtered by your email settings)
- Set the ‘Personality’ slider from ‘Relaxed,’ ‘Standard,’ or ‘Formal,’ to best fit your company culture. Optionally, configure the language in your email templates in the ‘Email Templates’ section.
- Use the ‘Tenacity’ options to set the number of attempts and frequency at which you would like users to hear from Hyperbot.
- Add email addresses that should never hear from Hyperbot to the ‘do not disturb’ list
- Click the ‘SAVE’ button
Step 3: Navigate to Settings -> Attributes
- Edit Directory Attributes
- Set attributes you want to be required as ‘Must Contain a Value’. Users will be notified if a required field is set to ‘Hyperbot and Editable’.
- Set fields to ‘Editable’ if you want users to be able to edit a field, but do not want Hyperbot to send notifications about it.
- Set fields to ‘Read Only’ if you don’t want to allow users to edit those fields (job title is a common example).
Step 4: Navigate to Settings -> Approval
- Toggle Auto Approve ‘on’ for any property that should not require approval
- Use the ‘Timing’ settings to adjust how soon approvers should be notified of pending changes
- Click the ‘SAVE’ button
Step 5: Navigate to Settings -> General
- Set the slider to Pilot mode
- Click the ‘SAVE’ button
While in Pilot mode, consider any configuration changes that may need to be made. After the pilot program has been deemed successful, navigate to Settings -> General and move the mode slider to ‘Run’.
If you have any questions or comments about this Implementation Guide, please reach out to support@livetiles.nyc for assistance.