Closed NicoledeGreef closed 6 months ago
If we can do this, and we proceed, we may need to add Organizations in the future. To do this we will add them to the taxonomy but we will need to be able to specify the AD group/list mappings for those as well.
@NicoledeGreef I met with the team about this at stand-up today. How we do it depends on how you are set up on your end. If you are using Office 365, there is a module that can connect, then pull all sorts of metadata for use in Drupal. See https://www.drupal.org/project/o365. Currently we are using OpenID Connect.
The next step would be to meet with @chrislaick to discuss. We can set up a meeting and invite Liam, myself and Stephen. Stephen has done this before. I told him we would add him to the invite so he has the time blocked off and I'll call him in if we need his input.
Question: does this mean any person from one of those organizations becomes an editor? Do we want all staff from a given org having editor permissions, or only designated editor roles/staff?
@mjmcclung no, permission to edit is a combination of a role (assigned in Drupal) and an org, which is what we are looking at here. If you only have the edit role, you cannot do anything because you don't have an org. If you only have an org, you can't do anything because you need edit role. You need both to work with content.
@NicoledeGreef to find out the status of our O365 adoption, chat with @chrislaick, and set up a meeting with OP.
@CraigClark can you explore if Azure AD is a requirement or is on-prem AD fine for the Drupal MS 365 connector?
@CraigClark just putting the OpenID Connect Microsoft Azure Active Directory client module out there in case it is helpful. It's a client that plugs into the openid_connect module, which is already installed.
We are in the process of discovering more about the evolving state of the AD landscape here and have reached out to an internal contact. Through him we have learned that there is an Azure AD portal (MS Entra) and via that interface we can query users and, from there, query their group memberships. Query results attached. Seems to be a mix of Cloud and AD Server groups, so looks to be part, if not all the way there? We are seeking more info internally as to where this is going.
I do believe we are all “O 365” ready; we have on prem AD and the Azure AD portal sync. Our office apps are all MS 365.
“Microsoft 365” is also one of several Group type labels; whether or not a Group is typed as “Microsoft 365” does not have much to do with being able to figure out that a user belongs to a specific group, as I had speculated in my previous comment.
@NicoledeGreef let's meet tomorrow to go over a few things. Planning this will be part of it.
fed into #443
OP timer
https://openplus.monday.com/boards/4092908516/pulses/6401490141
To support mapping Active Directory membership to Organizations in Drupal.
The idea being that IDIR users can log in and automatically be assigned to be a member of an Organization rather than administrator intervention being required.
For example: