Adds support for TeamViewer user group sync

AD groups and the membership of its users can be synchronized
into TeamViewer user groups.

README.md

@@ -34,12 +34,12 @@ automatically asks for elevated rights (if required).
 
 ### Available Configuration Parameters
 
-* Parameter `ApiToken`:
+- Parameter `ApiToken`:
 
   The TeamViewer API access token that is used for accessing the
   TeamViewer company user directory. For more information on how to
   create such a token please visit:
-  https://www.teamviewer.com/en/for-developers/teamviewer-api/
+  [https://www.teamviewer.com/en/for-developers/teamviewer-api/](https://www.teamviewer.com/en/for-developers/teamviewer-api/)
 
   The TeamViewer API token requires the following access permissions:
 
@@ -49,106 +49,118 @@ automatically asks for elevated rights (if required).
   - (optional) _Account management_: _View full profile_
     (corresponds to the WebAPI permissions
      `Account.Read`, `Account.ReadEmail`.
-     Used to skip possible deactivation of API token owner.)
+    Used to skip possible deactivation of API token owner.)
   - (optional) _Group management_: _View, create, delete, edit and share groups_
-     Required when conditional access synchronization is enabled.
+    Required when conditional access synchronization is enabled.
+  - (optional) _User Group management_: _View, create, delete and edit groups_
+    Required when user group synchronization is enabled.
 
-* Parameter `ActiveDirectoryGroups`:
+- Parameter `ActiveDirectoryGroups`:
 
   The LDAP identifiers (without the leading `LDAP://` protocol scheme)
   of the AD groups used for the synchronization.
 
-* Parameter `UserLanguage`:
+- Parameter `UserLanguage`:
 
   The two-letter language identifier used as default language for newly
   created TeamViewer users. For example it is used to localize the
   "Welcome" email.
 
-* Parameter `UseDefaultPassword`:
+- Parameter `UseDefaultPassword`:
 
   If set to `true` TeamViewer users will be created with the initial
   password specified by the `DefaultPassword` parameter.
   This parameter cannot be used in conjunction with the
   `UseSsoCustomerId` or `UseGeneratedPassword` parameters.
 
-* Parameter `DefaultPassword`:
+- Parameter `DefaultPassword`:
 
   The initial password used for newly created TeamViewer users.
 
-* Parameter `UseSsoCustomerId`:
+- Parameter `UseSsoCustomerId`:
 
   If set to `true` TeamViewer users will be created having Single
   Sign-On already activated. Therefore a customer ID needs to be
   specified in the `SsoCustomerId` parameter.
   This parameter cannot be used in conjunction with the
   `UseDefaultPassword` or `UseGeneratedPassword` parameters.
 
-* Parameter `SsoCustomerId`:
+- Parameter `SsoCustomerId`:
 
   The TeamViewer Single Sign-On customer identifier.
 
-* Parameter `UseGeneratedPassword`:
+- Parameter `UseGeneratedPassword`:
 
   If set to `true` TeamViewer users will be created with a generated
   password. The users will receive an email for resetting their
   password.
 
-* Parameter `TestRun`:
+- Parameter `TestRun`:
 
   If set to `true` the synchronization will **not** modify any
   TeamViewer user resources but instead only log the actions that would
   have been executed.
 
-* Parameter `DeactivateUsers`:
+- Parameter `DeactivateUsers`:
 
   If set to `true` TeamViewer users that are not member of the selected
   AD group will be disabled.
 
-* Parameter `RecursiveGroups`:
+- Parameter `RecursiveGroups`:
 
   If set to `true` users of nested AD groups will be included.
 
-* Parameter `UseSecondaryEmails`:
+- Parameter `UseSecondaryEmails`:
 
   If set to `true` the secondary email addresses configured for an AD
   user will also be taken into account when trying to map to a
   TeamViewer user.
 
-* Parameter `EnableConditionalAccessSync`:
+- Parameter `EnableConditionalAccessSync`:
 
-  If set to `true` the script attempts to synchronise the given AD groups and
+  If set to `true` the script attempts to synchronize the given AD groups and
   their respective users with the directory groups for _conditional access_ in
   TeamViewer. Those groups can then be used to restrict/allow TeamViewer
   functionality for certain users.
   The conditional access synchronization step runs after the user sync.
   This option requires the API token to have additional permissions.
   See point `ApiToken` above.
 
+- Parameter `EnableUserGroupsSync`:
+
+  If set to `true` the script attempts to synchronize the given AD groups and
+  their respective users with the TeamViewer user groups. Those user groups can
+  then be used to configure TeamViewer functionality, for example: Single
+  Sign-On ownership or exclusions.
+  The user groups synchronization step runs after the user sync and after the
+  optionally enabled conditional access group sync.
+  This option requires the API token to have additiona permissions:
+  See point `ApiToken` above.
 
 ### Scheduled Task
 
 The scheduled task will be created with the specified interval as:
-```
+
+```powershell
 \TeamViewer\TeamViewer AD Connector
 ```
 
 Output of the scheduled task is redirected to the specified log file
 location.
 
-
 ## User Synchronization Logic
 
 The actual synchronization is done by the `Invoke-Sync.ps1` script in
 the `TeamViewerADConnector` directory using the following logic:
 
-* Users of the configured AD group that are not yet part of the
+- Users of the configured AD group that are not yet part of the
   configured TeamViewer company (identified by the API token) will be
   created with the specified initial password.
-* Users of the configured AD group that are already part of the
+- Users of the configured AD group that are already part of the
   configured TeamViewer company will be activated and/or updated if the
   name of the user has been changed or the TeamViewer user is
   deactivated.
-* If configured, users of the TeamViewer company that are not present in
+- If configured, users of the TeamViewer company that are not present in
   the configured AD group will be deactivated.
 
 Identification of users is done based on the email addresses.
@@ -157,6 +169,10 @@ into account for the mapping between AD users and TeamViewer users.
 
 ## Changelog
 
+### [1.4.0]
+
+- Added optional synchronization of TeamViewer user groups.
+
 ### [1.3.2]
 
 - Fixed bulking of CA group member requests.
@@ -170,16 +186,19 @@ into account for the mapping between AD users and TeamViewer users.
 - Added synchronization for TeamViewer Conditional Access directory groups.
 
 ### [1.2.2]
+
 - Added hint to options that require TeamViewer Tensor license.
 - Fixed escaping of spaces in script path of scheduled task.
 - Fixed handling of global catalog names, starting with `GC://`.
 
 ### [1.2.1]
+
 - Fixed handling of trailing whitespace in secondary email addresses.
 - Fixed possible timeouts in update/deactivate user calls to the
   TeamViewer Web API on some versions of PowerShell.
 
 ### [1.2.0]
+
 - Added configuration field `UseGeneratedPassword` to create user
   accounts with a generated password. Such users will receive an email
   to reset their password.
@@ -193,6 +212,7 @@ into account for the mapping between AD users and TeamViewer users.
 - Fixed sorting of account language list.
 
 ### [1.1.0]
+
 - Added option `UseSecondaryEmails` to additionally use the user's
   secondary email addresses for the synchronization.
 - Added configuration field `SsoCustomerId` to create user accounts that

TeamViewerADConnector/Internal/Configuration.ps1

@@ -17,6 +17,7 @@ function Import-Configuration($filename) {
         RecursiveGroups             = $true
         UseSecondaryEmails          = $true
         EnableConditionalAccessSync = $false
+        EnableUserGroupsSync        = $false
     }
     if (Test-Path $filename) {
         $configuration = (Get-Content $filename | Out-String | ConvertFrom-Json)

TeamViewerADConnector/Internal/Forms/MainWindow.xaml

@@ -3,9 +3,9 @@
 Copyright (c) 2018-2021 TeamViewer Germany GmbH
 See file LICENSE
 -->
-<Window xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" 
-    xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" 
-    xmlns:d="http://schemas.microsoft.com/expression/blend/2008" 
+<Window xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
+    xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
+    xmlns:d="http://schemas.microsoft.com/expression/blend/2008"
     xmlns:scm="clr-namespace:System.ComponentModel;assembly=WindowsBase" Width="620" MinWidth="620" MinHeight="770" WindowStartupLocation="CenterScreen" SizeToContent="Height">
     <Window.Title>
         <MultiBinding StringFormat="{}{0} {1}">
@@ -140,13 +140,14 @@ See file LICENSE
                             </StackPanel>
                         </Grid>
                     </TabItem>
-                    <TabItem Header="{Binding L.TabHeaderConditionalAccess}">
+                    <TabItem Header="{Binding L.TabHeaderGroups}">
                         <Grid>
                             <Grid.RowDefinitions>
                                 <RowDefinition SharedSizeGroup="ConfigurationTabHeight" />
                             </Grid.RowDefinitions>
                             <StackPanel Margin="10">
                                 <CheckBox VerticalAlignment="Top" Margin="5" Content="{Binding L.EnableConditionalAccessSync}" IsChecked="{Binding ConfigurationData.EnableConditionalAccessSync}" />
+                                <CheckBox VerticalAlignment="Top" Margin="5" Content="{Binding L.EnableUserGroupsSync}" IsChecked="{Binding ConfigurationData.EnableUserGroupsSync}" />
                             </StackPanel>
                         </Grid>
                     </TabItem>

TeamViewerADConnector/Internal/Localization/GraphicalUserInterface.de.json

@@ -11,8 +11,8 @@
     "Install": "Installieren",
     "InstallError": "Geplante Aufgabe konnte nicht eingerichtet werden!",
     "IntervalUnit": "Stunden",
-    "LabelAccountType": "Kontotyp:",
     "LabelADGroups": "AD Gruppen:",
+    "LabelAccountType": "Kontotyp:",
     "LabelApiToken": "API Token:",
     "LabelCustomerId": "Customer ID:",
     "LabelDefaultPassword": "Init. Passwort:",
@@ -40,9 +40,11 @@
     "SyncError": "Synchronisierung der Benutzer fehlgeschlagen!",
     "SyncGetActiveDirectoryGroupMembers": "Mitglieder der Active Directory Gruppen werden abgerufen",
     "SyncGetTeamViewerConditionalAccess": "TeamViewer Conditional Access Gruppen werden abgerufen",
+    "SyncGetTeamViewerUserGroups": "TeamViewer User Gruppen werden abgerufen",
     "SyncGetTeamViewerUsers": "Benutzer der TeamViewer Company werden abgerufen",
+    "SyncUserGroups": "Synchronisiere TeamViewer User Gruppen",
     "TabHeaderAccounts": "TeamViewer Konten",
-    "TabHeaderConditionalAccess": "Conditional Access",
+    "TabHeaderGroups": "Gruppen",
     "TabHeaderSynchronization": "Synchronisierung",
     "TestRun": "Testlauf",
     "TestToken": "Token prüfen",
@@ -51,6 +53,7 @@
     "Title": "TeamViewer AD Connector",
     "Uninstall": "Entfernen",
     "UninstallError": "Geplante Aufgabe konnte nicht entfernt werden!",
+    "UseSecondaryEmails": "Sekundäre E-Mail-Adressen ebenfalls berücksichtigen",
     "UserLanguage_bg": "Bulgarisch (bg)",
     "UserLanguage_cs": "Tschechisch (cs)",
     "UserLanguage_da": "Dänisch (da)",
@@ -81,6 +84,5 @@
     "UserLanguage_uk": "Ukrainisch (uk)",
     "UserLanguage_vi": "Vietnamesisch (vi)",
     "UserLanguage_zh_CN": "Vereinfachtes Chinesisch (zh_CN)",
-    "UserLanguage_zh_TW": "Traditionelles Chinesisch (zh_TW)",
-    "UseSecondaryEmails": "Sekundäre E-Mail-Adressen ebenfalls berücksichtigen"
+    "UserLanguage_zh_TW": "Traditionelles Chinesisch (zh_TW)"
 }

TeamViewerADConnector/Internal/Localization/GraphicalUserInterface.en.json

@@ -7,12 +7,13 @@
     "Cancel": "Cancel",
     "DeactivateUsers": "Deactivate TeamViewer users that are not member of the AD group",
     "EnableConditionalAccessSync": "Enable TeamViewer Conditional Access group synchronization",
+    "EnableUserGroupsSync": "Enable TeamViewer user groups synchronization",
     "FilterLogFiles": "Log files (*.log)|*.log|All files (*.*)|*.*",
     "Install": "Install",
     "InstallError": "Failed to install scheduled task!",
     "IntervalUnit": "hours",
-    "LabelAccountType": "Account Type:",
     "LabelADGroups": "AD groups:",
+    "LabelAccountType": "Account Type:",
     "LabelApiToken": "API token:",
     "LabelCustomerId": "Customer Identifier:",
     "LabelInterval": "Interval:",
@@ -39,9 +40,11 @@
     "SyncError": "User synchronization was not successful!",
     "SyncGetActiveDirectoryGroupMembers": "Fetching members of Active Directory groups",
     "SyncGetTeamViewerConditionalAccess": "Fetching TeamViewer conditional access groups",
+    "SyncGetTeamViewerUserGroups": "Fetching TeamViewer user groups",
     "SyncGetTeamViewerUsers": "Fetching TeamViewer company users",
+    "SyncUserGroups": "Synchronizing TeamViewer user groups",
     "TabHeaderAccounts": "TeamViewer Accounts",
-    "TabHeaderConditionalAccess": "Conditional Access",
+    "TabHeaderGroups": "Groups",
     "TabHeaderSynchronization": "Synchronization",
     "TestRun": "Test run",
     "TestToken": "Test token",
@@ -50,6 +53,7 @@
     "Title": "TeamViewer AD Connector",
     "Uninstall": "Uninstall",
     "UninstallError": "Failed to uninstall scheduled task!",
+    "UseSecondaryEmails": "Include secondary email addresses for synchronization",
     "UserLanguage_bg": "Bulgarian (bg)",
     "UserLanguage_cs": "Czech (cs)",
     "UserLanguage_da": "Danish (da)",
@@ -80,6 +84,5 @@
     "UserLanguage_uk": "Ukrainian (uk)",
     "UserLanguage_vi": "Vietnamese (vi)",
     "UserLanguage_zh_CN": "Simple Chinese (zh_CN)",
-    "UserLanguage_zh_TW": "Traditional Chinese (zh_TW)",
-    "UseSecondaryEmails": "Include secondary email addresses for synchronization"
+    "UserLanguage_zh_TW": "Traditional Chinese (zh_TW)"
 }