Sync Users from Azure Active Directory
Applies To: AuthPoint Multi-Factor Authentication, AuthPoint Total Identity Security
To sync users from Azure Active Directory (AD), you must add an Azure AD external identity and create one or more group syncs.
In AuthPoint, the Azure AD external identity represents your external user database. It connects to Azure Active Directory to get user account information and validate passwords. The group syncs you add to an external identity specify which users to sync from Azure AD to AuthPoint.
When you configure a group sync to sync users from Azure AD, you can select the Create new synchronized groups check box to create new groups in AuthPoint based on the Azure AD groups that you sync users from. Users sync to the new groups based on group membership in Azure AD, in addition to the selected AuthPoint group. To add synced Azure AD users to multiple groups, we recommend that you use this feature.
Azure AD external identities do not require the AuthPoint Gateway. If you have an on-premise Active Directory server with Azure AD Connect, you can configure an Azure AD external identity to sync and authenticate users without the AuthPoint Gateway.
Because of a Microsoft limitation, Microsoft 365 only supports AuthPoint MFA for Azure AD users if they are synced with a local AD server (it does not support MFA for users that only exist in Azure AD). For more information, see this Knowledge Base article.
If Azure AD users get an error message that says “MFA did not authorize” when they authenticate to protected resources, this message usually comes from Azure Active Directory and indicates that AuthPoint could not validate the user credentials. For more information, see this Knowledge Base article.
Configure Azure Active Directory
Before you can configure AuthPoint, you must configure Azure AD.
To configure Azure AD:
- Log in to the Microsoft Azure Portal.
- Select the Azure Active Directory service.
- From the navigation menu, select App registrations.
- Click New Registration.
The Register an application page appears.
- Type a name for the application.
- For Supported account types, select the types of user accounts that can use this application to log in. Your selection should represent the users that you sync to AuthPoint.
- Click Register.
A page appears that shows the details for your app.
- Copy the Application (client) ID value. You need this value to create the Azure AD external identity in AuthPoint.
- From the navigation menu, select Manifest.
- Select the Microsoft Graph App Manifest tab, and in the manifest editor, set the isFallbackPublicClient property to true. This property was previously called allowPublicClient.
- Click Save.
- From the navigation menu, select API permissions.
- Click Add a permission.
- Select Microsoft Graph.
- Select Application permissions.
- Select the Group.Read.All and User.Read.All application permissions.
- Select Delegated permissions.
- Select the User.Read permission.
- Click Add permissions. The permissions you add require Administrator approval. If you see the status message "Not granted for <name>", click Grant admin consent for <name>.
- From the navigation menu, select Certificates and Secrets.
- Click New client secret.
- (Optional) Type a description of the client secret.
- Select when the secret expires.
- Click Add.
Details of the new client secret appear.
- Copy the Value of the client secret. You need this value to create the Azure AD external identity in AuthPoint.
You need the Value of the client secret. This is different from the client secret ID.
Configure AuthPoint
In the AuthPoint management UI, you must add an Azure AD external identity and create one or more group syncs.
Add an External Identity
To add an external identity in the AuthPoint management UI:
- From the AuthPoint navigation menu, select External Identities.
- Click Add External Identity.
The Add External Identity page opens.
- From the Type drop-down list, select Azure AD.
Additional fields are shown.
- In the Name text box, type a descriptive name for the external identity.
- In the Application ID text box, type the Application (client) ID value from Azure AD.
- In the Domain text box, type the domain name for your Azure AD. If you have not created custom domain names, the default format is example.onmicrosoft.com.
- In the Client Secret text box, type the client secret that you copied from Azure AD.
- From the Synchronization Interval drop-down list, specify how often you want to synchronize users from Azure AD. If you select Every 24 hours, you must also specify what time the synchronization starts each day.
For Azure AD external identities that you configure to sync once every 24 hours, the Synchronization Interval time is in UTC. For example, if someone in Seattle Washington (PST) configures their Azure AD external identity to sync every 24 hours at 10:00 PM, the sync occurs at 2:00 PM PST (UTC -8).
- Click Save.
Test the Connection to the External Identity
To test the connection to your external identity:
- From the navigation menu, select External Identities.
- Next to the external identity you added for your Azure AD database, click and select Check Connection.
A message appears that indicates if AuthPoint can communicate with Azure AD.
Sync Your Users
After you create an external identity for your Azure AD, you must add a group sync to specify:
- The Azure AD groups to sync users from
- The AuthPoint group to add the users to
- Whether to create new groups in AuthPoint based on the Azure AD groups that you sync users from
- Whether to have AuthPoint create a mobile token for the synced users and send an email to the synced users to activate their mobile token
In most cases, we recommend that you assign a token to users and send them the Token Activation email. User accounts need a token to authenticate with AuthPoint. You might choose not to do this for users that use hardware tokens for authentication, or for service accounts that bypass MFA with basic authentication.
After you add a group sync, AuthPoint syncs with your Azure AD database at the next synchronization interval and creates an AuthPoint user account for each user identified by the group sync. If the group sync returns more users than you have available AuthPoint licenses, the sync only creates as many users as your license supports.
We recommend that you do not add the same LDAP group to multiple group syncs or create multiple group syncs that include the same LDAP user.
Users that do not have a first name, user name, and email address in Azure AD are not included in the synchronization.
Before you sync users, make sure that each user account has a valid email address. If the email address for a user account is not correct, the user cannot receive the email message to activate a token. If a user identified by your query has the same email address as a different, existing AuthPoint user account, AuthPoint does not sync the external user.
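The sync rules described above (users missing a first name, user name, or email are skipped; a duplicate email blocks the user; the license count caps how many accounts are created; only the selected Azure AD groups are created) can be checked before you run a group sync. The following Python is an added example, not WatchGuard's code: it applies those rules to Microsoft Graph style user records (givenName, userPrincipalName, mail) and constructed sample data.

```python
# Added example, not WatchGuard's code: a pre-sync check that applies the
# documented AuthPoint sync rules to Microsoft Graph style user records
# (givenName, userPrincipalName, mail). All sample data below is constructed.
def plan_sync(azure_users, memberships, sync_groups, existing_emails,
              licenses_available, create_synced_groups):
    created, skipped = [], {}
    used_emails = {e.lower() for e in existing_emails}
    in_scope = {upn for g in sync_groups for upn in memberships.get(g, ())}
    for u in azure_users:
        upn = u.get("userPrincipalName")
        if upn not in in_scope:
            continue  # not a member of any group selected in this sync
        # Users without a first name, user name, and email are not synced.
        if not (u.get("givenName") and upn and u.get("mail")):
            skipped[upn] = "missing givenName, userPrincipalName or mail"
            continue
        # An email already used by an AuthPoint user blocks that user's sync.
        email = u["mail"].lower()
        if email in used_emails:
            skipped[upn] = "email already used by another AuthPoint user"
            continue
        # Only as many users as there are free licenses are created.
        if len(created) >= licenses_available:
            skipped[upn] = "no AuthPoint license available"
            continue
        used_emails.add(email)
        created.append(upn)
    # Only the Azure AD groups selected in the sync are created in AuthPoint;
    # other groups a synced user belongs to are not.
    groups = list(sync_groups) if create_synced_groups else []
    return {"created": created, "skipped": skipped, "groups": groups}

# Constructed sample tenant: five users, three groups.
SAMPLE_USERS = [
    {"givenName": "Ana", "userPrincipalName": "ana@example.onmicrosoft.com", "mail": "ana@example.com"},
    {"givenName": "",    "userPrincipalName": "bo@example.onmicrosoft.com",  "mail": "bo@example.com"},
    {"givenName": "Cy",  "userPrincipalName": "cy@example.onmicrosoft.com",  "mail": "ana@example.com"},
    {"givenName": "Di",  "userPrincipalName": "di@example.onmicrosoft.com",  "mail": "di@example.com"},
    {"givenName": "Ed",  "userPrincipalName": "ed@example.onmicrosoft.com",  "mail": "ed@example.com"},
]
SAMPLE_MEMBERS = {
    "Finance": ["ana@example.onmicrosoft.com", "bo@example.onmicrosoft.com", "cy@example.onmicrosoft.com"],
    "IT": ["di@example.onmicrosoft.com", "ed@example.onmicrosoft.com"],
    "HR": ["ed@example.onmicrosoft.com"],
}

if __name__ == "__main__":
    plan = plan_sync(SAMPLE_USERS, SAMPLE_MEMBERS, ["Finance", "IT"],
                     ["it-admin@example.com"], 2, True)
    print(plan)
```

Running it with the sample data shows Bo skipped for a missing first name, Cy skipped for reusing Ana's email, Ed skipped once the two licenses are used, and HR not created because it is not part of the group sync.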
To create a group sync for Azure AD groups:
- Select External Identities.
- Next to your external identity, click and select Group Sync.
- On the Group Sync page, click Add New Azure Group to Sync.
- In the Add Azure AD Group Sync window, from the Select Azure AD Groups drop-down list, select the Azure groups you want to sync users from. You can select multiple groups.
- To create new groups in AuthPoint based on the Azure Active Directory groups that you sync users from, enable the Create new synchronized groups option toggle. If you enable this option, users sync to the new groups based on group membership in Azure Active Directory, in addition to the selected AuthPoint group.
The option to create new synchronized groups in AuthPoint does not include Azure AD groups that are not specified in the group sync. If a synced user is a member of an Azure AD group that is not specified in the group sync, that Azure AD group will not be created in AuthPoint.
To add Azure users to multiple groups in AuthPoint, enable the Create new synchronized groups toggle in your group sync and use your Azure Active Directory group structure to manage your users.
- From the Select the AuthPoint Group drop-down list, select the AuthPoint group to add the users to.
For each group sync, all users are added to the same AuthPoint group. To add Azure AD users to multiple groups, we recommend that you enable the Create new synchronized groups toggle and use your Active Directory group structure to manage your users.
- If you do not want AuthPoint to create mobile tokens for these user accounts or send an email to the users to activate their mobile tokens, clear the Automatically assign a mobile token to the synced users and Automatically send the activation email for the synced users check boxes.
You cannot change these settings after you sync the user accounts. To assign a token to a user that does not have these options selected, you must resend the Token Activation email. For more information, go to Resend Activation Email.
- Click Save.
The Add Group Sync window closes.
AuthPoint syncs with your Azure AD database at the next synchronization interval and creates an AuthPoint user account for each user identified by the group sync.
To start a sync immediately, on the External Identities page, next to the external identity, click and select Start Synchronization.
The newly created AuthPoint user accounts appear on the Users page with a green Activated status icon next to the user name. The Activated status icon indicates that the user has been created and is currently active (not blocked). You can identify users synced from an external identity by the Azure AD label in the Type column in the list of users.
Each user receives an email that they use to activate their token in the AuthPoint mobile app. When a user activates their token, you can see their token in the Token column with a green Activated status icon next to the token.
If a user does not receive the token activation email, you can send the user a new activation email so that they can activate their token. If you chose not to automatically assign a mobile token to a user, you can use this option to create a token for them and send them the token activation email. For detailed steps to resend the activation email, see Resend Activation Email.
If you enabled the Create new synchronized groups toggle, the synced groups are created in AuthPoint. The newly created groups appear on the Groups page. You can identify synced groups in the Groups list by the Azure AD label in the Type column.
If you change the name of a synced group in Azure Active Directory, the synced group in AuthPoint will automatically update to match. You cannot edit the synced groups in AuthPoint.
If you delete a group in Azure Active Directory, or if you delete the group sync, the synced group is not deleted in AuthPoint. You must manually delete the synced group in AuthPoint.