This guide will help you set up an application in Microsoft Azure/Entra AD that allows RESPONSUM to read user information from the AD and create user accounts for those users within RESPONSUM. The sync can run automatically on a set interval or be triggered manually from the AD sync sub-menu.
NOTE: This sync flow only works with Azure/Entra AD setups. On-premise Active Directory installations are not supported by RESPONSUM.
NOTE: If no filter/filter type is set in RESPONSUM, this integration imports all users known to your Active Directory, including external accounts that have been given access to your services and therefore exist in your AD. Be careful with this integration: it can import more users than you anticipated, so check with your IT administrator beforehand.
NOTE: On the next AD sync, RESPONSUM archives users that were previously added by AD sync but are no longer found in the Active Directory.
Pre-requisites to get started
- Permissions as “accountable” on the “User Management” module or on the specific “AD sync configuration” sub-module
- Knowledge of your Azure/Entra ID environment and an account with elevated rights to allow you to make an “App registration”
- An idea of which users/groups you want to import into RESPONSUM, so that the set of imported users can be limited to those who need to log in to RESPONSUM.
Fast-track to Brilliance
- Select the “Settings” menu in the main menu bar (Gear icon)
- Hover over the sub-section “User management”
- Select “AD sync configuration”
- Give your configuration a name
- Set a filter type: either “Users” (Graph filters applied on the users endpoint) or “Groups” (Graph filters applied on the groups endpoint)
- Note: You do not have to include any “$select” statement in the query
- Set a filter statement using the Microsoft Graph filter structure (More info here)
- Select if you want to schedule or manually trigger the AD sync runs
- Create an app registration with Microsoft Entra to gain the necessary details (More details on the app creation below)
- Fill out the Client ID, Client Secret and Directory (Tenant) ID you got from the registered app
- Start mapping properties from Azure/Entra AD users to “User” fields within RESPONSUM
- You can append as many rows for mapping as needed to map all details
- You can select any custom property in AD by selecting “Set Custom field” in the left AD column
- You can create custom fields within RESPONSUM to map properties to by using the “+” button in the right RESPONSUM fields column
- Set the initial properties
- If, in the initial properties, you specify that the users should not be added as “Guest users”, they will be added as “Promoted users”. In the next section you can define the “Default permissions” assigned to all users added via this AD sync configuration.
- Save the configuration
- If you selected a schedule, the AD configuration will now run on the set interval. If you selected “Manual”, press “Start a manual sync” to sync the users to RESPONSUM.
Step-by-step guidance
Setup of the Azure/Entra AD “App registration”
- Create a new Active Directory Application via the “App registration” portion of the Azure Portal or Entra Portal (the steps are similar in both; the screenshots below show the Azure portal)
- This application can be named however you like (e.g. “RESPONSUM AD Sync”). Select the “Accounts in this organizational directory only” option for the “Supported account types” and “Register” the application.
- On the overview page of the newly created application, you will see the following two parameters:
- Application (Client) ID
- Directory (Tenant) ID
- Note these down or remember where to find them, as you will need to enter them into RESPONSUM later on.
- The next thing to create is a Client Secret that RESPONSUM can use to access the API and read user/group information. This can be done from the same overview page by clicking “Add a certificate or secret”. On the newly opened “Certificates & Secrets” page, select “New Client Secret” to create the new secret. Give the secret a description (e.g. “RESPONSUM App secret”) and keep the default expiration date or choose your own.
- NOTE: Remember to renew this secret before the expiration date you set; otherwise the sync will stop working.
- Copy and temporarily store this secret somewhere, as it is only shown once, immediately after its creation. It needs to be entered into RESPONSUM later.
- The next step is to give RESPONSUM the correct permissions to use the API to read User/Group information from your AD. This is done in the API Permissions sub-section of your created application. By default, only the Microsoft Graph “User.Read” permission is present.
- Extend this with the “User.Read.All” and “Group.Read.All” permissions. Add them by pressing “Add a permission”, then “Microsoft Graph” >> “Application permissions”. Search for “User” and afterwards “Group” to find the user- and group-specific permissions:
- Once the permissions are set, you need to grant admin consent for your organization so that the new permissions can be used. Do this by pressing “Grant Admin consent for <Organization name>”:
- NOTE: Make sure that you use an account with sufficient permissions to be able to grant this access.
Configure the “AD sync configuration” within the RESPONSUM UI
- Select the “Settings” menu in the main menu bar (Gear icon)
- Hover over the sub-section “User management”
- Select “AD sync configuration”
- Give your configuration a name (This can be the same name as your application in Azure/Entra AD)
- Set a filter type: either “Users” (Graph filters applied on the users endpoint) or “Groups” (Graph filters applied on the groups endpoint)
- Note: You do not have to include any “$select” statement in the query
- Set a filter statement using the Microsoft Graph filter structure (More info here)
- Select if you want to schedule or manually trigger the AD sync runs
- Fill out the Client ID, Client Secret and Directory (Tenant) ID you got from the registered app with Azure/Entra AD (See previous step)
- Start mapping properties from Azure/Entra AD users to “User” fields within RESPONSUM
- You can append as many rows for mapping as needed to map all details
- You can select any custom property in AD by selecting “Set Custom field” in the left AD column
- You can create custom fields within RESPONSUM to map properties to by using the “+” button in the right RESPONSUM fields column
- Set the initial properties
- If, in the initial properties, you specify that the users should not be added as “Guest users”, they will be added as “Promoted users”. In the next section you can define the “Default permissions” assigned to all users added via this AD sync configuration.
- Save the configuration
- If you selected a schedule, the AD configuration will now run on the set interval. If you selected “Manual”, press “Start a manual sync” to sync the users to RESPONSUM.
If you have any questions related to this guide or this way of working, please reach out to support@responsum.eu for assistance.