Azure Active Directory Sync

**Please note: These steps have been updated for the current version of Azure.**

Customers hosted on Office 365 may prefer to use Azure Active Directory to sync users and groups to Proofpoint Essentials. This will allow you to import:

• Active users (including both primary email address and user aliases)
• Distribution Groups
• Security groups

To proceed you will first need to create a custom application on your Microsoft Azure portal.

Azure

To create a custom application on Microsoft Azure:

  1. Log in to your Microsoft Azure portal as an admin user through https://aad.portal.azure.com
  2. Click on Azure Active Directory in the side panel
  3. Click on App Registrations
  4. Click on + New Application Registration
  5. Enter a name for the application (e.g. Proofpoint Essentials)
  6. Enter the appropriate Proofpoint Essentials interface URL into the Sign-on URL field (e.g. https://us1.proofpointessentials.com)
  7. Click on the Create button - you will be able to view this app from the App Registrations view
  8. Edit the newly created app by clicking on its display name
  9. Take note of the Application ID - this will be the CLIENT ID in Proofpoint Essentials
  10. Click on Required Permissions on the right side panel
  11. Click on Windows Azure Active Directory
  12. Ensure the following permissions are checked:
    • App Permissions:
      • Read Directory Data
    • Delegated Permissions:
      • Read all users' basic profiles
      • Read all groups
      • Read directory data 
  13. Click the Save option
  14. *IMPORTANT* Go back to the Windows Azure Active Directory section and press the Grant Permissions button just above it
  15. Navigate back to the App Edit page
  16. Click on Keys on the right side panel
  17. Enter a Key Description 
  18. From the Expires dropdown menu, choose a duration e.g. 1 year
  19. Click on the Save option
  20. *IMPORTANT* The Key value will be displayed when you save the changes. Copy down the key value, as you will NOT be able to retrieve it after leaving the page. 
    • Note: If you forget to copy the key value, delete the key and re-do steps 16 onwards

Proofpoint

To configure Azure Active Directory connection settings within the Proofpoint console:

  1. Navigate to the appropriate Proofpoint Essentials interface URL e.g. https://us1.proofpointessentials.com 
  2. Log in using your email address and password
  3. From this view, click on Company Settings (note: the default view post-login usually includes Company Settings)
  4. Under Company Settings, click Import Users
  5. From this view, you will see multiple options. Click on Azure Active Directory
  6. Set the Default New User Role to either End User or Silent User
    • End Users: can log in to the Proofpoint Admin Console and receive Quarantine Digests
    • Silent Users: do not have access to the Proofpoint Essentials Admin console, nor do they receive Quarantine Digests
  7. Enter the Primary Domain of the Office 365 organization in which you created the custom Azure web application
  8. Enter the Client ID - the unique identifier which is generated with the creation of the web application
  9. Enter the Key - the unique value which is generated with the creation of the web application
  10. Choose What to Sync by checking/unchecking the following fields:
    • Active Users
    • Distribution Groups
    • Security Groups
  11. Choose How to Sync by checking/unchecking the following fields:
    • Add Users - Creates new user accounts for newly synced active users
    • Update Users - Updates existing user accounts for previously synced mailboxes
    • Add Groups - Creates new groups/functional accounts for newly synced groups
    • Update Groups - Updates existing groups for previously synced groups
    • Remove Deleted Users - Removes user accounts for mailboxes that no longer exist
    • Remove Deleted Groups - Removes groups/functional accounts for groups that no longer exist
  12. Choose When to Sync by selecting from the options under the Sync Frequency dropdown menu
    • 1 hour
    • 3 hours
    • 6 hours 
    • 12 hours
    • 24 hours 
  13. Click the Save button at the bottom of the page. The page will refresh and a prompt will confirm that the settings have been saved. 

Once you complete this step Proofpoint Essentials will connect and sync data from your Office 365 environment based on the frequency you chose. You may want to execute a manual sync to validate the data being returned.

To perform an ad-hoc/manual Azure Active Directory sync:

  1. On the Proofpoint Essentials Admin Console, navigate to Company Settings -> Users & Groups
  2. Click on Azure Active Directory Sync
  3. Choose What to Sync (same as above)
  4. Choose How to Sync (same as above)
  5. Click on the Search button
    • The results of the sync will be organized into categories. Review the results and uncheck any changes you do not want to take effect.
    • Note: the automatic sync does not allow manual intervention to take place, so make sure the preferences defined on the Azure Active Directory page are accurate.
  6. Click on Execute

Azure Sync error: Insufficient privileges to complete the operation

If the required permissions aren't enabled, the Azure sync will throw an error like the one below:

[Authorization_RequestDenied] Insufficient privileges to complete the operation

Ensure that the user role within Azure is correct (Global/Company Admin). Also ensure that the application has the correct permissions within the Azure management portal:

• Application Permissions: Read Directory Data
• Delegated Permissions: Read all users' basic profiles
• Delegated Permissions: Read all groups
• Delegated Permissions: Read directory data

How to modify permissions within Azure:

Log in to the Azure Active Directory admin centre, then:

  1. Click All settings
  2. Click 'Required permissions', then click 'Windows Azure AD'
  3. Set the appropriate permissions under 'APPLICATION PERMISSIONS' and 'DELEGATED PERMISSIONS' (the ones shown in the sync error)
  4. Additionally, make sure the option 'Sign in and read user profile' under 'DELEGATED PERMISSIONS' is set to 'No'
  5. Click Save under 'Enable Access', then immediately click Grant Permissions
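As an added example (not part of this article and not Proofpoint's or Microsoft's code), the following Python script lets an admin validate the application registration before handing the Key to Proofpoint: it takes the same three values the Proofpoint page asks for (Primary Domain, Client ID, Key), reads the directory the way an app-only client does, sorts the returned objects into the three What to Sync categories (active users with primary address and aliases, distribution groups, security groups), and translates the Authorization_RequestDenied error quoted above into the permission fix this article prescribes. It assumes the sync uses the OAuth2 client-credentials flow against the Azure AD Graph API (graph.windows.net, api-version 1.6) and that a group which is both mail- and security-enabled is imported as a security group; the SAMPLE_* directory objects are constructed so the script also runs offline.

```python
"""Pre-flight check for the Azure AD app registered for the Proofpoint
Essentials sync (added example, not Proofpoint's or Microsoft's code).
ASSUMPTIONS: client-credentials flow against Azure AD Graph (api-version 1.6);
a mail-enabled security group is a security group. SAMPLE_* is constructed."""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"
GRAPH_URL = "https://graph.windows.net/{tenant}/{path}?api-version=1.6"

# Azure AD Graph error code -> the fix this article prescribes for it.
REMEDIES = {
    "Authorization_RequestDenied": (
        "Grant the app 'Read Directory Data' under Windows Azure Active "
        "Directory application permissions, save, then press Grant Permissions."
    ),
}


def classify_graph_error(body):
    """Map an Azure AD Graph OData error body to (code, remedy)."""
    try:
        err = json.loads(body)["odata.error"]
        code, message = err["code"], err["message"]["value"]
    except (ValueError, KeyError, TypeError):
        return "UnparseableError", body[:200]
    return code, REMEDIES.get(code, "Unhandled Graph error: " + message)


def get_app_token(tenant, client_id, client_secret):
    """App-only token: exactly what Primary Domain, Client ID and Key feed."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # the Key copied at step 20
        "resource": "https://graph.windows.net",
    }).encode()
    with urllib.request.urlopen(TOKEN_URL.format(tenant=tenant), data=form) as r:
        return json.load(r)["access_token"]


def graph_get(tenant, token, path):
    """GET one collection; on an HTTP error raise PermissionError with remedy."""
    req = urllib.request.Request(GRAPH_URL.format(tenant=tenant, path=path),
                                 headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req) as r:
            return json.load(r)["value"]
    except urllib.error.HTTPError as e:
        code, remedy = classify_graph_error(e.read().decode("utf-8", "replace"))
        raise PermissionError("[%s] %s" % (code, remedy)) from e


def plan_sync(users, groups):
    """Sort directory objects into the three What to Sync buckets.
    Enabled accounts only; 'SMTP:' proxy address is primary, 'smtp:' are aliases."""
    active_users = []
    for u in users:
        if not u.get("accountEnabled"):
            continue
        primary, aliases = u.get("mail"), []
        for addr in u.get("proxyAddresses", []):
            if addr.startswith("SMTP:"):
                primary = addr[5:]
            elif addr.startswith("smtp:"):
                aliases.append(addr[5:])
        if primary:  # an account with no address cannot be imported
            active_users.append({"primary": primary, "aliases": aliases})
    distribution = [g["displayName"] for g in groups
                    if g.get("mailEnabled") and not g.get("securityEnabled")]
    security = [g["displayName"] for g in groups if g.get("securityEnabled")]
    return {"active_users": active_users, "distribution_groups": distribution,
            "security_groups": security}


# Constructed sample objects in Azure AD Graph shape (not real tenant data).
SAMPLE_USERS = [
    {"accountEnabled": True, "mail": "alice@example.com",
     "proxyAddresses": ["SMTP:alice@example.com", "smtp:a.liddell@example.com"]},
    {"accountEnabled": False, "mail": "carol@example.com"},   # disabled: skipped
    {"accountEnabled": True, "proxyAddresses": ["SMTP:bob@example.com"]},
    {"accountEnabled": True},                                  # no address: skipped
]
SAMPLE_GROUPS = [
    {"displayName": "Sales DL", "mailEnabled": True, "securityEnabled": False},
    {"displayName": "IT Admins", "mailEnabled": False, "securityEnabled": True},
    {"displayName": "Finance", "mailEnabled": True, "securityEnabled": True},
]

if __name__ == "__main__":
    if len(sys.argv) == 4:  # <primary-domain> <client-id> <key>
        tenant, client_id, key = sys.argv[1:4]
        try:
            token = get_app_token(tenant, client_id, key)
            users = graph_get(tenant, token, "users")
            groups = graph_get(tenant, token, "groups")
        except PermissionError as e:
            sys.exit(str(e))  # e.g. "[Authorization_RequestDenied] Grant the app ..."
    else:  # no credentials given: demonstrate on the constructed sample
        users, groups = SAMPLE_USERS, SAMPLE_GROUPS
    print(json.dumps(plan_sync(users, groups), indent=2))
```

Run it with no arguments to see the categorisation on the constructed sample, or with the Primary Domain, Client ID and Key to exercise the real tenant; a 403 from the directory surfaces as the bracketed error code this article shows, followed by the permission fix. Two operational points follow from the script: the Key is a bearer credential for read access to the whole directory, so keep it in a secret store rather than a shell history, and the expiry chosen at step 18 is the date on which the sync stops working, so record it and rotate the key (delete it and repeat steps 16 onwards) before then.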