黑料海角91入口

Microsoft 365 / Entra ID Directory Sync

The Microsoft 365 (M365)/Entra ID Cloud Directory sync integration allows for secure and persistent connectivity between 黑料海角91入口 and M365/Entra ID. The integration allows you to automatically, in real-time, provision new 黑料海角91入口 user accounts into M365/Entra ID, continuously synchronize specified user attributes from 黑料海角91入口 to M365/Entra ID, manage security groups, and take over management of existing user accounts and security groups in M365/Entra ID from 黑料海角91入口. In addition, admins can import users from M365/Entra ID into 黑料海角91入口 through the M365/Entra ID Directory Sync or import and continuously synchronize user attributes using an Entra ID SCIM integration.

Important Considerations

  • You will need to reactivate the sync integration if any of the following occur:
    • The token has expired
    • The token has become invalid
    • The global admin account used to authorize the integration is disabled/has sign-in blocked
    • The person who configured the integration has left the organization or has changed roles 
  • Reactivating an integration does not disconnect users or groups from the M365/Entra ID integration. It creates a new access token for the integration

Adding and authorizing an M365/Entra ID Sync Integration

Creating an integration between 黑料海角91入口 and M365/Entra ID starts with adding the M365/Entra ID integration in the Cloud Directories page of the Admin Portal. Once added, you authorize M365/Entra ID Directory synchronization. After you authorize sync, you must validate your password expiration setting in Microsoft.

Warning:

Don't authorize the same M365/Entra ID domain in multiple M365/Entra ID directory sync instances. If you do, users that are given access to multiple M365/Entra ID directory instances that are connected to the same domain could be suspended if you remove access from one of the instances. You can avoid this by deactivating sync for all but one of the M365/Entra ID directory sync instances for a single domain. Be aware that after you deactivate sync for an M365/Entra ID directory instance, that sync integration is permanently deleted and cannot be recovered.

To add and authorize M365 Sync integration in 黑料海角91入口

  1. Log in to the .
  2. Go to Directory Integrations > Cloud Directories.
  3. Click ( + ).
  4. Select M365/Azure AD. 
  5. Give the directory a unique name.

Important:

You'll receive an error and won't be able to proceed if:

  • You use invalid characters.
  • You don't specify a unique name for the directory.
  • The name is more than 255 characters.
  • The name only contains whitespace.
  6. Click authorize sync.
  7. 黑料海角91入口 opens a session for you to log in to Microsoft Online. Log in with an administrator account.
  8. Optionally, choose whether to stay signed in. Click No or Yes.
  9. Microsoft shows the items 黑料海角91入口 needs permissions to access. Click Accept.

Validating the Password Expiration Setting in Microsoft

After account synchronization is established between 黑料海角91入口 and M365/Entra ID, perform the following steps to make sure 黑料海角91入口 is the authority for password expiration for users in M365/Entra ID.

To check Microsoft’s password expiration setting

  1. In the M365 admin center, navigate to Settings > OrgSettings > Security & privacy.
  2. Select Password expiration policy.
  3. Ensure that Set passwords to never expire (recommended) is selected.
  4. Click Save.

Importing M365 Users

After you authorize sync with Microsoft, a modal opens with a list of existing active Microsoft user accounts.

You can close this tab to import accounts at a later time, or you can continue importing accounts now.

For more information and instructions for manually importing users, see Sync Users and Groups to Microsoft 365 / Entra ID

For more information about importing and syncing users from M365/Entra ID in real-time using a SCIM integration, see Configure Real-time User Provisioning from Entra ID.

M365/Entra ID Synchronization Configuration and Maintenance

There are a few more steps to complete the M365/Entra ID Cloud Directory Synchronization Integration setup. 

Enabling Management of Security Groups and Memberships

Simplify access control using group management from 黑料海角91入口. Create and update group names and membership in M365/Entra ID from 黑料海角91入口.

To enable security groups and membership management

  1. Log in to the .
  2. Go to Cloud Directories.
  3. Click the M365/Entra ID directory instance in which you want to create and manage the group(s).
  4. Check the box for Enable management of Security Groups and memberships in M365/Azure AD.
  5. Click save.
  6. From the User Groups tab, select the groups you want to manage.
  7. Click save.

To disable security groups and membership management

  1. Log in to the .
  2. Go to Cloud Directories.
  3. Click the M365/Entra ID directory instance in which you want to create and manage the group(s).
  4. Uncheck the box for Enable management of Security Groups and memberships in M365/Azure AD.
  5. In the confirmation modal, click continue
  6. Click save.

Note:

Disabling group management will leave the groups as-is in M365/Entra ID and stops managing membership.

Managing Domain(s)

Specify one or more domains as part of the integration configuration to have more granular control over which user accounts sync and how the translation rule for the email to User Principal Name (UPN) mapping is applied. There are three (3) possible configurations: no domains, a list of one or more domains but no default, and a list of one or more domains with one of those domains used as a default for the UPN translation rule. Each configuration is described in more detail below.

  • If no domains are configured, the user's mapped email (company or alternate) is not checked and is sent as is. The user syncs as long as their email domain matches one of the verified domains in the M365/Entra ID instance
  • If one or more domains is configured and No default. Only users with matching domains sync is selected, the user's mapped email default (company or alternate) is checked against the domains listed. Only users with matching email domains are synced
  • If one or more domains is configured and one of the domains is selected to Use as default, the user's mapped email default (company or alternate) is checked against the domains listed:
    • If the domain matches one of the domains in the list, the email address is sent as is
    • If the domain does not match one of the domains in the list, the email value sent as the UPN will be the username portion of the source email address (Company or Alternate Email) and the default domain

Examples of how domains are used by the integration.

| Domains Configuration | Source email (黑料海角91入口 Company Email) | Sync results | Primary Email value sent to Cloud Directory |
| --- | --- | --- | --- |
| No domains | [email protected] | Synced | [email protected] |
| | [email protected] | Synced | [email protected] |
| | [email protected] | Sync failed | [email protected] |
| Domains list = (mydomain.com, alternatedomain.com) & no default selected | [email protected] | Synced | [email protected] |
| | [email protected] | Synced | [email protected] |
| | [email protected] | N/A - user skipped | N/A |
| Domains list = (mydomain.com, alternatedomain.com) & mydomain.com selected to use as default | [email protected] | Synced | [email protected] |
| | [email protected] | Synced | [email protected] |
| | [email protected] | Synced | [email protected] |
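
The three domain configurations described above can be modeled in a few lines. This is an added example, not the product's own code: the function names, the `other.example` domain and the sample addresses are constructed for illustration, and the verified-domain list stands in for what the M365/Entra ID tenant would report. It also goes one step beyond the text by listing source emails that the default-domain rule maps to the same UPN, which is worth reviewing before selecting a default.

```python
from collections import defaultdict

def translate_upn(email, domains=(), default=None, verified=()):
    """Model of the email-to-UPN rule: returns (outcome, value sent as UPN)."""
    local, _, domain = email.strip().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    configured = {d.lower() for d in domains}
    if default is not None and default.lower() not in configured:
        raise ValueError("default must be one of the configured domains")
    if not configured:
        # No domains configured: the email is sent as is and syncs only if
        # its domain is a verified domain in the M365/Entra ID instance.
        ok = domain.lower() in {v.lower() for v in verified}
        return ("synced" if ok else "sync failed", f"{local}@{domain}")
    if domain.lower() in configured:
        return ("synced", f"{local}@{domain}")        # match: sent as is
    if default is None:
        return ("skipped", None)                      # no default: user skipped
    return ("synced", f"{local}@{default}")           # rewritten to default domain

def upn_collisions(emails, domains, default):
    """Source emails that end up with the same UPN under a default domain."""
    by_upn = defaultdict(list)
    for email in emails:
        outcome, upn = translate_upn(email, domains, default)
        if outcome == "synced":
            by_upn[upn.lower()].append(email)
    return {upn: src for upn, src in by_upn.items() if len(src) > 1}

# Constructed sample data (assumptions, not values from the page).
DOMAINS = ("mydomain.com", "alternatedomain.com")
VERIFIED = DOMAINS
USERS = ["alice@mydomain.com", "alice@other.example", "bob@alternatedomain.com"]

if __name__ == "__main__":
    for user in USERS:
        print(user, "->", translate_upn(user, DOMAINS, "mydomain.com"))
    print("collisions:", upn_collisions(USERS, DOMAINS, "mydomain.com"))
```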

To add domains

  1. Log in to the .
  2. Go to Cloud Directories.
  3. Click the M365/Entra ID directory instance.
  4. Click +Add Domain.
  5. Click the dropdown menu.
  6. Select one of the domains from the list.

Note:

The list is pulled dynamically from M365/Entra ID and only includes verified domains. The domain noted with (default) is the domain specified as the default in M365/Entra ID, which is separate from the ‘Use as default’ option within the integration configuration in 黑料海角91入口.

  7. Repeat steps 4-6 to add additional domains.
  8. Click the radio button next to one of the domains to use that domain for the UserPrincipalName translation rule.
  9. Click save.

To set one of the domains as the default for the integration

  1. Log in to the .
  2. Go to Cloud Directories.
  3. Click the M365/Entra ID directory instance.
  4. Click Edit Domains.
  5. Click the radio button next to one of the domains to use that domain for the UserPrincipalName translation rule.
  6. Click save.

To edit the domains list

  1. Log in to the .
  2. Go to Cloud Directories.
  3. Click the M365/Entra ID directory instance in which you want to create and manage the group(s).
  4. Click Edit Domains
  5. Click the radio button next to one of the domains to use that domain for the UserPrincipalName translation rule
  6. Click save.

To change which domain is used as the default for the integration

  1. Log in to the .
  2. Go to Cloud Directories.
  3. Click the M365/Entra ID directory instance.
  4. Click Edit Domains
  5. Click the domain name and make a new selection
  6. Click +Add Domain
  7. Click the dropdown menu
  8. Select one of the domains from the list
  9. Repeat steps 5-8 until all changes have been made
  10. Click save.

To remove domains from the list

  1. Log in to the .
  2. Go to Cloud Directories.
  3. Click the M365/Entra ID directory instance in which you want to create and manage the group(s).
  4. Click Edit Domains
  5. Click the trash icon next to the domain you want to remove from the list
  6. Click save.

To change from using a default to not specifying a default domain

  1. Log in to the .
  2. Go to Cloud Directories.
  3. Click the M365/Entra ID directory instance.
  4. Click Edit Domains
  5. Click the radio button next to No default. Only users with matching domains sync.
  6. Click save.

Configuring Attribute Mapping and Settings

You can control which attributes sync from the Attribute mapping and settings. For more information, see Sync User Attributes to M365.

Giving 黑料海角91入口 Users Access to M365

After you authorize sync for a M365 directory, complete the configuration, and, optionally, import users, you can specify users to manage by associating 黑料海角91入口 users and groups to the M365 directory instance.

Considerations

  • M365/Entra ID group management is only supported for security groups at this time

To connect individual users to an M365 directory

  1. Log in to the .
  2. Go to User Management > Users.
  3. Select the Directories tab.
  4. Select the M365 directory you want to connect the user to.
  5. Click save user.
  6. Synchronization is initiated.

Note:

This will cause users to be logged out of all 365 apps.

Sync Behavior

  • If the user didn't previously exist in Microsoft, and their email matches the M365 directory domain, a new, active user account is provisioned to Microsoft
  • If the user resets their 黑料海角91入口 password, it's synced to Microsoft. When set, existing Microsoft sessions expire and the user must log in again

After you connect a user to an M365 directory, the flow differs slightly for new and active users:

Active user flow
  • An active user is a user in an “active” user state who has a password with a password status of ‘active’. After an admin binds an active user to an external directory, the user receives an email that tells them which directory they've been added to and asks them to synchronize their password by logging in to their User Portal
New user flow
  • A new user is a user in an “active” user state with a password status of “password pending.” After an admin binds a new user without a password to an external directory, the user receives a Welcome to 黑料海角91入口 (activation) email that tells them how to register their account

Connecting User Groups to an M365 Directory

To connect user groups to an M365 directory as security groups:

  1. Log in to the .
  2. Go to User Management > User Groups.
  3. Select a group to view its details.
  4. Select the Directories tab.
  5. Select the M365 directory you want to connect the group to.
  6. Click save group. Synchronization is initiated.

Note:

This will cause users to be logged out of all 365 apps.

Sync Behavior

  • See the Connecting Individual Users to an M365 Directory Sync Behavior section above for details about how members of the user group sync
  • If the Enable management of Security Groups and memberships in M365/Azure AD option is checked, groups will sync as follows:
    • If a group with the same name exists in M365/Entra ID, 黑料海角91入口 takes over the group
    • If a group with the same name does not exist in M365/Entra ID, a group is created in M365/Entra ID
    • If there is more than one group with the same name in M365/Entra ID, a third group is created in M365/Entra ID
    • At this time, M365/Entra ID group management is only supported for security groups

M365/Entra ID Synchronization Integration Maintenance

After synchronization with a M365 directory, you can perform these maintenance tasks:

Renaming a M365 Directory

You can rename a M365 directory at any time in the Admin Portal.

To rename a M365 directory

  1. Log in to the .
  2. Go to DIRECTORY INTEGRATIONS > Cloud Directories
  3. Select the M365 directory you want to rename.
  4. Click the Pencil icon to edit the directory name.
  5. Enter a new unique name for the directory.
  6. Click outside of the name field to save the new name.

Reactivating M365 Sync

Important:

If the integration has stopped syncing, check the following. Reactivating the integration does not disconnect users or groups from the integration. You will need to reactivate the sync integration if any of the following occur:

  • The token has expired
  • The token has become invalid
  • The global admin account used to authorize the integration is disabled/has sign-in blocked
  • The person who configured the integration has left the organization or has changed roles

To reactivate sync for a M365 domain

  1. Log in to the .
  2. Go to DIRECTORY INTEGRATIONS > Cloud Directories.
  3. Select the M365 directory where you want to reactivate sync.
  4. Click Reactivate Sync.
  5. Follow Microsoft's prompts to authorize 黑料海角91入口.

Deactivating M365 Sync

If you no longer want to sync a M365 directory with 黑料海角91入口, you can deactivate sync for it. Deactivation breaks sync for a M365 directory and unbinds all connected users and groups. Only deactivate sync for an M365 directory if you no longer need it to sync with 黑料海角91入口.

Important:

After you deactivate sync for an M365 directory:

  • The following information is permanently deleted for the M365 directory, and isn't recovered by reactivating sync:
    • Name
    • Configuration
    • Connections to users, groups, and resources
    • This specific instance of M365/Entra ID in 黑料海角91入口
  • Sync ceases between 黑料海角91入口 and the M365 directory.
  • User attribute changes are no longer propagated from 黑料海角91入口 to M365.
  • All users are removed / unbound from the M365 directory in 黑料海角91入口.
  • Users will not be affected and will retain access to their respective Microsoft applications.

To deactivate sync for an M365 domain

  1. Log in to the .
  2. Go to DIRECTORY INTEGRATIONS > Cloud Directories.
  3. Select the M365 directory where you want to deactivate sync.
  4. Click Deactivate Sync.
  5. Click Deactivate Sync again. Users or groups that are bound to this directory are unbound from the directory and the 黑料海角91入口 instance is removed.

Disabling M365/Entra ID Accounts from 黑料海角91入口

For details about disabling accounts in M365/Entra ID from 黑料海角91入口, see Sync Users and Groups to Microsoft 365/Entra ID.
