Azure Active Directory Sync Guide – New API Version

Situation – You want to integrate Azure Active Directory with Spambrella/Proofpoint to sync your user base.

Solution – Following the steps outlined below will allow you to configure and integrate Azure Active Directory:

  • Creating the custom Application in Azure.

  • Configuring Azure within Spambrella/Proofpoint interface.

Azure Active Directory Sync

Please note:

  • These steps have been updated based on the current version of Azure.

  • The account creating the credentials must be a Global Administrator.

  • Keep in mind the Legacy API at the bottom of the New Registration page also works.

Customers hosted on Office 365 may prefer to use Azure Active Directory to sync users and groups. This will allow you to import:

  • Active users (including both primary email address and user aliases)
  • Distribution Groups
  • Security groups

Spambrella only allows connection to one AD at a time. Multiple sources cannot be managed at this time.

Step 1: Creating The Custom Application In Azure

  1. Login to your Microsoft Azure portal as an admin user through https://aad.portal.azure.com
  2. Navigate to Azure Active Directory > App Registrations > + New Registration>
  3. Enter a name for the application (i.e. Spambrella Azure Sync).
  4. Under Supported account types leave the default of Accounts in this organizational directory only (COMPANY NAME).
  5. Under the Redirect URI (optional)
    1. Leave the default of Web.
    2. Enter the appropriate Spambrella interface URL into the Sign-on url field (i.e. https://spambrella.cloud-protect.net). Contact support@spambrella.com if unsure.
  6. Click Register.

    You will now be able to view this app from the App Registrations view.

  7. Copy your Application ID for future use. This will be the Application ID in Spambrella.

Permissions

Azure Active Directory Graph under Supported Legacy APIs can work with existing setups. For new setups, or if your old setup is on the Azure AD Graph, you should use the Microsoft Graph API. This is the Microsoft Graph API at the top of the page. If your credentials stop working, or you get the error, “Failed to connect. Please check your Azure Credential” it could be you are pointed to the older legacy API (Azure Active Directory Graph). In this case you will need to setup the Microsoft API Graph.

Additionally, If you get the credentials error- “We have come across a problem, and cannot continue. Please contact support quoting ‘code displayed here’ if this problem persists.” Please create a new Azure App on the Azure admin area and then add the credentials into the portal under “Administration- User ManagementImport & SyncAzure Directory Sync. Once entered click Save. Sync can then be run without error.

End of life for the Azure Active Directory Graph is June 30th, 2022. Click here for more details.

  1. In the Application ID just created, click on API Permissions > Add a permission > Microsoft API Graph.

    requestAPIpermission.PNG

 

  1. Ensure the following permissions are checked:

    You will want to click Add Permissions once more and choose Application Permissions.

    • Delegated Permissions:
      • Directory
        • Directory.Read.All
      • Group
        • Group.Read.All
      • User
        • User.ReadBasic.All
    • Application Permissions:
      • Directory
        • Directory.Read.All
  1. Select Add Permissions (at the bottom).
  2. Select Grant Admin Consent for <Company Name>.
  3. Select Yes at the top.

Key (Secret)

  1. Navigate to Certificates and Secrets > + New Client Secret.
  2. Enter a Key Description.
  3. Choose a duration.
  4. Click Add.

clipboard_e1b20e7fd91abbde1e5bcea136902072e.png

The Value will be displayed when you save the changes. Copy down the Value field, as you will NOT be able to retrieve it after leaving the page. The Value (in Azure AD page) will be put into the Client Secret Key field in Spambrella/Proofpoint Azure Sync page. You will get the Application ID needed to complete the credentials in the Spambrella/Proofpoint field Application (client) ID from the Overview area inside the connection.

clipboard_e3986d0e77a58d7b4e997da4d163c7596.png

– This Key WILL EXPIRE at the end of the selected duration period. After that period of time, A NEW SECRET KEY needs to be generated again.

– In Azure AD- sign-in must be enabled for accounts to be active and mail to flow.

– White-label customers may need to do an approval/consent of applications. They would be asked to give consent via cloud-protect.net. If using standard Proofpoint settings this may not be an issue. You can contact support@spambrella.com for assistance where necessary.

Step 2: Configuring Azure Within Spambrella Interface

After logging into your interface:

  1. Navigate to Administration > User Management > Import & Sync > Azure Active Directory.
  2. Set the Default New User Role to either End User or Silent User:
    – End Users Can login to the Console and receive Quarantine Digests.
    – Silent Users Do not have access to the Admin console, nor do they receive Quarantine Digests by default, but can enabled.
  3. Enter the below information:
    Primary Domain – The Primary Domain associated with your Office 365 organization custom Azure web application.
    Application (Client) ID – The unique identifier which is generated with the creation of the web application.
    Client Secret ID – The secret value which is generated with the creation of the secret key.
  4. Choose What to Sync by checking/unchecking the following fields:
    • Active Users
    • Distribution Groups
    • Security Groups
  5. Choose How to Sync by checking/unchecking the following fields:
    Add Users – Creates new user accounts for newly synced active users.
    Update Users – Updates existing user accounts for previously synced mailboxes.
    Add Groups – Creates new groups/functional accounts for newly synced groups.
    Update Groups – Updates existing groups for previously synced groups.
    Remove Deleted – Users Removes user accounts for mailboxes that no longer exist.
    Remove Deleted Groups – Removes groups/functional accounts for groups that no longer exist.
  6. Choose When to Syncby selecting from the options under the Sync Frequencydropdown menu.
    • 1 hour
    • 3 hours
    • 6 hours
    • 12 hours
    • 24 hours

If there is no Tech Contact defined in your Spambrella Dashboard (Administration- Account Management- Profile-Tech Contact) eventually the system will change the Azure Active Sync Frequency back to the Never setting automatically.

There will be a report that is sent daily called the Azure AD Summary report that cannot be disabled. This is due to notify that the service is running and is a system audit. The only way to stop these is to set the frequency of the sync to never.

7. Click Save at the bottom of the page. The page will refresh and a prompt will confirm that the settings have been saved.

Press Save Button

Do not press the Search Now immediately. Ensure that all your settings are saved first and save it. After it has saved, proceed with the Manual Sync below.

Manual Sync

  • Proxy Address
    Accounts with no proxyAddresses assigned will not be detected by the Proofpoint Essentials Azure pull. If you do not find the email in the ProofPoint side, please check Azure to ensure at least 1 proxyAddress has been assigned.

Once you complete the above steps, Spambrella will connect and sync data from your Office 365 environment based on the frequency you chose. You may want to execute a manual sync to validate the data being returned.

To perform an ad-hoc/manual Azure Active Directory sync:

  1. Navigate to Administration > User Management > Import & Sync > Azure Active Directory.
  2. Choose What to Sync(same as above).
  3. Choose How to Sync(same as above).
  4. Click Search Now.

The results of the sync will be organized into categories. You should review the results and uncheck any changes you do not want to take effect.

The automatic sync does not allow manual intervention to take place. Make sure the preferences defined on the Azure Active Directory page are accurate.

  1. Click Sync Active Directory.

If you try to manually sync and encounter an error, check out our article Azure AD Permissions Error.

How To Log In With A Microsoft Account

Prerequisites:

  • You must have user with valid email Microsoft credentials.
  • A matching email/alias account in the Spambrella interface.
  • Enable Microsoft account login, ensure Disable login with Microsoft credentials is disabled under Administration > User Management > Import & Sync > Azure Active Directory

clipboard_e9423925fa47b83e5a1b0d0cd2bf30c0f.png

Logging In With Microsoft 365 

  1. Go to your Spambrella account login page.
  2. Enter your Username (email address) and click Login.
  3. You will be redirected to a Microsoft account login page.
  4. Enter your Microsoft credentials.
  5. If successful, login will redirect you back to Spambrella and you will be automatically signed into your account.

Enabling this feature will direct all users (including administrators) to login using their Microsoft account. If Microsoft is unavailable, users will be redirect to the Spambrella account login page and asked to login with their Spambrella credentials.

If there is a problem with the Microsoft SSO, a custom parameter can be passed to utilize standard authorization.

Manual Login With Microsoft Account 

We will continue to allow users to manually authenticate using their Microsoft account.

  1. Go to your Spambrella account login page.
  2. Enter your Username (email address) and click Login.
  3. Click Sign in with Microsoft.
  4. You will be redirect to a Microsoft account login page.
  5. Enter your Microsoft credentials.
  6. If successful, login will redirect you back to Spambrella and you will be automatically signed into your account.

O365 Auth

How to log in with an Office 365 Account