Azure AD Sync

Overview

Syncro’s Azure AD integration feature enables Managed Service Providers (MSPs) to streamline their operations and provide better service to their clients by syncing data from Azure Active Directory (AD) Users to Syncro Contacts.

Benefits

  • Streamlined Contact Information: Keep all client contact information perfectly synced ensuring accurate and up-to-date records.
  • Automated Client Billing: Automate client billing based on their Microsoft License type using the Customer Contact.
  • Saving Clients Money: Lower your clients’ Microsoft bills by finding unused Microsoft licenses.
  • Audit Client Security: Quickly find clients who have low Microsoft Secure Scores or don’t have MFA turned on.

Before You Start

Before getting started, it’s very important to make sure that your Azure AD database is up to date. Syncro treats Azure AD as the source of truth, so the integration will overwrite data stored in Syncro with the data stored in Azure AD. If the field in Azure AD has no value, no overwrite will take place.

How it Works

  1. Connect Azure AD to Syncro: Easily link a Syncro Customer to their Azure AD instance, allowing seamless data transfer between the two platforms.
  2. Map Contacts to Azure AD Users: Azure AD Users are mapped to their corresponding Syncro Contacts by unique email address; fields such as email address, name, phone number, and job title are then aligned automatically.
  3. Sync Data from Azure AD to Syncro: Maintain Azure AD as the source of truth for Contact Information. Any changes made to fields like email addresses or names in Azure AD will automatically update in Syncro. Sync custom fields between Azure AD User and Syncro Contact for streamlined data synchronization.

Installation and Configuration

Detailed steps for installation of the integration are:

  1. Go to the Azure AD App Card.
  2. Click “Add a Syncro API Key for your Azure Integration”.
  3. Enter your subdomain and API Key. If you haven’t created an API Key yet, go to Admin > API Tokens, click “New Token” and create an API Token with the following permissions: Contacts All, Customers All, Documentation All.
  4. For each Customer, you’ll need access to their Azure portal. Log into the Microsoft Azure portal for that Customer and copy the Tenant ID to the clipboard.
  5. In the table in the App Card, click “Connect Azure AD” for the Customer you want to connect to Azure AD.
  6. Paste the Tenant ID and authenticate with Azure AD.
  7. Repeat steps 4-6 for each Customer you want to connect to Azure AD.

The following Custom Fields are automatically created when setting up the integration:

  • Customer Custom Fields:
    • microsoft_secure_score (text)
    • azure_licensed_user_count (text)
    • azure_active_user_count (text)
  • Contact Custom Fields:
    • azure_license (dropdown) with answers:
      • Microsoft 365 Business Basic
      • Microsoft 365 Apps for Business
      • Microsoft 365 Business Standard
      • Microsoft 365 Business Premium
    • azure_mfa_status
      • Denotes whether MFA is enabled or disabled
    • azure_mfa_methods
      • Indicates what type of MFA is enabled
    • azure_last_activity
      • Displays the last time this Azure User used their account (logged in, used Excel, etc)

You can manually trigger a sync by clicking “Modify Connection” for that Customer and clicking “Run Jobs”. Otherwise, it will automatically sync daily between midnight and 2AM pacific time.

The system maps Azure AD Users to Syncro Contacts by unique email address. If you change the email address in one place or the other, it will break the mapping for that Contact. If a Contact does not exist in Syncro for an Azure AD User, one will be automatically created.

The following fields are synced from Azure AD to Syncro Contacts:

  • Name
  • Address1
  • Address2
  • City
  • State
  • Zip
  • Business Phone
  • Mobile Phone
  • Job Title

If a field has a value in the Azure AD User, it overwrites the value in the Syncro Contact and is kept up to date going forward. If the field is blank in the Azure AD User but populated in the Syncro Contact, the Syncro value is left untouched.

Microsoft License Type and Billing

The integration creates a dropdown Custom Field on the Contact called “azure_license” which pulls the license type from the Azure AD User. It can have one of the four values that follow:

  1. Microsoft 365 Business Basic
  2. Microsoft 365 Apps for Business
  3. Microsoft 365 Business Standard
  4. Microsoft 365 Business Premium

If the Azure AD User has more than one of these licenses, the one with the higher number will be displayed.
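The following Python is an added illustrative model of the mapping, overwrite and license-precedence rules described above; it is not Syncro’s own code, and the snake_case field names and dict-based records are assumptions for the example.

```python
# Illustrative model of this page's sync rules (not Syncro code); dict records with snake_case field names are an assumption.

# The four license values the page lists, numbered as the page numbers them.
LICENSE_RANK = {
    "Microsoft 365 Business Basic": 1,
    "Microsoft 365 Apps for Business": 2,
    "Microsoft 365 Business Standard": 3,
    "Microsoft 365 Business Premium": 4,
}

# Contact fields the page says are synced from Azure AD to Syncro.
SYNCED_FIELDS = ("name", "address1", "address2", "city", "state", "zip",
                 "business_phone", "mobile_phone", "job_title")

def pick_license(skus):
    """Return the listed license with the highest number, or None.
    SKUs outside the four listed values are ignored."""
    known = [s for s in skus if s in LICENSE_RANK]
    return max(known, key=LICENSE_RANK.__getitem__) if known else None

def sync_contacts(azure_users, syncro_contacts):
    """Match users to contacts by exact email; Azure AD is the source of truth,
    but a blank Azure value never overwrites a populated Syncro value, and a
    user with no matching contact gets a new one. Returns updated contacts."""
    contacts = {email: dict(c) for email, c in syncro_contacts.items()}
    for user in azure_users:
        contact = contacts.setdefault(user["email"], {"email": user["email"]})
        for f in SYNCED_FIELDS:
            value = user.get(f)
            if value:            # non-empty Azure value wins
                contact[f] = value
        lic = pick_license(user.get("licenses", ()))
        if lic:
            contact["azure_license"] = lic
    return contacts

# Constructed sample data (not from a real tenant).
AZURE_USERS = [
    {"email": "ana@example.com", "name": "Ana Ruiz", "city": "", "job_title": "CFO",
     "licenses": ["Microsoft 365 Business Basic", "Microsoft 365 Business Premium", "Office 365 E3"]},
    {"email": "new.hire@example.com", "name": "New Hire", "licenses": []},
]
SYNCRO_CONTACTS = {
    "ana@example.com": {"email": "ana@example.com", "name": "Ana R.",
                        "city": "Austin", "mobile_phone": "555-0100"},
}

def demo():
    return sync_contacts(AZURE_USERS, SYNCRO_CONTACTS)
```

Running `demo()` shows Ana’s name and job title taken from Azure AD, her blank Azure city leaving “Austin” in place, Business Premium chosen over Basic, and a new contact created for the unmatched user.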

By having this field, MSPs can automatically bill based on how many licenses a client has using the Contact Custom Field dynamic line item counter in Syncro’s Recurring Invoice module.

Additionally, the integration syncs the Customer Custom Fields azure_licensed_user_count and azure_active_user_count. By comparing these two fields, MSPs can spot unused Azure licenses and save their clients money by removing them.

Security Audits

The integration fetches Microsoft Secure Score from Azure AD, giving MSPs an idea of how secure their client’s Azure instance is and indicating whether they need to implement new security policies.

Required API Key Permissions for Azure AD Token

  • Customers - All
  • Contacts - All
  • Documentation - All

Q & A

  • The ‘azure_mfa_status’, ‘azure_mfa_methods’, and ‘azure_last_activity’ fields aren’t populating. What causes this?
    • There are multiple potential causes of this. Follow each of these steps to ensure that these fields populate:
      1. Enable access to these fields by changing a setting in the client’s Azure instance, following the Microsoft Learn article “Microsoft 365 reports show anonymous instead of actual user names”.
      2. Make sure the contact’s endpoint has a license for either Entra P1 or Entra P2. Without this license, these fields cannot be populated. This license appears in the ‘azure_license’ field on the contact page. For more information about which Microsoft licenses include Entra P1 or P2, consult Microsoft’s documentation: https://go.microsoft.com/fwlink/?linkid=2139145&clcid=0x409&culture=en-us&country=us
      3. Make sure your Enterprise application has granted Syncro the AuditLog.Read.All permission. If you do not see it applied, click ‘Grant Admin Consent’ on the permissions page of the Enterprise Application; this adds any missing permissions it can add.

Is there any way to scope the users synced to Syncro to users who are members of a specific Azure AD security group rather than automatically pull in all tenant users?


Lots of questions about this.

  1. How are Office 365 users that are either disabled or deleted handled? Clearly this needs to be reflected in Syncro. In many of our clients we do not delete their users. Instead, they are converted to shared mailboxes. How is the status going to be handled?
  2. How are all the other license types handled? This doesn’t seem well implemented. We have a lot of clients with E5 licenses for instance.

Hello,
I don’t have the Azure AD app card in Syncro App Center.
Where can I find it?

regards
Eric

You need to subscribe to the Syncro advanced plan.

Yes, when you are setting up the sync you can specify fields to include or exclude. We use the Department field in our situation.

Are you saying that a Syncro admin can choose the Azure AD field that is used by Syncro to filter users that get synchronized into Syncro? I set the Azure AD integration up in our Syncro portal and we only have the Department field to use for filtering (Ignoring/Including) which users are synchronized.

Sorry for the confusion. For clarification we choose the departments from the Department field. I do not believe there is currently the ability to include/exclude by other fields.

It appears the instructions and video are outdated.
There is no longer a “Run Job” option when modifying a connection. How do you manually run a sync?

The instructions above do not mention the Include or Exclude Departments fields. If I leave include blank and populate exclude, will it include every field not added to exclude?

If I populate the include field and leave exclude blank, will it exclude all departments not listed in the include field?

I am also wondering how other license types are handled. Were the licenses above set as examples?

I wish I knew. Not really looked at this feature much lately as it is mostly useless to us without having other license types that our clients frequently use. Best I can tell it only picks up three license types including M E5, business premium, and business standard. It does not pick up F licenses of any kind nor the office versions of E3 and E5.

It also does not seem to update some of the other fields like mfa status either.

This also maps UPIN to email address. So if your client does not log in to 365 with their email address, then when they email in a ticket it will not match the contact in Syncro. Also, if you have multiple email addresses it will create multiple Contacts under the client, even if everything else matches. So it appears to match UPIN to email address only. Since email is apparently the primary key in Syncro, if you have multiple email addresses in 365, it will create multiple “Contacts” in Syncro. They need to have a mapping per client in this feature, or at least give you some control over how they match and map “Contacts”. We enabled this feature and on our 320 users ended up with over 850 “Contacts” which also did not match to email address when tickets came in. Also, there is no way to bulk delete contacts in Syncro, not even support can apparently. This feature is not ready!

Did you ever get an answer for this question? I found out that if a user had a license and you remove it from O365, it doesn’t seem to change it in Syncro, causing issues with license counts.

At this point we only use it to bring users in automatically to Syncro to make it easy for connecting them to tickets but we do not use it for anything else. It is just not usable.

On my task list, which is about 1000 deep now, I have an idea to write a script that will properly synchronize this for us. I already have a framework for it but just not the time in the day.