Synchronize users from Microsoft Entra ID
You can synchronize users from an organization's Microsoft Entra ID (AD) into STA or SAS PCE. The users can either be locally created in Microsoft Entra ID or synchronized from an external source, such as another AD.
You must have a valid Microsoft Entra ID subscription to complete the associated procedures.
Enable Microsoft Entra ID domain services
The procedure to enable Microsoft Entra ID domain services is described at https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-getting-started.
The following are important considerations with respect to using Microsoft Entra ID domain services:
- The domain name must contain a maximum of 15 characters (excluding the .com extension).
- The domain services must be created in the same region as your AD.
- A virtual network must be created to host the domain; create a virtual machine for hosting the SafeNet Synchronization Agent in this network.
- A group titled Microsoft Entra ID DC Administrators is automatically created to manage the domain.
- Update the DNS server settings.
- Regenerate the password HASH values.
Add an LDAP administrator
The SafeNet Synchronization Agent connects to Microsoft Entra ID using an LDAP interface. This connection requires an account with read privileges on Microsoft Entra ID. It is recommended that you create a separate account for that purpose. Configure the account as described in LDAP credentials.
Create a virtual machine
To synchronize users from Microsoft Entra ID to STA or SAS PCE, you must operate the SafeNet Synchronization Agent from a virtual machine (VM).
If you don't already have one, you can create a Windows Server VM as described at https://docs.microsoft.com/en-ca/azure/active-directory-domain-services/active-directory-ds-admin-guide-join-windows-vm-portal.
Create the VM in the same virtual network as the Microsoft Entra ID domain. Then install the latest version of SafeNet Synchronization Agent.
You can optionally join this VM to the domain, to access the Microsoft Entra ID and manage the domain with SafeNet Synchronization Agent, as described at https://docs.microsoft.com/en-ca/azure/active-directory-domain-services/active-directory-ds-admin-guide-administer-domain.
Enable secure LDAP
To enable the SafeNet Synchronization Agent to read user information on Microsoft Entra ID, you must enable secure LDAP.
The procedure to enable secure LDAP is described at https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-configure-secure-ldap. If you install SafeNet Synchronization Agent in the same virtual network, then instead of configuring access to the managed domain from the internet, simply generate a self-signed certificate following the script in the Microsoft documentation.
Configure SafeNet Synchronization Agent
After secure LDAP is enabled, configure SafeNet Synchronization Agent as described in Configure the LDAP sync server and synchronize the Microsoft Entra ID users into STA or SAS PCE.
It is not possible to synchronize Microsoft Entra ID passwords into STA or SAS PCE using the SafeNet Synchronization Agent.
When setting the user source configuration, use the following parameters (described in Configure SafeNet Synchronization Agent for LDAP):
- LDAP Configuration
  - Host Name or IP Address—the IP address of the Microsoft Entra ID domain services (DS) domain controller
- LDAP Credentials (for the user described in Add an LDAP administrator)
  - User DN—the username of the LDAP Administrator in the format user@domain
  - Base DN—DC=AD_DS_Domain_Name,DC=com (for example, DC=syncagentdemo,DC=com)
  - Append Base DN to User DN—unchecked
  - Password—the LDAP Administrator's password
- LDAP Schema
  - Enable password synchronization—unchecked
Synchronize the user's email address
When a user is created in Microsoft Entra ID the User Name is provided in the form of an email address, for example, user@domain. However, Microsoft Entra ID does not populate the mail attribute in the Microsoft Entra ID user record, which can only be synchronized from an external AD or Microsoft 365.
To obtain the user's email address so that it can be synchronized with STA or SAS PCE, you can customize the LDAP schema of SafeNet Synchronization Agent so that it uses the userPrincipalName (UPN) attribute as the Email Address. See the figures that follow.
Default schema
Custom Schema with UPN as the E-mail Address
The schema changes affect all users that are synchronized from Microsoft Entra ID, not only those with an empty mail attribute.
The following are important considerations:
- The mailNickname attribute must not be used as an email replacement. It is a username alias that is assigned by Microsoft Entra ID.
- The mail attribute in Microsoft Entra ID can be set by the Microsoft 365 Exchange application that is linked to Microsoft Entra ID. It can then be synchronized with STA or SAS PCE without schema changes.
- If a user is synchronized into Microsoft Entra ID from an external (on-premise) AD, then the mail attribute is copied from that external AD and can be synchronized with STA or SAS PCE without schema changes.
Password hashes
Microsoft Entra ID domains are managed by Microsoft. The domain administrative privileges are not given to the cloud users and administrators. Therefore it is not possible for the SafeNet Synchronization Agent to synchronize Microsoft Entra ID users' password hashes.
Synchronizing using AD Connect
When using AD Connect to synchronize an on-premise AD server to Microsoft Entra ID, the domain name of the AD server and the Microsoft Entra ID domain name must match. Otherwise, the AD server user's UPN will be overwritten with Microsoft Entra ID's domain name.