Description
The Azure Active Directory Synchronization feature lets you manage users inside the MPaware portal directly from your client's directory. Users are added, modified, or deactivated in the portal as soon as the corresponding change is made in the client's Azure AD (subject to the hourly sync), so new staff can start their security awareness training without manual account creation.
Important: Once Azure Active Directory sync is activated, you will not be able to add users to the portal by any other method. The portal syncs once every hour, so a change made in Azure AD may take up to an hour to appear for your users.
Requirements
You will need:
- Admin access to the MPaware Portal
- Global Admin credentials for the client's Microsoft 365 tenant (if you do not have these, use option 2, Without Global Admin Credentials)
The Process
There are two ways to set up Azure Active Directory Sync:
1. Simple Setup, the easier option, which requires a Global Admin account in the client's tenant.
2. Classic (manual) setup, for when you do not have Global Admin credentials for the tenancy.
1. With a Global Admin account in the tenant you are syncing
With Global Admin Credentials, the Simple Setup syncing feature will be quicker and will verify counts and groups, then sync users within minutes.
Steps:
In Microsoft 365:
1. Log in to Azure Active Directory (now called the Microsoft Entra admin center)
2. Groups
3. All Groups
4. Create the Azure AD Sync security groups that define each employee's portal access. The following two groups MUST be created (steps 5 and 6):
5. BSN-Employees
Defines the users that will be enrolled in the portal as standard employees under that client.
*Create the BSN-Employees group first
6. BSN-Managers
Defines users in the manager role; supersedes BSN-Employees.
(Managers get access to reporting and employee data inside the MPaware Portal)
Note: When entering the above security group names, DO NOT include any spaces before, after, or within the string. The sync matches on the exact name, so a group whose name differs by even one space will not be picked up.
Optional group: BSN-ManagerAdmins
Add the BSN-ManagerAdmins group to give select managers the ability to manage phishing campaigns as well as the bulk manage user functionality. Standard manager accounts do NOT have this functionality.
7. Assign users to the groups
Be sure to assign every user (even non-users, and managers as well) to the BSN-Employees group. This is what creates the portal accounts.
If you assign a user to both BSN-Employees and BSN-Managers, the manager role takes precedence.
Important: For those using on-premises AD synchronized to Azure AD (including the free tier of Azure AD): nested group memberships are not supported for group-based assignment at this time. A user who is only a member of a group nested inside BSN-Employees will not be synced; add users to the BSN-* groups directly.
8. Optional: create Tag groups.
Tags are used for creating specific groups, typically to separate users by department, to create groups you’d like to send specific phishing emails to, or to simplify tracking in the portal.
Follow Steps 1-4, but ensure the Group Name is: BSN-TAG-<tagname>
For example: BSN-TAG-Executive Team, BSN-TAG-Accounts, etc.
9. Click Create.
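The group setup in steps 1-9 can also be scripted, which makes the two pitfalls above (whitespace in a group name, users who are only nested members) easy to check before you press "Verify Setup". The following is an added example and is not part of the MPaware documentation or its AADSync script. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account may create groups and add members; the user principal names are constructed sample data, and the tag name BSN-TAG-Accounts is taken from the text above.

```powershell
# Added example, not part of the MPaware documentation: creates the BSN sync
# groups from PowerShell instead of the Entra portal, adds members, and checks
# for the two pitfalls above (whitespace in a group name, nested membership).
# Assumptions: the Microsoft.Graph PowerShell SDK is installed and the signed-in
# account can create groups and add members. The user UPNs are constructed
# sample data; replace them with real accounts from the client's tenant.
#Requires -Modules Microsoft.Graph.Groups, Microsoft.Graph.Users

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'GroupMember.ReadWrite.All', 'User.Read.All' -NoWelcome

function New-BsnSyncGroup {
    # Creates a security group with the exact name the sync matches on, or
    # returns the existing group. Refuses names containing whitespace, since
    # the portal will never match "BSN-Employees " or "BSN- Employees".
    param([Parameter(Mandatory)][string]$Name)

    if ($Name -match '\s') {
        throw "Group name '$Name' contains whitespace; the sync would not match it."
    }
    $existing = Get-MgGroup -Filter "displayName eq '$Name'"
    if ($existing) { return $existing }

    # Security group only: not mail-enabled, no Microsoft 365 group types.
    New-MgGroup -DisplayName $Name -SecurityEnabled:$true -MailEnabled:$false `
        -MailNickname ($Name -replace '[^A-Za-z0-9]', '')
}

function Add-BsnGroupMembers {
    # Adds users by UPN as DIRECT members (the only membership the sync sees).
    param([Parameter(Mandatory)][string]$GroupId, [string[]]$Upns)

    $current = @(Get-MgGroupMember -GroupId $GroupId -All).Id
    foreach ($upn in $Upns) {
        $user = Get-MgUser -UserId $upn -Property Id, UserPrincipalName
        if ($user.Id -in $current) { continue }   # already a direct member
        New-MgGroupMember -GroupId $GroupId -DirectoryObjectId $user.Id
    }
}

function Get-BsnNestedOnlyMembers {
    # Users reachable only through a nested group: they appear in the
    # transitive membership but not in the direct membership, so the sync
    # will not create portal accounts for them.
    param([Parameter(Mandatory)][string]$GroupId)

    $direct = @(Get-MgGroupMember -GroupId $GroupId -All).Id
    Get-MgGroupTransitiveMember -GroupId $GroupId -All |
        Where-Object {
            $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' -and
            $_.Id -notin $direct
        } |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
}

# --- usage ------------------------------------------------------------------
# Create the mandatory groups (Employees first), the optional admin group, and
# one tag group. 'BSN-TAG-Accounts' comes from the text above.
$employees   = New-BsnSyncGroup -Name 'BSN-Employees'
$managers    = New-BsnSyncGroup -Name 'BSN-Managers'
$mgrAdmins   = New-BsnSyncGroup -Name 'BSN-ManagerAdmins'
$accountsTag = New-BsnSyncGroup -Name 'BSN-TAG-Accounts'

# Constructed sample accounts (assumption: these exist in the client tenant).
$allStaff    = 'alice@contoso.example', 'bob@contoso.example', 'carol@contoso.example'
$managerUpns = 'carol@contoso.example'

# Everyone, managers included, goes into BSN-Employees; the manager role wins
# for anyone who is also in BSN-Managers.
Add-BsnGroupMembers -GroupId $employees.Id   -Upns $allStaff
Add-BsnGroupMembers -GroupId $managers.Id    -Upns $managerUpns
Add-BsnGroupMembers -GroupId $accountsTag.Id -Upns 'bob@contoso.example'

# Pre-check before "Verify Setup": how many accounts the sync will create, and
# who would be silently skipped because of nesting.
$directCount = @(Get-MgGroupMember -GroupId $employees.Id -All).Count
Write-Host "BSN-Employees direct members (portal accounts to be created): $directCount"

$skipped = Get-BsnNestedOnlyMembers -GroupId $employees.Id
if ($skipped) {
    Write-Warning ("Nested-only members of BSN-Employees will NOT sync:`n" + ($skipped -join "`n"))
}
```

The direct-member count printed at the end is the number you should expect "Verify Setup" (step 23) to report; if the portal shows fewer, the warning list is the first place to look, because those users sit behind a nested group and need to be added to BSN-Employees directly.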
MPaware Portal - With Global Admin Credentials:
10. Log in to the MPaware Portal
11. Once logged in, select “Manage Clients” and select the customer
12. Select the “Directory Sync” tab
13. Use the Sync Type drop-down selector to select “Azure Active Directory”
14. Click the “Enable” button to begin
15. Select which option you would like to use as Portal Logon. We recommend you use “Email”
16. When ready, select the “Authorize Directory Access” button
17. You will be taken to the Microsoft sign on page. You MUST select/sign in with an account that is Global Admin within the client’s tenant.
18. After signing into your Global Admin account within the tenant, you will be requested to accept the permissions required for this sync
19. Review the permissions then click “Accept”
20. A verification process will occur quickly to ensure that your account has the required access
21. If successful, a “Verified Successfully!” notification will appear below the Azure Active Directory sync.
22. Before running your first sync, we recommend configuring your Welcome Message options, since the welcome message is sent as part of the sync.
“Send Welcome Messages” = will send the welcome message to newly added employees during the sync.
“Use Custom Message” = will enable welcome messages to be customized. Without this option checked, the standard messages will be sent based on the Global Messages in the Partner Profile.
Clicking “Welcome Message” or “Welcome Back Message” = will allow you to adjust the default message
Note:
Welcome Message: Email sent to new users added to the platform
Welcome Back Message: Email sent to reactivated users
23. Select the “Verify Setup” button – this will return the number of users within the Azure tenant and will confirm the sync groups used within the tenant
24. When you are ready, click the “Sync Azure Now” button. You will receive a confirmation at the bottom of the page that the sync has been run successfully.
Note: While a sync is in progress, you cannot queue up additional syncs. Please wait 15 minutes and retry if no users appear.
2. Without a Global Admin account
For partners without access to a Global Admin account in the tenancy, the Classic Azure AD Sync is the best
option. A PowerShell script is provided, but initial syncs take up to 4 hours, and no instant verification of the setup is available.
Follow steps 1-9 above, then:
10. In the Microsoft 365 Azure Admin Portal, go to Properties.
(Overview > Properties)
11. Copy the Tenant ID and paste it into Notepad. You will need it in step 24.
12. Select Roles and Admins
13. Search for the Security Reader role
14. Select the role
15. Click "Assignments"
16. Assign the role to a user that has Global Admin privileges
Important: The Security Reader role must be assigned to at least one user, otherwise step 31 will produce errors. (A directory role only becomes active in the tenant once it has been assigned at least once; until then it is not visible to scripts that look it up.)
MPaware Portal - Without Global Admin Credentials:
17. Log in to the MPaware Portal
18. Once logged in, select “Manage Clients” and select the customer
19. Select the “Directory Sync” tab
20. Use the Sync Type drop-down selector to select “Azure Active Directory”
21. Click the “Enable Manual Setup” button then click the “Enable” button
22. Click the “Create PowerShell” button
23. Configure the welcome messages.
“Send Welcome Messages” = will send the welcome message to newly added employees during the sync.
“Use Custom Message” = will enable welcome messages to be customized. Without this option checked, the standard messages will be sent based on the Global Messages in the Partner Profile.
Clicking “Welcome Message” or “Welcome Back Message” = will allow you to adjust the default message
Note:
Welcome Message: Email sent to new users added to the platform
Welcome Back Message: Email sent to reactivated users
24. Paste the Tenant ID you copied in step 11 into the text box under “Azure AD Identifier”.
25. Click the “Use as Portal Logon” dropdown to choose between Email and UserPrincipalName as the user logon username. (We recommend using Email.)
26. Click “Download” to download the PowerShell script
27. Click “Show in Folder” to open File Explorer and note the file path.
28. Run Windows PowerShell as an Administrator
29. Navigate to the directory where the script is located, as noted in step 27.
30. Install the AzureAD module and set the execution policy to Unrestricted for the current PowerShell session only (process scope) rather than for the whole machine. Then execute the AADSync.ps1 PowerShell script.
Enter “R” to Run once when prompted
31. You will be prompted to sign into the Azure account you are configuring Application Authentication for.
32. Copy down the information displayed when the script has completed: AppID, certificate thumbprint, and certificate location. Treat the certificate file as a credential: it is what the portal uses to authenticate to the client's tenant, so store it as you would a password and delete any local copies you no longer need after step 34.
Go back to the MPaware Portal.
33. Paste the Application ID and certificate thumbprint from the script into the “Enter Application ID” and “Enter Certificate Thumbprint” fields, respectively.
34. Click “Attachment” under the Upload Certificate section, paste the certificate location file path into the “File Name” field of the file explorer, and click “Open”
35. Click “Save” to save your changes.
Repeat steps 1-35 for each customer.
Note: Without Global Admin credentials, the initial sync may take between 3 and 5 hours before users appear in your portal. After the initial sync, updates are processed hourly.
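The manual setup has three places where it fails quietly: a wrong Tenant ID in step 24, the Security Reader role never having been activated (step 16), and a certificate that does not match the thumbprint typed into step 33. The following added example, which is not MPaware's AADSync.ps1 or any part of the documentation, checks all three around the script run. It assumes the Microsoft Graph PowerShell SDK is installed, that AADSync.ps1 sits in the current folder (step 29), and that the path and thumbprint handed to the final check are the values the script printed in step 32; the placeholder path and thumbprint at the bottom are hypothetical.

```powershell
# Added example, not MPaware's own AADSync.ps1: pre-flight checks for the
# manual (no Global Admin) setup, a process-scoped way to run the downloaded
# script, and a check of the certificate it produces.
# Assumptions: Microsoft.Graph PowerShell SDK installed; AADSync.ps1 is in the
# current folder (step 29); the path and thumbprint passed to the final check
# are the values the script printed in step 32.
#Requires -Modules Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes 'Organization.Read.All', 'RoleManagement.Read.Directory' -NoWelcome

function Get-BsnTenantId {
    # Step 11: the Tenant ID that goes into "Azure AD Identifier" (step 24).
    (Get-MgOrganization).Id
}

function Test-SecurityReaderActivated {
    # Step 16 / Important note: Get-MgDirectoryRole lists only roles that have
    # been activated in the tenant, which happens on first assignment. A role
    # that is not returned, or that has no members, is the condition that
    # makes step 31 fail.
    $role = Get-MgDirectoryRole -Filter "displayName eq 'Security Reader'"
    if (-not $role) { return $false }
    $members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All)
    if ($members.Count -eq 0) { return $false }
    $names = $members | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
    Write-Host "Security Reader is assigned to: $($names -join ', ')"
    $true
}

function Invoke-BsnSyncScript {
    # Step 30: relax the execution policy for this PowerShell process only,
    # rather than changing the machine-wide policy. Unrestricted still prompts
    # for a script downloaded from the internet; answer R (Run once) as the
    # steps say.
    param([string]$ScriptPath = '.\AADSync.ps1')
    if (-not (Test-Path $ScriptPath)) { throw "Script not found: $ScriptPath (see step 27)" }
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
    & $ScriptPath
}

function Test-BsnCertificate {
    # Steps 32-34: confirm the certificate file the script reported carries the
    # thumbprint it printed, and show the expiry, because certificate-based
    # app authentication stops working when the certificate lapses. Works for
    # a .cer and for a password-less .pfx; a password-protected .pfx needs the
    # password supplied to the X509Certificate2 constructor.
    param(
        [Parameter(Mandatory)][string]$CertPath,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
    [pscustomobject]@{
        Path          = $CertPath
        Thumbprint    = $cert.Thumbprint
        Matches       = $cert.Thumbprint -ieq ($ExpectedThumbprint -replace '[\s:]', '')
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey   # if true, the file is a credential; guard it
    }
}

# --- usage --------------------------------------------------------------------
Write-Host "Tenant ID for step 24: $(Get-BsnTenantId)"
if (-not (Test-SecurityReaderActivated)) {
    throw 'Assign the Security Reader role to at least one user (steps 12-16) before continuing.'
}
Invoke-BsnSyncScript

# Hypothetical placeholders: substitute the path and thumbprint printed by AADSync.ps1.
# Test-BsnCertificate -CertPath 'C:\path\printed\by\script.cer' -ExpectedThumbprint 'THUMBPRINT-PRINTED-BY-SCRIPT'
```

If Test-BsnCertificate reports Matches as False, the value you are about to paste into step 33 will not correspond to the certificate uploaded in step 34 and the portal will not be able to authenticate. If HasPrivateKey is True, the file is the portal's credential to the tenant and should be handled as such.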