Syncing Users and Groups from Active Directory

Situation – EMP Cloud Active Directory Sync Tool allows organizations using AD to import and/or synchronize users and functional accounts

Summary – See below article for information on:

• EMP Cloud AD Sync Tool
• Active Directory Sync Summary
• Sync Exemptions

About Active Directory

Active Directory is Microsoft’s cloud-based directory and identity management service.
For more information please see: https://docs.microsoft.com/en-us/windows/desktop/ad/about-active-directory-domain-services

About EMP Cloud AD Sync Tool

EMP Cloud AD Sync Tool allows organizations using Active Directory to import and/or synchronize users and groups from Office 365 directly to their account.

Prerequisites

In order to configure Active Directory and EMP Cloud you will need the following:

• Active Directory URL or IP Address (This URL or IP has to be externally accessible)
• Read-only Account for access (username, password) The character limit for the password is 23 characters – we do not allow maths characters +-=*^/%
• What port to use
• Base DN value

You may need to open firewall ports to accept incoming LDAP requests. Please refer to Connection Details for a complete list of external IP addresses.

CONFIGURE EMP Cloud

• Sign-in to the EMP Cloud user interface.
• Navigate to ‘Administration‘ and click User Management > Import Users > Active Directory.
• Choose the desired default role from the dropdown.

A silent user will receive a quarantine digest report but will be unable to login to the user interface.

An end user will receive a quarantine digest report and will receive a welcome email from EMP Cloud to login to the user interface.

• Enter the Active Directory URL.
• Enter the Username and Password of the read-only user account EMP Cloud will use to connect to your environment.
• Choose the Port that should be used to establish a connection (Port 636 is recommended).
• Enter the Base DN value to query your Active Directory forest.
• Choose What to Sync
  • Active Users
  • Disabled Accounts
  • Functional Accounts
  • Security Groups
  • Include items hidden from the GAL (Global Address List)
• Choose How to sync accounts.
  • Add
    • Create new user accounts and groups
  • Sync Updated Accounts
    • update existing user accounts and groups
  • Delete Removed Accounts
    • Remove accounts from EMP Cloud that are no longer found in Active Directory
• Choose When to Sync accounts.
  • You can choose to sync never (which you would need to run manually) or every 1, 3, 6, 12 or 24 hours
• Click Save.
• Click Search Now.
• Verify the user and group objects that were identified in your Active Directory account.
• Click Sync Active Directory

Active Directory Sync Summary

The Active Directory Sync summary page allows you to view all changes related to your current EMP Cloud account and your Active Directory account. You can use this summary page to:

• Verify user and group sync connection.
• Verify user and group sync counts.
• Identify accounts for sync exemption.

Section	Description
Adding	This table will display all user objects that will be added to your EMP Cloud account.
Updating	This table will display all user objects that will be updated on your EMP Cloud account.
Disabling	This table will display all user objects that will be disabled on your EMP Cloud account.
Deleting	This table will display all user objects that will be deleted from your EMP Cloud account.
Exempt from sync	This table will display all user objects that have been identified as exempt from changes due to a sync

Sync Exemption

You may need to identify a user or functional account to be exempt from sync.

For example: You may wish to convert a user account to a functional account in EMP Cloud. Yet, when you perform the sync, AD will force it back to a user account. You can choose to exempt these accounts from the sync process and therefore preserve the EMP Cloud setting.

Not properly exempting users/accounts could result in billing/licensing numbers being higher than expected

ADDING A USER ACCOUNT FOR EXEMPTION

• While on the Active Directory Sync Summary page, expand the Adding or Updating table.
• Check the checkbox next to the object(s) you wish to exempt.
• Click Exempt Selected.
• Click Sync Active Directory

The object will be removed from the selected table and be moved to Exempt from sync table. It will no longer be subject to AD changes.

REMOVING A USER ACCOUNT FROM EXEMPTION

• While on the Active Directory Sync Summary page, expand the Exempt from sync table.
• Identify the object you wish to remove from exemption.
• Click Add to Sync.
• Click Sync Active Directory