The CanIPhish Microsoft Entra ID Integration enables you to synchronise your Entra ID groups and users to your CanIPhish account. When an employee is added to an Entra ID group, that employee is automatically added to the corresponding CanIPhish employee list; the synchronisation runs every 24 hours.
Important Note: This guide should only be followed if you've set up white-labelling. If you haven't, please follow the white-labelling setup guide first. Additionally, please ensure you're accessing CanIPhish through your white-labelled domain (server-side logic determines which directory sync integration to present, based on the domain in use).
Table of Contents
- Step 1. Create An App Registration In Microsoft
- Step 2. Configure Directory Synchronisation In CanIPhish
- Appendix: Setup A Directory Synced Employee List
- Appendix: Additional Information on Microsoft API Scopes
Step 1. Create An App Registration In Microsoft
1.1. Log in to the Microsoft Azure account linked to your Microsoft 365 tenant: https://portal.azure.com/
1.2. In the search bar at the top of the page, search for "App registrations" and click on the corresponding Service.
1.3. Click "New Registration" to create a new App Registration:
1.4. Provide the app with a unique and distinguishable name (e.g. CanIPhish Entra ID Connector), leave the other options on their default setting (as shown below) and then click the Register button:
1.5. While on the Overview page, copy the "Application (client) ID" and "Directory (tenant) ID" values to your clipboard or a text editor, as you'll need them later:
1.6. Click on the "Manage" > "API permissions" tab on the left:
1.7. Click the "Add a permission" button:
1.8. Click the "Microsoft Graph" API:
1.9. Click "Application permissions":
1.10. In the search box type in: "Directory.Read.All" and then expand the "Directory" permission, selecting the "Directory.Read.All" permission.
1.11. Now, change the search to look for: "User.Read.All" and then expand the "User" permission, selecting the "User.Read.All" permission.
1.12. Click the "Add permissions" at the bottom of the page to add the two permissions we've selected:
1.13. Confirm that both the permissions appear in the API Permissions table:
1.14. You'll notice a warning icon next to each permission, indicating that admin consent hasn't yet been granted. Application permissions (as opposed to delegated permissions) only take effect once a Global Administrator or Privileged Role Administrator consents on behalf of the tenant; until then, Microsoft Graph rejects the integration's calls with a 403. Click the "Grant admin consent for <tenant>" button directly above the table and confirm. The Status column will then show that consent has been granted.
1.15. Now change to the "Manage" > "Certificates & secrets" tab:
1.16. Click the "New client secret" button:
1.17. In the dialog that appears on the right of your screen, provide the secret with a descriptive name (e.g. "CanIPhish Entra ID Connector Secret") and an expiration date. We recommend the maximum of 730 days (24 months); upon expiration, directory synchronisation stops until you provision a new secret and update it in CanIPhish. Then click "Add":
1.18. Your secret will now appear in the Client secrets table. Copy the Value (not the Secret ID) of your newly created secret to your clipboard or text editor. The Value is only displayed once; if you navigate away before copying it, delete the secret and create a new one. Treat this value as a password: together with the Application ID and Tenant ID it grants read access to your whole directory.
Step 2. Configure Directory Synchronisation In CanIPhish
2.1. Log in to your CanIPhish account and navigate to the Employees page.
2.2. Click on the Directory Sync button:
2.3. In the popup that appears, enter the following values and then click Save:
- Directory Name: Provide a unique and distinguishable name for this directory (e.g. "Entra ID Connector")
- Application ID: Paste the value that you copied in Step 1.5.
- Tenant ID: Paste the value that you copied in Step 1.5.
- Client Secret: Paste the value that you copied in Step 1.18.
2.4. The newly created Integration should now appear in the Directory table. You're all done!
Appendix: Setup A Directory Synced Employee List
1. To set up a directory-synced employee list, go to the Employees page and click the New Employee List button.
2. Specify an Employee List Name
3. Click on Import From Directory
4. Select the Directory you'd like to sync (It may take up to 30 seconds for the Directory Groups to load).
5. Select one or more Groups for CanIPhish to sync.
6. Click Sync Directory Employees.
7. Click Save.
Appendix: Additional Information on Microsoft API Scopes
We'll be accessing APIs that allow us to read information relating to directory groups, group members and individual employees. The required Microsoft Graph application permissions and what they're used for:
- Directory.Read.All: Provides CanIPhish with access to read directory data such as groups, group memberships and the employees within them.
- User.Read.All: Provides CanIPhish with access to read user profile information so we can gather data such as first names, last names, job titles and company names, which are all used to support phishing and training campaigns.
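The following script is an added example, not CanIPhish's or Microsoft's code. It lets you verify the app registration from Step 1 before entering it into CanIPhish in Step 2, and shows which Microsoft Graph calls the two permissions in this appendix unlock: it obtains a token with the client-credentials flow, inspects the token's "roles" claim (which is empty until admin consent from Step 1.14 has been granted), then enumerates groups and the profile fields of their user members. The token endpoint, the ".default" scope, the Graph URLs and the claim names are Microsoft's documented ones; the tenant, application and secret values are placeholders you supply on the command line, and fake_token() constructs an unsigned sample token purely so the consent check can be exercised offline.

```python
"""Pre-flight check for the CanIPhish Entra ID app registration (added example).
Standard library only. Run as: python preflight.py <tenant_id> <app_id> <secret>
"""
import base64
import json
import sys
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH = "https://graph.microsoft.com/v1.0"
# Application permissions selected in Steps 1.10 and 1.11.
REQUIRED_ROLES = {"Directory.Read.All", "User.Read.All"}
# Profile fields the sync reads (what User.Read.All is needed for).
USER_FIELDS = "id,givenName,surname,mail,userPrincipalName,jobTitle,companyName"


def token_request(tenant_id, app_id, client_secret):
    """Build the client-credentials request for the v2.0 token endpoint.
    The scope must be Graph's '.default': application permissions come from
    admin consent, they cannot be requested per call."""
    url = TOKEN_URL.format(tenant=tenant_id)
    body = urllib.parse.urlencode({
        "client_id": app_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    return url, body


def get_access_token(tenant_id, app_id, client_secret):
    url, body = token_request(tenant_id, app_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature. Fine for inspecting
    a token we just received for ourselves; never use this to accept a token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(token):
    """Required application permissions that admin consent has NOT granted.
    Before Step 1.14 the token has no 'roles' claim at all, and every Graph
    call below fails with HTTP 403."""
    return REQUIRED_ROLES - set(jwt_claims(token).get("roles", []))


def fake_token(claims):
    """Constructed, unsigned sample token for offline demonstration only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def members_url(group_id):
    # /members returns users, groups and devices; the microsoft.graph.user cast
    # keeps only users, and $select limits the profile fields requested.
    return f"{GRAPH}/groups/{group_id}/members/microsoft.graph.user?$select={USER_FIELDS}"


def graph_get_all(token, url):
    """Follow @odata.nextLink so large groups are read completely, not just page 1."""
    items = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def preflight(tenant_id, app_id, client_secret):
    """Return {group displayName: [user dicts]} for every group, or exit if consent is missing."""
    token = get_access_token(tenant_id, app_id, client_secret)
    missing = missing_roles(token)
    if missing:
        raise SystemExit(f"admin consent not granted for: {sorted(missing)} (redo Step 1.14)")
    groups = graph_get_all(token, f"{GRAPH}/groups?$select=id,displayName")
    return {g["displayName"]: graph_get_all(token, members_url(g["id"])) for g in groups}


if __name__ == "__main__":
    for name, users in preflight(*sys.argv[1:4]).items():
        print(f"{name}: {len(users)} users")
```

If the script reports missing roles, the permissions were added but not consented; a 401 from the token endpoint instead means the tenant ID, application ID or secret value is wrong, or the secret has expired.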