Azure Active Directory (AD) Employee Directory Integration lets you synchronise groups from your Azure AD tenant into your CanIPhish account. CanIPhish re-reads the membership of each synced group every 24 hours, so an employee added to or removed from the group is added to or removed from the corresponding CanIPhish employee listing without manual work. This article describes how to synchronise Azure AD groups to CanIPhish, which automates adding and removing employees from simulated phishing and security awareness training campaigns.
Note: You need an Azure Active Directory tenant, and within it a group containing every user you want to participate in your campaigns.
Integrating with CanIPhish
To integrate your Azure AD Directory with CanIPhish, log in to your account and navigate to Employees > Directory Sync.
Make sure Azure AD is selected and then input a unique Directory Name. Once provided, click Sign in with Microsoft.
If your browser doesn't already have an active Microsoft/Azure AD session, you'll be prompted to log in via the Microsoft login portal. Once signed in, you'll be asked to authorise the CanIPhish Azure Connector to access several Microsoft Graph APIs in your Azure AD tenant. Make sure all scopes are approved and then click 'Continue' to grant the access.
Note: All of the requested scopes are required for the integration to work; the appendix at the end of this article explains what each one allows. Directory.Read.All is a delegated permission that requires admin consent, so the account you sign in with must be an administrator who is permitted to grant tenant-wide consent (or the request must be approved by one) before the integration can complete.
Once authorised, you'll be redirected immediately to the CanIPhish Employees page and notified of the integration status. You should see a successful integration notification in the top right-hand corner of the screen, and the directory should be shown as 'Active'. You can also confirm what was granted on the Azure AD side under Enterprise applications, by opening the CanIPhish Azure Connector and reviewing its Permissions page.
Once synchronised, you will be able to create a new employee listing that leverages groups within that directory. To setup your first employee listing, exit the directory synchronisation view and click on New Employee List.
Specify an Employee List Name, click on Import From Directory and select the Directory synced in the previous step. Wait up to 30 seconds for the Directory Groups to load and then select one or more Groups for CanIPhish to sync with and then click Sync Directory Employees.
Note: You can optionally map Directory Attributes to the data points CanIPhish pulls down for each user. CanIPhish selects a default mapping, which you are free to customise.
Once synchronised, your employees will appear in the table directly beneath the sync button. When you are happy that the required employees have been synchronised, click Save.
All done! CanIPhish will synchronise any changes in your directory groups to your CanIPhish employee listing every 24 hours. To pick up changes sooner, open the employee listing and resynchronise the directory group manually.
Appendix: Additional Information on Microsoft API Scopes
We'll be accessing APIs that allow us to read information about directory groups, group members and individual employees. We'll also read the profile of the user who authorised the access, so that the authorising account can be recorded and is visible within your CanIPhish tenant. The scopes we request are:
Directory.Read.All
Gives CanIPhish read access to directory data: groups, their membership, and the profile attributes of the employees in those groups. This is a delegated Microsoft Graph permission that requires admin consent.
User.Read
Lets CanIPhish read the profile of the user authorising the CanIPhish client application. This is necessary for CanIPhish to record who the authorising user is.
offline_access
Lets CanIPhish obtain a refresh token, so it can keep using the read-only permissions above after the authorising user's session has ended. This is what allows the scheduled poll of your Azure AD groups to detect users who have been added or removed. If you later remove the CanIPhish Azure Connector enterprise application from your tenant, the refresh token stops working and synchronisation stops.
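The appendix describes the sync model in words: read a group's members with Directory.Read.All, keep going between runs via the refresh token from offline_access, and work out who was added or removed since the last poll. The following is an added illustration of that loop and is not CanIPhish's own code. The endpoint shape (/groups/{id}/members, $select, @odata.nextLink paging, @odata.type on each member) and the user property names are real Microsoft Graph behaviour; the group id, the users and the two response pages are constructed sample data served by a fake transport so the example runs offline. To use it against a tenant you would replace fake_get_json with an authenticated HTTPS GET carrying a bearer token obtained with those scopes.

```python
"""Poll a Microsoft Graph group's membership and diff it against the last
known roster. Added example; not CanIPhish's implementation.
"""
from dataclasses import dataclass
from typing import Callable, Iterator

GRAPH = "https://graph.microsoft.com/v1.0"
# Pull only the attributes an employee listing needs; $select keeps what is
# read under Directory.Read.All to the minimum actually used.
SELECT = "id,mail,displayName,givenName,surname"


@dataclass(frozen=True)
class Employee:
    object_id: str
    mail: str
    display_name: str


def group_members(group_id: str, get_json: Callable[[str], dict]) -> Iterator[dict]:
    """Yield every user member of a group, following @odata.nextLink paging.

    `get_json` performs an authenticated GET and returns the parsed JSON body.
    /groups/{id}/members returns directoryObjects, so nested groups show up
    with @odata.type '#microsoft.graph.group'; they are skipped here rather
    than expanded.
    """
    url = f"{GRAPH}/groups/{group_id}/members?$select={SELECT}"
    while url:
        page = get_json(url)
        for obj in page.get("value", []):
            if obj.get("@odata.type") == "#microsoft.graph.user":
                yield obj
        url = page.get("@odata.nextLink")  # absent on the last page


def to_roster(members) -> dict[str, Employee]:
    """Key the roster by the immutable object id rather than by mail, so a
    renamed mailbox is reported as a change, not as a removal plus an add."""
    roster = {}
    for m in members:
        if not m.get("mail"):
            continue  # a user without a mailbox cannot receive a simulation
        roster[m["id"]] = Employee(m["id"], m["mail"].lower(), m.get("displayName", ""))
    return roster


def diff_rosters(previous: dict, current: dict):
    """Return (added, removed, changed) object ids between two polls."""
    added = sorted(set(current) - set(previous))
    removed = sorted(set(previous) - set(current))
    changed = sorted(k for k in set(previous) & set(current) if previous[k] != current[k])
    return added, removed, changed


# ---- constructed sample data (not from a real tenant) ----
GROUP_ID = "11111111-2222-3333-4444-555555555555"  # constructed
_PAGE1 = f"{GRAPH}/groups/{GROUP_ID}/members?$select={SELECT}"
_PAGE2 = _PAGE1 + "&$skiptoken=constructed-page-2"
FAKE_PAGES = {
    _PAGE1: {
        "value": [
            {"@odata.type": "#microsoft.graph.user", "id": "u1",
             "mail": "Alice@contoso.example", "displayName": "Alice Adams"},
            {"@odata.type": "#microsoft.graph.user", "id": "u2",
             "mail": "bob@contoso.example", "displayName": "Bob Brown (Sales)"},
            {"@odata.type": "#microsoft.graph.group", "id": "g9",
             "displayName": "Nested group"},
        ],
        "@odata.nextLink": _PAGE2,
    },
    _PAGE2: {
        "value": [
            {"@odata.type": "#microsoft.graph.user", "id": "u3",
             "mail": None, "displayName": "Carol (no mailbox)"},
            {"@odata.type": "#microsoft.graph.user", "id": "u5",
             "mail": "erin@contoso.example", "displayName": "Erin Evans"},
        ]
    },
}
# Roster as stored after the previous (constructed) poll.
PREVIOUS = {
    "u1": Employee("u1", "alice@contoso.example", "Alice Adams"),
    "u2": Employee("u2", "bob@contoso.example", "Bob Brown"),
    "u4": Employee("u4", "dave@contoso.example", "Dave Diaz"),
}


def fake_get_json(url: str) -> dict:
    """Stand-in for an authenticated Graph GET; serves the constructed pages."""
    return FAKE_PAGES[url]


def run_example():
    current = to_roster(group_members(GROUP_ID, fake_get_json))
    return diff_rosters(PREVIOUS, current)


if __name__ == "__main__":
    added, removed, changed = run_example()
    print("added:", added, "removed:", removed, "changed:", changed)
```

Running it reports u5 (Erin) as added, u4 (Dave) as removed, and u2 (Bob) as changed because only his display name moved; Alice is unchanged despite the mail casing difference, the nested group is ignored, and Carol is dropped because she has no mailbox. Those are exactly the decisions a directory sync has to make before it touches a campaign's recipient list.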