Azure Active Directory (AD) Employee Directory Integration enables you to synchronise your Azure AD directories to your CanIPhish account. When an employee is added to an AD group, that individual will automatically be synchronised to the relevant CanIPhish employee listings every 24 hours. This article describes how to synchronise Azure AD groups to CanIPhish. This will automate the process of adding or removing employees from simulated phishing and security awareness training campaigns.
Note: It is required to have an Azure Active Directory tenant. You will also be required to have a group within Azure AD that contains all users that you would like to participate in your campaigns.
Integrating with CanIPhish
1. To integrate your Azure AD Directory with CanIPhish, log in to your account and navigate to Employees > Directory Sync.
2. Make sure Azure AD is selected and then input a unique Directory Name. Once provided, click Sign in with Microsoft.
3. If your browser doesn't already have an active Microsoft/Azure AD session, you'll be prompted to log in via the Microsoft login portal. Once signed in, you'll be prompted to authorise the CanIPhish Azure Connector to access several APIs within your Microsoft/Azure AD account. Make sure you tick the 'Consent on behalf of your organization' option and then click 'Accept' to authorise the access.
Note: Access to all scopes is required to successfully set up the integration. See the appendix at the end of this article for further detail on what information we're accessing.
4. Once authorised, you'll be immediately redirected to the CanIPhish Employees page and notified of the status of the integration. You should see a successful integration notification at the top right of your screen, and the directory will be shown as 'Active'.
5. Once authorised, you'll be immediately redirected to the CanIPhish Employees page and notified of the status of the integration and that you now need to provide Admin Consent. From here you can choose one of two options:
- Automatically provide Admin Consent by authorizing a permissions upgrade in a similar dialog box to that shown in Step 3 (completing the setup).
- Proceed with Steps 6-10 to do this manually.
What is Admin Consent? With Microsoft there are two types of permissions: Delegated and Application. Delegated permissions are used when an application needs to act on behalf of a signed-in user. Application permissions are used when an application needs to access resources without a signed-in user; they allow the application to act autonomously, accessing the specified resources at a broader level and with higher privileges than delegated permissions. By providing Admin Consent, the CanIPhish Azure Connector is upgraded from Delegated to Application permissions, which is necessary to perform Directory Syncing.
6. Go to the Azure home page: https://portal.azure.com/
7. Click on or search for Enterprise Applications:
8. Click on the "CanIPhish Azure Connector" Application.
9. Click on the Permissions tab on the left.
10. Click the "Grant admin consent for CanIPhish" button to upgrade the Directory.Read.All permission from Delegated to Application.
All Done! You can now set up your directory-synced employee list by following the steps below:
11. To set up your first employee listing, click on New Employee List.
12. Specify an Employee List Name, click on Import From Directory and select the Directory synced in the previous step. Wait up to 30 seconds for the Directory Groups to load, select one or more Groups for CanIPhish to sync with, and then click Sync Directory Employees.
Note: You can also optionally map the Directory Attributes to the data points that CanIPhish will pull down for each user. By default CanIPhish selects these for you, but you are free to customise the mapping.
13. Once synchronised, your employees will appear in the table directly beneath the sync button. When you are happy that the required employees have been synchronised with CanIPhish, simply click Save.
Congratulations! CanIPhish will synchronise any changes in your directory groups to your CanIPhish employee listing every 24 hours. To apply changes sooner than that, manually update the employee listing and resynchronise the directory group.
Appendix: Additional Information on Microsoft API Scopes
We'll be accessing APIs that allow us to read information relating to directory groups, group members and individual employees. Additionally, we'll read information from the Microsoft profile of the person who authorised the API access, so that the authorising user is identifiable within your CanIPhish tenant. The table below outlines the scopes we're accessing:
Directory.Read.All - Provides CanIPhish with access to read directory data such as groups, employees and employee information.
User.Read.All - Provides CanIPhish with access to read user profile information so we can gather data such as first names, last names, job titles and company names, which are all used to support phishing and training campaigns.
User.Read - Provides CanIPhish with access to read the profile of the user authorising the CanIPhish client application. This is necessary for CanIPhish to understand who the authorising user is.
offline_access - Allows CanIPhish to maintain read-only access to the scopes mentioned above without the authorising user being signed in. This is necessary so CanIPhish can periodically poll your Azure groups and understand whether any new users have been added or existing users have been removed.
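As an added check (example code, not part of this article or of CanIPhish's product): after Step 10, and given the scope list above, the Python below audits what the connector's service principal has actually been granted, using the row shapes Microsoft Graph returns for oauth2PermissionGrants (delegated consent) and appRoleAssignments (application permissions). The service principal IDs, role IDs and rows are constructed sample data; the Graph field names (clientId, consentType, scope, principalId, appRoleId, appRoles) are real.

```python
# Added example, not CanIPhish code. Audits a connector service principal's grants
# against the documented scope set; all IDs and rows below are constructed samples.
from typing import Iterable

# Delegated scopes listed in the appendix, and the one permission Step 10 upgrades.
EXPECTED_DELEGATED = {"Directory.Read.All", "User.Read.All", "User.Read", "offline_access"}
EXPECTED_APPLICATION = {"Directory.Read.All"}


def delegated_scopes(grants: Iterable[dict], client_sp_id: str) -> set:
    """Union of scopes from tenant-wide grants held by the client service principal.
    Per-user grants (consentType 'Principal') are ignored: they are not admin consent."""
    scopes = set()
    for g in grants:
        if g.get("clientId") == client_sp_id and g.get("consentType") == "AllPrincipals":
            scopes.update(g.get("scope", "").split())   # Graph stores scopes space-separated
    return scopes


def application_permissions(assignments, client_sp_id, resource_app_roles) -> set:
    """Resolve appRoleId GUIDs to permission names via the resource SP's appRoles list."""
    names = {r["id"]: r["value"] for r in resource_app_roles}
    return {names.get(a["appRoleId"], a["appRoleId"])
            for a in assignments if a.get("principalId") == client_sp_id}


def audit(grants, assignments, client_sp_id, resource_app_roles) -> dict:
    """Report whether Step 10 completed and whether anything beyond the documented set exists."""
    delegated = delegated_scopes(grants, client_sp_id)
    application = application_permissions(assignments, client_sp_id, resource_app_roles)
    return {
        "admin_consent_complete": EXPECTED_APPLICATION <= application,
        "missing_delegated": EXPECTED_DELEGATED - delegated,
        "excess_delegated": delegated - EXPECTED_DELEGATED,
        "excess_application": application - EXPECTED_APPLICATION,
    }


# Constructed sample: connector SP "client-0001", Graph SP "graph-0001", placeholder role ids.
CLIENT_SP = "client-0001"
GRAPH_APP_ROLES = [{"id": "role-dir-read", "value": "Directory.Read.All"},
                   {"id": "role-mail-read", "value": "Mail.Read"}]
GRANTS = [{"clientId": CLIENT_SP, "consentType": "AllPrincipals", "resourceId": "graph-0001",
           "scope": "Directory.Read.All User.Read.All User.Read offline_access"}]
BEFORE_STEP_10 = []                                   # no application permission assigned yet
AFTER_STEP_10 = [{"principalId": CLIENT_SP, "resourceId": "graph-0001", "appRoleId": "role-dir-read"}]

if __name__ == "__main__":
    print(audit(GRANTS, BEFORE_STEP_10, CLIENT_SP, GRAPH_APP_ROLES))
    print(audit(GRANTS, AFTER_STEP_10, CLIENT_SP, GRAPH_APP_ROLES))
```

Against a live tenant, feed the function the JSON "value" arrays returned by the servicePrincipals/{id}/oauth2PermissionGrants and servicePrincipals/{id}/appRoleAssignments endpoints, plus the Microsoft Graph service principal's appRoles list.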