Azure Active Directory (AD) Target Directory Integration enables you to synchronise your Azure AD directories to your CanIPhish account. When an individual is added to an AD security group, that individual will automatically be synchronised to the relevant CanIPhish target listings. This document describes how to synchronise Azure AD security groups to CanIPhish. This will automate the process of adding or removing users from phishing campaigns.
Note: An Azure Active Directory tenant is required. You will also need a security group within Azure AD that contains all users that you would like to participate in phishing simulations.
Integrating with CanIPhish
To integrate your Azure AD Directory with CanIPhish, log in to your account and navigate to Targets > Target Directory Sync.
Make sure Azure AD is selected and then input a unique Directory Name. Once provided, click Sign in with Microsoft.
If your browser doesn't already have an active Microsoft/Azure AD session, you'll be prompted to log in via the Microsoft login portal. Once signed in, you'll be prompted to authorise the CanIPhish Azure Connector to access several APIs within your Microsoft/Azure AD account. Make sure all scopes are approved and then click 'Continue' to authorise the access.
Note: Access to all scopes is required to successfully set up the integration. Click here to understand in further detail what information we're accessing.
Once authorised, you'll be immediately redirected to the CanIPhish Target Users page and notified of the status of the integration. You should see a success notification at the top right-hand side of your screen, along with the directory being visible as 'Active'.
Once synchronised, you will be able to create a new target listing that leverages security groups within that directory. To set up your first target listing, exit the directory synchronisation view and click on New Target List.
Specify a Target Name, click on Directory Import and select the Target Directory synced in the previous step. Wait up to 30 seconds for the Directory Groups to load, select one or more Groups for CanIPhish to sync with, and then click Sync Directory Targets.
Note: You can also optionally map the Directory Attributes to data points that CanIPhish will pull down for each user - by default CanIPhish will select this but you are free to customise.
Once synchronised, your users will appear in the data table. When you are happy that the required users have been synchronised with CanIPhish, simply click Save.
All done!!! CanIPhish will synchronise any changes in your directory groups to your CanIPhish target listing every 24 hours. To action changes earlier than that, simply manually update the target listing and resynchronise the directory group across.
Appendix: Additional Information on Microsoft API Scopes
We'll be accessing APIs that allow us to read information relating to directory groups, group members and individual users. Additionally, we'll read information from your Microsoft profile so we can determine what user has authorised the API access, which will then be readable within your CanIPhish tenant. The below table outlines the scopes we're accessing in detail:
Provides CanIPhish with access to read directory data such as groups, users and user information.
Provides CanIPhish with access to read the profile of the user authorising the CanIPhish client application. This is necessary for CanIPhish to understand who the authorising user is.
Allows CanIPhish to maintain read-only access to the scopes mentioned above. This is necessary so CanIPhish can periodically poll your Azure groups and understand if any new users have been added or if users have been removed.
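One way to confirm after consent that the connector holds only the read-only access described above is to audit the delegated grants returned by Microsoft Graph's `oauth2PermissionGrants` endpoint. This is an added example, not CanIPhish's or Microsoft's code. It assumes the integration uses delegated permissions; the sample response is constructed, and the expected scope names are an assumption matched to the three descriptions, since the page does not name them.

```python
import json

# Constructed sample of a Graph /oauth2PermissionGrants response (placeholder IDs).
SAMPLE_GRANTS = json.loads("""
{"value": [
  {"clientId": "00000000-0000-0000-0000-0000000000a1",
   "consentType": "Principal",
   "principalId": "00000000-0000-0000-0000-0000000000b1",
   "scope": "Directory.Read.All User.Read offline_access"},
  {"clientId": "00000000-0000-0000-0000-0000000000a2",
   "consentType": "AllPrincipals",
   "principalId": null,
   "scope": " User.Read Directory.ReadWrite.All Mail.Send"}
]}
""")

# Assumption: scopes matching "read directory data", "read the authorising
# user's profile" and "maintain access". Replace with what your consent shows.
EXPECTED_SCOPES = {"Directory.Read.All", "User.Read", "offline_access"}

# Substrings that indicate a scope can change or send data.
WRITE_MARKERS = ("write", "send", "manage", "full")


def audit_grant(grant, expected=EXPECTED_SCOPES):
    """Compare one delegated grant against the expected read-only scope set."""
    scopes = set((grant.get("scope") or "").split())
    unexpected = sorted(scopes - expected)
    write_capable = sorted(
        s for s in scopes if any(m in s.lower() for m in WRITE_MARKERS)
    )
    return {
        "clientId": grant.get("clientId"),
        # AllPrincipals means admin consent on behalf of every user.
        "tenant_wide": grant.get("consentType") == "AllPrincipals",
        "missing": sorted(expected - scopes),  # integration needs all scopes
        "unexpected": unexpected,
        "write_capable": write_capable,
        "ok": not unexpected and not write_capable,
    }


def audit(response):
    """Audit every grant in a parsed oauth2PermissionGrants response."""
    return [audit_grant(g) for g in response.get("value", [])]


if __name__ == "__main__":
    for finding in audit(SAMPLE_GRANTS):
        print(json.dumps(finding, indent=2))
```

To run it against a real tenant, filter the Graph response to the connector's service principal ID and pass the parsed JSON to `audit`.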