Configuring Azure AD and Microsoft 365 Sync

The Azure and Microsoft 365 (M365) sync allows you to store passwords and push password changes to Azure AD and Office 365 synced accounts. The tool will run as a service on the machine which it is installed, and periodically sync with the Passportal cloud.

You will only need to install the Azure AD M365 agent if you do not have these account linked to an existing local AD environment already. If the M365 accounts are linked already to a local AD account, then the standard AD agent is all that is required and will not interfere with that plugin. The Azure AD and M365 integration only needs to be deployed if you are working with cloud Azure AD M365.

Predominantly, this setup is used where the Blink product is also in use, allowing end-users to reset their own passwords in AzureAD/M365.

This is only a one-way push/sync - from Passportal to Azure AD and/or Microsoft 365. Any changes made directly in Azure AD or M365 would be overwritten with the current value in Passportal.

The Folder Path and Org Units Filter functions as described in the Active Directory Integration topic are not compatible with AzureAD due to the one-way sync nature of the integration.

Prerequisites

  • 64-bit OS
  • Supports TLS 1.2. More information on which versions of windows server support which TLS protocols can be found in this article
  • If not current or installed, the agent will also deploy C++ 2015 Redistributable (64-bit version) and .NET 4.5 or newer during the install
  • Port 7771 / 7777 must be open

Setup - The admin account that the Passportal Agent uses to connect must have the Credential Type permission Azure/M365 Admin within Passportal.

AD sync is set by default to update the password on Azure AD and M365, if it is changed in Passportal. However, this can be changed at the password level (individual passwords may have their own settings). The two modes are:

  • Report Mismatches: This mode is a passive monitoring mode. It will attempt to match username/password pairs in Passportal with their equivalent usernames and passwords on the server. If there are any discrepancies (such as the password being changed by the user or in Azure AD and/or M365) then the tool will flag that password entry. The flag will appear on the password, the client and on the dashboard prompting users to update the information accordingly within Passportal.
  • Enabled. This mode directly changes passwords on the Microsoft service. This is only a one-way push/sync - from Passportal to Azure AD and/or M365. Any changes made directly in Azure AD or M365 would be overwritten with the current value in Passportal.

Moving from Report Mismatches to Enabled would apply the password in Passportal to Azure AD and M365, so ensure that these changes are made prior to this switch.

General Functionality

  • Azure AD Agent can be installed on any computer, preferably a device that is online the majority of the time (offline computer means no sync). This is usually a domain controller.
  • Azure AD Agent is not supported when the partner has on premise AD as we only support one version of agent per client in Passportal.
  • If the partner has on premise AD and Azure, we would recommend the setup for on premise AD, and then rely on another sync method, such as Microsofts Azure AD Connect to handle the sync between local AD and AzureAD.
  • Since the Azure AD Sync is only one-way sync (Passportal to Azure) we do not recommend anyone sync their end user passwords into Passportal as those end users will no longer be able to change their passwords on Azure as Passportalwould overwrite the password in Azure as we did not receive the password change in Passportal.

AzureAD and Blink Usage Information

  • When you install the AzureAD agent on any system, and go to User Management > Blink User Setup you will see the AD Structure of the system (if it is a workgroup computer, you will see the default accounts, such as Administrator). At the bottom of the list you should then also see a list of email addresses - it is these which are specifically the Azure AD Email addresses.

  • You can create these Azure AD Accounts in Passportal as Blink Users, which does not mean that those passwords need to sync into Passportal, just simply that there is a connection between Blink, the Azure AD Agent and AzureAD.
  • When a user then clicks Reset Password on the Blink app, the request is sent to the Azure AD Agent, which then processes a password change and syncs that change to Azure AD
  • When the password has been changed and synced to Azure AD, the user then receives the new password in Blink on their phone.
  • They will then be able to sign into Azure AD, and will be able to change their password if required.
  • The MSP will not be able to sync these passwords into Passportal due to the one-way sync.

AD Setup

  1. Enable Windows Sync for the client

It is not possible to pull user Passwords from Azure AD and M365 to pre-seed data into Passportal. You will need to add accounts manually in Passportal, then enable Windows Sync.

  1. Install the Windows Agent on a device in the infrastructure
  2. Once the Windows Agent has been downloaded, transfer the installer to the Domain Controller and launch the installer using Setup.exe

  3. Click Next

  4. Read the License Agreement, click the I Agree radio button, and then click Next

  5. Accept the default target Install Folder or enter a preferred location. Leave the Everyone radio button selected. Click Next

  6. Select the Agent with AzureAD Integration radio button and then click Next

  7. Select the Do not auto install on any secondary DCs radio button and then click Next

    8. The AzureAD Integration communicates with the AzureAD instance automatically using the AzureAD credentials entered later in step 13.

  8. Enter the IP Address of the Primary DC

  9. Confirm the Install by clicking Next.

  10. The Windows Agent will now install. Once completed, you will be prompted to reboot the Domain Controller to enable 2-Way Password Sync. This does not need to be done immediately, and clicking OK will not cause a reboot to happen. Please ensure the Domain Controller is rebooted at a suitable time. Click Close in the main dialog, to close the installer.

  11. You are now prompted to install any missing components required for the integration to function. Launch is the option to install missing components. Follow on-screen prompts to complete these installs. Click Continue next to Run the Passportal Agent Config Utility to continue when ready.

  12. The Windows Agent application will launch to continue with its configuration - Enter the Agent Install Key for the Client and your Organization Keyand click Authenticate

    13. The account used for authentication needs to have the Permission Setup AD Sync in order to authenticate.

  13. A message advising you have Successfully Authenticated is displayed, along with the Passportal Client name - Click Continue
  14. Enter the credentials of an Admin Account for AzuseAD/M365, and click Continue.

  15. You are now prompted to enter the Windows Service Account which will be used to run the Passportal and PassportalUpdater services. This account needs to exist already in AzureAd/M365. Attempting to create one at this stage will generate errors. Enter the appropriate credentials and then click Save and Start Agent.

  16. Once the Windows Agent has been installed, we recommend you verify that the Passportal agent is working by going to services and ensuring the Passportal services are running.

  17. Repeat the install for each device where the Agent is required.
  18. Once all devices have the Agent installed, you can start adding Azure AD and M365 accounts into Passportal. Once the credentials are present in Passportal, you will need to enable Windows Sync for each one individually within the client:
    1. Click Edit Password in the Actions column of the Credentials List.
    2. Select Enabled in the Windows Sync drop-down menu (This option is only present when the client has Windows Sync enabled).
    3. Click Save.

      4. Alternatively, you can also elect to have passwords only alert you to an AD mismatch, by selecting Report Mismatches. Resolving these alerts is a manual update to the credential.

AD Setup

  1. Enable Windows Sync for the client

It is not possible to pull user Passwords from Azure AD and M365 to pre-seed data into Passportal. You will need to add accounts manually in Passportal, then enable Windows Sync.

  1. Install the Windows Agent on a device in the infrastructure
  2. Once the Windows Agent has been downloaded, transfer the installer to the Domain Controller and launch the installer using Setup.exe

  3. Click Next

  4. Read the License Agreement, click the I Agree radio button, and then click Next

  5. Accept the default target Install Folder or enter a preferred location. Leave the Everyone radio button selected. Click Next

  6. Select the Agent with AzureAD Integration radio button and then click Next

  7. Select the Do not auto install on any secondary DCs radio button and then click Next

    8. The AzureAD Integration communicates with the AzureAD instance automatically using the AzureAD credentials entered later in step 13.

  8. Confirm the Install by clicking Next.

  9. The Windows Agent will now install. Once completed, you will be prompted to reboot the Domain Controller to enable 2-Way Password Sync. This does not need to be done immediately, and clicking OK will not cause a reboot to happen. Please ensure the Domain Controller is rebooted at a suitable time. Click Close in the main dialog, to close the installer.

  10. You are now prompted to install any missing components required for the integration to function. Launch is the option to install missing components. Follow on-screen prompts to complete these installs. Click Continue next to Run the Passportal Agent Config Utility to continue when ready.

  11. The Windows Agent application will launch, to continue with its configuration. Authenticate with your Passportal login details. Once you have entered your details, you will see a message advising you have Successfully Authenticated. Click Refresh next client to populate the dropdown menu with the clients in Passportal and then select the appropriate client. Click Continue.

  12. The account used for authentication needs to have the Permission Setup AD Sync in order to authenticate.

  13. Enter the credentials of an Admin Account for AzuseAD/M365, and click Continue.

  14. You are now prompted to enter the Windows Service Account which will be used to run the Passportal and PassportalUpdater services. This account needs to exist already in AzureAd/M365. Attempting to create one at this stage will generate errors. Enter the appropriate credentials and then click Save and Start Agent.

  15. Once the Windows Agent has been installed, we recommend you verify that the Passportal agent is working by going to services and ensuring the Passportal services are running.

  16. Repeat the install for each device where the Agent is required.
  17. Once all devices have the Agent installed, you can start adding Azure AD and M365 accounts into Passportal. Once the credentials are present in Passportal, you will need to enable Windows Sync for each one individually within the client:
    1. Click Edit Password in the Actions column of the Credentials List.
    2. Select Enabled in the Windows Sync drop-down menu (This option is only present when the client has Windows Sync enabled).
    3. Click Save.

      4. Alternatively, you can also elect to have passwords only alert you to an AD mismatch, by selecting Report Mismatches. Resolving these alerts is a manual update to the credential.