Configuring Azure AD and Office 365 Sync

The Azure and O365 sync allows you to store passwords and push password changes to Azure AD and Office 365 synced accounts. The tool will run as a service on the machine which it is installed, and periodically sync with the Passportal cloud.

You will only need to install the Azure AD Office 365 agent if you do not have these account linked to an existing local AD environment already. If the Office 365 accounts are linked already to a local AD account, then the standard AD agent is all that is required and will not interfere with that plugin. The Azure AD and Office 365 integration only needs to be deployed if you are working with cloud Azure AD Office 365.

Predominantly, this setup is used where the Blink product is also in use, allowing end-users to reset their own passwords in AzureAD/Office365.

This is only a one-way push/sync - from Passportal to Azure AD and/or Office 365. Any changes made directly in Azure AD or Office 365 would be overwritten with the current value in Passportal.

The Folder Path and Org Units Filter functions as described in the Active Directory Integration topic are not compatible with AzureAD due to the one-way sync nature of the integration.

Prerequisites

  • 64-bit OS
  • Supports TLS 1.2. More information on which versions of windows server support which TLS protocols can be found in this article
  • If not current or installed, the agent will also deploy C++ and .NET 4.5 or newer during the install.

Setup - The admin account that the Passportal Agent uses to connect must have the Credential Type permission Azure/Office365 Admin within Passportal.

AD sync is set by default to update the password on Azure AD and Office 365, if it is changed in Passportal. However, this can be changed at the password level (individual passwords may have their own settings). The two modes are:

  • Report Mismatches: This mode is a passive monitoring mode. It will attempt to match username/password pairs in Passportal with their equivalent usernames and passwords on the server. If there are any discrepancies (such as the password being changed by the user or in Azure AD and/or Office 365) then the tool will flag that password entry. The flag will appear on the password, the client and on the dashboard prompting users to update the information accordingly within Passportal.
  • Enabled. This mode directly changes passwords on the Microsoft service. This is only a one-way push/sync - from Passportalto Azure AD and/or Office 365. Any changes made directly in Azure AD or Office 365 would be overwritten with the current value in Passportal.

Moving from Report Mismatches to Enabled would apply the password in Passportal to Azure AD and Office 365, so ensure that these changes are made prior to this switch.

AD Setup

  1. Enable Windows Sync for the client.

It is not possible to pull user Passwords from Azure AD and Office 365 to pre-seed data into Passportal. You will need to add accounts manually in Passportal, then enable Windows Sync.

  1. Install the Windows Agent on a device in the infrastrucure.
  2. Once the Windows Agent has been downloaded, transfer the installer to the Domain Controller and launch the installer using Setup.exe.

  3. Click Next.

  4. Read the License Agreement, click the I Agree radio button, and then click Next.

  5. Accept the default target Install Folder or enter a preferred location. Leave the Everyone radio button selected. Click Next.

  6. Select the Agent with AzureAD Integration radio button and then click Next.

  7. Enter the IP Address of the device being installed on as the Primary Domain Controller IP (and the Listener Port number if not using the default port 7771). Click Next.

    8. The AzureAD Integration communicates with the AzureAD instance automatically using the AzureAD credentials entered later in step 13. The local IP is needed in order for Passportal to communicate with the Agent.

  8. Confirm the Install by clicking Next.

  9. The Windows Agent will now install. Once completed, you will be prompted to reboot the Domain Controller to enable 2-Way Password Sync. This does not need to be done immediately, and clicking OK will not cause a reboot to happen. Please ensure the Domain Controller is rebooted at a suitable time. Click Close in the main dialog, to close the installer.

  10. You are now prompted to install any missing components required for the integration to function. Launch is the option to install missing components. Follow on-screen prompts to complete these installs. Click Continue next to Run the Passportal Agent Config Utility to continue when ready.

  11. The Windows Agent application will launch, to continue with its configuration. Authenticate with your Passportal login details. Once you have entered your details, you will see a message advising you have Successfully Authenticated. Click Refresh next client to populate the dropdown menu with the clients in Passportal and then select the appropriate client. Click Continue.

  12. The account used for authentication needs to have the Permission Setup AD Sync in order to authenticate.

  13. Enter the credentials of an Admin Account for AzuseAD/Office365, and click Continue.

  14. You are now prompted to enter the Windows Service Account which will be used to run the Passportal and PassportalUpdater services. This account needs to exist already in AzureAd/Office365. Attempting to create one at this stage will generate errors. Enter the appropriate credentials and then click Save and Start Agent.

  15. Once the Windows Agent has been installed, we recommend you verify that the Passportal agent is working by going to services and ensuring the Passportal services are running.

  16. Repeat the install for each device where the Agent is required.
  17. Once all devices have the Agent installed, you can start adding Azure AD and Office 365 accounts into Passportal. Once the credentials are present in Passportal, you will need to enable Windows Sync for each one individually within the client:
    1. Click Edit Password in the Actions column of the Credentials List.
    2. Select Enabled in the Windows Sync drop-down menu (This option is only present when the client has Windows Sync enabled).
    3. Click Save.

      4. Alternatively, you can also elect to have passwords only alert you to an AD mismatch, by selecting Report Mismatches. Resolving these alerts is a manual update to the credential.