Configuring Azure AD and Microsoft 365 Sync

The Azure and Microsoft 365 (M365) sync allows you to store passwords and push password changes to Azure AD and Office 365 synced accounts. The tool runs as a service on the machine on which it is installed and periodically syncs with the Passportal cloud.

You only need to install the Azure AD M365 agent if these accounts are not already linked to an existing local AD environment. If the M365 accounts are already linked to a local AD account, the standard AD agent is all that is required, and it will not interfere with that plugin. The Azure AD and M365 integration only needs to be deployed if you are working with cloud-only Azure AD / M365 accounts.

Predominantly, this setup is used where the Blink product is also in use, allowing end-users to reset their own passwords in AzureAD/M365.

This is only a one-way push/sync - from Passportal to Azure AD and/or Microsoft 365. Any changes made directly in Azure AD or M365 would be overwritten with the current value in Passportal.

The Folder Path and Org Units Filter functions as described in the Active Directory Integration topic are not compatible with AzureAD due to the one-way sync nature of the integration.

Prerequisites

  • 64-bit OS
  • Supports TLS 1.2. More information on which versions of Windows Server support which TLS protocols can be found in this article
  • If they are not already installed or current, the agent installer also deploys C++ and .NET 4.5 or newer during the install
  • Port 7771 / 7777 must be open

Setup

The admin account that the Passportal Agent uses to connect must have the Credential Type permission Azure/M365 Admin within Passportal.

AD sync is set by default to update the password on Azure AD and M365 whenever it is changed in Passportal. However, this can be changed at the password level (individual passwords may have their own settings). The two modes are:

  • Report Mismatches: This mode is a passive monitoring mode. It will attempt to match username/password pairs in Passportal with their equivalent usernames and passwords on the server. If there are any discrepancies (such as the password being changed by the user or in Azure AD and/or M365) then the tool will flag that password entry. The flag will appear on the password, the client and on the dashboard, prompting users to update the information accordingly within Passportal.
  • Enabled: This mode directly changes passwords on the Microsoft service. This is only a one-way push/sync - from Passportal to Azure AD and/or M365. Any changes made directly in Azure AD or M365 would be overwritten with the current value in Passportal.

Moving from Report Mismatches to Enabled would apply the password in Passportal to Azure AD and M365, so ensure that these changes are made prior to this switch.
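As an added illustration (not Passportal's code; the agent's real mechanism is not documented on this page), the following Python model shows how the two modes above treat the same discrepancy, and why the caveat in General Functionality about end-user passwords holds: a password changed directly in the directory is flagged under Report Mismatches but silently reverted under Enabled. The account names, passwords and the hash-based verifier are constructed stand-ins.

```python
import hashlib


def verifier(password: str) -> str:
    # Constructed stand-in for the directory's credential check. A real
    # directory never exposes password hashes; it only accepts or rejects
    # a sign-in attempt, which is what the agent's comparison relies on.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample data: what the MSP stored in Passportal, and what the
# cloud directory currently accepts. "bob" changed his own password in
# Azure AD after Passportal last saw it; the other two are in step.
PASSPORTAL = {
    "alice@example.com": "Autumn-Leaf-42",
    "bob@example.com": "Old-Bob-Pw-1",
    "carol@example.com": "Carol-Pw-7",
}
AZURE = {
    "alice@example.com": verifier("Autumn-Leaf-42"),
    "bob@example.com": verifier("New-Bob-Pw-2"),
    "carol@example.com": verifier("Carol-Pw-7"),
}


def report_mismatches(passportal: dict, azure: dict) -> list:
    """Passive mode: flag entries whose stored password no longer works."""
    return sorted(u for u, pw in passportal.items()
                  if u in azure and azure[u] != verifier(pw))


def safe_to_enable(passportal: dict, azure: dict) -> bool:
    """Pre-flight for switching modes: only flip to Enabled once nothing is flagged."""
    return not report_mismatches(passportal, azure)


def enabled_sync(passportal: dict, azure: dict) -> list:
    """Enabled mode: one-way push; returns the accounts whose directory
    password was overwritten with Passportal's value."""
    pushed = []
    for u, pw in passportal.items():
        if u in azure and azure[u] != verifier(pw):
            azure[u] = verifier(pw)  # bob's self-service change is lost here
            pushed.append(u)
    return sorted(pushed)
```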

General Functionality

  • Azure AD Agent can be installed on any computer, preferably a device that is online the majority of the time (offline computer means no sync). This is usually a domain controller.
  • Azure AD Agent is not supported when the partner has on-premises AD, as we only support one version of the agent per client in Passportal.
  • If the partner has on-premises AD and Azure, we recommend the setup for on-premises AD and then relying on another sync method, such as Microsoft's Azure AD Connect, to handle the sync between local AD and AzureAD.
  • Since the Azure AD Sync is only a one-way sync (Passportal to Azure), we do not recommend syncing end-user passwords into Passportal. Those end users would no longer be able to change their passwords in Azure, because Passportal does not receive the change and would overwrite the password in Azure with its own stored value.

AzureAD and Blink Usage Information

  • When you install the AzureAD agent on any system and go to User Management > Blink User Setup, you will see the AD structure of the system (if it is a workgroup computer, you will see the default accounts, such as Administrator). At the bottom of the list you should also see a list of email addresses; these are specifically the Azure AD email addresses.
  • You can create these Azure AD Accounts in Passportal as Blink Users, which does not mean that those passwords need to sync into Passportal, just simply that there is a connection between Blink, the Azure AD Agent and AzureAD.
  • When a user then clicks Reset Password in the Blink app, the request is sent to the Azure AD Agent, which processes a password change and syncs that change to Azure AD.
  • When the password has been changed and synced to Azure AD, the user then receives the new password in Blink on their phone.
  • They will then be able to sign into Azure AD, and will be able to change their password if required.
  • The MSP will not be able to sync these passwords into Passportal due to the one-way sync.