Azure Active Directory Sync
Proofpoint Essentials DOES NOT support GCC High Azure or AD Setups.
Please note:
- These steps have been updated based on the current version of Azure
- The account creating the credentials must be a Global Administrator.
- Keep in mind the Legacy API at the bottom of the New Registration page also works.
- Proofpoint Essentials currently supports the Home and Business plans for Azure.
- Do not use AD Sync and Azure Sync together. (remove all configuration from AD Sync if migrating to Azure Sync)
Customers hosted on Office 365 may prefer to use Azure Active Directory to sync users and groups to Proofpoint Essentials. This will allow you to import:
• Active users (including both primary email address and user aliases)
• Distribution Groups
• Security groups
Proofpoint Essentials only allows connection to one AD at a time. Multiple sources cannot be managed at this time
Video Tutorial Available
We have a video tutorial that walks through all these steps. Take at look: https://youtu.be/4YfL-e33K2A
Step 1: Creating The Custom Application In Azure
- Login to your Microsoft Azure portal as an admin user through https://aad.portal.azure.com
- Navigate to Azure Active Directory > App Registrations > + New Registration>
- Enter a name for the application (i.e. Proofpoint Essentials Azure Sync).
- Under Supported account types leave the default of Accounts in this organizational directory only (COMPANY NAME).
- Under the Redirect URI (optional)
- Leave the default of Web.
- Enter the appropriate Proofpoint Essentials interface URL (US1, US2, US3, US4, US5, EU1) (i.e. https://us1.proofpointessentials.com or https://us3.proofpointessentials.com etc.)
- Click Register.
You will now be able to view this app from the App Registrations view.
- Copy your Application ID for future use. This will be the Application ID in Proofpoint Essentials.
Permissions
Azure Active Directory Graph under Supported Legacy APIs can work with existing setups. For new setups, or if your old setup is on the Azure AD Graph, you should use the Microsoft Graph API. This is the Microsoft Graph API at the top of the page. If your credentials stop working, or you get the error, "Failed to connect. Please check your Azure Credential" it could be you are pointed to the older legacy API (Azure Active Directory Graph). In this case you will need to setup the Microsoft API Graph.
Additionally, If you get the credentials error- "We have come across a problem, and cannot continue. Please contact support quoting 'code displayed here' if this problem persists." Please create a new Azure App on the Azure admin area and then add the credentials into the PPE portal under "Administration- User Management- Import & Sync- Azure Directory sync. Once entered click Save. Sync can then be run without error.
End of life for the Azure Active Directory Graph is June 30th, 2020. Click here for more details.
- In the Application ID just created, click on API Permissions > Add a permission > Microsoft API Graph.
- Ensure the following permissions are checked:
You will want to click Add Permissions once more and choose Application Permissions.
-
Delegated Permissions:
- Directory
- Directory.Read.All
- Group
- Group.Read.All
- User
- User.ReadBasic.All
- Directory
-
Application Permissions:
- Directory
- Directory.Read.All
- Directory
-
Delegated Permissions:
- Select Add Permissions (at the bottom).
- Select Grant Admin Consent for <Company Name>.
- Select Yes at the top.
Key (Secret)
- Navigate to Certificates and Secrets > + New Client Secret.
- Enter a Key Description. (***See IMPORTANT 'Value' note below***)
- Choose a duration.
- Click Add.
The Value will be displayed when you save the changes. Copy down the Value field, as you will NOT be able to retrieve it after leaving the page. The Value (in Azure AD page) will be put into the Client Secret Key field in Proofpoint Azure Sync page. You will get the Application ID needed to complete the credentials in the Proofpoint field Application (client) ID from the Overview area inside the connection.
This Key WILL EXPIRE at the end of the selected duration period. After that period of time A NEW SECRET KEY needs to be generated again.
In Azure AD- sign in must be enabled for accounts to be active and mail to flow.
White-label customers may need to do an approval/consent of applications. They would be asked to give consent via cloud-protect.net. If using standard Proofpoint Essentials settings this may not be an issue.
Step 2: Configuring Azure Within Proofpoint Essentials Interface
After logging into your Proofpoint Essentials interface (such as https://us1.proofpointessentials.com):
- Navigate to Administration > User Management > Import & Sync > Azure Active Directory.
- Set the Default New User Role to either End User or Silent User.
End Users Can login to the Proofpoint Admin Console and receive Quarantine Digests. Silent Users Do not have access to the Proofpoint Essentials Admin console, nor do they receive Quarantine Digests by default, but can enabled. - Enter the below information:
Primary Domain The Primary Domain associated with your Office 365 organization custom Azure web application. Client ID The unique identifier which is generated with the creation of the web application. Secret ID The secret value which is generated with the creation of the secret key. - Choose What to Sync by checking/unchecking the following fields:
- Active Users
- Distribution Groups
- Security Groups
- Choose How to Sync by checking/unchecking the following fields:
Add Users Creates new user accounts for newly synced active users. Update Users Updates existing user accounts for previously synced mailboxes. Add Groups Creates new groups/functional accounts for newly synced groups. Update Groups Updates existing groups for previously synced groups. Remove Deleted Users Removes user accounts for mailboxes that no longer exist. Remove Deleted Groups Removes groups/functional accounts for groups that no longer exist. - Choose When to Sync by selecting from the options under the Sync Frequency dropdown menu.
- 1 hour
- 3 hours
- 6 hours
- 12 hours
- 24 hours
If there is no Tech Contact defined in your Proofpoint Essentials Dashboard (Administration- Account Management- Profile-Tech Contact) eventually the system will change the Azure Active Sync Frequency back to the Never setting automatically.
There will be a report that is sent daily called the Azure AD Summary report that cannot be disabled. This is due to notify that the service is running and is a system audit. The only way to stop these is to set the frequency of the sync to never.
7. Click Save at the bottom of the page. The page will refresh and a prompt will confirm that the settings have been saved.
Press Save Button
Do not press the Search Now immediately. Ensure that all your settings are saved first and save it. After it has saved, proceed with the Manual Sync below.
Manual Sync
Proxy Address
Accounts with no proxyAddresses assigned will not be detected by the Proofpoint Essentials Azure pull. If you do not find the email in the ProofPoint side, please check Azure to ensure at least 1 proxyAddress has been assigned.
Once you complete the above steps, Proofpoint Essentials will connect and sync data from your Office 365 environment based on the frequency you chose. You may want to execute a manual sync to validate the data being returned.
To perform an ad-hoc/manual Azure Active Directory sync:
- Navigate to Administration > User Management > Import & Sync > Azure Active Directory.
- Choose What to Sync (same as above).
- Choose How to Sync (same as above).
- Click Save & Run Sync Now.
The results of the sync will be organized into categories. You should review the results and uncheck any changes you do not want to take effect.
The automatic sync does not allow manual intervention to take place. Make sure the preferences defined on the Azure Active Directory page are accurate.
- Click Sync Active Directory.
Anything in the Adding, Updating, Disabling or Deleting section has not been changed yet. Thus it being called a summary page. This is what Active Directory wants Proofpoint Essentials to do. In order to make those changes you must hit the Sync Active Directory button for those changes to happen.
If you try to manually sync and encounter an error, check out our article Azure AD Permissions Error.
Ongoing Domains And User Maintenance
The Proofpoint Essentials Azure sync service will continue to function per the sync cycle. However, if new domains are added into Azure, and not the Proofpoint Essentials side, this could force some problems with the syncing.
- Automated sync: The system continues to sync based upon all domains found in the Account Management - Domains section. Only the users where the primary domain is one of the domains found here will be brought over.
- Manual sync: If new domains are found in Azure during a manual sync, the sync will fail and a red box appears indicating it found multiple domains associated in the customer's Azure. In order to run Azure manually, these domains will need to be added into the service. (If they have no mail flow with Proofpoint Essentials, then can be added in as Management domains.)
SHARED MAILBOXES AND DISTRIBUTION GROUPS
Some email addresses will not require a license, i.e. shared mailboxes or a user that has left the company.
Sometimes some Shared Mailboxes will come over as users. Please see how to convert a user to a shared mailbox.
If a user leaves the organization, but still need to maintain mail flow, the address needs to remain active, but you can convert it to a functional account. Please also ensure that you exempt this address from syncing.
We do not currently support Dynamic Distribution Lists
How To Log In With A Microsoft Account
Prerequisites:
- You must have user with valid email Microsoft credentials.
- A matching email/alias account in Proofpoint Essentials.
- Enable Microsoft account login, ensure Disable login with Microsoft credentials is disabled under Administration > User Management > Import & Sync > Azure Active Directory
Logging In With Microsoft 365
PROCEDURE
- Go to your Proofpoint Essentials account login page.
- Enter your Username (email address) and click Login.
- You will be redirected to a Microsoft account login page.
- Enter your Microsoft credentials.
- If successful, login will redirect you back to Proofpoint Essentials and you will be automatically signed into your account.
Enabling this feature will direct all users (including administrators) to login using their Microsoft account. If Microsoft is unavailable, users will be redirect to the Proofpoint Essentials account login page and asked to login with their Proofpoint Essentials credentials.
If there is a problem with the Microsoft SSO, a custom parameter can be passed to utilize standard essentials authorization.
US
Email Address = john.jones@test.com
https://us1.proofpointessentials.com...?main=1&email=EMAIL_ADDRESS
Example: https://us1.proofpointessentials.com/app/login.php?main=1&email=John.Jones@test.com
EU
Email Address = john.jones@test.com
https://eu1.proofpointessentials.com...?main=1&email=EMAIL_ADDRESS
Example: https://eu1.proofpointessentials.com/app/login.php?main=1&email=John.Jones@test.com
Manual Login With Microsoft Account
We will continue to allow users to manually authenticate using their Microsoft account.
PROCEDURE
- Go to your Proofpoint Essentials account login page.
- Enter your Username (email address) and click Login.
- Click Sign in with Microsoft.
- You will be redirect to a Microsoft account login page.
- Enter your Microsoft credentials.
- If successful, login will redirect you back to Proofpoint Essentials and you will be automatically signed into your account.
2FA - Phone Number
With the addition of 2-Factor Authentication, the Proofpoint Essentials service will require the phone number field to be populated, specifically the Mobile Number field. If this field is not populated in the Azure Service/User Profile, the user will not be able to use the 2FA service and will just fail trying to log in, since no code can be sent.
If you are using the 2FA service, please ensure at the minimum all admin level accounts in Proofpoint Essentials have their mobile numbers set on your Azure system properly.
FAQ
Connection Status
Proofpoint has added in a status field on Azure. The box will either be green or grey.
- Green - successful connection
- Grey - not verified on last successful connection
- Timestamp - This is the last time the system was able to successful connect manually
You can get this green by running a manual sync, which will then update the timestamp. A grey status does not mean the sync is not running.
Carlos Rios
Comments