Evo Security syncs with Azure Active Directory (AAD, now Microsoft Entra ID) via the Microsoft Entra admin center.
The service scans periodically throughout the day to detect changes to existing users, or new users, that need to be synced to your instance of Evo. The only user details synced are first name, last name, and email address. Passwords remain managed by your systems.
These instructions assume:
- Your organization is configured for Microsoft Azure Active Directory.
- You have admin access to the organization's Microsoft Azure Active Directory.
- All users have been created under Microsoft Azure Active Directory.
- All users have a unique email address.
- All users are a member of a group to be synced.
- NOTE: Additional or P1/P2 Azure licenses are NOT required for Evo Security Sync.
To set up Microsoft Azure Active Directory with Evo, you will use the Azure App Registration Sync. Follow the steps below to manually configure the Evo application in your organization's instance of Microsoft Azure Active Directory.
Part 1: Adding Azure Active Directory via app registration
This must be completed by an administrator of your Evo portal who is also an administrator of your organization's Microsoft 365 or Microsoft Azure account.
Configure Azure Active Directory
New app registration
- Open your favorite browser and navigate to Home - Microsoft Entra admin center.
- Log in as a Microsoft Azure administrator.
- From the Entra ID home screen, under the Applications tab, click App registrations.
- From App registrations, click New registration.
- Enter the name Evo Secure Login.
- Click Register.
- Open your favorite text editor. Copy and paste the following values from Azure into the text editor – do not close the editor.
  - Application (client) ID
  - Directory (tenant) ID
New client secret
- From the left-side navigation, click Certificates & secrets.
- Under Client secrets, click New client secret.
- Enter the description Evo Client Secret.
- From the Expires dropdown, select 24 months.
- Click Add.
- In your favorite text editor, copy and paste the Value into the editor – do not close the editor.
Before proceeding further, confirm that the Value was copied and pasted into the editor correctly: once you navigate away from this page, the secret value can't be retrieved again and a new secret would have to be created.
- Review all information for the application by navigating to Identity -> Applications -> App Registrations -> All applications, then click the Evo app you just created.
Microsoft Graph permissions
- From the left-side navigation, click API permissions.
- Click Add a permission.
- Click Microsoft Graph.
- Click Delegated permissions.
- In the search bar, under Select permissions, enter Directory.
- Expand Directory and check ReadWrite.All.
- Click Add Permission.
- Click Grant admin consent for <Your Organization>. Admin consent approves the permission for the application on behalf of the whole tenant, so this step is recorded in the tenant's audit log.
Azure Active Directory Permissions
- Navigate to Identity -> Roles & admins -> Roles & admins to open the Roles and administrators portal.
We’re going to add the Evo Secure Login to three (3) administrative roles.
Directory Readers
- In the Administrative roles search box, enter Directory.
- Click the role name for Directory Readers. This can be finicky. Be sure to click the role name, don’t simply check the box at the beginning of the row.
- Click Add assignments.
- In the Add assignments search bar, enter the app name of Evo Secure Login.
- From the search results, click Evo Secure Login.
- Click Add.
Directory Writers
- From the top navigation, click Roles and administrators.
- Click the role name for Directory Writers. This can be finicky. Be sure to click the role name, don’t simply check the box at the beginning of the row.
- Click Add assignments.
- In the Add assignments search bar, enter the app name of Evo Secure Login.
- From the search results, click Evo Secure Login.
- Click Add.
Helpdesk Admin or Global Admin
This assignment is specific to the Password Rotation capabilities within Evo.
- From the top navigation, click Roles and administrators.
- In the Administrative roles search box, enter either:
  - Helpdesk administrator: Grants Evo the ability to reset passwords for NON-administrator users and other helpdesk administrators.
  - Global administrator: Grants Evo the ability to reset passwords for ALL users.
- Click the role name. This can be finicky. Be sure to click the role name, don’t simply check the box at the beginning of the row.
- Click Add assignments.
- In the Add assignments search bar, enter the app name of Evo Secure Login.
- From the search results, click Evo Secure Login.
- Click Add.
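Part 1 hands a third-party service a long-lived secret plus tenant-wide permissions and roles, so it is worth confirming exactly what was granted and when the secret lapses. The following is an added example (not part of Evo's documentation) using the Microsoft Graph PowerShell SDK; it assumes the SDK is installed and that the app registration was named Evo Secure Login as above.

```powershell
# Added audit script (not Evo's code). Assumes the Microsoft.Graph module is installed
# and the app registration from Part 1 is named "Evo Secure Login".
Connect-MgGraph -Scopes "Application.Read.All", "RoleManagement.Read.Directory", "DelegatedPermissionGrant.Read.All"

$app = Get-MgApplication -Filter "displayName eq 'Evo Secure Login'"
if (-not $app) { throw "App registration 'Evo Secure Login' not found" }
$sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"

# 1. Client secret expiry: the 24-month secret created in Part 1 must be rotated
#    (and re-entered in Evo) before EndDateTime, or the sync silently stops.
$app.PasswordCredentials |
    Select-Object DisplayName, StartDateTime, EndDateTime,
        @{ n = 'DaysLeft'; e = { [int](($_.EndDateTime - (Get-Date)).TotalDays) } } |
    Format-Table -AutoSize

# 2. Delegated Graph scopes consented for the app. Expect Directory.ReadWrite.All;
#    any additional scope was not part of this procedure and should be explained.
Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" |
    Select-Object ConsentType, Scope |
    Format-Table -AutoSize

# 3. Directory roles held by the service principal. Expect Directory Readers,
#    Directory Writers and ONE of Helpdesk Administrator / Global Administrator.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)'" -ExpandProperty roleDefinition |
    Select-Object @{ n = 'Role'; e = { $_.RoleDefinition.DisplayName } }, DirectoryScopeId |
    Format-Table -AutoSize
```

Run it again after any change to the app, and put the DaysLeft value on a calendar so the secret is rotated before it expires.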
Part 2: Configure directory in Evo
Do you still have that text editor handy? Great, as we're about to need everything that was pasted into it.
Add Azure Active Directory
- From the left nav menu, select My Company. Alternatively, select Customers and choose a customer from the list.
- From the side navigation, click Directories.
- Select the Azure Active Directory tab.
- Click the Add New Directory button.
- Enter a directory name.
- Select the Azure App Registration Config and Sync toggle.
- From the text editor you have open, copy and paste the following:
  - Azure: Application (client) ID to Evo: Client ID
  - Azure: Directory (tenant) ID to Evo: Tenant ID
  - Azure: Value to Evo: Client Secret
- Optionally, to sync passwords set on users in Evo back to Azure, check Sync user passwords back to Azure AD. Once this option is checked, Evo will overwrite AAD users' passwords with the Evo users' passwords. Your end users will then need to log in to their email services (Outlook, webmail, mobile app, ...) with the new passwords.
- Click Sync Azure Active Directory.
Note: If you would like to use Azure AD federation only, refer to the article Federating Microsoft 365 domain with Azure AD for more information.
Group sync configuration
Now that the configuration is complete, the initial sync will result in ALL users being synced with Evo.
This may be acceptable, or there may be specific groups you'd like connected rather than everything.
- In the displayed list of directories, find the new Azure Active Directory just created. Click the pencil icon at the end of the row.
- Uncheck all groups that shouldn’t be syncing users over to Evo. Only the Checked groups will sync with Evo.
- Click Sync Azure Active Directory.
Now that you've completed the configuration for Azure Active Directory, your users will be able to authenticate with Evo. You can also close the text editor we used earlier; we're all done with it now.
If you’ve experienced any issues with the configuration, please contact us and we’re happy to help.