We share the video of the Workshop conducted by our technical team called "Users and Groups in SMARTFENSE." There we explain with a practical exercise the required setup for connecting to Microsoft Entra ID and Google Workspace (from minute 36:25).
To set up the connection with Microsoft Entra ID, it is necessary to enter the following data: domain, Application ID, and Application Secret Key. This data can be obtained by following the steps mentioned below.
Configuration Data
1. Log in to your Microsoft Entra ID portal: https://portal.azure.com/
2. Select the Microsoft Entra ID option from the left side menu.
3. Select the Manage > Custom domain names option from the left side menu.
4. Copy the domain name and paste it into the SMARTFENSE platform in the Domain field.
5. Go back to the Microsoft Entra ID portal and select the App registrations option.
6. Select the New Registration option from the top menu.
7. In the Name field, enter "SMARTFENSE".
8. Under Supported account types, select 'Accounts in this organizational directory only (SMARTFENSE only - single tenant)'.
9. Further down, under Redirect URI (optional), choose Web from the 'Select a platform' dropdown list and, in the field to the right, enter https://www.smartfense.com
10. Press the Register button.
11. Copy the value from the 'Application (client) ID' field corresponding to the application created in the previous step, and paste that value into the SMARTFENSE platform in the Application ID field.
12. Select the Response Redirect URI option from the General Information menu.
13. Add https://*.takesecurity.com/complete/azuread-oauth2/ as a new reply URL and then click Save. Replace the * with your instance's subdomain, or log into the platform and copy the link provided in the setup guide at step 13. You can find this under Users and Groups > Import and Sync > From Microsoft Entra ID: after pressing Save, scroll down to the bottom of the page and click on the Setup Guide button.
14. In the left-hand side menu, select the API Permissions option.
15. Click the + Add a permission button to enter the API Permissions Request menu.
16. In the API Permissions window, select Microsoft Graph.
17. Select the following permissions for the Microsoft Graph application:
- A) Delegated permissions:
- Directory.Read.All - Type: Delegated - Description: Read directory data
- User.Read - Type: Delegated - Description: Sign in and read user profile
- User.Read.All - Type: Delegated - Description: Read all users' full profiles
- User.Read.Basic.All - Type: Delegated - Description: Read all users' basic profiles
- B) Application permissions:
- Directory.Read.All - Type: Application - Description: Read directory data
Example of a delegated permission:
Example of an application permission:
18. Click on the Update permissions button in the Add API access section.
The added permissions appear as follows:
19. Click the Grant admin consent for... button
Confirm by clicking the YES button.
The configured permissions should appear as follows with the green checkmark:
20. In the left-hand side menu, select the Certificates & secrets option.
21. Click on + New client secret.
22. In the new right-hand side window: Add a client secret, enter 'SMARTFENSE' in the Description field.
23. In the Expires field, select Never expires if that option is offered; otherwise select the longest available period (for example, 24 months).
Warning: If you select an expiration date, keep in mind that once that date arrives, the connection will stop working and you will need to create the key again. For any ongoing campaign that requires user login, users will not be able to authenticate until you recreate the key and successfully verify the connection.
24. Copy the generated value. Note that it is shown only once and cannot be retrieved.
25. Paste the key value copied in the previous step on the SMARTFENSE platform under the Application secret key field.
26. Click the Check Connection button within the SMARTFENSE platform to verify that the configuration was successful.
Warning: Ad-blocking extensions like Ad-Block Plus often interfere with this test, so it is recommended to disable them when checking connectivity.
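The warning at step 23 is easy to forget once the secret is in place. The following script, an added example that is not SMARTFENSE code, lists every client secret on the app registration created above and flags those that have expired or are about to, so the key can be rotated before campaigns fail. It assumes the Microsoft Graph PowerShell SDK is installed and the caller is allowed to read application objects; the 30-day threshold is an assumption.

```powershell
# Added example (not SMARTFENSE code): audit client secrets of the "SMARTFENSE"
# app registration and report how many days remain before each one expires.
# Assumes the Microsoft.Graph module and a caller with Application.Read.All.
Connect-MgGraph -Scopes "Application.Read.All"

$appName  = "SMARTFENSE"   # display name entered in step 7
$warnDays = 30             # assumption: warn when fewer than 30 days remain

$apps = Get-MgApplication -Filter "displayName eq '$appName'"
if (-not $apps) { throw "No app registration named '$appName' was found." }

$now = Get-Date
foreach ($app in $apps) {
    foreach ($secret in $app.PasswordCredentials) {
        # EndDateTime is the expiry chosen in step 23
        $daysLeft = [math]::Floor(($secret.EndDateTime - $now).TotalDays)
        $state = if ($daysLeft -lt 0)          { "EXPIRED" }
                 elseif ($daysLeft -lt $warnDays) { "EXPIRING" }
                 else                            { "OK" }
        [pscustomobject]@{
            Application = $app.DisplayName
            ClientId    = $app.AppId          # the "Application (client) ID" from step 11
            Secret      = $secret.DisplayName # description given in step 22
            KeyId       = $secret.KeyId
            Expires     = $secret.EndDateTime
            DaysLeft    = $daysLeft
            State       = $state
        }
    }
}
```

Any row reported as EXPIRED or EXPIRING means steps 21 to 26 must be repeated with a new secret.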
Users
Once the data has been obtained and it has been verified that the connection was successful, you should continue with the user configuration and how you want to manage their import.
- Users to import: You can choose between two options: Import all users from the directory or Import only users that belong to certain groups. The option will be at the discretion of the platform administrator. If you choose to Import only users that belong to certain groups, you must specify the names of the groups to which the users belong in your Azure AD. Example: if the user group SMARTFENSE was created in your Azure AD and the users who will participate in the awareness plan were added there, you must enter the name of the group SMARTFENSE in the text box for Names of the groups to which the users to import belong.
Important: Loading the groups to which the users to be imported belong from your Azure AD does not create the groups in SMARTFENSE. It only imports the users.
- Users to exclude: You can choose between Do not exclude users or Exclude users. Only if you want to exclude users will you have the possibility to select the fields you want to evaluate at the time of import. Users who do not have a defined value in at least one of the fields to be considered will be excluded. Only users who have a defined value in all the fields to be considered will be imported. Example: if the fields "Employee ID" and "Language" are selected, only users who have a value assigned to both fields within the active directory will be imported.
- Users without email: You can choose between Do not import users who do not have a defined email in Azure or Import users who do not have a defined email in Azure. It allows defining what SMARTFENSE should do with those users who do not have a defined email address in Microsoft Azure AD. The default behavior does not import these users as the platform requires users to have an email for proper functioning in campaign delivery. If you still want to import them, you must select the option Import users who do not have a defined email in Azure.
- Create usernames from: Users imported through Azure AD have a username that uniquely identifies them within SMARTFENSE. The username can be created from:
- Mail nickname
- First part of the UPN (User Principal Name) up to the at symbol
- Full UPN (User Principal Name)
- User status: You can choose to Use status defined in SMARTFENSE or Reflect in SMARTFENSE the status of Azure’s users. If you select the option to use status defined in SMARTFENSE, the platform sets new users to active status. The status defined in SMARTFENSE is maintained for already imported users. If you select the option to reflect in SMARTFENSE the status of Azure AD users, the status of the users will be determined by the accountEnabled attribute of each of them.
- Users deleted in Azure: It allows deciding how users will be treated: Keep users removed from Azure without changes in SMARTFENSE or Deactivate Azure deleted users in SMARTFENSE. This defines what SMARTFENSE should do when a user previously imported into the platform is deleted in Azure AD. Either the user remains unchanged in SMARTFENSE, or the user is automatically deactivated.
Important: Only those users who have been deleted in Microsoft Azure AD within the last 30 days will be deactivated on the SMARTFENSE platform.
- Default Language: Default language applies only to users who do not have a defined language in Azure AD.
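Before saving the options above it helps to see how the directory users would actually fall under them. The following script, an added example that is not SMARTFENSE code, reads the members of the group named in "Users to import" and reports, per user, the values the options rely on: the two username candidates, whether an email is defined, the accountEnabled status, and which of the fields chosen under "Users to exclude" are empty. It assumes the Microsoft Graph PowerShell SDK; the group name "SMARTFENSE" and the required fields Employee ID and preferredLanguage are taken from the examples in the text.

```powershell
# Added example (not SMARTFENSE code): preview the import outcome for the members of the
# group configured under "Users to import", using the options described above.
# Assumes the Microsoft.Graph module and a caller with User.Read.All and GroupMember.Read.All.
Connect-MgGraph -Scopes "User.Read.All", "GroupMember.Read.All"

$groupName      = "SMARTFENSE"                          # group from the "Users to import" example
$requiredFields = @("EmployeeId", "PreferredLanguage")  # fields from the "Users to exclude" example
$props = @("id", "userPrincipalName", "mail", "mailNickname",
           "accountEnabled", "employeeId", "preferredLanguage")

$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' was not found in the directory." }

foreach ($member in (Get-MgGroupMember -GroupId $group.Id -All)) {
    # Group members may be devices or nested groups; only user objects are imported
    $u = Get-MgUser -UserId $member.Id -Property $props -ErrorAction SilentlyContinue
    if (-not $u) { continue }

    $missing = @($requiredFields | Where-Object { [string]::IsNullOrEmpty($u.$_) })
    $hasMail = -not [string]::IsNullOrEmpty($u.Mail)
    [pscustomobject]@{
        User          = $u.UserPrincipalName
        MailNickname  = $u.MailNickname                       # "Mail nickname" username option
        UpnPrefix     = ($u.UserPrincipalName -split '@')[0]  # "First part of the UPN" option
        HasMail       = $hasMail                              # "Users without email" option
        Enabled       = $u.AccountEnabled                     # "User status" option (accountEnabled)
        Language      = $u.PreferredLanguage                  # empty means "Default Language" applies
        MissingFields = ($missing -join ",")                  # non-empty means "Users to exclude" drops it
        WouldImport   = ($missing.Count -eq 0) -and $hasMail  # with the default "Users without email" choice
    }
}
```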
Groupings
Finally, you must indicate to the platform how you want to import the groups to which users belong in their Azure AD, and which fields in your Azure AD reference the Functional Areas and Levels of Hierarchy.
- Groups to import: You can select between Import Azure groups for each user and Do not import Azure AD groups for each user. If you choose to import groups, you can choose to Import all the groups whose names start with the indicated character string or Import only the groups whose names exactly match the entered character string. Example: if you want to import the groups to which users belong based on a string of characters, you can enter the name "Management" in the text box, and it will import the groups to which users belong that begin with the name "Management." If you select the option to import only groups whose names exactly match the entered string, you must enter the group name exactly as it appears in your Azure AD.
Important: The group filter allows you to import only those groups that are of interest to carry out your awareness program. This configuration does not affect which users will be imported; it only determines which groups from your directory will be created as SMARTFENSE groups. To manage user import, review the Users subsection.
Finally, you can select whether to import Functional Areas and Levels of Hierarchy from your Azure AD.
- Functional Areas: You must indicate to SMARTFENSE the Field in which the user's Functional Areas are stored in your Azure AD, and the Separator Character used when a user belongs to several functional areas.
- Levels of Hierarchy: You must indicate to SMARTFENSE the Field in which the user's Levels of Hierarchy are stored in your Azure AD, and the Separator Character used when a user has several levels of hierarchy.
Language Synchronization through Microsoft Azure AD
The field that synchronizes by default for all users on the SMARTFENSE platform is as follows: preferredLanguage.
You can get more information about the fields synchronized from Microsoft Azure AD to SMARTFENSE here: Which are the fields used for import and synchronization with Microsoft Azure Active Directory?
If you want all users in your Microsoft Azure AD to have the same language, the Azure AD administrator can execute this command from PowerShell, and the desired value will be configured in the 'PreferredLanguage' field.
# Requires the ActiveDirectory module; "–replace" (en dash) in the original would not parse, so the hyphenated form is used
Get-ADUser -Filter * -Properties mail, PreferredLanguage |
    Where-Object { ($_.mail -ne $null) -and ($_.PreferredLanguage -ne "en-US") } |
    ForEach-Object { Set-ADUser $_.SamAccountName -Replace @{PreferredLanguage="en-US"} }
This example retrieves all AD users with a value in the "mail" field where "PreferredLanguage" is not equal to "en-US" and sets it to that value.
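The command above runs against an on-premises Active Directory through the ActiveDirectory module. For users mastered directly in Entra ID there is no Get-ADUser object to update, so the following script, an added example that is not SMARTFENSE code, applies the same rule through the Microsoft Graph PowerShell SDK. It assumes a caller with User.ReadWrite.All; the $dryRun switch is an assumption added so the change set can be reviewed before it is applied.

```powershell
# Added example (not SMARTFENSE code): set preferredLanguage to one value for every
# Entra ID user that has a mail address and a different (or empty) preferredLanguage.
# Assumes the Microsoft.Graph module and a caller with User.ReadWrite.All.
Connect-MgGraph -Scopes "User.ReadWrite.All"

$language = "en-US"   # value SMARTFENSE will read from preferredLanguage on the next sync
$dryRun   = $true     # assumption: $true only reports (-WhatIf); set to $false to apply

# Same selection as the on-premises command: a mail value present and language not already set
$targets = Get-MgUser -All -Property "id", "userPrincipalName", "mail", "preferredLanguage" |
    Where-Object { -not [string]::IsNullOrEmpty($_.Mail) -and $_.PreferredLanguage -ne $language }

foreach ($u in $targets) {
    # -WhatIf:$dryRun prints the intended change instead of writing it while $dryRun is $true
    Update-MgUser -UserId $u.Id -PreferredLanguage $language -WhatIf:$dryRun
}

"{0} user(s) {1} preferredLanguage = {2}" -f @($targets).Count,
    $(if ($dryRun) { "would be set to" } else { "set to" }), $language
```

Changes made this way are picked up by SMARTFENSE on the next import or synchronization, as the default synchronized field is preferredLanguage.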
For further information, please refer to the following Microsoft article: