Configuring synchronization with the Microsoft Azure Active Directory admin console

We recommend launching synchronization in test mode first. In this mode you can review the changes that synchronization would apply, but nothing is written to the application database. This lets you spot configuration errors and adjust the synchronization settings before any user data is changed.

To configure synchronization with Active Directory:

  1. Sign in to the Microsoft Azure Active Directory administration console as an admin.
  2. Add the Kaspersky Automated Security Awareness Platform application to the list of Active Directory applications. To do this, perform the following actions:
    1. In the left panel, select the Enterprise applications section.

    2. Click New application.

      The Browse Azure AD Gallery (Preview) window will open.

    3. Click Create your own application.

      The Create your own application window will open.

    4. In the What's the name of your app field, enter any name you want to use to find the added application in the list of Active Directory applications.
    5. Click Create.

    The added application will appear in the workspace in the Enterprise applications section. The Overview window will open.

  3. Select the user accounts you want synchronized with the application. You can do this in one of the following ways:
    • Link certain users to the application (assignment-based scoping).

      See the Microsoft documentation for details on this method.

    • Filter users by attribute-based scoping.

      See the Microsoft documentation for details on this method.

    • Link specific users to the application and then filter them by account attributes.
  4. If your Azure AD users are organized into groups, make sure that Active Directory group synchronization is disabled; otherwise account information is not transferred to ASAP correctly. To do this, perform the following actions:
    1. In the Mappings section, select Provision Azure Active Directory Groups.

    2. Set the Enabled switch to the No position.

    3. Click Save.

    Disabling group synchronization is only available if you have an Azure Active Directory Premium P2 license.

  5. Configure the settings for the Azure AD Provisioning connection responsible for data synchronization by the server. To do this, perform the following actions:
    1. In the left panel, select the Provisioning section.

    2. Click Get started.

      The Provisioning window will open.

    3. In the Provisioning mode list, select Automatic.
    4. In the Admin Credentials section, configure connection settings:
      1. In the Tenant URL field, specify the address of the ASAP server to which data synchronization requests are sent. You can copy it in the Kaspersky Automated Security Awareness Platform web interface: Users section → Import users → SCIM, Tenant URL field.
      2. In the Secret Token field, enter the token used to authenticate synchronization requests. You can generate and copy it in the Kaspersky Automated Security Awareness Platform web interface: Users section → Import users → SCIM → New token.

      The token is not stored in a viewable form in the Kaspersky Automated Security Awareness Platform: after you close the Get token window it cannot be displayed again. If you closed the window without copying the token, click New token again to generate a new one. Treat the token as a credential and keep it only in the Azure AD provisioning configuration: anyone who holds it can send requests to the ASAP SCIM endpoint and create, update or delete users.

    5. Click Test Connection to make sure the connection settings are accurate.
    6. Click Save.
  6. If needed, make sure the Active Directory account attributes and custom fields in the application match. To do this, perform the following actions:
    1. In the Mappings section, select Provision Azure Active Directory Users.

    The Attribute Mapping window will open.

    2. Copy the value of the SCIM attribute shown in the customappsso Attribute column and paste it in the Kaspersky Automated Security Awareness Platform web interface in the Users section → Import users → SCIM → Additional parameters into the relevant custom field, or select it from the drop-down list.

    By default, matching is configured for the following required fields: Email (mail), Full name (Join ("", [givenName], [surname])), Short name (givenName). You can change which SCIM attributes these fields are linked to. If you keep the predefined matching, make sure that the givenName, surname, and mail attributes are filled in for every Active Directory account you want to synchronize with the application; accounts with any of them empty cannot be mapped to these fields correctly.

  7. In the Target Object Actions section, tick the operations to be performed during synchronization.

    The default operations are Create (create new users), Update (update information about existing users) and Delete (delete users that are removed from the synchronization scope).

  8. If users were already added to the Kaspersky Automated Security Awareness Platform before synchronization starts, configure Azure AD Provisioning to match Active Directory accounts to the existing application users. To do this, perform the following actions:
    1. In the Attribute Mapping window, select the attribute to match on. We recommend using the mail attribute.

      The Edit Attribute window will open.

    2. In the Match objects using this attribute menu, choose Yes.
    3. In the Matching precedence list, change the priority of this attribute if needed, then close the Edit Attribute window.

    The matching attribute must be unique on both sides; if two Active Directory accounts share the same mail value, they cannot be paired with application users unambiguously.
  9. Set the Provisioning Status switch to On to enable automatic data synchronization.

  10. Click Save.
  11. In the Provisioning window, click Start provisioning.

Synchronization of the application with Active Directory is now configured and running. Azure AD sends data synchronization requests every 40 minutes. You can view the history of processed requests in the Kaspersky Automated Security Awareness Platform web interface. Once you have reviewed the changes reported in test mode and they are as expected, switch the application from test to main mode.
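The following Python script is an added example and is not part of the Kaspersky platform, the Azure AD portal, or Microsoft's tooling. It performs an offline dry run of the procedure above: it applies the default mapping (Email from mail, Full name from Join("", givenName, surname), Short name from givenName), matches on mail as recommended in step 8, and reports which accounts a provisioning cycle would create or update, which would be skipped because givenName, surname or mail is empty, which mail values are duplicated and therefore unusable as a matching attribute, and which existing application users are outside the Azure AD scope. The sample accounts, the list of existing ASAP e-mail addresses and all function names are constructed for the example.

```python
# Added example: offline pre-flight check of the Azure AD -> ASAP SCIM mapping
# described on this page. Not part of either product; sample data is constructed.
from collections import defaultdict

# Attributes the page says must be filled in when the default mapping is used.
REQUIRED_AD_ATTRIBUTES = ("mail", "givenName", "surname")


def scim_join(separator, *parts):
    """Approximation of the Azure AD mapping expression Join(separator, [a], [b]):
    empty parts are skipped."""
    return separator.join(p for p in parts if p)


def map_user(ad_user, name_separator=""):
    """Apply the page's default mapping to one Azure AD account.

    Email      <- mail
    Full name  <- Join(name_separator, [givenName], [surname])  (the page shows Join("", ...))
    Short name <- givenName

    Returns (mapped_dict, []) or (None, [missing attribute names]).
    """
    missing = [a for a in REQUIRED_AD_ATTRIBUTES if not (ad_user.get(a) or "").strip()]
    if missing:
        return None, missing
    return {
        "email": ad_user["mail"].strip().lower(),  # matching attribute, normalised for comparison
        "full_name": scim_join(name_separator, ad_user["givenName"].strip(), ad_user["surname"].strip()),
        "short_name": ad_user["givenName"].strip(),
    }, []


def plan_provisioning(ad_users, existing_emails, target_actions=("Create", "Update")):
    """Dry run of one provisioning cycle, matching on mail.

    ad_users        - accounts currently in the application's scope (dicts with AD attribute names)
    existing_emails - e-mail addresses of users already present in ASAP (any case)
    target_actions  - the Target Object Actions ticked in the Azure AD portal
    """
    existing = {e.strip().lower() for e in existing_emails}
    by_email = defaultdict(list)
    skipped = []  # (userPrincipalName, missing attributes)

    for user in ad_users:
        mapped, missing = map_user(user)
        if mapped is None:
            skipped.append((user.get("userPrincipalName"), missing))
            continue
        by_email[mapped["email"]].append(user.get("userPrincipalName"))

    # A matching attribute must be unique: two source accounts with the same mail
    # cannot be resolved onto one target user, so they are reported, not planned.
    conflicts = {email: upns for email, upns in by_email.items() if len(upns) > 1}

    operations = []
    for email in sorted(by_email):
        if email in conflicts:
            continue
        action = "Update" if email in existing else "Create"
        if action in target_actions:
            operations.append((action, email))

    in_scope = set(by_email) - set(conflicts)
    # Users present in ASAP but outside the Azure AD scope. Azure AD only deletes
    # users it provisioned itself that have since left scope, so these are listed
    # for review rather than scheduled for deletion.
    unmatched_existing = sorted(existing - in_scope)

    return {
        "operations": operations,
        "skipped": skipped,
        "conflicts": conflicts,
        "unmatched_existing": unmatched_existing,
    }


# Constructed sample data (not real accounts).
SAMPLE_AD_USERS = [
    {"userPrincipalName": "jane.doe@contoso.example", "mail": "Jane.Doe@contoso.example",
     "givenName": "Jane", "surname": "Doe"},
    {"userPrincipalName": "bob.smith@contoso.example", "mail": "bob.smith@contoso.example",
     "givenName": "Bob", "surname": "Smith"},
    {"userPrincipalName": "svc.scan@contoso.example", "mail": "svc.scan@contoso.example",
     "givenName": "", "surname": "Scanner"},  # missing givenName -> skipped
    {"userPrincipalName": "a.lee@contoso.example", "mail": "shared@contoso.example",
     "givenName": "Ann", "surname": "Lee"},
    {"userPrincipalName": "b.lee@contoso.example", "mail": "shared@contoso.example",
     "givenName": "Ben", "surname": "Lee"},  # duplicate mail -> cannot match uniquely
]
SAMPLE_EXISTING_ASAP_EMAILS = ["jane.doe@contoso.example", "old.user@contoso.example"]

if __name__ == "__main__":
    report = plan_provisioning(SAMPLE_AD_USERS, SAMPLE_EXISTING_ASAP_EMAILS)
    for action, email in report["operations"]:
        print(f"{action:8} {email}")
    for upn, missing in report["skipped"]:
        print(f"SKIP     {upn}: missing {', '.join(missing)}")
    for email, upns in report["conflicts"].items():
        print(f"CONFLICT {email}: used by {', '.join(upns)}")
    for email in report["unmatched_existing"]:
        print(f"REVIEW   {email}: in ASAP but not in Azure AD scope")
```

Run it against an export of the accounts you intend to assign to the application before enabling provisioning; every SKIP or CONFLICT line is an account to fix in Active Directory first, and every REVIEW line is an existing ASAP user whose mail does not match any in-scope account and would therefore be left untouched rather than updated.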