Configuring synchronization of Kaspersky Automated Security Awareness Platform users with Active Directory accounts involves both the application admin ("ASAP admin") and the Active Directory admin.
Synchronization configuration involves the following steps.
The ASAP admin and the Active Directory admin need to prepare a list of domain users whose information should be synchronized with the application. For example, you can place these users in a single group or decide which attributes to filter them by.
In test mode, you can view the changes that synchronization would apply, but these changes are not written to the application database. This helps you identify configuration errors and adjust the synchronization settings before going live.
To establish a connection between the application and the Active Directory server, the ASAP admin needs to send the Active Directory admin the URL of the ASAP server to which data synchronization requests will be sent (Tenant URL), as well as a token for authenticating those requests. You can copy both in the application's interface. To do this, go to the Users section → Import and add /sync/scim/settings at the end of the URL.
The token is not stored in the ASAP system in a viewable form. After you close the Get token window, the token can no longer be viewed. If you closed this window without copying the token, click New token again so that the system generates a new token.
The issued token is valid for 12 months. When this period expires, the token is revoked. The issued token is also revoked if it is not used for 6 months.
The ASAP admin needs to add custom fields in the application for the account attributes that need to be retrieved from Active Directory.
You can enable automatic group distribution rules if you want users to be assigned to groups automatically according to the specified settings. When you start synchronization in test mode, the log shows which group each user was placed in, so you can adjust the rule settings if necessary. The training status for a new user group isn't determined during synchronization in test mode.
We don't recommend using automatic group distribution rules if you start synchronization with Active Directory when users already exist in the application and training has already been activated. This can change users' groups and, with them, their training program.
After all the necessary settings of the Kaspersky Automated Security Awareness Platform and the Azure AD Provisioning service are configured, you can start data synchronization.
After synchronization is complete, we recommend that the ASAP administrator review the history of processed synchronization requests and ensure that the specified attributes of the selected users are transferred correctly. If users were already added to the application before the start of synchronization, you need to check that the data about these users was updated correctly.
If you approve of all configuration changes displayed in the log, you can switch the application from test mode to main mode. The Active Directory admin then needs to restart synchronization so that all changes are written to the application database.
If synchronization is successful, each user retrieved from Active Directory should have a SCIM ID.
If a user who was added to the application before synchronization started doesn't have a SCIM ID, check the Active Directory account information. The account may have been deleted, or the user's email may have changed. In this case, the ASAP admin needs to enter the changes manually or delete the user from the application. Then the Active Directory admin needs to restart synchronization.
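The post-synchronization review described above (every Active Directory user should carry a SCIM ID, and users without one need to be checked against Active Directory) can be scripted. The following is an added example, not Kaspersky's documentation or product code: it compares a user export from the application with an export from Active Directory and classifies each user that lacks a SCIM ID. The CSV column layouts (email, scim_id, group on the ASAP side; mail, enabled on the AD side), the sample rows, and the "account disabled" category are assumptions constructed for the example; adapt the loaders to whatever export format you actually have.

```python
"""Post-synchronization check: list ASAP users without a SCIM ID and say why.

Added example, not part of the Kaspersky ASAP documentation or product.
Column layouts and sample data are assumptions constructed for illustration.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample of an ASAP user export (column layout is an assumption).
ASAP_EXPORT = """email,scim_id,group
alice@example.com,6f2a1c,Sales
bob@example.com,,Sales
carol@example.com,,Finance
dave@example.com,9b77e0,Finance
erin@example.com,,Finance
frank@example.com,,Sales
"""

# Constructed sample of the Active Directory side (column layout is an assumption).
AD_EXPORT = """mail,enabled
alice@example.com,true
bob.smith@example.com,true
dave@example.com,true
erin@example.com,false
frank@example.com,true
"""

# Follow-up for each category, following the page's guidance for users without a SCIM ID.
ACTIONS = {
    "not_in_ad": "account deleted or email changed: update the email manually or delete "
                 "the user, then ask the AD admin to restart synchronization",
    "disabled_in_ad": "account is disabled in AD: delete the user from the application, "
                      "then ask the AD admin to restart synchronization",
    "not_in_scope": "account exists and is enabled but was not synchronized: check that it "
                    "is in the synchronized group/filter, then restart synchronization",
}


@dataclass
class Finding:
    email: str
    reason: str  # one of the ACTIONS keys
    action: str


def load_csv(text):
    """Parse a CSV export held in memory into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def check_sync(asap_rows, ad_rows):
    """Return one Finding per ASAP user that has no SCIM ID.

    Users are matched to AD by email (case-insensitive), which is the attribute
    the page says may have changed when a SCIM ID is missing.
    """
    ad_by_mail = {r["mail"].strip().lower(): r for r in ad_rows}
    findings = []
    for row in asap_rows:
        if row["scim_id"].strip():
            continue  # synchronized successfully: the user carries a SCIM ID
        email = row["email"].strip().lower()
        ad_row = ad_by_mail.get(email)
        if ad_row is None:
            reason = "not_in_ad"
        elif ad_row["enabled"].strip().lower() != "true":
            reason = "disabled_in_ad"
        else:
            reason = "not_in_scope"
        findings.append(Finding(email, reason, ACTIONS[reason]))
    return findings


def summary(asap_rows, findings):
    """Counts the admin would expect to see in the synchronization report."""
    total = len(asap_rows)
    return {"total": total, "synced": total - len(findings), "unsynced": len(findings)}


if __name__ == "__main__":
    asap = load_csv(ASAP_EXPORT)
    results = check_sync(asap, load_csv(AD_EXPORT))
    print(summary(asap, results))
    for f in results:
        print(f"{f.email}: {f.reason} -> {f.action}")
```

Run it against real exports by replacing the two constructed strings with file contents; a non-empty findings list after switching to main mode means the synchronization still needs a manual fix on the application side followed by a restart by the Active Directory admin.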