Proofpoint, Inc.

Synching users and groups from Active Directory

Situation

Proofpoint Essentials AD Sync Tool allows organizations using Active Directory to import and/or synchronize users and functional accounts.

Summary

See the article below for information on:

  • Proofpoint Essentials AD Sync Tool
  • Active Directory Sync Summary
  • Sync Exemptions

About Active Directory

Active Directory is Microsoft’s cloud-based directory and identity management service. For more information please see: https://docs.microsoft.com/en-us/windows/desktop/ad/about-active-directory-domain-services

About Proofpoint Essentials AD Sync Tool

Proofpoint Essentials AD Sync Tool allows organizations using Active Directory to import and/or synchronize users and groups from Office 365 directly to their account. 

Prerequisites

In order to configure Active Directory and Proofpoint Essentials you will need the following:

  • Active Directory URL or IP Address (This URL or IP has to be externally accessible)
  • Read-only Account for access (username, password)
  • What port to use
  • Base DN value

You may need to open firewall ports to accept incoming LDAP requests. Please refer to Connection Details for a complete list of external IP addresses.

 

Note on passwords: The length needs to be less than 24 characters, and the password must not contain any math symbols.
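
A pre-flight check for the prerequisites above, as an added example that is not Proofpoint's own tooling: it binds over LDAPS with the read-only account, reads the Base DN, and warns when the password breaks the rules in the note. The host name, the Base DN, the use of a simple bind and the set of characters treated as math symbols are assumptions; substitute your own values.

```powershell
# Added example (not Proofpoint code). Server, BaseDN and MathChars are assumptions.
param(
    [string]$Server    = 'ldap.example.com',     # placeholder: externally reachable AD host
    [int]   $Port      = 636,                    # LDAPS, the port the article recommends
    [string]$BaseDN    = 'DC=example,DC=com',    # placeholder Base DN
    [string]$MathChars = '+-*/=<>%^'             # assumed meaning of "math symbols"
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

# Enter the read-only account as a UPN (user@domain) or a full DN.
$cred = (Get-Credential -Message 'Read-only sync account').GetNetworkCredential()

# Password rules from the article: fewer than 24 characters, no math symbols.
if ($cred.Password.Length -ge 24) {
    Write-Warning 'Password is 24 characters or longer.'
}
if ($cred.Password.IndexOfAny($MathChars.ToCharArray()) -ge 0) {
    Write-Warning 'Password contains one of the assumed math symbols.'
}

$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.ProtocolVersion   = 3
$conn.SessionOptions.SecureSocketLayer = $true   # never send a simple bind in clear text
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind
$conn.Credential = $cred

try {
    # Fails on bad credentials, a closed port or an untrusted server certificate.
    $conn.Bind()

    # Read only the Base DN object itself to prove the account can see it.
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest
    $req.DistinguishedName = $BaseDN
    $req.Filter            = '(objectClass=*)'
    $req.Scope             = [System.DirectoryServices.Protocols.SearchScope]::Base
    $resp = $conn.SendRequest($req)
    "Bind OK; Base DN readable: $($resp.Entries[0].DistinguishedName)"
}
catch {
    Write-Error "LDAP check failed: $($_.Exception.Message)"
}
finally {
    $conn.Dispose()
}
```

Run it from a host outside your network to confirm that the firewall rule and the LDAPS certificate work for an external client.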

CONFIGURE PROOFPOINT ESSENTIALS

  1. Sign in to the Proofpoint Essentials user interface.
  2. Navigate to Administration > User Management > Import and Sync >  Active Directory Sync.
  3. Choose the desired default role from the dropdown.

A silent user will receive a quarantine digest report but will be unable to log in to the user interface.

An end user will receive a quarantine digest report and will receive a welcome email from Proofpoint to log in to the user interface.

  4. Enter the Active Directory URL.
  5. Enter the Username and Password of the read-only user account Proofpoint will use to connect to your environment.
  6. Choose the Port that should be used to establish a connection (Port 636 is recommended).
  7. Enter the Base DN value to query your Active Directory forest.
  8. Choose What to Sync.
    • Active Users
    • Disabled Accounts
    • Functional Accounts
    • Security Groups
    • Include items hidden from the GAL (Global Address List)
  9. Choose How to sync accounts.
    • Add
      • Create new user accounts and groups
    • Sync Updated Accounts
      • Update existing user accounts and groups
    • Delete Removed Accounts
      • Remove accounts from Proofpoint Essentials that are no longer found in Active Directory
  10. Choose When to Sync accounts.
    • You can choose never to sync automatically (in which case you run the sync manually) or to sync every 1, 3, 6, 12 or 24 hours.
  11. Click Save.
  12. Click Search Now.
  13. Verify the user and group objects that were identified in your Active Directory account.
  14. Click Sync Active Directory.

Active Directory Sync Summary

The Active Directory Sync summary page allows you to view all changes related to your current Essentials account and your Active Directory account. You can use this summary page to:

  1. Verify user and group sync connection.
  2. Verify user and group sync counts.
  3. Identify accounts for sync exemption.

| Section | Description |
|---|---|
| Adding | This table will display all user objects that will be added to your Essentials account. |
| Updating | This table will display all user objects that will be updated on your Essentials account. |
| Disabling | This table will display all user objects that will be disabled on your Essentials account. |
| Deleting | This table will display all user objects that will be deleted from your Essentials account. |
| Exempt from sync | This table will display all user objects that have been identified as exempt from changes due to a sync. |

Anything in the Adding, Updating, Disabling or Deleting section has not been changed yet, which is why this is called a summary page. It shows what Active Directory wants Proofpoint Essentials to do. To apply those changes, you must click the Sync Active Directory button.

Items Hidden from GAL

This feature is enabled or disabled on the Active Directory side. See the article Items Hidden from Address Book. It is helpful to know about if you have added a user that will not sync to Proofpoint.

Sync Exemption

You may need to identify a user or functional account to be exempt from sync.

For example: You may wish to convert a user account to a functional account in Essentials. Yet, when you perform the sync, AD will force it back to a user account. You can choose to exempt these accounts from the sync process and therefore preserve the Essentials setting.

Not properly exempting users/accounts could result in billing/licensing numbers being higher than expected.

Adding a user account for Exemption

  1. While on the Active Directory Sync Summary page, expand the Adding or Updating table.
  2. Check the checkbox next to the object(s) you wish to exempt.
  3. Click Exempt Selected.
  4. Click Sync Active Directory.

The object will be removed from the selected table and moved to the Exempt from sync table. It will no longer be subject to AD changes.

Removing a user account from Exemption

  1. While on the Active Directory Sync Summary page, expand the Exempt from sync table.
  2. Identify the object you wish to remove from exemption.
  3. Click Add to Sync.
  4. Click Sync Active Directory.

The object will be removed from the exemption table and no longer be exempt from AD changes.

2FA - phone number

With the addition of 2-Factor Authentication, the Proofpoint Essentials service will require the phone number field to be populated, specifically the Mobile Number field. If this field is not populated in Active Directory, the user will not be able to use the 2FA service and the login will fail, since no code can be sent.

If you are using the 2FA service, please ensure at a minimum that all admin level accounts in Proofpoint Essentials have their mobile numbers set properly on your AD system.
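
One way to find the affected accounts before turning on 2FA, as an added example that is not Proofpoint's own tooling: it lists enabled, mail-enabled users under the Base DN whose mobile number is empty and puts admins first. The Base DN and admin addresses are placeholders, and it is an assumption that the Mobile Number field corresponds to the AD `mobile` attribute and that GAL hiding is carried by `msExchHideFromAddressLists`.

```powershell
# Added example (not Proofpoint code). Values below are placeholders and assumptions.
Import-Module ActiveDirectory

$BaseDN    = 'DC=example,DC=com'                            # same Base DN entered in Essentials
$AdminMail = @('admin1@example.com', 'admin2@example.com')  # constructed list of Essentials admins

# msExchHideFromAddressLists exists only where the Exchange schema is installed;
# remove it from -Properties (and from the report) if your forest lacks it.
$users = Get-ADUser -SearchBase $BaseDN -LDAPFilter '(mail=*)' `
    -Properties mail, mobile, msExchHideFromAddressLists

$report = foreach ($u in $users) {
    [pscustomobject]@{
        Mail          = $u.mail
        Enabled       = $u.Enabled
        HasMobile     = -not [string]::IsNullOrWhiteSpace($u.mobile)
        HiddenFromGAL = [bool]$u.msExchHideFromAddressLists
        IsAdmin       = $AdminMail -contains $u.mail
    }
}

# Enabled accounts that could not receive a 2FA code, admins listed first.
$missing = $report |
    Where-Object { $_.Enabled -and -not $_.HasMobile } |
    Sort-Object IsAdmin -Descending

$missing | Format-Table Mail, IsAdmin, HiddenFromGAL -AutoSize

$adminGaps = @($missing | Where-Object IsAdmin)
if ($adminGaps.Count -gt 0) {
    Write-Warning "$($adminGaps.Count) admin account(s) have no mobile number set."
}
```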

 

KB Last Reviewed: 2022-08-10