Skip to main content
My preferencesSign out
Proofpoint, Inc.

Azure Active Directory (Entra ID) Sync Guide - New API Version

Situation

You want to integrate Azure Active Directory(now known as Microsoft Entra ID) with Proofpoint Essentials to sync your user base. 

Solution

Following the steps outlined below will allow you to configure and integrate Azure Active Directory with Essentials:

  1. Creating the custom Application in Azure( Entra ID).
  2. Configuring Azure(Entra ID) within Proofpoint Essentials interface.

Azure(Entra ID) Active Directory Sync

Proofpoint Essentials DOES NOT support GCC High Azure((Entra ID) or AD Setups. 

Please note:

  • These steps have been updated based on the current version of Azure( Entra ID)
  • The account creating the credentials must be a Global Administrator.
  • Keep in mind the Legacy API at the bottom of the New Registration page also works. 
  • Proofpoint Essentials currently supports the Home and Business plans for Azure( Entra ID). 
  • Do not use AD Sync and Azure( Entra ID) Sync together.  (remove all configuration from AD Sync if migrating to Azure( Entra ID). Sync)

Customers hosted on Office 365 may prefer to use Azure Active Directory( Entra ID) to sync users and groups to Proofpoint Essentials. This will allow you to import:

• Active users (including both primary email address and user aliases)
• Distribution Groups
• Security groups

Proofpoint Essentials only allows connection to one AD at a time. Multiple sources cannot be managed at this time

Video Tutorial Available

We have a video tutorial that walks through all these steps.  Take at look: https://youtu.be/4YfL-e33K2A

Step 1: Creating the custom Application in Azure (Entra ID)

  1. Login to your Microsoft Azure( Entra ID) portal as an admin user through https://aad.portal.azure.com
  2. Navigate to Azure Active Directory( Entra ID) > App Registrations > + New Registration>
  3. Enter a name for the application (i.e. Proofpoint Essentials Azure( Entra ID) Sync).
  4. Under Supported account types leave the default of Accounts in this organizational directory only (COMPANY NAME).
  5. Under the Redirect URI (optional)
    1. Leave the default of Web.
    2. Enter the appropriate Proofpoint Essentials interface URL (US1, US2, US3, US4, US5, EU1) (i.e. https://us1.proofpointessentials.com or https://us3.proofpointessentials.com etc.)
  6. Click Register

    You will now be able to view this app from the App Registrations view.

  7. Copy your Application ID for future use. This will be the Application ID in Proofpoint Essentials. 

Permissions

Azure (Entra ID) Active Directory Graph under Supported Legacy APIs can work with existing setups. For new setups, or if your old setup is on the Azure (Entra ID) AD Graph, you should use the Microsoft Graph API. This is the Microsoft Graph API at the top of the page. If your credentials stop working, or you get the error, "Failed to connect. Please check your Azure (Entra ID) Credential" it could be you are pointed to the older legacy API (Azure(Entra ID) Active Directory Graph). In this case you will need to setup the Microsoft API Graph. 

Additionally, If you get the credentials error- "We have come across a problem, and cannot continue. Please contact support quoting 'code displayed here' if this problem persists." Please create a new Azure (Entra ID)App on the Azure (Entra ID) admin area and then add the credentials into the PPE portal under "Administration- User Management- Import & Sync- Azure Directory sync. Once entered click Save. Sync can then be run without error. 

End of life for the Azure (Entra ID)Active Directory Graph is June 30th, 2020. Click here for more details. 

  1. In the Application ID just created, click on API Permissions > Add a permission > Microsoft API Graph.
    requestAPIpermission.PNG
  2. Ensure the following permissions are checked:

    You will want to click Add Permissions once more and choose Application Permissions.

    • Delegated Permissions:
      • Directory
        • Directory.Read.All
      • Group
        • Group.Read.All
      • User
        • User.ReadBasic.All
    • Application Permissions:
      • Directory
        • Directory.Read.All
  1. Select Add Permissions (at the bottom).
  2. Select Grant Admin Consent for <Company Name>.
  3. Select Yes at the top.

Key (Secret)

  1. Navigate to Certificates and Secrets > + New Client Secret.
  2. Enter a Key Description. (***See IMPORTANT 'Value' note below***)
  3. Choose a duration.
  4. Click Add

clipboard_e1b20e7fd91abbde1e5bcea136902072e.png

The Value will be displayed when you save the changes. Copy down the Value field, as you will NOT be able to retrieve it after leaving the page. The Value (in Azure (Entra ID)AD page) will be put into the Client Secret Key field in Proofpoint Azure Sync page. You will get the Application ID needed to complete the credentials in the Proofpoint field Application (client) ID from the Overview area inside the connection. clipboard_e3986d0e77a58d7b4e997da4d163c7596.png

This Key WILL EXPIRE at the end of the selected duration period. After that period of time A NEW SECRET KEY needs to be generated again.

In Azure (Entra ID) AD- sign in must be enabled for accounts to be active and mail to flow.

White-label customers may need to do an approval/consent of applications. They would be asked to give consent via cloud-protect.net. If using standard Proofpoint Essentials settings this may not be an issue. 

Step 2: Configuring Azure within Proofpoint Essentials interface

After logging into your Proofpoint Essentials interface (such as https://us1.proofpointessentials.com):

  1. Navigate to Administration > User Management > Import & Sync > Azure Active Directory (Entra ID).
  2. Set the Default New User Role to either End User or Silent User. 
    End Users Can login to the Proofpoint Admin Console and receive Quarantine Digests.
    Silent Users Do not have access to the Proofpoint Essentials Admin console, nor do they receive Quarantine Digests by default, but can enabled.
  3. Enter the below information: 
    Primary Domain The Primary Domain associated with your Office 365 organization custom Azure (Entra ID) web application.
    Client ID The unique identifier which is generated with the creation of the web application.
    Secret ID The secret value which is generated with the creation of the secret key.
  4. Choose What to Sync by checking/unchecking the following fields:
    • Active Users
    • Distribution Groups
    • Security Groups
  5. Choose How to Sync by checking/unchecking the following fields:
    Add Users Creates new user accounts for newly synced active users.
    Update Users Updates existing user accounts for previously synced mailboxes.
    Add Groups Creates new groups/functional accounts for newly synced groups.
    Update Groups Updates existing groups for previously synced groups.
    Remove Deleted Users Removes user accounts for mailboxes that no longer exist.
    Remove Deleted Groups Removes groups/functional accounts for groups that no longer exist.
  6. Choose When to Sync by selecting from the options under the Sync Frequency dropdown menu.
    • 1 hour
    • 3 hours
    • 6 hours 
    • 12 hours
    • 24 hours 

If there is no Tech Contact defined in your Proofpoint Essentials Dashboard (Administration- Account Management- Profile-Tech Contact), eventually the system will change the Azure Active Sync Frequency back to the Never setting automatically.  

There will be a report that is sent daily called the Azure AD Summary report that cannot be disabled. This is due to the notification that the service is running and is a system audit. The only way to stop these is to set the sync frequency to never. 

7. Click Save at the bottom of the page. The page will refresh, and a prompt will confirm that the settings have been saved. 

Press Save Button

Do not press the Search Now immediately. Ensure that all your settings are saved first and save it. After it has been saved, proceed with the Manual Sync below.

 

Manual Sync

Proxy Address
Accounts with no proxyAddresses assigned will not be detected by the Proofpoint Essentials Azure pull. If you do not find the email in the ProofPoint side, please check Azure (Entra ID) to ensure at least 1 proxyAddress has been assigned. 

Once you complete the above steps, Proofpoint Essentials will connect and sync data from your Office 365 environment based on the frequency you chose. You may want to execute a manual sync to validate the data being returned.

To perform an ad-hoc/manual Azure Active Directory (Entra ID) sync:

  1. Navigate to Administration > User Management > Import & Sync > Azure Active Directory (Entra ID).
  2. Choose What to Sync (same as above).
  3. Choose How to Sync (same as above).
  4. Click Save & Run Sync Now.

    The results of the sync will be organized into categories. You should review the results and uncheck any changes you do not want to take effect.

    The automatic sync does not allow manual intervention to take place. Make sure the preferences defined on the Azure Active Directory (Entra ID) page are accurate.

  5. Click Sync Active Directory.

 Anything in the Adding, Updating, Disabling or Deleting section has not been changed yet. Thus it being called a summary page. This is what Active Directory wants Proofpoint Essentials to do. In order to make those changes you must hit the Sync Active Directory button for those changes to happen.

If you try to manually sync and encounter an error, check out our article Azure AD Permissions Error.

 

Ongoing Domains and User Maintenance

The Proofpoint Essentials Azure sync service will continue to function per the sync cycle. However, if new domains are added into Azure, and not the Proofpoint Essentials side, this could force some problems with the syncing. 

  • Automated sync: The system continues to sync based upon all domains found in the Account Management - Domains section. Only the users where the primary domain is one of the domains found here will be brought over.
  • Manual sync: If new domains are found in Azure (Entra ID) during a manual sync, the sync will fail and a red box appears indicating it found multiple domains associated in the customer's Azure (Entra ID). In order to run Azure (Entra ID) manually, these domains will need to be added into the service. (If they have no mail flow with Proofpoint Essentials, then can be added in as Management domains.)

Shared Mailboxes and distribution groups

Some email addresses will not require a license, i.e. shared mailboxes or a user that has left the company.

Sometimes some Shared Mailboxes will come over as users. Please see how to convert a user to a shared mailbox.

If a user leaves the organization, but still need to maintain mail flow, the address needs to remain active, but you can convert it to a functional account. Please also ensure that you exempt this address from syncing.

We do not currently support Dynamic Distribution Lists

 

How to log in with a Microsoft Account

Prerequisites: 

  • You must have user with valid email Microsoft credentials. 
  • A matching email/alias account in Proofpoint Essentials. 
  • Enable Microsoft account login, ensure Disable login with Microsoft credentials is disabled under AdministrationUser Management > Import & Sync > Azure Active Directory

clipboard_e9423925fa47b83e5a1b0d0cd2bf30c0f.png

Logging In With Microsoft 365 

PROCEDURE 

  1. Go to your Proofpoint Essentials account login page.
  2. Enter your Username (email address) and click Login.
  3. You will be redirected to a Microsoft account login page.
  4. Enter your Microsoft credentials.
  5. If successful, login will redirect you back to Proofpoint Essentials and you will be automatically signed into your account.

Enabling this feature will direct all users (including administrators) to login using their Microsoft account. If Microsoft is unavailable, users will be redirect to the Proofpoint Essentials account login page and asked to login with their Proofpoint Essentials credentials.

If there is a problem with the Microsoft SSO, a custom parameter can be passed to utilize standard essentials authorization.


US 

Email Address = john.jones@test.com

https://us1.proofpointessentials.com...?main=1&email=EMAIL_ADDRESS

Example: https://us1.proofpointessentials.com/app/login.php?main=1&email=John.Jones@test.com

 

EU

Email Address = john.jones@test.com

https://eu1.proofpointessentials.com...?main=1&email=EMAIL_ADDRESS

Example: https://eu1.proofpointessentials.com/app/login.php?main=1&email=John.Jones@test.com

 

Manual Login With Microsoft Account 

We will continue to allow users to manually authenticate using their Microsoft account. 

PROCEDURE 

  1. Go to your Proofpoint Essentials account login page.
  2. Enter your Username (email address) and click Login.
  3. Click Sign in with Microsoft.
  4. You will be redirect to a Microsoft account login page.
  5. Enter your Microsoft credentials.
  6. If successful, login will redirect you back to Proofpoint Essentials and you will be automatically signed into your account.

2FA - Phone number

With the addition of 2-Factor Authentication, the Proofpoint Essentials service will require the phone number field to be populated, specifically the Mobile Number field. If this field is not populated in the Azure(Microsoft Entra ID) Service/User Profile, the user will not be able to use the 2FA service and will just fail trying to log in, since no code can be sent. 

If you are using the 2FA service, please ensure at the minimum all admin level accounts in Proofpoint Essentials have their mobile numbers set on your Azure(Microsoft Entra ID) system properly.

 

FAQ

Connection Status

Proofpoint has added in a status field on Azure (Entra ID). The box will either be green or grey.

  • Green - successful connection
  • Grey - not verified on last successful connection
  • Timestamp - This is the last time the system was able to successful connect manually

You can get this green by running a manual sync, which will then update the timestamp. A grey status does not mean the sync is not running.