Skip to main content
My preferencesSign out
Proofpoint, Inc.

Azure Active Directory Sync Guide - New API Version


You want to integrate Azure Active Directory with Proofpoint Essentials to sync your user base. 


Following the steps outlined below will allow you to configure and integrate Azure Active Directory with Essentials:

  1. Creating the custom Application in Azure.
  2. Configuring Azure within Proofpoint Essentials interface.

Azure Active Directory Sync

Please note:

  • These steps have been updated based for the current version of Azure
  • The account creating the credentials must be a Global Administrator.
  • Keep in mind the Legacy API at the bottom of the New Registration page also works. 

Customers hosted on Office 365 may prefer to use Azure Active Directory to sync users and groups to Proofpoint Essentials. This will allow you to import:

• Active users (including both primary email address and user aliases)
• Distribution Groups
• Security groups

Proofpoint Essentials only allows connection to one AD at a time. Multiple sources cannot be managed at this time

Video Tutorial Available

We have a video tutorial that walks through all these steps.  Take at look:

Step 1: Creating the custom Application in Azure

  1. Login to your Microsoft Azure portal as an admin user through
  2. Navigate to Azure Active Directory > App Registrations > + New Registration>
  3. Enter a name for the application (i.e. Proofpoint Essentials Azure Sync).
  4. Under Supported account types leave the default of Accounts in this organizational directory only (COMPANY NAME).
  5. Under the Redirect URI (optional)
    1. Leave the default of Web.
    2. Enter the appropriate Proofpoint Essentials interface URL (US1, US2, US3, US4, US5) (i.e. or etc.)
  6. Click Register

    You will now be able to view this app from the App Registrations view.

  7. Copy your Application ID for future use. This will be the Application ID in Proofpoint Essentials. 


  1. In the Application ID just created, click on API Permissions > Add a permission > Microsoft API Graph.requestAPIpermission.PNG
  2. Ensure the following permissions are checked:

    You will want to Add Permissions once more and choose Application Permissions.

    • Delegated Permissions:
      • Directory
        • Directory.Read.All
      • Group
        • Group.Read.All
      • User
        • User.ReadBasic.All
    • Application Permissions:
      • Directory
        • Directory.Read.All
  1. Select Add Permissions (at the bottom).
  2. Select Grant Admin Consent for <Company Name>.
  3. Select Yes at the top.

Key (Secret)

  1. Navigate to Certificates and Secrets > + New Client Secret.
  2. Enter a Key Description
  3. Choose a duration.
  4. Click Add

The Key value will be displayed when you save the changes. Copy down the key value, as you will NOT be able to retrieve it after leaving the page.

Step 2: Configuring Azure within Proofpoint Essentials interface

After logging into your Proofpoint Essentials interface (such as

  1. Navigate to Administration > User Management > Import & Sync > Azure Active Directory.
  2. Set the Default New User Role to either End User or Silent User. 
    End Users Can login to the Proofpoint Admin Console and receive Quarantine Digests.
    Silent Users Do not have access to the Proofpoint Essentials Admin console, nor do they receive Quarantine Digests by default, but can enabled.
  3. Enter the below information: 
    Primary Domain The Primary Domain associated with your Office 365 organization custom Azure web application.
    Client ID The unique identifier which is generated with the creation of the web application.
    Key The unique value which is generated with the creation of the web application.
  4. Choose What to Sync by checking/unchecking the following fields:
    • Active Users
    • Distribution Groups
    • Security Groups
  5. Choose How to Sync by checking/unchecking the following fields:
    Add Users Creates new user accounts for newly synced active users.
    Update Users Updates existing user accounts for previously synced mailboxes.
    Add Groups Creates new groups/functional accounts for newly synced groups.
    Update Groups Updates existing groups for previously synced groups.
    Remove Deleted Users Removes user accounts for mailboxes that no longer exist.
    Remove Deleted Groups Removes groups/functional accounts for groups that no longer exist.
  6. Choose When to Sync by selecting from the options under the Sync Frequency dropdown menu.
    • 1 hour
    • 3 hours
    • 6 hours 
    • 12 hours
    • 24 hours 

If there is no Tech Contact defined in your Proofpoint Essentials Dashboard (Administration- Account Management- Profile-Tech Contact) eventually the system will change the Azure Active Sync Frequency back to the Never setting automatically.  

7. Click Save at the bottom of the page. The page will refresh and a prompt will confirm that the settings have been saved. 

Press Save Button

Do not press the Search Now immediately. Ensure that all your settings are saved first and save it. After it has saved, proceed with the Manual Sync below.

Manual Sync

Once you complete the above steps, Proofpoint Essentials will connect and sync data from your Office 365 environment based on the frequency you chose. You may want to execute a manual sync to validate the data being returned.

To perform an ad-hoc/manual Azure Active Directory sync:

  1. Navigate to Administration > User Management > Import & Sync > Azure Active Directory.
  2. Choose What to Sync (same as above).
  3. Choose How to Sync (same as above).
  4. Click Search Now.

    The results of the sync will be organized into categories. You should review the results and uncheck any changes you do not want to take effect.

    The automatic sync does not allow manual intervention to take place. Make sure the preferences defined on the Azure Active Directory page are accurate.

  5. Click Sync Active Directory

If you try to manually sync and encounter an error, check out our article Azure AD Permissions Error