Synchronize Users against Azure AD Source

Article ID: 938
Last updated: 01 Dec, 2023

Starting from December 2022, you can provision Imagicle users from an Azure AD source. To enable this user synchronization, you must involve Imagicle Technical Support and provide them with some data about your geographic area.

Before illustrating the whole procedure, let us highlight the requirements:

  • Imagicle UC Cloud Suite must be in place, or a Cloud-connected on-prem/hosted UC Suite, able to reach the "" domain on both TCP ports 443 and 1636.
  • The customer's delegate, in charge of applying the configuration, should have administrative access to the Azure portal.

Moreover, consider the following limitations, coming from Azure AD:

  • disabled users are not provisioned;
  • users belonging to nested groups are not provisioned: to include them you need to explicitly add the nested groups to the provisioning scope (see here for more details).
  • Null/empty user fields are not provisioned by Azure AD (see here). This means that if a synchronized user property is cleared on Azure, the change is not reflected automatically on the Imagicle suite.

Request to Imagicle Technical Support

If the above requirements are satisfied, please contact the Imagicle Support team and provide the following information:

  • Customer name
  • Optionally: a short nickname to identify the customer, with no spaces inside, like "ACME-INC". Maximum length: 35 characters. If not provided, Imagicle invents one.
  • Geographical macro-area where the customer is located, e.g. Europe, Americas, Middle East, etc.

Imagicle Support applies an internal configuration in our Cloud to enable an LDAP interface. This might require a few days. Once done, they return the following to you:

  • Az_client_creds.json: a script text file including the Azure AD token.
  • Suite_ldap_creds.txt: a text file including all details and credentials to manually configure the LDAP synch connector in Imagicle UCX Suite, as explained at the bottom of this KB.

How to enable Users Synchronization on Azure

Please download the Windows executable that automatically applies the Azure configuration (attached to this KB article) and save it in a local folder (for instance C:\Temp).

Copy the configuration JSON file provided by Imagicle into the same folder.

Open a Command Prompt window (CMD) as administrator and move to the same folder:

cd \Temp

Then type the following command:

ImagicleUserCloudSync Az_client_creds.json --disable-autostart --app-name "Imagicle Users Synch"

(assuming the JSON file provided by Imagicle is named Az_client_creds.json).

Once you execute the above command, a pop-up window appears prompting you to enter your Microsoft admin credentials. Once done, you can close the pop-up window.

After a few seconds, the process completes and you can track the configuration steps, as in the sample below:

The Imagicle script automatically creates an Azure Enterprise Application. You can view it from the Azure web portal, as in the sample below:

If you click on this application, you can access the "Provisioning" menu and trigger a user synch by hitting the "Start provisioning" button. If the synch completes correctly, you get the number of imported users (33 in the sample below):

The interval between user synchronizations can't be below 40 minutes.

How to apply filters to provisioned users

By default, the above configuration imports ALL users available in Azure AD. You can limit the amount of data by applying either a filter based on users/groups or a filter based on attribute content. Both filtering methods are explained in the following paragraphs.

Filter based on Users/Groups list

Within the Imagicle Enterprise Application, please click on the "Users and groups" menu option in the left panel and browse/search for the users/groups you wish to import from Azure AD. Just tick the box beside each user or group to enable the import. See the sample below:

Filter based on Azure AD attributes

Within the Imagicle Enterprise Application, please click on "Provisioning" in the left panel and make sure that "Provision Azure Active Directory Groups" is disabled. See the sample below:

Click on "Provision Azure Active Directory Users" to access the Attribute Mapping page:

Click on Source Object Scope ⇒ All records. See below:

Click on "Add scoping filter" to invoke the filter editor. See below:

From this page, you can add multiple filters, based on the different Azure AD attributes available within the "Target Attribute" pull-down menu. The "Operator" column decides how to match the filter entered in the "Value" column. Once the row is properly filled in, you can click on the rightmost button to add the rule and create another row for additional filtering.


  • Multiple filtering rules are applied with the "AND" operator.
  • The "IsMemberOf" filter is currently not supported.
  • The members attribute on a group is currently not supported.
  • Filtering is not supported for multi-valued attributes.
  • Scoping filters return "false" if the value is null/empty.

More details are available within this Microsoft web page.
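The exclusion rules listed on this page (disabled accounts, nested groups, ANDed scoping filters, null/empty values), modelled as an added example that is not Imagicle or Microsoft code. The user records, group names, the two-operator subset and the choice to evaluate the users/groups assignment together with the attribute filters are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    upn: str
    enabled: bool = True
    groups: set = field(default_factory=set)   # direct memberships only
    attrs: dict = field(default_factory=dict)  # single-valued attributes

# Simplified operator subset (assumption); the filter editor offers more.
OPERATORS = {
    "EQUALS": lambda value, expected: value == expected,
    "NOT EQUALS": lambda value, expected: value != expected,
}

def clause_matches(user, attribute, operator, expected):
    value = user.attrs.get(attribute)
    if value is None or value == "":
        return False  # null/empty never matches, even with NOT EQUALS
    return OPERATORS[operator](value, expected)

def exclusion_reason(user, assigned, clauses):
    """Return None if the user would be provisioned, otherwise the reason."""
    if not user.enabled:
        return "disabled account"
    if assigned and user.upn not in assigned and not (user.groups & assigned):
        return "not assigned directly or through a directly assigned group"
    for clause in clauses:  # every clause must pass: rules are ANDed
        if not clause_matches(user, *clause):
            return "scoping filter failed: %s %s %r" % clause
    return None

def report(users, assigned, clauses):
    return {u.upn: exclusion_reason(u, assigned, clauses) for u in users}

# Constructed sample directory: "Sales-EMEA" is nested inside "Sales".
IT_SALES = {"department": "Sales", "country": "IT"}
USERS = [
    User("anna@example.com", groups={"Sales"}, attrs=IT_SALES),
    User("bob@example.com", enabled=False, groups={"Sales"}, attrs=IT_SALES),
    User("carla@example.com", groups={"Sales-EMEA"}, attrs=IT_SALES),
    User("dev@example.com", groups={"Sales"}, attrs={"department": "Sales", "country": ""}),
    User("eve@example.com", groups={"Sales"}, attrs={"department": "Support", "country": "IT"}),
]
CLAUSES = [("department", "EQUALS", "Sales"), ("country", "NOT EQUALS", "US")]

if __name__ == "__main__":
    for upn, reason in report(USERS, {"Sales"}, CLAUSES).items():
        print(upn, "->", reason or "provisioned")
```

Passing an empty assignment set and no clauses reproduces the default described above, where every enabled user is imported.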

Configurations on Imagicle UC Suite

Please log in to the Imagicle UC Suite web portal as administrator and go to Administration ⇒ Synchronize users with an external data source » Configure Data Sources >>

Select LDAP from the pull-down menu and add a new source, with a name of your choice:

The LDAP connector should be configured as per the Suite_ldap_creds.txt file provided by Imagicle support. See the sample below:

You can manually run the user synch straight away or just wait for the automatic synch performed at night (midnight, by default).

LDAP Synch Rules

1) In the Users' synch rules, select "Use local IAS authentication" as the Users authentication mode.

2) While we import data from Azure AD into our Cloud LDAP and, in turn, into Imagicle UC Suite, we apply the following standard field mapping:

| Azure label | Azure attribute | LDAP attribute | UCX Suite field |
|---|---|---|---|
| Object ID | | | UCX Suite Login Username |
| Display Name | displayName or uid or cn (commonName) or dn (distinguishedName) or | displayName or uid or cn (commonName) or dn (distinguishedName) or | PBX username |
| | | | Single Sign-on id \| Email |
| First Name | | | First Name |
| Last Name | | | Last Name |
| Preferred language | | | Preferred language |
| Business phone | | | First Extension Number |
| Mobile phone | | | Mobile business number |
| Street address | | | User Address |
| State or province | | | |
| ZIP or postal code | | | |
| Country or region | | | |
| Fax number | | | Fax Number |
| | | | SSO username |

Some mappings can be changed manually by selecting the "Synch Rules" menu option. See the sample below for PBX username, mapped to email address to support MS-Teams Call Recording:
