Synchronize Users against Entra ID (Azure) Source
Request to Imagicle Technical Support
Contact Imagicle Support team to provide the following information:
Customer name
Optionally: a short nickname to identify the customer, with no spaces, like "ACME-INC" (max 35 characters). If not provided, Imagicle invents one.
Geographical macro-area where the customer is located, e.g. Europe, Americas, Middle East, etc.
Imagicle Support applies an internal configuration in our Cloud to enable an LDAP interface. This may take a few days. Once completed, they will return the following:
Az_client_creds.json: A script text file including Entra ID token.
Suite_ldap_creds.txt: this is a text file including all details and credentials to manually configure the LDAP synch connector in Imagicle UCX Suite, as explained at the bottom of this KB.
In case of an Imagicle UCX Cloud Suite, the LDAP connector is configured by Imagicle Support team.
(Suite_ldap_creds.txt not needed)
How to enable Users Synchronization on Entra ID
Please download ImagicleUserCloudSync_240313172434.zip to automatically apply the Entra ID configuration. Extract the zip and save the executable in a local folder (for instance C:\Temp).
Copy into the same folder the configuration json file provided by Imagicle.
Open a Command Prompt window (CMD) as administrator and move to the same folder:
cd \Temp
Then type the following command:
ImagicleUserCloudSync Az_client_creds.json --disable-autostart --app-name "Imagicle Users Synch"
After executing the command, a pop-up window prompts you to enter your Microsoft admin credentials. Close the pop-up once done.
After a few seconds, the process completes. You can track the configuration steps using the sample below:

The Imagicle script automatically creates an Azure Enterprise Application. You can view it in the Azure web portal as shown below:

This script applies a default field mapping, as shown in the screenshot below:
(the userName\objectId is the primary key; do not change it)

Click the Imagicle application to access the "Provisioning" menu, then trigger user synchronization by clicking the "Restart provisioning" button. Upon successful synchronization, the system displays the number of imported users (33 in the example below):

The interval between user synchronizations can't be below 40 minutes.
How to apply filters to provisioned users
By default, the above configuration imports all users from Entra ID. You can limit data by applying filters based on users, groups, or attribute content. Both filtering methods are explained below.
Filter based on Users/Groups list
or
Filter based on Entra ID attributes
Filter based on Users/Groups list
Within the Imagicle Enterprise Application, click the "Users and groups" menu option in the left panel and browse/search for the users/groups you wish to import from Entra ID. Tick the box beside each user or group to enable the import. See the sample below:

Within the Imagicle Enterprise Application, click "Provisioning" in the left panel and make sure that "Provision Azure Active Directory Groups" is disabled. See the sample below:

Expand the "Settings" section and select "Synch only assigned users and groups" from the pull-down menu:

Filter based on Entra ID attributes
Click on "Provision Azure Active Directory Users" to access the Attribute Mapping page:

Click on Source Object Scope ⇒ All records. See below:

Click on "Add scoping filter" to invoke the filter editor. See below:

From this page, you can add multiple filters, based on the different Entra ID attributes available in the "Target Attribute" pull-down menu. The "Operator" column decides how to match the filter entered in the "Value" column. Once the row is properly filled in, you can click the rightmost button to add the rule and create another row for additional filtering.
Limitations
Multiple filtering rules are applied with "AND" operator
"IsMemberOf" filter is currently not supported.
The members attribute on a group is currently not supported.
Filtering is not supported for multi-valued attributes.
Scoping filters return "false" if the value is null/empty.
More details are available within this Microsoft web page.
Final check
Once the above configuration has been applied, you can manually launch a new provisioning by selecting "Restart provisioning". Please be patient: the restart action is queued, so it might be delayed.
UCX Suite configuration
Follow this guide for on-premise installation only.
Configurations of the Imagicle UCX Suite: LDAP for EntraID
Additional configurations:
How to import custom fields
The Imagicle Users' database supports 10 custom fields, to be mapped to the ExternalID attribute in Azure during provisioning. The procedure is as follows:
Access the Azure web portal and select the "Imagicle Users Synch" Enterprise Application. From the "Overview", click on "Provisioning":

Hit "Edit provisioning":

Expand "Mapping" section and click on "Provision Entra ID Users":

In "Attribute Mapping" section, please hit “Add new mapping” at the bottom of the screen:

In “Edit Attribute”, please choose the following options:
“Mapping type” = Expression
“Target attribute” = ExternalID
“Expression” = see sample in below picture.

Expression syntax
Custom fields and relevant values are mapped through a dedicated "Expression" whose syntax follows Entra ID attribute mapping rules. See here for more details.
The Imagicle feature requires each enabled custom field to be mapped as "CustomX=", [Attribute], with each custom field separated from the next one by the "$$$" separator.
See below a typical expression sample:
Join("$$$",
"ImagicleCustomFields",
Append("customX=", [Microsoft Entra ID Attribute1]),
Append("customY=", [Microsoft Entra ID Attribute2])
)
where "Microsoft Entra ID Attribute" corresponds to the actual Entra ID field to be mapped.
If the expression syntax is correct, by clicking outside of expression box, you should read the message “The expression was correctly parsed.”.
Final check
Once the above configuration has been applied, you can manually launch a new provisioning by selecting "Restart provisioning". Please be patient: the restart action is queued, so it might be delayed.
Current limitations
Custom fields can include max 256 alphanumeric characters
Custom fields content should NOT include "$$$" string, already used as expressions separator.
If a custom field mapping rule is removed, the custom field value already populated by the last synchronization is not blanked.
If the expression is entered with a wrong syntax or field length is greater than 256 chars or content includes above mentioned separator, Azure returns a generic "Error 500" with no details.
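Because Azure reports a violation of these limits only as a generic "Error 500", the attribute values can be checked before restarting provisioning. The Python sketch below is an added example, not Imagicle's or Microsoft's code: it assumes the 256-character limit applies to each field value, and the field names custom1/custom2 and the sample users are constructed for illustration.

```python
SEP = "$$$"                      # separator passed to Join() in the page's sample
PREFIX = "ImagicleCustomFields"  # first Join() argument in the page's sample
MAX_LEN = 256                    # limit from "Current limitations" (assumed per field)

def build_external_id(fields):
    """Mimic Join("$$$", "ImagicleCustomFields", Append("customN=", [attr]), ...)."""
    return SEP.join([PREFIX] + [f"{n}={v or ''}" for n, v in fields.items()])

def find_problems(fields):
    """Return the reasons these values would break the documented limits."""
    problems = []
    for name, value in fields.items():
        value = value or ""      # a missing attribute is treated as empty
        if SEP in value:
            problems.append(f"{name}: contains the {SEP} separator")
        if len(value) > MAX_LEN:
            problems.append(f"{name}: {len(value)} chars, limit is {MAX_LEN}")
    return problems

def parse_external_id(external_id):
    """Split an ExternalID value (as seen in Dataflow) back into its fields."""
    parts = external_id.split(SEP)
    if parts[0] != PREFIX:
        raise ValueError("value does not start with the ImagicleCustomFields marker")
    fields = {}
    for part in parts[1:]:
        name, eq, value = part.partition("=")
        if not eq:
            raise ValueError(f"segment without '=': {part!r}")
        fields[name] = value
    return fields

# Constructed sample users; custom1/custom2 are hypothetical field names.
SAMPLE_USERS = {
    "alice@example.com": {"custom1": "Sales", "custom2": "E1001"},
    "bob@example.com": {"custom1": "R&D$$$Lab", "custom2": "E" * 300},
}

if __name__ == "__main__":
    for upn, fields in SAMPLE_USERS.items():
        issues = find_problems(fields)
        if issues:
            print(upn, "would fail:", "; ".join(issues))
        else:
            print(upn, "->", build_external_id(fields))
```
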
To check what Azure actually sends as the External ID attribute value, you can perform a manual provisioning of a single user and then access the Dataflow section. See below:
