Learn how to synchronize Sift users and groups with your existing Azure Active Directory domain.
Import Sift users and profile attribute information directly from your Azure Active Directory (AAD) cloud service into Sift with Sift’s Azure Active Directory sync feature.
Sift AAD Sync is a one-way operation. No information from Sift is imported into your user directory.
Prerequisites necessary for Active Directory synchronization are as follows:
- A designated Azure admin service account to use for authorizing the sync. This account needs the Azure Global Administrator role during Sift setup, but you can reduce the service account's role privileges later.
- Azure AD groups populated with users to sync.
- Administrator access to the Sift Admin Dashboard
- Having created a directory in the Sift Admin Dashboard for your Azure Active Directory Sync (Details on how to setup a directory can be found in this guide).
Authorizing Azure Active Directory
After having selected Microsoft Azure Active Directory as a source type from the Sift Directory Sources Page you will need to click the Authorize button to grant Sift access to read information from your Azure AD domain.
Clicking the Authorize button will take you to the Azure AD portal. Sign in with your designated Azure service administrator account that has the global administrator role for this Azure Active Directory. You may need to complete an Azure MFA for that service account admin user.
Sift does not see or store your Azure Active Directory administration credentials.
Note: If you are already signed into a microsoft account you may not see this step, ensure the account you are logged into is the correct administrator account before proceeding.
Once you’ve signed into Azure, you must click Accept to grant Sift the read rights needed to import your users from your Azure AD domain.
Authorizing the Azure application redirects you to the Azure settings tab on the Source Settings page in the Sift Admin Dashboard. Verify that the Authorization status is authorized in the Azure Settings Tab.
Selecting which groups to sync
In the Azure Settings Tab, you can select which groups you want to sync from your Azure AD domain. Start typing the name of your Azure AD groups and any groups that match your input will be displayed in the form autocomplete.
Multiple groups can be selected, simply select the first group then begin typing again to choose a second.
If no groups are selected, all users on your Azure AD domain will be imported.
If you would like to import photos from your Azure AD domain, navigate to the Source Settings Tab and turn the Photo Sync setting to the “On” position.
You can map user attributes from your Azure AD domain to import into Sift via the Mappings tab on the Source Settings page. Details on mapping attributes can be found in this guide, with the same process being used for all source types.
In the Source Settings Page, click the Enable Sync button is enabled at the top right of the page to sync profiles from your Azure AD Domain to your Sift instance.
Once enabled, Sift will sync with your Azure AD domain once every 60 minutes
If you choose to disable your Azure AD sync, or if your sync loses authorization, your user data will remain as a reflection of the most recent successful sync with your Azure AD domain. User data will not be deleted nor will any source settings be lost.
When you reactivate sync, or reauthorize your Azure AD instance, sync will resume and any changes since the last sync will be reflected.
Debugging Failed Syncs
If your data sync is consistently in the failed state, trying one or more of the following may resolve your issue:
Reauthorize your source with a current Azure admin
If the person who originally authorized your Azure source is no longer with your organization, or is no longer an Azure admin, your authorization will fail on the next sync. To fix this issue, have someone in your organization who is currently an Azure admin go through the authorization flow by clicking the "Reauthorize" button.
Check your Azure Groups
If you restricted your sync to specific groups in Azure, and one or more of those groups no longer exist, you may see issues with your sync. Ensure that the groups listed in the Sift admin dashboard under Groups to Sync are current.
Check Required Data Mappings
If Sift finds users from your data source that do not have all of our required mappings (primary key, first name, last name, and email), they will be ignored. If no users are found that have all of these attributes, then the sync will fail. Ensure that all users you want to be synced into Sift have a value for all of these mappings.
If the above steps do not fix the issue, you can contact us using the Chat button in the admin dashboard, and we can help you investigate!