Learn how to synchronize Sift users and groups with your existing Azure Active Directory domain.
Import Sift users and profile attribute information directly from your Azure Active Directory (AAD) cloud service into Sift with Sift’s Azure AD sync feature.
Sift AAD Sync is a one-way operation. No information from Sift is imported into your user directory.
You can configure your Azure AD integration in two places on the Admin Dashboard:
During the initial Directory/source setup Wizard when the Source is first created.
After you've created your source, you can update your authorization and configuration on your Source Dashboard.
We'll walk through the first scenario noted above, but the second is very similar.
Prerequisites necessary for Active Directory synchronization are as follows:
A designated Azure admin service account to use for authorizing the sync. This account needs the Azure Global Administrator role during Sift setup, but you can reduce the service account's role privileges later.
Azure AD groups populated with users to sync.
Administrator access to the Sift Admin Dashboard.
A Directory created in the Sift Admin Dashboard for your Azure Active Directory Sync (details on how to set up a Directory can be found in this guide).
Authorizing Azure Active Directory
After selecting Microsoft Azure Active Directory as a source type, you will need to click the "Authorize" button to grant Sift access to read information from your Azure AD domain.
Clicking "Authorize" will take you to the Azure AD portal. Sign in with your designated Azure service administrator account that has the global administrator role for this Azure Active Directory. You may need to complete Azure MFA for that service account admin user.
Sift does not see or store your Azure Active Directory administration credentials.
Note: If you are already signed into a Microsoft account you may not see this step. Ensure the account you are logged into is the correct administrator account before proceeding.
Once you’ve signed into Azure, you must grant Sift the read rights needed to import your users from your Azure AD domain by clicking the "Yes" button.
After authenticating, you'll either be redirected back to Sift, confirming your authorization was successful, or shown an error. If you receive an error, the most likely reason is that the account signing into Azure AD did not have sufficient permissions.
Selecting which Groups to Sync
You can select which groups you want to sync from your Azure AD domain. Start typing the name of your Azure AD groups and any groups that match your input will be displayed in the form autocomplete.
Multiple groups can be selected. Simply select the first group then begin typing again to choose a second.
If no groups are selected, all users on your Azure AD tenant will be imported. If groups are selected, only those within the selected groups will be imported.
Completing the Setup Process
Once you've successfully authorized Azure AD, you will go through the rest of the setup process to create your mappings and enable your sync.
Enabling and Disabling Sync
On the Source Dashboard, click the "Enable Sync" switch on the top right of the page to sync profiles from your Azure AD to your Sift instance.
Once enabled, Sift will sync with Azure AD once every 60 minutes. You can also manually initialize a sync using the "Sync Now" button, as long as a sync isn't already running.
If you choose to disable your Azure AD sync, or if your sync loses authorization, your user data will remain as a reflection of the most recent successful sync with your Azure AD domain. User data will not be deleted nor will any source settings be lost.
When you reactivate sync or reauthorize your Azure AD instance, sync will resume, and any changes since the last sync will be reflected.
Debugging Failed Syncs
For further documentation on possible sync errors, check out our troubleshooting article.
If your data sync is consistently in the failed state, trying one or more of the following may resolve your issue:
Reauthorize your source with a current Azure admin
If the person who originally authorized your Azure source is no longer with your organization or is no longer an Azure admin, your authorization will fail on the next sync. To fix this issue, have someone in your organization who is currently an Azure admin go through the authorization flow by clicking the "Reauthorize" button.
Check your Azure groups
If you restricted your sync to specific groups in Azure, and one or more of those groups no longer exist, you may see issues with your sync. Ensure that the groups listed in the Sift admin dashboard under Groups to Sync are current.
Check Required Data Mappings
If Sift finds people in your data source who do not have all of our required mappings (Primary Key, first name, last name, and email), they will be ignored. If no people are found that have all of these attributes, then the sync will fail. Ensure that all people you want to be synced into Sift have a value for all of these mappings.
If the above steps do not fix the issue, you can contact us using the "Chat" button in the Admin Dashboard, and we can help you investigate!
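A pre-flight check for the group scoping and required-mapping rules described above, as an added example that is not Sift's code: it runs over a directory export and reports stale groups, which accounts would sync, which would be ignored, and whether the sync would fail. The attribute names are Microsoft Graph user properties; their pairing with Sift's required mappings, the export shape, and all sample data are assumptions.

```python
# Assumption: Sift's required fields mapped to Microsoft Graph user properties.
REQUIRED_MAPPINGS = {
    "Primary Key": "id",
    "first name": "givenName",
    "last name": "surname",
    "email": "mail",
}

def users_in_scope(users, groups, groups_to_sync):
    """No groups selected means the whole tenant; otherwise only group members."""
    if not groups_to_sync:
        return list(users)
    members = set()
    for name in groups_to_sync:
        members.update(groups.get(name, ()))  # a deleted group contributes nobody
    return [u for u in users if u["userPrincipalName"] in members]

def preflight(users, groups, groups_to_sync):
    """Report stale groups, who would sync, who would be ignored, and why."""
    stale = [g for g in groups_to_sync if g not in groups]
    synced, ignored = [], {}
    for user in users_in_scope(users, groups, groups_to_sync):
        missing = [field for field, attr in REQUIRED_MAPPINGS.items()
                   if not (user.get(attr) or "").strip()]
        if missing:
            ignored[user["userPrincipalName"]] = missing
        else:
            synced.append(user["userPrincipalName"])
    # Per the page: the sync fails when nobody has every required attribute.
    return {"stale_groups": stale, "synced": synced,
            "ignored": ignored, "sync_fails": not synced}

# Constructed sample export (hypothetical tenant).
SAMPLE_USERS = [
    {"id": "0001", "userPrincipalName": "ana@example.com",
     "givenName": "Ana", "surname": "Lopez", "mail": "ana@example.com"},
    {"id": "0002", "userPrincipalName": "svc-backup@example.com",
     "givenName": None, "surname": None, "mail": None},
    {"id": "0003", "userPrincipalName": "raj@example.com",
     "givenName": "Raj", "surname": "Patel", "mail": ""},
    {"id": "0004", "userPrincipalName": "kim@example.com",
     "givenName": "Kim", "surname": "Ng", "mail": "kim@example.com"},
]
SAMPLE_GROUPS = {
    "Engineering": ["ana@example.com", "raj@example.com"],
    "Service Accounts": ["svc-backup@example.com"],
}
```

Calling `preflight(SAMPLE_USERS, SAMPLE_GROUPS, [])` shows the service account entering scope when Groups to Sync is left empty, which is the case to review before relying on the tenant-wide default.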
Additional Setup (Optional)
If you would like to import photos from your Azure AD domain, navigate to the "Source Settings" tab on your Source Dashboard and turn the Photo Sync setting to the "On" position.