To synchronize with a standard Azure AD tenant, you need to create a new application in your Azure Tenant.
Requirements
- An Azure Active Directory tenant
Step 1. Create your Azure application
- Log in to Azure as an application administrator.
- In the Search bar, search for and select Azure Active Directory.
- In the navigation pane, under Manage, select App Registrations.
- Click New registration.
- Fill in the basic information for your application.
  - Set Name as something you can easily identify, for example, PaperCut Azure Sync.
  - Set the supported account type to Accounts in this organizational directory only.
- Click Register.
Step 2. Give your application permissions to read users and groups
- In the navigation pane, under Manage, select API Permissions and click Add a permission.
- In the right pane, select Microsoft Graph, and click Delegated permissions.
- Use the search bar to locate and add the following permissions:
  - User.Read
- Click Application permissions.
- Use the search bar to locate and add the following permissions:
  - GroupMember.Read.All
  - User.Read.All
  - Group.Read.All (only required if you want to sync Groups)
- Under Configured Permissions, click Grant admin consent, and then click Yes to confirm.
Step 3. Configure your application’s authentication
- In the navigation pane, under Manage, select Authentication.
- Under Platform configurations, click Add a platform.
- In the right side pane, select Web.
- Fill in the platform configuration with the following values:
  - Redirect URIs: set to https://type-our-own-papercut-server-address-here:9192/api/oauth2callback
    For example: https://papercut.school.com:9192/api/oauth2callback
  - Leave the front-channel logout URL blank.
  - Under Implicit grant and hybrid flows, select ID Tokens.
- Click Configure.
Step 4. Generate an application client secret value
- In the navigation pane, under Manage, select Certificates & secrets.
- Under Client Secrets, click New client secret.
- Complete the following fields:
  - Description: set to something memorable, for example, “PaperCut Sync Secret”.
  - Expires: Choose an appropriate expiry date.
- Click Add.
- Copy the client secret value for later use.
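Once the secret exists, the application can obtain an app-only access token, and its claims show whether Step 2 granted exactly the intended application permissions. The following is an added example, not PaperCut or Microsoft code: it assumes application permissions appear in the token's roles claim, the tenant in tid and the application in appid (or azp), and it runs on a constructed, unsigned sample token with placeholder IDs.

```python
import base64
import json

# Application permissions this page grants in Step 2.
REQUIRED = {"User.Read.All", "GroupMember.Read.All"}
OPTIONAL = {"Group.Read.All"}  # only needed when syncing groups


def decode_claims(token):
    """Return the JWT payload as a dict. No signature check: audit use only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_roles(claims, tenant_id, app_id):
    """Compare an app-only token's claims with what Step 2 should have granted."""
    findings = []
    if claims.get("tid") != tenant_id:
        findings.append("token issued by an unexpected tenant")
    if claims.get("appid", claims.get("azp")) != app_id:
        findings.append("token issued to an unexpected application")
    roles = set(claims.get("roles", []))
    for missing in sorted(REQUIRED - roles):
        findings.append(f"missing permission: {missing}")
    for extra in sorted(roles - REQUIRED - OPTIONAL):
        findings.append(f"excess permission: {extra}")
    return findings


def make_sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}.constructed"


# Constructed sample values, not real identifiers.
TENANT = "00000000-0000-0000-0000-000000000001"
APP = "00000000-0000-0000-0000-000000000002"
SAMPLE = make_sample_token({
    "tid": TENANT, "appid": APP,
    "roles": ["User.Read.All", "Group.Read.All", "Directory.ReadWrite.All"],
})

if __name__ == "__main__":
    for finding in audit_roles(decode_claims(SAMPLE), TENANT, APP):
        print(finding)
```

An empty result means the token carries only the permissions listed in Step 2; any excess permission should be removed from the app registration before the secret is stored in PaperCut.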
Step 5. Configure PaperCut
- Log in to the PaperCut Admin web interface.
- Select Options > User/Group Sync.
  The User/Group Sync page is displayed.
- In the Sync Source area, in Primary sync source, select Azure AD.
- Fill in the following fields:
  - Tenant ID: The ID of your tenant, as listed in Azure Active Directory.
  - App ID: The ID of the application you registered as part of this setup.
  - Client Secret: The client secret value that you created in Step 4 above.
- If you want to sync the Primary card number in PaperCut from the employeeID field in Azure:
  (Note that if you are using PaperCut MF/NG version 22.0.9 or later, you can configure the Primary/Secondary Card/ID sync from within Options > User/Group Sync > Sync Source > Azure AD > Card/ID number.)
  - From the Actions menu, click Config editor (advanced) to open the Config Editor.
  - Search for user-source.update-user-details-card-id.
  - Change the value from N to Y and click Update.
- If you want to sync aliases for your usernames, select Username alias > Sync from AD/LDAP field (this feature requires PaperCut MF/NG version 22.0.9 or later).
  - Enter the attribute name in the AD/LDAP field name text box.
  - Note that for Azure AD, you can find a number of the popular property names in this Azure properties table from Microsoft. For example, if you want to sync the Mail Nickname field from Azure, enter it as the property mailNickname.
- By default, the Azure AD username and e-mail are one and the same. An organization can now elect to make them different (this feature requires PaperCut MF/NG version 23.0.5 or later). To do this, select Email > Sync from AD/LDAP field.
  - Enter the sync field name in the AD/LDAP field name text box.
- Click Apply.
- If you want your users to be able to log in to the Admin and User web interfaces using the Sign in with Microsoft button:
  - Return to Options > User/Group Sync.
  - Scroll down the page to find Single Sign on with Microsoft and select the checkbox to enable it.
  - Fill in the fields with the same information as above.
  - Click Apply at the bottom of the page.