Environment: Microsoft Graph sync for Active Directory and Azure servers
Summary: This article describes how you can manage your Huntress SAT (security awareness training) learners through integration with your company’s Microsoft Active Directory or Azure server.
Syncing your Huntress SAT (Curricula) learner group with Microsoft Active Directory or Azure is a two-step process. You can configure your settings to sync all of the contacts in your Active Directory, or you can create a designated group in your Active Directory and sync only the contacts that will participate in Huntress security awareness training. (For instructions on configuring a designated group for training, see the Active Directory Group Sync (Optional) section below.)
Step 1: Register Graph API Application
First, you need to create a valid Microsoft Graph API application — you will enter these credentials into the Curricula (SAT) app in Step 2.
Follow these steps to create a valid Microsoft Graph API application:
1. Sign in to your Azure Portal.
2. If your account gives you access to more than one tenant, select your account in the top right corner and set your portal session to the Azure AD tenant that you want.
3. In the left-hand navigation pane, select the Azure Active Directory service, and then select App registrations > New registration.
4. When the Register an application page appears, give your application an SAT-related name, for example "SAT Integration".
5. When finished, select Register.
6. Temporarily copy the following keys to a text file, as you'll be entering these values into SAT later:
   - Application (client) ID
   - Directory (tenant) ID
7. Select Certificates & secrets, then "Add a client secret", choose an expiration time, and finally select "Add". Note: you will need to renew this secret when it expires to maintain the connection with SAT.
8. Temporarily copy the newly created client secret Value into the text file from step 6, as you will need to enter it into SAT later.
9. Select API permissions, then "Add a permission". Choose "Microsoft Graph", then "Application permissions", select "Directory > Directory.Read.All", and then select "Add permissions". This is the only permission SAT needs.
10. Finally, select API permissions again, then select "Grant admin consent for..."
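The following audit script is an added example, not part of the Huntress article or its product. It uses the Microsoft.Graph PowerShell SDK to confirm that the app registration from Step 1 requests only Directory.Read.All, that admin consent was actually granted, and how long the client secret remains valid; the display name "SAT Integration" and the 30-day warning threshold are assumptions you can change.

```powershell
# Added check script (not from the article): audits the Step 1 app registration.
# Assumes the Microsoft.Graph module is installed and the app was named 'SAT Integration'.
$AppDisplayName = 'SAT Integration'                        # name chosen in Step 1 (assumption)
$GraphAppId     = '00000003-0000-0000-c000-000000000000'   # well-known Microsoft Graph resource app id
$WarnDays       = 30                                        # secret-expiry warning threshold (assumption)

Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

$app = Get-MgApplication -Filter "displayName eq '$AppDisplayName'"
if (-not $app) { throw "No app registration named '$AppDisplayName' was found." }

# Resolve the Directory.Read.All application role from Graph's own service principal
# instead of hard-coding its GUID.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
$readAll = $graphSp.AppRoles | Where-Object { $_.Value -eq 'Directory.Read.All' }

# 1. Requested permissions: expect exactly one, Directory.Read.All of Type 'Role' (application).
$requested = foreach ($res in $app.RequiredResourceAccess) {
    foreach ($perm in $res.ResourceAccess) {
        [pscustomobject]@{ ResourceAppId = $res.ResourceAppId; Id = $perm.Id; Type = $perm.Type }
    }
}
$extra = $requested | Where-Object {
    -not ($_.ResourceAppId -eq $GraphAppId -and $_.Id -eq $readAll.Id -and $_.Type -eq 'Role')
}
if ($extra) { Write-Warning 'Permissions beyond Directory.Read.All are requested:'; $extra | Format-Table }
else        { Write-Host 'OK: only Directory.Read.All (application) is requested.' }

# 2. Admin consent: the app's service principal must hold the app role assignment.
$sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
           Where-Object { $_.AppRoleId -eq $readAll.Id }
if ($granted) { Write-Host 'OK: admin consent for Directory.Read.All is granted.' }
else          { Write-Warning 'Directory.Read.All is not admin-consented; step 10 is incomplete.' }

# 3. Client secret expiry: the secret must be renewed (and re-entered in SAT) before it lapses.
foreach ($cred in $app.PasswordCredentials) {
    $days = [int]($cred.EndDateTime - (Get-Date).ToUniversalTime()).TotalDays
    if ($days -lt $WarnDays) {
        Write-Warning "Secret '$($cred.DisplayName)' ($($cred.KeyId)) expires in $days day(s); renew it and update SAT."
    } else {
        Write-Host "OK: secret '$($cred.DisplayName)' is valid for $days more day(s)."
    }
}
```

Run it with an account that can read application objects; the warnings map directly back to steps 7, 9 and 10 above.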
Step 2: Configure in SAT
Next, you need to add the credentials from Step 1 into the Learner Management section of your SAT group settings.
Follow these steps to add your copied data from Step 1 into your SAT group settings:
1. Sign in to your Security Awareness Training account and navigate to your group's directory sync settings by clicking "Learners" in the top navigation and then "Import & Sync". Choose "Microsoft Graph" as the management type and click "Update".
2. Navigate to the Microsoft Graph section that appears below. Paste the Directory (tenant) ID from the temporary text file you created into the "Tenant ID" field.
3. Paste the Application (client) ID from the temporary text file into the "Client ID" field.
4. Paste the Client Secret from the temporary text file into the "Client Secret" field.
5. Click "Update", then "Manual Sync" to confirm everything is working.
Active Directory Group Sync (Optional)
Sometimes it can be helpful to only sync certain users from Active Directory with your SAT group.
Follow these steps to do this using the Active Directory "Groups" feature:
1. In the left-hand navigation pane, select the Azure Active Directory service, and then select Groups > New group.
2. Choose "Security" as the group type and give it a name and description, for example "Security Training".
3. Click the newly created group's name, then click "Members"; from here you can add any users you want to the group.
4. Next, copy the group's Object Id. You can find this ID by clicking "Properties" and looking for the "Object Id" field.
5. Lastly, paste that ID into the "Group ID" field of the "Syncing" section of your Graph configuration in SAT. Now only users who are members of this Active Directory security group will be synced with SAT.
UPN vs Email
If you would prefer to use the "UPN" (User Principal Name) attribute instead of the user's "Email" attribute, please check this box prior to syncing.