Environment: Microsoft Graph sync for Active Directory and Azure servers
Summary: This article describes how you can manage your Huntress SAT (security awareness training) learners through integration with your company’s Microsoft Active Directory or Azure server.
Syncing your Huntress SAT (Curricula) learner group with Microsoft Active Directory or Azure has never been more manageable. You can configure your settings to sync all your company contacts in your Active Directory, or you can create a designated group in your Active Directory and only sync the contacts that will participate in Huntress security awareness training. In addition, you can now opt in to API-based phishing and transactional message insertion.
This article is for the updated OAuth-based integration that was released in August 2023. If you are looking for the legacy integration instructions, you can find them at Microsoft-Graph-Integration-Legacy.
Step 1: Create an Integration Provider
First, you will be creating an integration connection with Microsoft.
Note: Channel partners will need to drill down into a customer sub-account to perform this task.
- Sign in to your Huntress Security Awareness Training (SAT)/Curricula account and navigate to Integration Providers by clicking “Settings” in the top navigation and then clicking “Providers” in the left navigation.
- Click “+ Add a provider”
- Click the “Connect” link in the Microsoft Graph tile.
- Choose the level of security permissions you wish to grant to Huntress SAT/Curricula.
  - We recommend “Full Permissions,” which allows you to choose between traditional email delivery of messages or API insertion of messages that bypasses email filters and transport rules, and allows sender customization for transactional messages. However, this requires granting Huntress permission to read and write messages.
  - Alternatively, you can grant permission to set up group sync only. This limits the product’s capabilities and is only recommended when your organization’s policy requires a limited scope.
- Authenticate with your Microsoft 365 account and click “Accept” on the Permissions requested.
Step 2: Map a SAT group to your Microsoft 365 tenant group(s). This is a mandatory step to set up a group sync.
- If you aren’t automatically sent to the group setup step after connecting your SAT account to Microsoft, click “+ Connect a group” on the Providers detail page.
- Choose whether you want to connect to an existing SAT group or create a new one. Please note that the ‘Staff’ group is created by default in all SAT accounts, and there is a one-to-one mapping between an SAT group and a Microsoft 365 group.
- Configure the group settings.
  - You can leave the Group ID blank to synchronize all identities in the Microsoft 365 directory, or paste the group’s “GUID” from Microsoft. If you would prefer to match on the "UPN" (User Principal Name) attribute instead of the user's "Email" attribute, check this box before syncing.
  - We recommend the following settings:
  - Enabled:
    - “Exclude unlicensed identities” - This setting ignores identities in Microsoft Active Directory that don’t have any licenses assigned to them. This is helpful to avoid importing non-human identities, such as printers and shared desktops.
    - “Automatic Daily Sync” - This setting schedules updates every 24 hours to keep your learner list up to date.
    - Attribute Options - Unless there are fields you explicitly want to ignore, we recommend leaving them all enabled.
    - Set non-present learners to "Inactive" status - If you ever delete identities in Microsoft Active Directory without setting them as “Inactive,” this setting will detect that and set learners who no longer appear in Active Directory to “Inactive.”
    - Create Departments as needed - This automatically creates Departments in the SAT platform once they are seen as part of the sync.
  - Disabled:
    - Set present learners to "Active" status - If you enable this setting, Curricula will ignore your resource’s “status” field when syncing users. Any users present in your resource will be set to “Active” status in the Curricula app after the sync is complete, even if they are marked as inactive or suspended in your directory.
- Click “Preview & Sync” for stats and detailed information about how identities would be impacted under the ‘Log’ tab.
- If everything looks correct, click “Apply Manual Sync.”
- After this initial sync, you can view results or download a CSV sync record under the Log tab.
- By running the manual sync, you have completed the configuration and saved your changes. You can return to Settings -> Integrations -> Provider to add more groups to the sync or modify settings.
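The recommended settings in Step 2 interact with each other (matching attribute, license exclusion, and the two status options), and the article only describes each one in isolation. The script below is an added example written for this article, not Huntress/Curricula code: the platform's real sync logic is not published here, so the reconciliation rules, the `DirectoryIdentity` and `SyncSettings` types, and the `preview_sync` function are assumptions that follow the setting descriptions above. The directory snapshot and learner list are constructed sample data. Running it shows what a "Preview & Sync" would plan under the recommended settings, and what changes when "Set present learners to Active" is turned on or the UPN attribute is used for matching.

```python
"""Reconciliation model for the Step 2 sync settings.

Added example for this article, not Huntress/Curricula code: the platform's
real sync logic is not published here, so the rules below are an assumption
that follows the setting descriptions in the article. The directory entries
and the existing learner list are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class DirectoryIdentity:
    """One identity as a Microsoft 365 directory would expose it (assumed fields)."""
    email: str
    upn: str                # User Principal Name
    licensed: bool          # has at least one license assigned
    account_enabled: bool   # False = disabled/suspended in the directory
    department: str = ""


@dataclass
class SyncSettings:
    """Defaults mirror the article's recommended configuration."""
    use_upn: bool = False                  # match on UPN instead of Email
    exclude_unlicensed: bool = True        # skip printers, shared desktops, ...
    set_non_present_inactive: bool = True  # learners gone from the directory -> Inactive
    set_present_active: bool = False       # recommended OFF: respect the directory status
    create_departments: bool = True


def sample_directory():
    """Constructed directory snapshot, not real tenant data."""
    return [
        DirectoryIdentity("alice@example.com", "alice@example.com", True, True, "Finance"),
        DirectoryIdentity("bob@example.com", "bob@example.com", True, False, "Finance"),  # suspended
        DirectoryIdentity("printer@example.com", "printer@example.com", False, True),    # unlicensed device
        DirectoryIdentity("dana@example.com", "dana.x@example.onmicrosoft.com", True, True, "Engineering"),
    ]


def sample_learners():
    """Constructed SAT learner list, keyed by the matching attribute (lower-cased)."""
    return {
        "alice@example.com": {"status": "active", "department": "Finance"},
        "bob@example.com": {"status": "active", "department": "Finance"},
        "carol@example.com": {"status": "active", "department": "Finance"},  # deleted from the directory
    }


def preview_sync(directory, learners, settings):
    """Return the planned changes without applying them, like 'Preview & Sync'."""
    plan = {"create": [], "activate": [], "deactivate": [], "unchanged": [],
            "skipped": [], "new_departments": []}

    # Pass 1: decide which directory identities take part in the sync at all.
    present = {}
    for ident in directory:
        if settings.exclude_unlicensed and not ident.licensed:
            plan["skipped"].append(ident.email)
            continue
        key = (ident.upn if settings.use_upn else ident.email).lower()
        present[key] = ident

    # Pass 2: reconcile every present identity against the learner list.
    known_departments = {learner["department"] for learner in learners.values()}
    for key, ident in present.items():
        # With the override off, a suspended directory account becomes Inactive in SAT.
        desired = "active" if (settings.set_present_active or ident.account_enabled) else "inactive"
        if settings.create_departments and ident.department and ident.department not in known_departments:
            plan["new_departments"].append(ident.department)
            known_departments.add(ident.department)
        if key not in learners:
            plan["create"].append((key, desired))
        elif learners[key]["status"] != desired:
            plan["activate" if desired == "active" else "deactivate"].append(key)
        else:
            plan["unchanged"].append(key)

    # Pass 3: learners that no longer appear in the directory at all.
    for key, learner in learners.items():
        if key not in present and settings.set_non_present_inactive and learner["status"] == "active":
            plan["deactivate"].append(key)
    return plan


if __name__ == "__main__":
    for action, items in preview_sync(sample_directory(), sample_learners(), SyncSettings()).items():
        print(f"{action:16s} {items}")
```

Two points the run makes visible: with the recommended settings, Bob (suspended in the directory) and Carol (deleted from it) both end up Inactive, while the unlicensed printer is never imported; flipping `set_present_active` on keeps Bob Active despite the suspension. Switching to UPN matching changes the key under which Dana is created, which is why the article says to choose the attribute before the first sync rather than after learners already exist under the other one.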
API message insertion to Microsoft 365
If you enabled “Full Permissions”, the option to deposit phishing emails and transactional emails is enabled by default. This means the system will attempt to deposit messages via API to bypass mail delivery rules and spam filters, but will fail over to SMTP email delivery if the API deposit fails. Transactional emails (such as new assignment notifications or reminders) deposited via API will also use the customized sender name and email address from the ‘Branding’ settings.
Important:
- This feature bypasses in-line filters but may still be caught by inbox-crawling tools such as Microsoft Defender for Office P1 or P2. If you are using such a product, you must still allowlist the SAT domains.
- When using API message insertion, there are no SMTP logs to review. Emails sent via API are not searchable in Message Tracking and can only be located in the target mailbox, because they are inserted directly into the user's inbox, bypassing the Exchange servers.