Configuring the Signature 365 on-premise Entra ID Connector
Scenario
You wish to integrate Signature 365 with your Entra ID tenant, but need to run separate Signature 365 instances for individual business units or brands, or are unable to use the standard integration because of security restrictions imposed by your company.
Please note - this solution is only available to customers with Enterprise licencing.
Solution
For customers that cannot utilise the standard cloud Entra connector, we are able to support two methods of integration using customer-provided and customer-configured infrastructure:
- An Azure Container Instance configured by a PowerShell script within your Microsoft Azure subscription.
- An on-premise Entra connector configured to access a custom application registration created by the customer.
The on-premise Entra ID Connector must be installed and configured within a customer network and cannot be accessed or managed by the Symprex support team.
In both cases, these options integrate with your Microsoft 365 tenant and allow you to select specific groups to sync with Signature 365, without granting Signature 365 its standard set of permissions.
Warning
These methods require detailed knowledge of Microsoft Entra permissions. The customer must create an App registration within Microsoft Entra, through which the on-premise connector connects to retrieve user data.
The Azure Container Instance method requires an Azure Subscription and will be billed to that Azure Subscription.
Warning
Entra ID must be set up in the same subscription in which the Storage account and Managed Identity are created.
Log in to the Azure Portal (portal.azure.com).
Search for "Subscription" in the search bar.
Select the Azure subscription in which to create the ACI. Please speak with your internal IT team if your company has no Azure Subscription.
Select the Resource Visualiser option from the menu, and click Create a resource.
Search for "Storage Account" and click create.
Either add to an existing resource group, or create a new one for this purpose.
- Name the subscription as desired
- Select an existing or create a new Resource group
- Primary service must be Azure Blob Storage, region should match your desired region
- Redundancy should be configured to LRS
No other changes to settings are required; click the Review + create button to save the changes.
Log on to your new Signature 365 tenant and note the organisation name listed under Settings -> Organisation.
Contact the Support team and request that the tenant be enabled for the Entra ID Connector; include the organisation name noted above.
After the support team confirms this is enabled, run the PowerShell script to create the managed identity.
Important!
The PowerShell script must be run as an administrator on the local device, and must be run using a Global Administrator account on your Microsoft 365 tenant.
We recommend using Set-ExecutionPolicy -ExecutionPolicy Bypass to allow the script to run (adding -Scope Process limits the relaxed policy to the current PowerShell session rather than the whole machine).
Run the deploy script to start the creation process for the Container.
The script will request access to complete these configuration changes via Microsoft Graph, and to create the required application. Please ensure "Consent on behalf of your organisation" is selected.
The script will create a managed identity, and the related Blob storage area to store these details. The script output will detail the steps performed.
Retain the tenant and application ID values displayed by the script.
Login to the Signature 365 portal, and enable the Entra ID connector from Integrations -> Entra ID connector.
Select the Managed Identity for Azure hosted deployments authentication method.
Configure the Managed Identity settings using the Entra ID tenant and application ID returned by the PowerShell script.
This will return the tenant, client and application IDs referenced in the PowerShell script.
Repeat this process for any additional tenants to be integrated with the EntraCLI component.
All Signature 365 tenants to be used with the EntraCLI must have the Entra CLI function activated and enabled on the tenant.
Create the configuration file used by the container. A default configuration document is listed in the PS script, and may be created automatically. Update the EntraId and Signature365 sections with the relevant IDs created in the previous step.
If you are using the default mapping, you can proceed to the next section and upload the config.json using Azure Storage Explorer.
For customers wishing to utilise multiple Signature 365 instances, the Signature365 and Mappings sections must be configured to assign Microsoft 365 groups to individual Signature 365 tenants.
CAUTION!
It is not possible to assign users to multiple Signature 365 tenants. Doing so will prevent signatures from correctly matching a user.
Signature365 - This section details the Signature 365 tenants to import to, and the corresponding access tokens to use. Replace <Tenant1> and <Tenant2> with the names of your Signature 365 tenants, and each Token value with the token from the EntraCLI integration, which starts with idscl_:
    "Signature365": {
        "Tenant1": {
            "Token": "idscl_ZxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxZTn0KU*kVaHU"
        },
        "Tenant2": {
            "Token": "idscl_hKxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxRDa9v&6Z"
        }
    }
Mappings - This section details the group(s) that should be used to map to the Signature 365 tenants:
- From: For most customers, this will be EntraId:Default, matching the default import source
- To: The destination Signature 365 tenant, as named in the Signature365 section
- LimitToGroups: The group containing the users to be imported into this Signature 365 tenant. This must be entered as the Object ID listed for the group in Entra ID
    "Mappings": [
        {
            "From": "EntraId:Default",
            "To": "Signature365:Tenant1",
            "LimitToGroups": ["622b1005-624a-457b-a148-566d50f3f1ff"]
        },
        {
            "From": "EntraId:Default",
            "To": "Signature365:Tenant2",
            "LimitToGroups": ["201b4787-3b9e-411d-8def-a464b9d2d5df"]
        }
    ]
Save this file as config.json on your local device.
Azure Storage Explorer
We recommend using Azure Storage Explorer to upload the configuration file to Azure Blob storage.
Download and install Azure Storage Explorer (Azure Storage Explorer – cloud storage management | Microsoft Azure).
Select the "Sign in with Azure" option.
Select your Azure environment.
Storage Explorer will prompt you to log in; ensure you select the correct Microsoft 365 tenant. Once logged in, you will see the Subscription created previously.
Open the Subscription and expand the Storage Accounts option; you will see the account created previously.
Data cannot be uploaded to the root of Blob storage. Right-click the Blob Containers item and select Create Blob Container. Name the blob container; we recommend entracli or similar. (Note: blob container names may only contain lower-case letters and numbers.)
Drag and drop the config.json file created earlier from your device into the Blob Container you have created.
Right-click the Blob Container and select Properties. Copy the Blob URL and update the $ConfigurationBlobUri variable in the PS script.
Gaze upon the wonder of imported data via EntraCLI
The Entra ID Connector can be downloaded from URLHERE and should be installed on a device within your company's IT infrastructure which is permitted to access your Microsoft 365 tenant.
System Requirements:
The Entra ID Connector can be installed on a physical or virtual server, and supports installation on an Azure VM.
- OS: Windows Server 2019+
- Hardware: 2 CPU cores, 8 GB RAM
Create the Entra App registration
First, the App registration that will be used by the Entra ID connector must be created to generate the application and tenant ID, and the client secret that will be used.
- Log in to the Azure portal:
https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps - Under App registrations, select New registration.
- Name the application as desired. We suggest naming this "Signature 365 Entra ID Connector". Leave the settings as default, and select Register.
- The App details screen will be displayed. The Application (client) ID and Directory (tenant) ID values will be required to configure the Entra ID connector.
- Next, you must configure API permissions to define the access rights for the application. Select the API permissions menu option.
Use the + Add a permission option to add the required permissions as follows:
User.Read.All - Mandatory
Domain.Read.All - Mandatory
Group.Read.All - Mandatory
Application.Read.All - Optional, required for extension attributes
MailboxSettings.Read - Optional, required to determine mailbox type
Once added, select Grant admin consent for <tenant> to ensure the permissions are allowed for your tenant.
- A client secret must be configured to secure the application connection. Select the Certificates and secrets option, and select + New client secret.
- Name the client secret, define the validity period and click Add.
The secret value is hidden once you leave this screen. Ensure you have copied it before clearing your clipboard.
Enable the Entra ID Connector in Signature 365
- Log on to the Signature 365 portal at signature365.com; select the Integrations tab, and select Enable on the Entra ID card.
- Select Enable.
- Copy the generated secret. As noted, this value is not shown again and will need to be regenerated if lost.
Install and configure the Entra ID connector
With the App registration completed and the Entra ID connector enabled on your tenant, the Entra ID Connector can be installed. The installation does not require any configuration; it creates a local service on the device that runs on an hourly schedule to match the cloud connector. On completion it will, by default, open the configuration JSON file:
The fields in the example above relate to the following information:
EntraId - Details the connection settings for the Entra ID App registration:
- Default: The default Entra ID source to import from
- TenantId: The Directory (tenant) ID generated with the App registration
- ClientId: The Application (client) ID generated on app registration
- ClientSecret: The client secret created previously
Signature365 - Details the connection settings for the Entra ID connector in your Signature 365 tenants. Each entry should be named after the Signature 365 tenant the data will be imported to:
- Token: The token generated by the Entra ID connector in that tenant
Mappings - Details the group(s) that should be used to map to the Signature 365 tenants:
- From: For most customers, this will be EntraId:Default, matching the default import source
- To: The destination Signature 365 tenant, as named in the Signature365 section
- LimitToGroups: The group containing the users to be imported into this Signature 365 tenant. This must be entered as the Object ID listed for the group in Entra ID
The config.json file should then be saved, and the service restarted to trigger an initial import run.
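As an added example (not part of the Signature 365 product or this guide), a pre-check for a config.json built from either the ACI section or the on-premise section above: it parses the file, confirms each mapping's From and To name a configured EntraId source and Signature365 tenant, that tokens start with idscl_, that LimitToGroups entries are Entra ID Object IDs, and flags a group mapped to two tenants, which would run into the caution that a user cannot belong to multiple Signature 365 tenants. The sample config is constructed; its tenant and client IDs, secret and tokens are placeholders, and the check only catches a group that is literally repeated, not users who belong to two different mapped groups (that has to be checked against group membership in Entra ID).

```python
import json
import re

# Constructed sample config.json in the layout this guide describes.
# IDs, secret and tokens are placeholders; the group Object ID quoted in
# the guide is deliberately reused in both mappings so the check finds it.
SAMPLE_CONFIG = """{
  "EntraId": {"Default": {"TenantId": "00000000-0000-0000-0000-000000000001",
                          "ClientId": "00000000-0000-0000-0000-000000000002",
                          "ClientSecret": "<client-secret-placeholder>"}},
  "Signature365": {"Tenant1": {"Token": "idscl_placeholder_token_1"},
                   "Tenant2": {"Token": "idscl_placeholder_token_2"}},
  "Mappings": [
    {"From": "EntraId:Default", "To": "Signature365:Tenant1",
     "LimitToGroups": ["622b1005-624a-457b-a148-566d50f3f1ff"]},
    {"From": "EntraId:Default", "To": "Signature365:Tenant2",
     "LimitToGroups": ["622b1005-624a-457b-a148-566d50f3f1ff"]}]}"""

# Entra ID Object IDs are GUIDs in 8-4-4-4-12 hex form.
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def validate_config(text: str) -> list[str]:
    """Return the problems found; an empty list means the file is consistent."""
    cfg = json.loads(text)  # a missing brace or bracket fails here
    sources = cfg.get("EntraId", {})
    tenants = cfg.get("Signature365", {})
    problems = []
    for name, tenant in tenants.items():
        if name.startswith("<"):  # <Tenant1> / <Tenant2> never replaced
            problems.append(f"Signature365 tenant '{name}' is still a placeholder")
        if not str(tenant.get("Token", "")).startswith("idscl_"):
            problems.append(f"Signature365:{name} token does not start with idscl_")
    first_target = {}  # group Object ID -> first tenant it was mapped to
    for i, m in enumerate(cfg.get("Mappings", [])):
        src, dst = m.get("From", ""), m.get("To", "")
        if src.partition(":")[0] != "EntraId" or src.partition(":")[2] not in sources:
            problems.append(f"Mappings[{i}] From '{src}' is not a configured EntraId source")
        if dst.partition(":")[0] != "Signature365" or dst.partition(":")[2] not in tenants:
            problems.append(f"Mappings[{i}] To '{dst}' is not a configured Signature365 tenant")
        for g in m.get("LimitToGroups", []):
            if not GUID_RE.match(g):
                problems.append(f"Mappings[{i}] group '{g}' is not an Entra ID ObjectId")
            elif first_target.setdefault(g, dst) != dst:  # same group, second tenant
                problems.append(f"group {g} is mapped to both {first_target[g]} and {dst}")
    return problems


if __name__ == "__main__":
    print("\n".join(validate_config(SAMPLE_CONFIG)) or "config looks consistent")
```

Run it against your own file before uploading to Blob storage or restarting the service; the connector's own --validate-config-only option then gives the authoritative check.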
The Signature 365 Entra ID Connector
--validate-config-only Validates the configuration file but does not run an import.
--run-once Will run the connector once and quit.
--try-delta Try a delta import if possible.
--log-event-level The log event level to use.
--help Display this help screen.
--version Display version information.