
Configuring the Signature 365 Entra ID Connector

This article explains how to configure the Signature 365 Entra ID Connector to synchronise directory data from Microsoft Entra ID into Signature 365.

The connector supports two deployment scenarios using customer infrastructure:

  • Azure Container Instance
  • On-premises Entra ID Connector installation

The container instance or on-premises Entra ID connector is installed and configured within the customer's network and cannot be accessed or managed by the Symprex support team.

In both cases, these options will integrate with your Microsoft 365 instance and allow the user to configure specific groups for sync with Signature 365, without requiring the standard set of permissions granted to Signature 365.

Please note - these integration methods require a Signature 365 Enterprise subscription. Please contact our support team for more information.

 

Azure Container Instance

Prerequisites
  • Entra ID Connector entitlement enabled by the support team.
  • Enterprise application management permissions on your Entra ID tenant.
  • An Azure subscription within the same Entra ID tenant in which the container instance will be created.
  • The Entra ID Connector PowerShell scripts.

Log in to the Azure Portal (portal.azure.com)

Open Entra ID, and from the overview page, copy the Entra ID tenant value, and insert this into the $entratenantid value in the entra-id-customer-container-deploy-script PowerShell script.

Search for Subscription in the search bar

Select your Azure subscription to create the ACI within. Please speak with your internal IT team if your company has no Azure Subscription.

Select the Resource Visualiser option from the menu, and click Create a resource.

Search for "Storage Account" and click create.

Either add to an existing resource group, or create a new one for this purpose.

  • Name the subscription as desired
  • Select an existing or create a new Resource group
  • Primary service must be Azure Blob Storage, region should match your desired region
  • Redundancy should be configured to LRS

No other changes to settings are required. Select the Review + create button to save the changes.

Note the Resource group name and Storage account name, and update the deployment script with these details.

Creating the Managed Identity

Both PowerShell scripts provided by the support team should be extracted to the same folder. The entra-id-customer-container-deploy-script PowerShell script is run to create the managed identity.

Important!

The PowerShell script must be run as an administrator on the local device, and ideally should be run using a Global Administrator account on your Microsoft 365 tenant.

We recommend using the Set-ExecutionPolicy Bypass command to allow the script to run

Run the deploy script to start the creation process for the Container.
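One way to apply the execution policy recommendation above without changing the machine-wide or per-user policy, shown as an added example that is not part of the Symprex scripts. The function name, the .ps1 file name and the expected hash are assumptions; the hash is a placeholder for a value you have confirmed with the support team.

```powershell
# Added example, not part of the Symprex scripts. Invoke-DeployScriptOnce is a
# hypothetical name; the file name and expected hash below are placeholders.
function Invoke-DeployScriptOnce {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256   # confirmed out of band
    )

    # Refuse to run a file that differs from the one you were sent.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        throw "SHA-256 mismatch for ${Path}: got $actual"
    }

    # Report whether the script carries an Authenticode signature.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    Write-Host "Signature status: $($sig.Status)"

    # Bypass applies to this PowerShell process only. The LocalMachine and
    # CurrentUser policies are untouched and the setting ends with the session.
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
    & $Path
}

# Usage (placeholder values):
# Invoke-DeployScriptOnce -Path '.\entra-id-customer-container-deploy-script.ps1' `
#     -ExpectedSha256 '<SHA-256 confirmed with the support team>'
```

Running Get-ExecutionPolicy -List afterwards shows Bypass against the Process scope only.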

The script will request access to complete these configuration changes via Graph, and to create the application required. Please ensure Consent on behalf of your organisation is selected.

A Managed Identity will be created, along with the related Blob storage area to store these details. The script output will detail the steps performed.

Permission to run a number of Graph and Azure PowerShell modules will be requested as part of the deployment process. 



The installation will request confirmation that your account has permissions to assign application roles within Entra ID. You will require an account capable of assigning application level permissions for an Enterprise application, or a Global Administrator account.

Selecting "Yes" will attempt to assign the required roles. Selecting "No" will detail the required commands to assign these application roles.

The script now details the tenant and application IDs to be entered for the Signature 365 configuration.

Log in to the Signature 365 portal, and enable the Entra ID connector from Integrations -> Entra ID connector.

Select the Managed Identity for Azure hosted deployments authentication method.

Configure the Managed Identity settings using the Entra ID tenant and application ID returned from the PowerShell script.

This will return the tenant, client and application IDs referenced in the PowerShell script.

Repeat this process for any additional tenants to be integrated with the EntraCLI component.

Please note - all Signature 365 tenants to be used with the Entra ID connector must have the function activated and enabled on the tenant by our support team.

Create the configuration file used by the container - a default configuration document is listed in the PowerShell script and is included in the installation files. Update the EntraId and Signature 365 sections with the relevant IDs created in the previous step.

If you are using the default mapping, you can proceed to the next section and upload the config.json using Azure Storage Explorer.

For customers wishing to utilise multiple Signature 365 instances, the Signature365 and Mappings sections must be configured to assign Microsoft 365 groups to individual Signature 365 tenants.

Caution

Assigning a user to multiple Signature 365 tenants may cause issues with signature matching as the FIRST matching tenant is selected.

We strongly recommend that users are assigned to a single Signature 365 tenant to prevent unintended signature assignment.

Signature 365 - This section details the Signature 365 tenants to import to, and the corresponding access tokens to use for this. Replace <Tenant1> and <Tenant2> with the names of your Signature 365 tenants, and Token with the value from the entraCLI integration, starting idscl_.

    "Signature365": {
        "Tenant1": {
            "Token": "idscl_ZxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxZTn0KU*kVaHU"
        },
        "Tenant2": {
            "Token": "idscl_hKxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxRDa9v&6Z"
        }
    }

Mappings - This section details the group(s) that should be used to map to the Signature 365 tenants:

  • From: For most customers, this will be EntraId:Default, matching the default import source
  • To: The destination Signature 365 tenant, as named in the Signature365 section
  • LimitToGroups: The group containing the users to be imported into this Signature 365 tenant. This must be entered as the ObjectID listed for the group in Entra ID

    "Mappings": [
        {
            "From": "EntraId:Default",
            "To": "Signature365:Tenant1",
            "LimitToGroups": ["622b1005-624a-457b-a148-566d50f3f1ff"]
        },
        {
            "From": "EntraId:Default",
            "To": "Signature365:Tenant2",
            "LimitToGroups": ["201b4787-3b9e-411d-8def-a464b9d2d5df"]
        }
    ]

Save this file as config.json on your local device
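The function below lints a config.json of the shape shown above before it is uploaded: tokens must start with idscl_, every mapping target must exist under Signature365, LimitToGroups entries must be GUIDs, and a group mapped to two tenants is flagged because the first matching tenant is selected. This is an added example, not Symprex code; the function name and sample values are assumptions, and a user who belongs to two different mapped groups cannot be detected from the file alone.

```powershell
# Added example (not Symprex code). Test-ConnectorConfig is a hypothetical name;
# the layout checked is the one shown in this article.
function Test-ConnectorConfig {
    param([Parameter(Mandatory)][string]$Json)
    $cfg      = $Json | ConvertFrom-Json
    $findings = [System.Collections.Generic.List[string]]::new()
    $tenants  = @()
    if ($cfg.Signature365) { $tenants = @($cfg.Signature365.PSObject.Properties.Name) }

    foreach ($name in $tenants) {
        if ($cfg.Signature365.$name.Token -notlike 'idscl_*') {
            $findings.Add("Signature365.$name.Token does not start with idscl_")
        }
    }

    $claimed = @{}   # group ObjectID -> first mapping target that uses it
    foreach ($m in $cfg.Mappings) {
        $target = "$($m.To)" -replace '^Signature365:', ''
        if ("$($m.To)" -notlike 'Signature365:*' -or $tenants -notcontains $target) {
            $findings.Add("Mapping target '$($m.To)' is not defined under Signature365")
        }
        foreach ($g in $m.LimitToGroups) {
            $parsed = [guid]::Empty
            if (-not [guid]::TryParse($g, [ref]$parsed)) {
                $findings.Add("LimitToGroups entry '$g' is not an ObjectID (GUID)")
            } elseif ($claimed.ContainsKey($g) -and $claimed[$g] -ne $m.To) {
                $findings.Add("Group $g is mapped to $($claimed[$g]) and $($m.To)")
            } else { $claimed[$g] = $m.To }
        }
    }
    return $findings
}

# Constructed sample: placeholder tokens and made-up group ObjectIDs.
$sample = @'
{
  "Signature365": {
    "Tenant1": { "Token": "idscl_PLACEHOLDER" },
    "Tenant2": { "Token": "PLACEHOLDER" }
  },
  "Mappings": [
    { "From": "EntraId:Default", "To": "Signature365:Tenant1",
      "LimitToGroups": ["00000000-0000-0000-0000-000000000001"] },
    { "From": "EntraId:Default", "To": "Signature365:Tenant2",
      "LimitToGroups": ["00000000-0000-0000-0000-000000000001", "sales-team"] }
  ]
}
'@
Test-ConnectorConfig -Json $sample
```

To check a real file, pass its contents with Get-Content -Raw; an empty result means none of these checks fired.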

Azure Storage Explorer

We recommend using Azure Storage Explorer to upload the configuration file to Azure Blob storage.

Download and install Azure Storage Explorer from the Microsoft Azure page "Azure Storage Explorer – cloud storage management".

Select the "Sign in with Azure" option

Select your Azure environment

Storage Explorer will prompt you to log in - ensure you select the correct Microsoft 365 tenant. Once logged in, you will see the Subscription created previously.

Open the Subscription, and expand the Storage Accounts option - you will see the account previously created.

Data cannot be uploaded to the root of Blob storage. Right-click on the Blob Containers item, and select Create Blob Container. Name the blob container - we recommend entracli or similar. (Note: Blob container names can only contain lower-case letters and numbers.)

Drag and drop your config.json file created previously from your device to the Blob Container you have created.

Right-click on the Blob Container, and select Properties. Copy the Blob URL and update the $ConfigurationBlobUri variable in the PowerShell script.

Press Enter - the script will now prompt you to enter the Blob URI of the configuration file created.

A new container instance will now be created and started using the details provided.

View the container instances portal at the Azure Container Instances page

Select the new container instance, then Settings -> Containers. Select the Logs tab. You will see details of the container instance loading your users and groups from Entra ID, and then uploading these to Signature 365.

 


On-Premises Entra Connector installation
 

The Entra ID Connector should be installed on a device within your company's IT infrastructure which is permitted to access your Microsoft 365 tenant.

Prerequisites

  • Entra ID Connector entitlement enabled by the support team.
  • App Registration management permissions on your Entra ID tenant.
  • A Windows server matching the specifications below.

System Requirements:

The Entra ID Connector can be installed on a physical or virtual server, and supports installation on an Azure VM.

OS:
Windows Server 2019+

Hardware:
2 CPU Cores
8GB RAM

Create the Entra App registration

First, the App registration that will be used by the Entra ID connector must be created to generate the application and tenant ID, and the client secret that will be used.

  • Log in to the Azure portal:
    https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps
  • Under App registrations, select New registration

  • Name the application as desired. We suggest naming this "Signature 365 Entra ID Connector". Leave the settings as default, and select Register.

  • The App details screen will be displayed. The Application (client) ID and Directory (tenant) ID values will be required to configure the Entra ID connector.



  • Next, you must configure API permissions to define access rights for the application. Select the API permissions menu option.

  • Use the + Add a permission option, and select "Microsoft Graph" -> Application permissions to add the required permissions as follows:

    User.Read.All - Mandatory
    Domain.Read.All - Mandatory
    Group.Read.All - Mandatory
    Application.Read.All - Optional, required for extension attributes
    MailboxSettings.Read - Optional, required to determine mailbox type

    Once added, select the Grant admin consent for <tenant> option to ensure this is allowed for your tenant. The screen will display as follows:



  • A client secret must be configured to secure the Application connection. Select the Certificates and secrets option, and select + New client secret

  • Name the client secret, define the validity period and hit Add



    The secret value will be hidden when this is copied to the clipboard. Ensure you have copied this before clearing your clipboard.

Enable the Entra ID Connector in Signature 365

  • Log on to the Signature 365 portal at signature365.com, select the Integrations tab (navigate to the following URL: https://app.signature365.com/integrations/entra-id), and select Enable on the Entra ID card.

  • Select Enable

  • Select the Client secret option

  • Copy the generated secret - as noted, this value is not shown again and will need to be regenerated if lost.

Install and configure the Entra ID connector

With the App registration completed and Entra ID connector enabled on your tenant, the Entra ID Connector can be installed. The installation does not require any configuration, and will create a local service on the device, running on an hourly schedule to match the cloud connector. On completion, this will by default open the configuration JSON file:

The fields in the example above relate to the following information:

EntraId - Details the connection settings for the Entra ID registration:

  • Default: The default Entra ID source to import from:
    • TenantId: The tenant ID generated with the App registration
    • ClientId: The client ID generated on app registration
    • ClientSecret: The client secret created previously

Signature365 - Details the connection details for the Entra ID connector in your Signature 365 tenants. These should be named as the Signature 365 tenants the data will be imported to.

  • Default: A reference to the Signature 365 instance - this is referenced in mappings
  • TenantId: The tenant ID of the Signature 365 tenant - support can provide this information
  • ClientId: The Client ID token generated by the EntraID connector on the tenant

Mappings - Details the group(s) that should be used to map to the Signature 365 tenants:

  • From: For most customers, this will be EntraId:Default, matching the default import source
  • To: The destination Signature 365 tenant, as named in the Signature365 section
  • LimitToGroups: The group containing the users to be imported into this Signature 365 tenant. This must be entered as the ObjectID listed in Entra ID

The config.json file should then be saved, and the service restarted to trigger an initial import run.