
Synchronization via AAD Sync App

This is the preferred way to synchronize Azure AD with Retarus and should be sufficient for most use cases.

Requirements

  • Requires a valid license for Microsoft Azure Active Directory that includes access to the Microsoft Graph API. Such a license is typically included with all Microsoft 365 licenses.

Implementation via the Azure App

Setting up synchronization via the AAD Sync App involves just a few simple steps:

1. Log in to Azure via the Retarus Login page
image-20240621-110834.png
  • Confirm the terms and conditions by clicking on the checkbox.

  • You are forwarded to the Microsoft sign-in page of your Azure tenant, where you have to log in with an account that is allowed to grant tenant-wide admin consent (a Global Administrator, or another role that Microsoft permits to grant admin consent).

image-20240621-110909.png
2. Request Azure Permissions
  • A new window lists the permissions that the Retarus AAD Sync app requests. Check that this list matches the permissions documented under “Synchronization data” below before you continue.

  • By clicking on Accept you grant tenant-wide admin consent to the Retarus app. The consent covers all users of the tenant and can be reviewed or revoked later under Enterprise applications in your Azure account.

image-20240621-110938.png
  • The Retarus AAD Sync app should now be listed under Enterprise applications in your Azure account.

image-20240621-111006.png
3. Prepare the synchronization
  • The setup on the Azure side is complete.

  • Next: please contact Retarus to activate the synchronization. Data is only synchronized once Retarus has activated it.
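To verify the result of step 2 in your own tenant, the following added example (not Retarus's code) uses the Microsoft Graph PowerShell SDK to list what the Retarus enterprise app was actually granted and to compare it with the three read-only permissions documented under “Synchronization data”. It assumes that the app's display name in your tenant starts with “Retarus” (adjust $AppDisplayName if it differs) and refers to the permissions by their Microsoft Graph values (User.Read.All, MailboxSettings.Read, GroupMember.Read.All), which correspond to the display names shown in the consent prompt.

```powershell
# Added example, not Retarus code: audit what the Retarus AAD Sync enterprise app was
# granted in your tenant. Needs the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Assumption: the app's display name starts with "Retarus"; adjust if it differs in your tenant.
$AppDisplayName = 'Retarus'

# Reading service principals and their grants needs Application.Read.All.
Connect-MgGraph -Scopes 'Application.Read.All'

# Locate the enterprise app (the service principal that admin consent created).
$sp = @(Get-MgServicePrincipal -Filter "startswith(displayName,'$AppDisplayName')")
if ($sp.Count -ne 1) { throw "Expected exactly one app matching '$AppDisplayName', found $($sp.Count)." }
$sp = $sp[0]

# Application permissions granted by admin consent are stored as app role assignments on
# the client service principal; each AppRoleId resolves against the resource's AppRoles list.
$resourceCache = @{}
$granted = foreach ($a in (Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)) {
    if (-not $resourceCache.ContainsKey($a.ResourceId)) {
        $resourceCache[$a.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    }
    $role = $resourceCache[$a.ResourceId].AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
    [pscustomobject]@{
        Resource    = $a.ResourceDisplayName
        Permission  = $role.Value          # Graph value, e.g. User.Read.All
        Description = $role.DisplayName    # display name as shown in the consent prompt
    }
}
$granted | Format-Table -AutoSize

# The three read-only Graph permissions the documentation lists, by their Graph values.
$expected    = 'User.Read.All', 'MailboxSettings.Read', 'GroupMember.Read.All'
$graphGrants = @($granted | Where-Object { $_.Resource -eq 'Microsoft Graph' })
$extra       = @($graphGrants | Where-Object { $_.Permission -notin $expected })
$missing     = @($expected    | Where-Object { $_ -notin $graphGrants.Permission })
if ($extra)   { Write-Warning "Granted beyond the documented set: $($extra.Permission -join ', ')" }
if ($missing) { Write-Warning "Documented but not granted: $($missing -join ', ')" }

# An integration that only uses application permissions needs no delegated (user-context)
# grants; any OAuth2 permission grant for this client deserves a second look.
$delegated = @(Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'")
if ($delegated) { Write-Warning "Delegated grants present: $($delegated.Scope -join ' ')" }
```

Run the script with an account that can read application objects; it changes nothing in the tenant. A warning about additional permissions means the consent prompt showed more than the documented set, which is worth clarifying with Retarus before activating the synchronization.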

Architecture

Retarus AAD Sync Service operates via a so-called “enterprise app” inside the Azure environment. As a customer, you have to add this app to your account and grant it permissions to read the required user data from your Azure Active Directory. The enterprise app in your tenant does not contain or execute any code; it is only the identity and permission grant through which the synchronization interface is allowed to read your data. The actual reading of the data happens over the Microsoft Azure “Graph” API.

image-20240621-101131.png

Synchronization data

As displayed during the installation and afterwards in the details of the Retarus AAD Sync app in your Azure account (Enterprise applications, Permissions), the Retarus AAD Sync app needs the following Microsoft Azure permissions (Microsoft Graph application permissions) to work:

  • Read all users’ full profiles (Graph permission User.Read.All)

  • Read all user mailbox settings (Graph permission MailboxSettings.Read)

  • Read all group memberships (Graph permission GroupMember.Read.All)

These permissions grant read-only access to more user data than the service needs. Retarus requests and synchronizes only the following data, which is mandatory for the service to work:

  • Domains

  • Email addresses
    → Email addresses may include generic addresses like “room mailboxes” or “equipment mailboxes” defined in Microsoft 365.

  • Alias email addresses
    → Alias email addresses defined in Microsoft 365 are used for the alias-to-primary quarantine mapping of Retarus Email Security: an email that is sent to an alias address and quarantined is placed in the user quarantine of the primary address.

  • Groups
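The following added example (not Retarus code) shows how the data set listed above is derived from directory objects: it takes objects shaped like Microsoft Graph user and group resources, reads their proxyAddresses attribute, and produces the domains, the primary addresses, and the alias-to-primary mapping. The sample users and the group at the bottom are constructed for the example; the address convention it relies on (upper-case “SMTP:” for the primary address, lower-case “smtp:” for aliases) is the one Exchange Online uses in proxyAddresses.

```powershell
# Added example, not Retarus code: build the synchronized data set (domains, primary
# addresses, alias addresses, group addresses, alias-to-primary mapping) from objects
# shaped like Microsoft Graph user and group resources. The sample objects at the bottom
# are constructed; live data would come from
#   Get-MgUser  -All -Property userPrincipalName,proxyAddresses
#   Get-MgGroup -All -Property displayName,proxyAddresses

function Get-SyncDataFromDirectory {
    param(
        [Parameter(Mandatory)] [object[]]$Users,
        [Parameter(Mandatory)] [object[]]$Groups
    )
    # proxyAddresses convention: the primary SMTP address carries an upper-case "SMTP:"
    # prefix, every alias a lower-case "smtp:" prefix; other prefixes (X500:, SIP:) are
    # not email addresses and are ignored.
    $primaries      = @()
    $aliasToPrimary = @{}
    # Group addresses are handled exactly like user addresses.
    foreach ($obj in @($Users) + @($Groups)) {
        $smtp    = @($obj.proxyAddresses | Where-Object { $_ -like 'smtp:*' })   # -like is case-insensitive
        $primary = @($smtp | Where-Object { $_ -clike 'SMTP:*' })                # -clike is case-sensitive
        if ($primary.Count -eq 0) { continue }   # no routable address (e.g. account without mailbox): nothing to sync
        $primaryAddr = ($primary[0] -replace '^SMTP:', '').ToLowerInvariant()
        $primaries  += $primaryAddr
        foreach ($entry in $smtp) {
            $addr = ($entry -replace '^smtp:', '').ToLowerInvariant()   # -replace is case-insensitive
            if ($addr -ne $primaryAddr) {
                # quarantined mail addressed to an alias lands in the primary address's quarantine
                $aliasToPrimary[$addr] = $primaryAddr
            }
        }
    }
    # Domains are derived from every synchronized address.
    $domains = @($primaries + @($aliasToPrimary.Keys) | ForEach-Object { $_.Split('@')[1] } | Sort-Object -Unique)
    [pscustomobject]@{
        Domains          = $domains
        PrimaryAddresses = @($primaries | Sort-Object -Unique)
        AliasToPrimary   = $aliasToPrimary
    }
}

# Constructed sample directory objects (not real tenant data).
$users = @(
    @{ userPrincipalName = 'alice@example.com'
       proxyAddresses    = @('SMTP:alice@example.com', 'smtp:a.smith@example.com', 'smtp:alice@example.net',
                             'X500:/o=ExchangeLabs/ou=Exchange Administrative Group/cn=Recipients/cn=alice') }
    @{ userPrincipalName = 'room1@example.com';  proxyAddresses = @('SMTP:room1@example.com') }   # room mailbox
    @{ userPrincipalName = 'nomail@example.com'; proxyAddresses = @() }                            # no mailbox
)
$groups = @(
    @{ displayName = 'Sales'; proxyAddresses = @('SMTP:sales@example.com', 'smtp:vertrieb@example.com') }
)

$result = Get-SyncDataFromDirectory -Users $users -Groups $groups
$result.Domains
$result.PrimaryAddresses
$result.AliasToPrimary
```

The account without a mailbox is skipped because it has no primary SMTP address, the room mailbox is synchronized like any other user address, and the group's alias maps to the group's primary address in the same way as a user alias does.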

The following data is not being synchronized:

  • Group owners defined in Microsoft 365 are not transferred. The group addresses themselves are synchronized (as described above) and treated in the same way as user addresses.

  • Dynamic distribution groups cannot be synchronized as they are not supported by the Microsoft Graph API.

  • Mail-enabled public folders cannot be synchronized as they are not supported by the Microsoft Graph API. You can add these addresses manually to the Retarus DirFilter Allowlist to make sure that emails to those recipient addresses are accepted.

  • Shared mailboxes cannot be synchronized as the Microsoft Graph API offers no permission that exposes shared mailboxes without also granting access to all users’ emails. You can add these addresses manually to the Retarus DirFilter Allowlist to make sure that emails to those recipient addresses are accepted.

  • Any other personal user data that could be used for the Signature/Disclaimer feature.
