
Synchronization with Microsoft Entra

Synchronization with Microsoft Entra covers the following attributes: first name, last name, email address, login, department, manager, status (disabled), PreferredLanguage and Country. The synchronization is one-way only: from Microsoft Entra to 2LRN4, never the other way around.

Please note:

  • Azure import is the basic level, which allows departments to be changed in the future using all available options.
  • CSV import is the next level, which restricts department changes made via Azure import.
  • Administrator assignment is the highest level, which blocks changes via imports entirely. If a department is assigned by an administrator, it cannot be modified via imports.

Instructions

Step-by-step instructions to synchronize 2LRN4 with your Microsoft Entra ID (via the Azure Graph menu).

  • You need at least a Microsoft Azure Premium P1 license.
  • If you create new departments, you still need to enroll them in the appropriate categories and courses.

  1. Go to https://portal.azure.com/#home.
  2. Click Microsoft Entra ID.
  3. Create a security group in Microsoft Entra containing all users who need access to 2LRN4.

    • Navigate to Groups and select New Group.
    • Enter the group name and properties.
    • Add one test user to verify the connection later.

    Preferably create separate groups per role (e.g. admin, manager, user). Start with one user and expand later.

  4. Return to Home and open More services.
  5. Select Identity from the left-hand menu.
  6. Open Enterprise applications and click New application.
  7. Choose Create your own application, give the app a name, and select registration for Microsoft Entra ID.

  8. Select Multitenant (accounts in any organizational directory) and register the app (leave Redirect URI empty).
  9. Go to App registrations and open your newly created app.
  10. Open Certificates and secrets and create a New client secret.
  11. Copy the Secret value and store it securely (you will need it in 2LRN4).
  12. Copy the Application (client) ID.
  13. Add the required API permissions and grant Admin consent.
  14. Assign the previously created security group under Users and groups in the Enterprise application.
  15. Copy the Tenant ID from Microsoft Entra (you will need it in 2LRN4).
  16. Go to https://portal.2lrn4.com and open Azure Graph.
  17. Create a new Azure Graph configuration and enter the Tenant ID, Client ID and Client Secret.
  18. Test the synchronization via UsersImport from Azure AD.
  19. Warning: do not synchronize the admin group as “users”. This may lower permissions and lock you out.

Scheduling Azure AD synchronization

  1. Go to Azure Graph Schedules and create or edit a schedule.
  2. Create a separate schedule for each security group you want to synchronize (and per connection if you use multiple connections).
  3. Use the security group object ID as the Group ID, select the correct role and define the schedule.

Tip: schedule the admin group (customer/admin) last, for example 30 minutes after the other groups. This helps prevent and resolve permission conflicts.

Errors and solutions

Error message and possible solution:

  • Error: Invalid_client / unauthorized_client
    Solution: Most likely the Secret ID was copied instead of the Secret value. Create a new client secret and use the secret value.
  • Error: These users cannot be imported: invalid_client
    Solution: Check whether the token (client secret) is still valid and whether the Group ID is correct.
  • Error: Error 504 Gateway Time-out
    Solution: Check whether the token is still valid and try again.
  • Error: Azure client error
    Solution: Verify that the correct Application permissions have been added and that admin consent has been granted.
  • Error: Error 403: Action unauthorized
    Solution: You may have locked yourself out by synchronizing the wrong group with the wrong role. Contact support and use scheduled synchronizations.
  • Error: User(s) are not synchronized
    Solution: Check that the user has a unique email address and is a member of the synchronized security group.
  • Error: Disabled status is not synchronized
    Solution: Verify that the user is disabled in AD, has a unique email address, and is a member of the security group.
  • Error: Synchronization is not executed
    Solution: After creating or modifying a schedule, it can take up to 24 hours before it runs.
  • Error: Accounts are not removed after synchronization
    Solution: This is not an error. This functionality is intentionally disabled to prevent mistakes.
  • Error: Departments are not synchronized
    Solution:
      • Azure import is the basic level.
      • CSV import restricts changes originating from Azure import.
      • Administrator assignment or CSV import blocks changes via Azure import.
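The values collected in steps 11 to 17 (Tenant ID, Client ID, Client Secret) and the Group ID used in a schedule can be checked before anything is saved in 2LRN4, and the most common token errors can be matched to the table above. The script below is an added example, not code from 2LRN4 or from Microsoft; it assumes the public Microsoft identity platform v2.0 token endpoint and the client-credentials flow, uses constructed sample GUIDs that are not real credentials, and all function names are the example's own. It flags a Secret ID pasted where the Secret value belongs (the table's cause for invalid_client), builds the token request the Azure Graph connection makes, and maps an error response to the table's suggested solution. Only send_token_request() touches the network, and only when called explicitly.

```python
"""Pre-flight checks for a 2LRN4 Azure Graph configuration (added example, not product code)."""
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Public Microsoft identity platform endpoints for the v2.0 client-credentials flow.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"

# Tenant ID, Client ID, Group (object) ID and the Secret *ID* are all GUIDs;
# the Secret *value* is a longer opaque string and never matches this pattern.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")

# OAuth error codes from the support table, with the page's suggested solution.
ERROR_HINTS = {
    "invalid_client": "Most likely the Secret ID was copied instead of the Secret value, or the "
                      "client secret has expired: create a new client secret, use the secret value, "
                      "and check that the Group ID is correct.",
    "unauthorized_client": "Most likely the Secret ID was copied instead of the Secret value: "
                           "create a new client secret and use the secret value.",
}


def check_config(tenant_id, client_id, client_secret, group_id=None):
    """Return a list of problems found in the values before they are entered in 2LRN4."""
    problems = []
    if not GUID_RE.match(tenant_id or ""):
        problems.append("Tenant ID is not a GUID; copy it from Microsoft Entra.")
    if not GUID_RE.match(client_id or ""):
        problems.append("Client ID is not a GUID; copy the Application (client) ID, not the app name.")
    if not client_secret:
        problems.append("Client Secret is empty.")
    elif GUID_RE.match(client_secret):
        # A GUID here means the Secret ID column was copied, which the table names as
        # the usual cause of invalid_client / unauthorized_client.
        problems.append("Client Secret looks like the Secret ID (a GUID); use the Secret value instead.")
    if group_id is not None and not GUID_RE.match(group_id):
        problems.append("Group ID is not a GUID; use the security group's object ID.")
    return problems


def build_token_request(tenant_id, client_id, client_secret):
    """Build (url, form_fields) for the client-credentials token request; nothing is sent."""
    url = TOKEN_URL.format(tenant=tenant_id)
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    }
    return url, form


def classify_error(status, body):
    """Map an HTTP status and response body to the support table's suggested solution."""
    if status == 504:
        return "504 Gateway Time-out: check whether the token is still valid and try again."
    if status == 403:
        return ("403 Action unauthorized: possibly the wrong group was synchronized with the "
                "wrong role; contact support and use scheduled synchronizations.")
    try:
        code = json.loads(body).get("error", "")
    except (ValueError, TypeError, AttributeError):
        code = ""
    if isinstance(code, dict):  # Graph API style: {"error": {"code": ..., "message": ...}}
        code = code.get("code", "")
    return ERROR_HINTS.get(code, f"HTTP {status}: unrecognised error; see the support table.")


def send_token_request(tenant_id, client_id, client_secret, timeout=15):
    """Request a token for real (network access required); returns (status, body_text)."""
    url, form = build_token_request(tenant_id, client_id, client_secret)
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode()


if __name__ == "__main__":
    # Constructed sample values: the secret is a GUID, i.e. a Secret ID pasted by mistake.
    sample = {
        "tenant_id": "11111111-2222-3333-4444-555555555555",
        "client_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
        "client_secret": "99999999-8888-7777-6666-555555555555",
    }
    for problem in check_config(**sample):
        print("problem:", problem)
    # A constructed token-endpoint error body of the kind the table's first row describes.
    print(classify_error(401, '{"error": "invalid_client", "error_description": "..."}'))
```

Run the script with the sample values to see the Secret ID mistake flagged before a connection is attempted; replace the constructed values with your own and call send_token_request() only once check_config() returns no problems.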

Stuck?

Ask a question or book a short demo. We’ll help you move forward.