Troubleshooting the EDS

Sync Issues

1.1 Incorrect Configuration (Web)

On My1Login web, the Entra Directory screen must be filled out with the following details:
  • Tenant ID (needed to identify which Azure Tenant to sync from)
  • Filter (needed to identify which Administrative Unit or Group to filter from).
    Ensure Filter values are correct.
    Each filter string must be enclosed in its own parentheses; multiple filter strings are placed one after another. Possible Filter values include:

    • (AU=<Admin_Unit_Name_1>)

      • gets users and groups within an Admin Unit

    • (Group=<Group_Name_1>)

      • gets users and groups within a group

    • (AU=<Admin_Unit_Name_1>,Group=<Child_Group_Name>)

      • gets users from a child group (within an Admin Unit)

    • (Group=<Parent_Group_Name>, Group=<Child_Group_Name>)

      • gets users from a child group (within a parent group)

    • (AU=<Admin_Unit_Name_1>,Group=<Parent_Group_Name>, Group=<Child_Group_Name>)

      • gets users from a child group (within a parent group which is within an Admin Unit)

    • (AU=<Admin_Unit_Name_1>,Group=<Group_1>)(AU=<Admin_Unit_Name_1>,Group=<Group_2>)

      • gets users from Group_1 and Group_2 (within the same Admin Unit)

    • (AU=<Admin_Unit_Name_1>,Group=<Group_1>)(AU=<Admin_Unit_Name_2>,Group=<Group_3>)

      • gets users from Group_1 and Group_3 (within different Admin Units)

  • Active - this checkbox should be checked to enable sync.
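
A quick way to sanity-check a Filter value before saving it, as an added example (not My1Login code). The function `check_filter` is hypothetical, and its grammar is inferred only from the filter shapes listed above; the product's own parser may accept more. Names containing commas or parentheses are not handled.

```python
import re

# Grammar inferred from the filter examples on this page (an assumption; the
# product's own parser may be more lenient): one or more "(...)" clauses, each
# a comma-separated list of AU=<name> / Group=<name> terms, AU first if present.
CLAUSE_RE = re.compile(r"\(([^()]*)\)")
ALLOWED_KEYS = ("AU", "Group")


def check_filter(text):
    """Return (clauses, problems); each clause is a list of (key, name)."""
    clauses, problems = [], []
    text = text.strip()
    if not text:
        return clauses, ["filter is empty"]
    # Whatever remains after removing well-formed clauses is stray text
    # or an unbalanced parenthesis.
    leftover = CLAUSE_RE.sub("", text).strip()
    if leftover:
        problems.append(f"text outside balanced parentheses: {leftover!r}")
    for index, match in enumerate(CLAUSE_RE.finditer(text), start=1):
        terms = []
        for raw in match.group(1).split(","):
            key, sep, name = (part.strip() for part in raw.partition("="))
            if not sep or not key or not name:
                problems.append(f"clause {index}: {raw.strip()!r} is not key=name")
            elif key not in ALLOWED_KEYS:
                problems.append(f"clause {index}: unknown key {key!r}")
            else:
                terms.append((key, name))
        au_at = [i for i, (key, _) in enumerate(terms) if key == "AU"]
        if len(au_at) > 1 or (au_at and au_at[0] != 0):
            problems.append(f"clause {index}: expected at most one AU, listed first")
        clauses.append(terms)
    return clauses, problems


if __name__ == "__main__":
    # Constructed inputs: one valid filter and three common mistakes.
    for sample in ("(AU=Sales,Group=Managers)(AU=HR,Group=Staff)",
                   "AU=Sales,Group=Managers",
                   "(AU=Sales,Group=Managers",
                   "(AU=Sales)(Grp=Managers)"):
        print(sample, "->", check_filter(sample)[1] or "ok")
```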

 

The OIDC button must also be configured with the IDP URL, Issuer, Client ID and Client Secret.



More information on Web config can be found in the setup documentation: Entra Directory Sync (EDS)

1.2 Incorrect Configuration (EDS)

  • After logging in to the EDS, most configuration values will populate automatically from the web.

    • Client ID and Secret must be entered manually

    • Client ID/Secret values can be tested by saving, running the EDS, and clicking the Test Settings button on the Entra Directory screen. If the EDS can communicate with the Azure Tenant, the user will see a success notification, or an error notification otherwise.

  • EDS will fail to start if there are any configuration issues.

1.3 Incorrect Configuration (Azure)

  • If the EDS logs report any Microsoft OData errors, this indicates that the EDS application within Azure does not have sufficient rights to fetch user/group/AU data. Ensure that the Azure application has the correct permissions. Information on how to add permissions can be found here: Create EDS Application in Azure - Step 6

1.4 User has no email address set

If only a few select users are not syncing, check their properties in Azure to ensure each user has an email address set. The email address is used as the username on My1Login, and so is required.

Most users will automatically have their Entra ID email address associated with their account; however, in some cases this seems to be bypassed (e.g. tenant owners seem to be missing email addresses, which have to be added manually).

 

Email field must contain a value for users to be able to sync

Login Issues

Users are presented with this screen when login issues occur

2.1 Incorrect Configuration (Azure)

After logging in with Microsoft, if the following screen appears, there is an issue with the redirect URL. Check that the redirect URL set up in the EDS app in the Azure Portal is correct. Details on EDS app configuration can be found here: Create EDS Application in Azure - Step 4

Error screen from Microsoft stating that the redirect URL has been wrongly configured in Azure

Expired Client Secret

  • Client secrets expire; the lifespan is set when the secret is created

  • An expired client secret will impact both sync and seamless SSO

  • Check client secret: Azure | Microsoft Entra ID | App Registrations | All Applications | My1Login | Clients and Secrets

  • If it has expired, create a new secret (+ new secret)

  • Update the secret on the My1Login Security OIDC config page and also in the EDS Admin UI under Server Settings
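
To catch an expiring secret before sync and SSO break, the check above can be scripted. This added example (not My1Login code) classifies the `passwordCredentials` entries of a Microsoft Graph application object by their `endDateTime`; the sample JSON is constructed, and `secret_report` and its `warn_days` threshold are hypothetical names.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample shaped like a Microsoft Graph application object
# (GET /applications/{id}); the names, key IDs and dates are made up.
SAMPLE_APP_JSON = """
{"displayName": "My1Login",
 "passwordCredentials": [
  {"displayName": "eds-old", "keyId": "00000000-0000-0000-0000-000000000001",
   "endDateTime": "2024-01-15T00:00:00Z"},
  {"displayName": "eds-current", "keyId": "00000000-0000-0000-0000-000000000002",
   "endDateTime": "2024-07-01T09:30:00.1234567Z"},
  {"displayName": "eds-next", "keyId": "00000000-0000-0000-0000-000000000003",
   "endDateTime": "2026-01-15T00:00:00Z"}]}
"""


def parse_graph_time(value):
    """Parse a Graph UTC timestamp, dropping any fractional seconds."""
    value = re.sub(r"\.\d+", "", value).replace("Z", "+00:00")
    return datetime.fromisoformat(value)


def secret_report(app, now, warn_days=30):
    """Return (name, status, days_left) per client secret, soonest expiry first."""
    rows = []
    for cred in app.get("passwordCredentials", []):
        end = parse_graph_time(cred["endDateTime"])
        days_left = (end - now).days
        if end <= now:
            status = "expired"
        elif days_left <= warn_days:
            status = "expiring"
        else:
            status = "ok"
        rows.append((cred.get("displayName") or cred["keyId"], status, days_left))
    return sorted(rows, key=lambda row: row[2])


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for name, status, days_left in secret_report(json.loads(SAMPLE_APP_JSON), now):
        print(f"{name:12} {status:9} {days_left:5d} days")
```

The report only shows which secrets exist on the app registration; it cannot tell which one is entered in My1Login or the EDS, so compare against the secret you configured.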

