Directory Synchronisation

This feature needs the ALL or User_Management role.

It only works with a correctly configured Azure app, see Azure Settings for Directory Synchronisation.

If there are already existing tasks, an overview of all tasks is displayed. Clicking on a task will show the log of the most recent synchronisation.
If there are no tasks yet, they need to be added via Add task.

Sections on this page:

Tasks overview

Tasks Overview

Column	Description
ID	Displays the ID generated when creating the task.
Name	Displays the task name.
Description	Displays the task description.
Type	Type of task. Currently only M365 is possible here. (The types LDAP and CSV might be implemented in the future.)
Periodic sync	Displays whether periodic sync is active.
Last sync	Time stamp of the last synchronisation
Success?	Displays if the sync was successful (yes/no).
Actions	Displays the actions performed.

Add a task

Select Add Task (usually one task per tenant is enough) and enter the necessary information in the three sections.

(1) Edit Task

Field	Description
Name	Enter a suitable name.
Description	Enter a suitable description. Both name and description will be displayed in the list of tasks.
M365 tenant ID	Enter the M365 tenant ID as copied during the Azure portal configuration.
Application (client) ID	Enter the Client ID as copied during the Azure portal configuration.
Client Secret Value	Enter the Client Secret as copied during the Azure portal configuration.
Client Secret Valid Until	Enter the date until which the Client Secret remains valid. Microsoft allows a maximum of 180 days.
Periodic sync	By default disabled. Only activate this if you have already configured groups for synchronisation. When enabled, a background service will run periodically to synchronize the data.
Disable missing users	By default disabled. If active, users missing in the synchronized directory will be disabled in the seppmail.cloud.

Click on Test Access to verify the access information.

If the test succeeds, click on Next. Otherwise correct the access credentials and click on Test Access again.

(2) Domains

This section is only available when the test access in the first section worked.

Field	Description
Domain	An available domain in this tenant.
Use in this task	Select if you want to enable this domain for synchronisation. Only domains which are validated on M365/Entra ID (next two fields) and validated in the seppmail.cloud (that means in the CRM SEPPmail, last field) can be selected. At least one domain has to be selected.
In directory	Indicates whether the Microsoft directory is informed about this domain. Possible values are validated / not validated.
directory validated?	"validated" is a term used by Microsoft. When adding a domain to M365, you have to add a special record in DNS to verify your claim that this is your domain. If correctly done, Microsoft considers this domain as validated. Possible values are yes / no.
in CRM?	Indicates whether SEPPmail has this domain in their CRM as a managed domain. Possible values are yes / no.

If this is the first time you are going through the configuration, or if you recently enabled additional domains, click on Refresh Domain List.

After selection, click on Save and then on Next.

(3) Directory Groups

Field	Description
Name	Name of the group
Sync	Select for synchronization.
edit / Actions	Edit and add the group actions. The actions can be reordered; the processing order starts from top.

Field

Description

Name

Name of the group

Sync

Select for synchronization.

edit / Actions

Edit and add the group actions.

The actions can be reordered; the processing order starts from top.

The editing process is as follows:

Mark the groups which you want to include in the synchronisation and click on Save.
For each group, click on edit, add the desired group actions (see below), and click on Save.
If you are fine with your selection and configuration of groups, click on Test.
If you are fine with the output of the test, you can enable the regular synchronisation on the Edit Task tab.

List of group actions

Action	Internal name	Description
Admin Roles	assignAdminRoles	Select the admin roles to assign to each user in the group (these are the same admin roles which may be set manually for internal users). This can also be empty to indicate that existing admin roles should be removed.
Crypto Settings	crypto	Select which cryptographic functions should be available to each user in the group. Must be one of SigEnc, SigOnly or None.
LFT Available	lftAvailable	Indicate whether LFT should be available to each user in the group. Boolean field.
LFT Quota	lftQuota	Specify (in Mbyte) the LFT quota available to each user in the group. Note that the per-user quota is enforced. If lftAvailable is False, the lftQuota is not used.
Login locked	loginLocked	Set to True to disable login to the seppmail.cloud portal for each user in the group.
Login Security Level	loginSecurity	Select which login security (besides the password) is used for each user in the group. Select one of none, sms, otp. We strongly suggest to use otp in most cases, especially for admin users.
Do not sync users in this group	noSync	If this is True, the members in the group are explicitly not synced (and the other settings are ignored).
Quarantine One-Click Release	quarOneClick	If the user quarantine is enabled, use the "one click" feature to grant access to the quarantine to release messages. This setting is ignored if quarantine is not enabled (either because parallel mode is used, or because sending of quarantine reports is disabled).
Send Quarantine Report at...	sendQuar	Set the time(s) at which a quarantine report should be sent. To disable sending, an empty list may be provided.
Send Admin Quarantine Report at...	sendQuarAdmin	Set the time(s) at which an admin quarantine report should be sent - this is only evaluated if the user has an admin role. To disable sending, an empty list may be provided.
Send Quarantine Report if empty	sendQuarEmpty	Set to True to also send a quarantine report if it is empty. This should usually be turned off since it may annoy users. It may be enabled for users who are particularly sensitive to mails "lost" in a quarantine.
Disable Users	usersDisabled	If this is set to True, all users in this group are set to a disabled state. This overrides all other actions for a group.

Recommended setup of groups and actions

Give all groups descriptive names. Unless you have specific naming conventions, we recommend to use a prefix and name that clearly defines the groups purpose (for example "seppmail.cloud admin users").

Every user should be in only one synchronised group. It is perfectly fine to use an existing or built-in group. However, if a user exists in multiple groups, the settings from the (alphabetically) first group are used, which may or may not be the desired effect.

Suggested groups:

A group which will hold all users you wish to disable, for example users who left the company. Only a single action should be added (usersDisabled set to True).
A group which will hold all admin users. Please ensure to set loginSecurity to otp for these users. If the admin users are also end users, you should include the actions of Sign/Encryt and LFT. It is possible to create admin users without crypto or other functions, especially if specific admin accounts are used (as opposed to regular end-user accounts). If the admin accounts are not used for actual outgoing email, they are not charged.
A group which will hold all users who have the "Sign and Encrypt" option. Set LFT and quarantine settings as required.
A group which will hold all users who have "Sign-Only" option. Set LFT and quarantine settings as required.
If you have users which should not have their settings synchronised from the directory, but retain any manual settings you provided for them under User Management in the seppmail.cloud portal, we suggest to create a group for users with noSync set to True.