Active Directory Synchronization
Context
Avanteam enables identity management automation through synchronization with your enterprise directory (AD/LDAP).
Prerequisites
- Service account with read permissions on Active Directory
- Access to administration tools (SyncTool, AdminTools)
- For Azure AD: Application registered in Azure portal with appropriate permissions
- System administration rights
Operating Principle
- Automation: Accounts are automatically created or updated during first login (via ADFS/SSO) or by a nightly scheduled task (SynchroADFS).
- "Network" Origin: When this mode is active, certain user profile fields are read-only (grayed out) because they are directly managed by your IT department (e.g., Name, Email, Department).
- Attribute Mapping: Synchronization automatically retrieves key metadata:
- Manager: To build the organizational chart without manual entry.
- Service/Company: To assign the user to the correct structure node.
- Single Sign-On (SSO): Users don't need to enter a password in Avanteam; the system recognizes their open Windows session.
Technical Implementation of AD Sync
Configuration is typically performed via the SyncTool or in advanced directory settings:
Connection
Enter the LDAP path (e.g., LDAP://DC=mycompany,DC=com) and credentials for a service account with read permissions on AD.
Extraction Filters
Define rules to target users (e.g., (&(objectCategory=person)(objectClass=user)(memberOf=CN=Avanteam_Group,...)).
Field Mapping
Associate AD attributes with Avanteam fields:
- sAMAccountName → Username
- mail → Email
- manager → Manager
Scheduling
Enable the synchronization agent to automate updates (daily frequency recommended).
Azure AD Synchronization
For cloud environments, Avanteam also offers synchronization with Azure Active Directory.
Access: Menu Tools > AdminTools > Select SynchroAzureAD from the dropdown list.

Technical Connection Parameters
These fields establish the secure link with your application registered in the Azure portal:
- Use configuration from Web.config: If checked, the system ignores the fields below and uses technical parameters entered directly in the server configuration file.
- Resource URI: The Microsoft Graph resource identifier (typically https://graph.microsoft.com).
- Client ID: The Application ID generated when creating the application in Azure AD.
- Authority: The authentication service URL (e.g., https://login.microsoftonline.com/).
- Tenant ID: The unique identifier of your Azure AD directory (Directory ID).
- Secret: The secret key (Client Secret) generated in Azure to authorize the connection.
Synchronization Filter Configuration
You can precisely define who should be imported:
- Resource Type: Allows choosing between synchronizing Users or Groups.
- CN / DN Attribute: Identifies the Azure properties to use as "Common Name" and "Distinguished Name" (typically displayName and id).
- Filter: Allows entering an OData query to restrict the import (e.g., import only users whose department is "Quality").
- Group Filter: Allows synchronizing only members belonging to a specific Azure AD group.
Property Mapping
This section defines the correspondence between Azure data and Avanteam fields:
- Object Property: The source property in Azure AD (e.g., mail, givenName, surname).
- APS Property: The destination field in the Avanteam user profile (e.g., Email, First Name, Last Name).
- Property Format: Defines if the data requires special processing (Text, Date, etc.).
Synchronization Actions
- PREVIEW RESULT: Displays the list of users who would be affected without making actual changes. Essential for verifying your filters.
- GENERATE RESULT (THIS FILTER): Runs import/update only for the currently selected filter.
- GENERATE RESULTS (ALL FILTERS): Runs a global synchronization by chaining all configured rules.
A poorly configured synchronization can disable a large number of users or create duplicates. Always use the Preview button before running an actual generation.
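As an added example (not Avanteam's code and not the SyncTool's implementation), the following Python models three stages described on this page: the extraction filter from the AD sync section, the sAMAccountName/mail/manager field mapping, and a dry-run preview that flags a run which would disable a large share of existing accounts, the failure mode warned about above. The directory entries, existing usernames, group DN and the 20% disable threshold are constructed for the illustration.

```python
# Added illustration (not Avanteam's code): the filter, mapping and preview
# stages of the AD sync described above, run offline on constructed data.

FIELD_MAP = {"sAMAccountName": "Username", "mail": "Email", "manager": "Manager"}

# Constructed sample entries, shaped like an LDAP search result
SAMPLE_AD_ENTRIES = [
    {"sAMAccountName": "alice", "mail": "alice@example.test",
     "manager": "CN=bob,OU=Users,DC=example,DC=test"},
    {"sAMAccountName": "bob", "mail": "bob@example.test", "manager": None},
    {"sAMAccountName": "carol", "mail": "carol@example.test",
     "manager": "CN=bob,OU=Users,DC=example,DC=test"},
]
# Constructed usernames already present in Avanteam
EXISTING_USERNAMES = ["alice", "bob", "dave", "erin", "frank"]

def ldap_escape(value: str) -> str:
    """Escape characters that would change an LDAP filter's meaning (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def build_filter(group_dn: str) -> str:
    """Build the page's user filter; group_dn is a caller-supplied value."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(memberOf={ldap_escape(group_dn)}))")

def map_entry(entry: dict) -> dict:
    """Apply FIELD_MAP to one directory entry (missing attributes become None)."""
    return {target: entry.get(source) for source, target in FIELD_MAP.items()}

def preview(entries, existing, max_disable_ratio=0.2):
    """Dry run: what a real run would create, update and disable.
    Flags the run unsafe when more than max_disable_ratio of the existing
    accounts would be disabled (threshold is an assumed value)."""
    mapped = {m["Username"]: m for m in map(map_entry, entries) if m["Username"]}
    current = set(existing)
    disable = sorted(current - set(mapped))
    ratio = len(disable) / len(current) if current else 0.0
    return {"create": sorted(set(mapped) - current),
            "update": sorted(set(mapped) & current),
            "disable": disable,
            "safe": ratio <= max_disable_ratio}

if __name__ == "__main__":
    print(build_filter("CN=Avanteam_Group,OU=Groups,DC=mycompany,DC=com"))
    print(preview(SAMPLE_AD_ENTRIES, EXISTING_USERNAMES))
```

With the constructed data, the preview reports one creation, two updates and three disables out of five existing accounts, so the run is flagged unsafe; a filter that is too narrow shows up here before any account is touched.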