INTEGRATION – MICROSOFT AZURE
USER IMPORTS AND AUTHENTICATION (SAML 2.0) FOR PROOFPOINT PROTECTION SERVER
Update Window
We recommend only making changes during a well-planned change control window.
• Some of the Azure Active Directory (AD) features shown or listed are based on an AD plan level. Please refer to your Microsoft Azure AD documentation for more information concerning your plan level.
• Microsoft Azure Active Directory’s administration interface can change; refer to Microsoft documentation for configuration details.
As-is Instructions
Because we do not directly support Microsoft Azure AD, these instructions are given as-is.
An example template (with sample values filled in) is available on the following page.
Copy the below template to a text document to record your Proofpoint and Azure values.
Values from Azure (note that the field names differ between Proofpoint and Azure):
Login URL (Identity Provider URL):
Azure AD Identifier (Identity Provider Entity ID):
Certificate (Base64):
Values from Azure (note that the field names differ between Proofpoint and Azure):
Login URL (Identity Provider URL):
https://login.microsoftonline.com/4c5938e3-3ea0-4934-820a-c17142e4c203/saml2
Azure AD Identifier (Identity Provider Entity ID):
https://sts.windows.net/4c5938e3-3ea0-4934-820a-c17142e4c203/
Certificate (Base64):
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
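As an added check that is not part of this guide, the following Python script parses a worksheet saved as plain text in the layout shown above (an assumption) and verifies that the Login URL and Azure AD Identifier carry the same tenant GUID and that the certificate is a Base64-encoded DER blob between PEM markers; the sample worksheet inside it is constructed from the guide's sample tenant GUID with a stand-in certificate body.

```python
import base64
import re
TENANT = r"([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})"  # tenant segment must be a GUID
LOGIN_URL_RE = re.compile(rf"^https://login\.microsoftonline\.com/{TENANT}/saml2$")  # shape from sample
ENTITY_ID_RE = re.compile(rf"^https://sts\.windows\.net/{TENANT}/$")  # shape from sample
LABELS = (("Login URL (Identity Provider URL)", LOGIN_URL_RE),
          ("Azure AD Identifier (Identity Provider Entity ID)", ENTITY_ID_RE))
# Constructed sample worksheet: the guide's sample tenant GUID plus a stand-in Base64 body (a five-byte DER SEQUENCE), not a real certificate.
SAMPLE_WORKSHEET = """Login URL (Identity Provider URL):
https://login.microsoftonline.com/4c5938e3-3ea0-4934-820a-c17142e4c203/saml2
Azure AD Identifier (Identity Provider Entity ID):
https://sts.windows.net/4c5938e3-3ea0-4934-820a-c17142e4c203/
Certificate (Base64):
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----"""

def parse_worksheet(text):
    """Map each label (a line ending in ':') to the non-empty lines that follow it."""
    values, label = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.endswith(":"):
            label = line[:-1]
        elif label is not None:
            values.setdefault(label, []).append(line)
    return values

def check_worksheet(text):
    """Return the problems found; an empty list means the worksheet values are consistent."""
    ws, problems, tenants = parse_worksheet(text), [], []
    for label, rx in LABELS:
        m = rx.match("".join(ws.get(label, [])))
        if m:
            tenants.append(m.group(1))
        else:
            problems.append(f"{label}: not in the expected form (check the tenant GUID for stray characters)")
    if len(set(tenants)) > 1:
        problems.append("tenant ID differs between Login URL and Azure AD Identifier")
    pem = ws.get("Certificate (Base64)", [])
    if pem[:1] != ["-----BEGIN CERTIFICATE-----"] or pem[-1:] != ["-----END CERTIFICATE-----"]:
        problems.append("Certificate: missing PEM BEGIN/END markers")
    else:
        try:
            der = base64.b64decode("".join(pem[1:-1]), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            der = b""
        if not der.startswith(b"\x30"):  # a DER X.509 certificate starts with a SEQUENCE tag
            problems.append("Certificate: body is not Base64-encoded DER")
    return problems
```

Run check_worksheet on the text of your completed worksheet; a stray space pasted into a GUID, mismatched tenants between the two URLs, or a certificate pasted without its BEGIN/END lines are each reported separately.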
1. Log into the Azure Portal (https://portal.azure.com) then click Azure Active Directory
2. Click App registrations from the menu on the left (you may need to expand the menu to find the option)
5. Make note of your Application ID (Client ID) and the Directory ID (Tenant ID) in the integration worksheet document mentioned previously.
7. Click APIs my organization uses and search for Windows Azure Active Directory, then select Windows Azure Active Directory.
NOTE: While the current version of the Azure user import uses the Azure Active Directory Graph API, future versions will be moving to the Microsoft Graph API. The next steps will provide permissions for use by future versions of user sync. We’ll add them now, so they don’t need to be modified later to allow future versions to work properly.
10. To add the Microsoft Graph API, again click Add a permission.
13. Scroll down until you see Directory. Expand Directory and select Directory.Read.All, then click Add permissions.
14. Apply the permissions by clicking Grant admin consent. You may need to confirm the changes.
16. Click Certificates & secrets, make sure Client Secrets is selected, then click New client secret.
17. Enter a description to identify the key and select an expiration time based on your organization’s policies, then click the Add button.
18. Once your key is displayed, copy the Key Value and document it on the Client Key (Client Key Value) line in the integration worksheet document mentioned in the previous section of this guide.
1. Log into the Proofpoint Admin Console and navigate to System (tab) -> User Management (module) -> Import/Auth Profiles
3. On the Add Profile page, select Azure Active Directory as the Data Source
5. Verify that Tenant ID, Client ID and Client Key are correct and click the Test button. If successful you will see: Successfully accessing <Your Tenant ID> at the top of the page.
6. Then click the Advanced tab and set Allow Mailing Lists without Owner to On. In the Command Options field, enter “-removeoldgroup” and “-report -to <email@address>” to have import results delivered to the specified address.
1. Log into the Proofpoint Admin Console and navigate to System (tab) -> User Management (module) -> Import/Auth Profiles
2. Select the checkbox next to the newly created Azure Import/Auth profile, and then click the Import button.
3. Click the Import Now button at the bottom of the pop-up window.
Depending on the browser you may not get visual feedback of the button being pressed. The import window can be safely closed after ~30 seconds; the import will continue in the background. Depending on the number of objects and groups to be imported, the process could take up to several hours to complete.
5. Once the import has been verified as successful, it can be scheduled. Click the Schedule button for the Azure AD import profile.
6. In the Type field, select Time. In the Time field, select the time you’d like to schedule the import to run. In the Days field, select the days you’d like to run the import (commonly Every Day or Weekdays Only)
7. Select >> to add the time to be scheduled and click Save Changes
8. Additional times can be scheduled by clicking on the scheduled time for the profile. Please use caution to ensure that additional imports are not scheduled to start before a previous import completes. The duration can be found in the status email sent after each import to the “-report -to” address specified.
1. Log into the Proofpoint Admin Console and navigate to System (tab) -> End User Services (module) -> Web Application
2. Make note of the End User Web Application - Access URL as the Sign-on URL in the integration worksheet document mentioned previously.
5. In the Add Profile pop-up window, select SAML 2.0 for the Data Source
1. Log into the Azure Portal (https://portal.azure.com) then click Azure Active Directory
2. Click App registrations from the menu on the left (you may need to expand the menu to find the option)
6. Select Properties from the menu on the left, set Assignment required to No, then click Save
11. In the Set up <your app name> (Section 4), make note of the Login URL and Azure AD Identifier in the integration worksheet document mentioned previously
1. In the Add Profile pop-up window on your Proofpoint Protection Server, enter the following values from the Integration Worksheet obtained in the previous section:
Add the Azure AD Identifier to the Identity Provider Entity ID field
Add the Login URL to the Identity Provider URL field
2. To import the certificate downloaded in the previous section, click the Browse button, select the certificate, then click Upload. The certificate should now be displayed in the Primary IdP Signing Certificate field.
1. Log into the Proofpoint Admin Console and navigate to System (tab) -> Administrator (module) -> Password Policy
3. Your browser will be directed to Azure to authenticate. Once logged in via Azure, your browser should be directed back to your Proofpoint Protection Server, and you will be taken to the Proofpoint Admin Console.
4. If you aren’t properly logged in, review the Microsoft Azure Single Sign-On section, and/or contact your Support or Professional Services Consultant for additional assistance.
1. Log into the Proofpoint Admin Console and navigate to System (tab) -> User Management (module) -> Authentication
2. Connect to your Proofpoint End User Web portal via the Sign-on URL on the Integration Worksheet
3. Your browser will be directed to Azure to authenticate. Once logged in via Azure, your browser should be directed back to your Proofpoint Protection Server, and you will be taken to the Proofpoint End User Web Portal
4. If you aren’t properly logged in, review the Microsoft Azure Single Sign-On section, and/or contact your Support or Professional Services Consultant for additional assistance.