Introduction
In this step, we’ll configure the synctool so it can connect both to Microsoft Entra ID (previously called Azure AD) and the Workspace.
All the data you have collected in the first two steps can be filled in the configuration UI tool. You can find this tool in the downloaded Workspace 365 synctool folder. When you unzip the folder, the name of the file is:
Configuration UI synctool
Let's get started
To disable the welcome page, uncheck checkbox at the bottom of the page. You can change the default language to Nederlands or English. Click Next to continue.
Connect to Azure AD
To connect the Azure AD synctool to Microsoft Entra ID, fill in the fields below. Click Next when all information is entered. Here, the connection to the entered information/Microsoft Entra ID will be validated.
Tenant ID
Tenant name
Application (client) ID
Client secret (value)
Environment settings
To add a new environment, fill in the following and click on 'Save' when you're done:
Your Workspace site URL: this is the workspace base URL where all the environments are hosted on, mostly 'https://{companyname}.workspace365.net'.
Environment name: this must match exactly with the environment name in Workspace 365 and can be retrieved from the Workspace 365 URL, e.g. 'https://portal.workspace365.net/john -> john'.
The environment name must be lower case.
Sync API authentication token: this must match with the Workspace 365 environment 'Users & groups' > 'User provisioning' > API key (step 2).
Filtering
Accidently included the wrong group and/or domain in filtering? No worries! You may follow these steps:
Uncheck the checkbox for that specific group and/or domain.
Click 'Save'.
Wait for the periodical sync to begin and has finished, or restart the synctool service yourself.
The corresponding users will then be automatically removed and won't be able to sign into Workspace. The removed users will be present under the "deleted users" list under 'User Management' and will be removed permanently after 30 days (of course these users will not be deleted from Microsoft 365!).
Changed your mind or want to add to a specific group and/or domain? Follow these steps:
Check the checkbox for that specific group and/or domain.
Click 'Save'.
Wait for the periodical sync to begin and has finished, or restart the synctool service yourself.
The corresponding users will be now be added to the Workspace environment.
Domain filtering
You can choose the desired filtering options. If you leave both unchecked, domain- and group filtering, it will sync all users and groups.
If you want to enable domain filtering, check the enable domain filtering checkbox. This will expand and show all domains and subdomains within the current domain.
You can make a selection of the desired domains you want to sync. All users with the domain prefix selected will be synced in this case:
Will not be synced:
Group filtering
If you want to enable group filtering, check the enable group filtering checkbox. This will expand and show all groups within this current domain.
We do not support nested groups.
Here you can make a selection of the desired groups you want to sync. All users within the selected group and the group itself will be synced in this case:
All members of ‘Anton League’
All members of ‘prefix1demo_1’
Group ‘Anton League’
Group ‘prefix1demo_1’
Will not be synced:
All other groups that are unchecked including the users
Domain- and group filtering
It is possible to combine both, domain- and group filtering, as shown below:
We have the following active directory structure:
24631 development
Anton League
App search
prefix1demo_1
If domain filtering is enabled and the following checked:
onmicrosoft.com
If group filtering is enabled and the following is checked:
Anton League
prefix1demo_1
The following users and groups will be synced:
All members of ‘Anton League’ with the ndawdev.onmicrosoft.com domain
All members of ‘prefix1demo_1’ with the ndawdev.onmicrosoft.com domain
Group ‘Anton League’
Group ‘prefix1demo_1’
Will not be synced:
All other groups and domains that are unchecked including the users
Synchronization settings
Click on preferences to open the synchronization settings menu.
You can set the synchronization type to Periodical or Once a day. If you choose to set the synchronization type to 'Periodical' you need to define the interval in hours and/or minutes. If you choose to set the synchronization type to 'Once a day', you need to define at which time you want to run the sync.
If you set the synchronization type to Once a day, you cannot perform a manual sync.
When set to Periodical, you can perform a manual sync.
Clear cache
What is caching? And how does it work?
Why do we have caching? Well, caching makes things much faster. Instead of syncing every user object from scratch, the Azure AD synctool will only check for changes, and only these changes will be handled by the synctool and written to the cache. The cache can be seen as the synctool's "memory". When you clear the synctool's cache, you basically clear the synctool's memory and thus the entire user history. Unfortunately you cannot look into the cache history.
When you make user changes like adding or removing users in Microsoft Entra ID, these changes are written to the synctool's cache. That is, when the sync from the User provisioning settings in Workspace is enabled.
AD sync in Workspace disabled
But what happens when you disable the sync and make manual user changes in Workspace 365? For example, you removed a user in Workspace from a group that is being synchronized while the sync was disabled in Workspace. As a consequence, this user change will not be written to the cache. In other words, the cache still thinks the user exists in Workspace.
So, what happens when you made a mistake and want to re-add that same user? It doesn't matter if you also deleted the user from the deleted user list, the cache still thinks the user exists in Workspace and, as a consequence, the synctool will not sync the user.
Why do we want to avoid clearing the cache?
If users are not being updated or added to specific groups, clearing the cache may fix this issue. However, we have seen that clearing the cache may cause user discrepancies later on and it can take a long time to sync all user objects, especially in large environments, and is generally too resource-intensive.
So how can I fix user synchronization issues, without clearing the cache?
You need to make sure that Microsoft Entra ID is in correspondence with Workspace. If you deleted or added a user from a group in Workspace, you need to do the same in your Microsoft Entra ID.
Make sure you enable the sync in Workspace under the User provisioning settings.
Restart the synctool's Windows service.
Wait for the sync to complete. When complete, the cache is up to date.
Now you can make user changes in Microsoft Entra ID. If you had filtering disabled, you can create a new group of users in Microsoft Entra ID and sync it to Workspace.
What do I need to take into account when I still want to clear the cache?
Do not clear the cache as first solution! If you clear the cache, please make sure you run the latest version of the Azure AD synctool. Please contact support when you're in doubt.
If groups are not being synced accordingly, try disabling filtering first and run a full sync before you clear the cache. When the sync is complete, you can enable filtering again and sync the selected groups.
How to clear the cache
Make sure the checkbox of the synctool is enabled in Workspace.
Stop the synctool service.
(This way, you make sure the synctool button won't trigger while executing the clear cache).In the synctool configuration UI, click "Preferences" at the bottom left.
Then, click the “Clear cache” button at the bottom right.
Click “Ok” to confirm.
Run the synctool manual in the synctool directory as an administrator.
Wait until the user is added to the Workspace.
Start the synctool service.
Proceed to step 4.