Comparing Azure AD (Entra ID) directory sync configurations

Connect your Azure Active Directory (Entra ID) instance to Axios HQ.

Axios HQ can connect with your Azure Active Directory in two ways: via an Enterprise Application or via an App Registration. Each setup offers slightly different configuration options and comes with its own restrictions.

⭐ Directory Sync requires an upgrade from the Essential Package. Review our packages here.


Why it matters

  • Setting up directory sync allows you to connect your current Azure/Entra email distribution lists and sync them to Axios HQ.
  • As your email lists change you won’t have to worry about updating your audience to match in Axios HQ. Updates will sync automatically!

Table of contents:

  1. Overview
  2. Application Registration
  3. Enterprise Application
  4. FAQ


1. An overview of both setups

Some groups in Azure can sync through either an Enterprise Application or an App Registration, some through neither, and others through both!

 Enterprise Application vs. Application Registration

   ✓  = able to sync to Axios HQ
   ✓* = able to sync to Axios HQ, but requires an Azure AD/Microsoft Entra ID P1 License (or higher)

 What groups can sync          | Enterprise Application | App Registration
 ------------------------------+------------------------+-----------------
 All Azure groups              |                        | ✓
 Only select Azure groups      | ✓*                     | ✓
 Mail-enabled security groups  |                        | ✓
 Security groups               | ✓                      | ✓
 Nested groups                 |                        | ✓
 Non-security groups           |                        | ✓
 Distribution lists            |                        | ✓
 Dynamic distribution groups   | ✓*                     | ✓*
 Dynamic distribution lists    |                        |

You can create a dynamic security group within Entra ID as long as you have an Azure AD/Microsoft Entra ID P1 License (or higher).


A note on attributes:

👫 While members of your directory may have specific attributes mapped to their profile within Entra ID, Axios HQ only utilizes a small subset.

Your HQ users will only be able to search the directory by group name, recipient name, and email address. Any groups you would like to build from additional fields (e.g. location or department) will need to be created within your directory provider and synced into the platform as a group.

As we continue to grow, this may change! Our team is always working to expand our offerings, and additional attributes are highly requested!


2. Application Registration

An App Registration allows you to sync your entire directory in one go, and it syncs nearly every group type.

  • Nested groups maintain their nested structure.
  • You are able to sync your entire directory or individual groups.
  • Every group type within Azure is eligible to sync, except for dynamic distribution lists (not to be confused with dynamic distribution groups; see the chart above for clarification).
  • App Registrations do not allow individual users to sync: recipients must be part of a group to be brought into HQ.

This sync requires three Microsoft Graph permissions: GroupMember.Read.All, Group.Read.All, and User.Read.All.

  • This syncs directly with Axios HQ; we do not have a third party involved in this setup.
  • Directories will update on a nightly or weekly basis.
  • While we have the technical capability to pull all attributes into the platform, we currently only look for the following:

Required Application Registration Attributes

  Group attributes:
    • id
    • displayName
    • description
    • mail
    • visibility
    • securityEnabled
    • groupTypes

  User attributes:
    • id
    • displayName
    • mail
    • userPrincipalName
    • accountEnabled

Getting started

Review our App Registration instructions, then send us your details via this secure ShareFile link for your Azure tokens.


3. Enterprise Application

An Enterprise Application (with an Entra ID P1 License) allows you to pick and choose which individual groups to sync in Axios HQ.

  • Enterprise Apps do not allow for nested groups/subgroups to sync in their nested structure, and your Azure admin will have to select each individual subgroup when provisioning.
  • Your HQ users will need to repeat that process in the Axios HQ platform, selecting individual groups to build their audience.
  • Directory members who are not part of a group can be synced as individuals and do not need to be part of a group.
  • Any groups synced to an Enterprise Application in Azure Active Directory must be security groups. For this reason, you can sync a Dynamic Distribution Group, but cannot sync a Dynamic Distribution List.

🕰 Changes made within Azure are generally reflected as they happen, with a maximum delay of one hour.

This integration syncs with WorkOS

WorkOS is a sub-processor of HQ that is covered under our policies and agreements. WorkOS will facilitate the connection to the Enterprise App, and then Axios HQ will connect to WorkOS to finalize that pipeline.

  • By default, WorkOS may store additional attribute data sent over from your Enterprise App. While WorkOS does store this additional information, Axios HQ does not save or access it at this time.
  • If you would like to limit the attributes that are synced, you may do so. The following attributes are necessary to ensure functionality within the Axios HQ platform:

Required Enterprise Application Attributes

  • userPrincipalName
  • Switch([IsSoftDeleted], , "False", "True", "True", "False")
  • displayName
  • mail
  • givenName
  • surname
  • Join(" ", [givenName], [surname])
  • objectId

The two expressions are Azure attribute-mapping expressions: the Switch turns IsSoftDeleted into the user's active state, and the Join builds the user's full name from givenName and surname.

Getting started

You can set up an Enterprise Application directly in HQ! Check out our Directory Sync page for more detailed instructions.

4. FAQ

Why do I need a P1 (Premium) License?

Your organization's license plan determines, within Entra, how your IT team can add users and groups to the Enterprise Application. This is a restriction within Microsoft.

If you're on a Premium License plan, you will be able to add individuals and select which groups you do or do not want to add to the application. This functionality should be available for plans above a P1 license as well.

How can I set up an Application Registration?

Our self-serve portal in the HQ platform only offers the Enterprise Application option. If your directory configuration is incompatible and you would prefer an App Registration, review our App Registration instructions, then send us your details via this secure ShareFile link for your Azure tokens.

Can you sync with an on-prem directory?

Unfortunately, we do not sync with on-prem directories at this time.

My Enterprise Application is not pulling in the recipients

If your Azure Active Directory setup is not pulling in email addresses, you may need to configure attribute mapping in your SCIM app in Azure. Review this tutorial from Microsoft, and consider mapping a known email attribute, such as UPN, to the emails[type eq "work"].value SCIM attribute.
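To make the mapping concrete, here is an added example (not Axios HQ, WorkOS or Microsoft code) that replays the Enterprise Application attribute expressions listed above on a constructed Entra user and builds the SCIM User payload, showing why a user can arrive with no email and how mapping UPN to emails[type eq "work"].value fixes it; the "mail" default for the email source is an assumption of this example.

```python
# Added example, not Axios HQ, WorkOS or Microsoft code: replay this page's
# Enterprise Application attribute mapping on a constructed Entra user to show
# why a user can arrive with no email and how the FAQ's UPN mapping fixes it.
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def switch_is_soft_deleted(is_soft_deleted):
    """Switch([IsSoftDeleted], , "False", "True", "True", "False").

    "False" -> "True" and "True" -> "False" for the SCIM 'active' flag; any
    other value falls through to the expression's empty default."""
    return {"False": "True", "True": "False"}.get(str(is_soft_deleted), "")


def join_given_surname(given_name, surname):
    """Join(" ", [givenName], [surname]); empty parts are dropped."""
    return " ".join(part for part in (given_name, surname) if part)


def build_scim_user(entra_user, email_source="mail"):
    """Build the SCIM core User payload for one directory member.

    email_source is the Entra attribute mapped to emails[type eq "work"].value.
    The "mail" default is an assumption of this example; the FAQ's fix is to
    pass "userPrincipalName" instead."""
    email = entra_user.get(email_source) or ""
    given, sur = entra_user.get("givenName"), entra_user.get("surname")
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "externalId": entra_user["objectId"],
        "userName": entra_user["userPrincipalName"],
        "active": switch_is_soft_deleted(entra_user.get("IsSoftDeleted")) == "True",
        "displayName": entra_user["displayName"],
        "name": {"givenName": given or "", "familyName": sur or "",
                 "formatted": join_given_surname(given, sur)},
        # An empty source attribute yields no work email: the symptom in the FAQ.
        "emails": [{"type": "work", "primary": True, "value": email}] if email else [],
    }


# Constructed sample: a cloud-only account whose 'mail' attribute is unset.
SAMPLE_USER = {
    "objectId": "00000000-0000-0000-0000-000000000001",  # placeholder, not real
    "userPrincipalName": "jdoe@example.com",
    "displayName": "Jane Doe",
    "givenName": "Jane",
    "surname": "Doe",
    "mail": None,
    "IsSoftDeleted": "False",
}
```

Calling build_scim_user(SAMPLE_USER) yields an empty emails list, while build_scim_user(SAMPLE_USER, "userPrincipalName") carries the UPN as the work email.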