Connecting an Entra ID (Azure AD) Application Registration

Connect to Entra with an Application Registration to sync your audience!

An App Registration allows you to sync your entire directory in one swoop, and syncs with nearly every group type.

This sync type is not available in the self-serve portion of our platform. If you are interested in connecting to Entra via Application Registration, please follow the instructions below to send us your sync information. 

⭐ Directory Sync requires an upgrade from the Essential Package. 

Table of Contents

  1. Register a new application
  2. Add API permissions
  3. Add client credentials
  4. Optional fields
  5. Sending your information to Axios HQ
  6. What your HQ users can expect
  7. Update your existing connection
  8. FAQs

1. Register a new Entra application

🛠️ How it works

  • Open Entra and select App Registrations on the left sidebar.
  • Click +New registration and register a new private application with the following:
    • Name: Axios HQ Directory Sync
    • Account Type: Accounts in this organizational directory only
    • Redirect URI: Skip this section
  • Select Register
  • Once registered, you will be redirected to your Application Overview
  • Use this outlined text file to fill out the information needed to complete the connection.
  • Copy the Application (client) ID and the Directory (tenant) ID and add them to the document. 

2. Add API permissions

🛠️ How it works

  • In Entra ID navigate to API permissions on the left sidebar and select +Add a permission
  • In the Request API Permissions window, select Microsoft Graph
  • Select Application permissions.
  • Remove the following permissions:
    • User.Read (Type: Delegated)
  • Add the following permissions:
    • Group.Read.All
    • GroupMember.Read.All
    • User.Read.All
    • OrgContact.Read.All (only necessary if you want Axios HQ to sync Contacts in addition to Users)
  • Select Grant admin consent.

3. Add Client credentials

🛠️ How it works

  • Navigate back to the Application Overview in Entra ID
  • Under the Essentials heading, select Client credentials: Add a certificate or secret.
  • Click +New client secret and add a client secret; give your secret a description, and choose an expiration date.
    • We recommend the longest amount of time possible. When this secret expires, your users will no longer be able to access your directory through HQ.
  • Copy the Secret ID and Value and provide them to Axios HQ.
    • The value will not be shown again. Be sure to save the secret before leaving the page.

4. Optional Fields

Include the following fields if they apply to your directory:

Groups:

Axios HQ allows you to sync your entire Entra directory or select specific groups. If you would like to limit the groups that are visible to your users in Axios HQ, please provide their Entra Object IDs.

  • To locate the Group Object IDs, navigate to Entra, then locate Groups on the left sidebar.
  • Copy the Object IDs for the groups you would like to sync and provide them to Axios HQ.

Attributes:

Allow Axios HQ users to create dynamic recipient lists by utilizing employee attributes. Syncing attributes will pull in each of the below fields to HQ; your team can approve the visibility of these attributes at the time of setup to tailor what users will be able to see and leverage within the platform. See how this works in Axios HQ.

  • Select from the list of attributes below. 
    employee_id            department_name   raw_address     manager_name
    job_title              division_name     street_address  manager_email
    employment_start_date  cost_center_name  city            preferred_language
    employment_status                        region
    employee_type                            postal_code
                                             country

Azure Government:

Azure Government is a version of Entra that provides extra protection by limiting potential access to systems. It must be noted during setup.

Is your team using Azure Government?

  • Yes, our team is using Azure Government
  • No, our team is using Entra

Username fallback:

Usernames are leveraged by some organizations in place of email addresses. Axios HQ can use the "username" field if no email address is provided.

Should Axios HQ set the "username" field as a fallback?

  • Yes, use the "username" field as a fallback for email addresses
  • No, we do not use the "username" field as a fallback

Contacts:

Contacts are mail-enabled objects that are shared across the organization and contain external email addresses; they may have an internal address but are not members with login abilities. They differ from Users, who make up the internal members, such as employees or students.

Should Axios HQ sync Contacts in addition to users?

  • Yes, sync Contacts in addition to Users
    • 🛠️ Note: Please add the OrgContact.Read.All permission to your registered application to enable the contact sync
  • No, our organization does not leverage Contacts

These optional fields can be edited at any time. Simply use this form to let us know what updates you need!


5. Sending your information to Axios HQ

📬 Use this secure link to send your txt document containing:

  • Your Axios HQ Organization Name
    • Include the name of the HQ organization you would like to link this directory to. If your team is leveraging multiple organizations, include all organizations this directory should be available within.
  • Setup Owner Name and Email Address
    • Include the name and email address of the best person for us to reach out to if we have any questions. Typically, this is whoever established the connection, an IT contact, or the Organization Owner.
  • Application (client) ID
  • Directory (tenant) ID
  • Client credentials Secret ID
  • Client credentials Secret Value
  • Any additional optional fields

6. What your HQ users can expect

Adding directory groups to your series audience

  • Navigate to your series audience by clicking on the megaphone icon in the top navigation menu of your series
  • Click “Manage recipients”, then “Import segments”
  • Select the directory groups you’d like to send to. You can filter segments by source and select Azure for easy reference.

Note: The "Use full directory" toggle is not currently operational on this type of Entra sync. If you would like to sync your whole audience, we recommend adding an All Staff list.

Directory updates

Your synced groups will update nightly at midnight EST.


7. Update your existing connection

🔒 Update your secret

Entra secrets are set to expire after a certain amount of time. Once your setup is connected, it's typically good to go for a year or two, depending on the client credentials expiration date your team selected.

If you need to update your secret, follow these steps:

  • Navigate to Entra ID, then select App Registrations on the left navbar
  • Select the Axios HQ application you registered for this sync
  • Navigate to "Certificates & secrets"
  • Select the "Client secrets" tab
  • Select "New client secret"

Please provide us with the secret value that is generated. This can be a simple txt file.

Fill out this document and share it with us via this secure Sharefile link.
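
To catch an expiring secret before the sync stops, the check below is an added example (not Axios HQ or Microsoft code). It assumes you have exported the application object as JSON from Microsoft Graph, where each client secret appears under "passwordCredentials" with a "keyId" (the Secret ID shown in the portal) and an "endDateTime"; the sample object, IDs, and function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of a Graph application object (only the fields used here).
SAMPLE_APP = {
    "displayName": "Axios HQ Directory Sync",
    "passwordCredentials": [
        {"keyId": "11111111-1111-1111-1111-111111111111",
         "displayName": "old secret", "endDateTime": "2024-06-30T12:00:00Z"},
        {"keyId": "22222222-2222-2222-2222-222222222222",
         "displayName": "current secret", "endDateTime": "2025-07-15T08:30:00.1234567Z"},
    ],
}
NOW = datetime(2025, 7, 1, tzinfo=timezone.utc)  # fixed clock so results are repeatable


def parse_graph_time(value: str) -> datetime:
    """Parse a Graph UTC timestamp, with or without fractional seconds."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def secret_status(app: dict, secret_id: str, now: datetime, warn_days: int = 30) -> str:
    """Report the state of the one secret that was shared for the sync."""
    for cred in app.get("passwordCredentials", []):
        if cred.get("keyId", "").lower() != secret_id.lower():
            continue
        remaining = parse_graph_time(cred["endDateTime"]) - now
        if remaining <= timedelta(0):
            return "expired"
        if remaining <= timedelta(days=warn_days):
            return f"expiring in {remaining.days} days"
        return "ok"
    return "not found"  # secret was deleted, or the ID belongs to another app


if __name__ == "__main__":
    for cred in SAMPLE_APP["passwordCredentials"]:
        print(cred["displayName"], "->", secret_status(SAMPLE_APP, cred["keyId"], NOW))
```

Checking by Secret ID matters because an app can hold several secrets, and only the one that was shared is used by the sync.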

⭐ Update your optional fields

Optional fields, including syncing specific groups, attributes, or Contacts, can be edited at any time. Review what we have available in the Optional Fields section above, and send us any edits you'd like using the form below!

Fill out this document and share it with us via this secure Sharefile link.


8. FAQs

Incorrect Directory Groups & Members

My groups have no users

Check your Application permissions in Entra:

  • Ensure that Group.Read.All, GroupMember.Read.All, and User.Read.All permissions are Type: Application permissions (and not Type: Delegated permissions)
  • Ensure that the User.Read permission is not enabled
  • If you are expecting Contacts, please make sure to specify this at the time of setup. You will also need an extra permission in your App Registration: OrgContact.Read.All
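
One way to run the permission checks from step 2 and from this FAQ, as an added example that is not Axios HQ or Microsoft code: an app-only Microsoft Graph access token lists its granted application permissions in the "roles" claim, while a delegated token carries "scp" instead. The function names and sample tokens are constructed for illustration, and the payload is decoded for inspection only, without signature verification.

```python
import base64
import json

# Application permissions this article asks for (step 2).
REQUIRED = {"Group.Read.All", "GroupMember.Read.All", "User.Read.All"}
CONTACTS = "OrgContact.Read.All"  # only when Contacts are synced


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only (signature is NOT verified)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_claims(claims: dict, sync_contacts: bool = False) -> list:
    """Return findings; an empty list means the token matches the article."""
    expected = REQUIRED | ({CONTACTS} if sync_contacts else set())
    roles = set(claims.get("roles", []))  # absent when nothing was consented
    findings = []
    if "scp" in claims:
        findings.append("delegated token (scp present); the sync needs application permissions")
    findings += [f"missing application permission: {p}" for p in sorted(expected - roles)]
    findings += [f"extra application permission: {p}" for p in sorted(roles - expected)]
    return findings


def sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"


GOOD = sample_token({"roles": sorted(REQUIRED)})
OVERBROAD = sample_token({"roles": ["User.Read.All", "Directory.ReadWrite.All"]})
DELEGATED = sample_token({"scp": "User.Read"})

if __name__ == "__main__":
    for name, tok in [("good", GOOD), ("overbroad", OVERBROAD), ("delegated", DELEGATED)]:
        print(name, audit_claims(jwt_claims(tok)))
```

Extra permissions are reported as well as missing ones, so the registration stays limited to the read-only set listed in step 2.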

My directory is not up-to-date

If your entire directory seems to be out of sync, check your authentication token's expiration date. If the token has expired, please follow this outlined document to send us a new one via this secure Sharefile folder, and provide your new token, organization name, and IT contact information to us via this link.

  • Our team will update the token and provide confirmation that your sync is back online.

My specific group is not up-to-date

Our directories sync overnight, so if you have membership that was edited after midnight EST, you can expect the changes to be visible after the nightly sync has completed.

The numbers in Axios HQ do not match the numbers I am seeing in Entra. 

Axios HQ only syncs valid members of your directory. We will not sync any members marked as "suspended," "disabled," or "inactive" in your directory. These members may be counted within Entra as part of the total group, but will not be ported over to Axios HQ.

This includes group objects. Although Axios HQ does not bring in the group object as a member, any membership of the groups that are nested will be properly reflected in the parent group. For example, if a Parent Group (of 1 direct member and 1 nested group) included a Child Group (with 5 direct members), the flattened Parent Group in HQ would appropriately have 6 recipients. In Entra, you may see "7 members" because the group itself is included in this count.

Updating the Sync

My Entra secret has expired (or will expire). How can I send a new one?

Send us a new Entra secret by filling out this form via this secure Sharefile folder. Please be sure to include your HQ organization.

How do I edit / add / remove groups from this connection?

  • Edit groups within Entra. The changes will automatically sync to HQ.
  • Add or remove groups from this connection by reaching out to us at help@axioshq.com.

Entra Connection

What Entra types can Axios HQ sync?

We currently support Entra ID and US Government Azure L4. We do not sync to Azure on-prem at this time.
