.png)
Synchronize Users from Entra ID (Azure AD)
Microsoft Entra ID, previously known as Azure AD, is a cloud-based identity and access management (IAM) solution. It provides an integrated approach to directory management, application access, and identity protection. The centralized administration of these functionalities can be efficiently handled through the Microsoft Entra admin center.
You can easily integrate your Entra ID environments with MyQ X. This might mean your users are solely managed in Entra ID, users in hybrid environments managed with Entra ID Connect, or users printing from Entra ID Joined or Entra ID Registered devices.
Prerequisites
Before you start synchronization or during the preparations to create user synchronization sources, you should do the following:
Consider your environment and whether you need to synchronize new users or update users already synchronized previously from other sources (most likely a local Active Directory).
Consider the type of your accounts, e.g., whether they are cloud-only accounts or use the hybrid model, see below for more resources on the hybrid identity with Microsoft.
What status are the devices from which printing to MyQ will be performed? Are they Entra ID registered, Entra ID joined, or hybrid joined? This might affect how you configure user detection for job authentication (see Identify Job Authentication Method).
Select Synchronization Method
Method | Recommended if |
|---|---|
Entra ID user source |
|
LDAP (Entra ID Domain Services required*) |
|
*Microsoft Entra ID Domain Services offer managed domain services, including domain join, group policy, LDAP, and Kerberos/NTLM authentication. The service eliminates the requirement to deploy domain controllers in the cloud. This is a paid service from Microsoft.
Hybrid Identity
Find more resources:
Hybrid identity documentation - Microsoft Entra ID | Microsoft Learn
Step 1. Determine your cloud identity model - Microsoft 365 Enterprise | Microsoft Learn
LDAP synchronization with Microsoft Entra ID - Microsoft Entra | Microsoft Learn
Connecting MyQ to Entra ID
Detailed instructions on connecting to Entra ID can be found here:
These guides outline how to connect your MyQ server to Entra ID for general purposes (some organizations choose to use Entra ID as an authentication server, rather than to synchronize users). However, in order to use Entra ID specifically to synchronize users, you should further configure the connection to suit your purposes.
Full details of the available settings and how to use them can be found here:
In addition, in this guide, we will look at some common synchronization use cases, and which settings should be used to establish them correctly.
Using Entra ID as a Single Authoritative Synchronization Source
For many organizations, Entra ID will be the sole source of users added to MyQ. This means that when a new user enters the organization or leaves, this will be processed in Entra ID alone, with these changes pushed to MyQ via synchronization.
In these cases, it’s important to adjust certain settings to ensure that Entra ID has full control over all your active MyQ users.
In Users to import, All users should be selected.
The options Deactivate missing users and Add new users should be enabled.
On the Groups tab, no groups should be selected under Ignore groups.
With these settings configured, provided synchronization is carried out regularly, your MyQ users will accurately reflect your current users in Entra ID. You can adjust the settings for regular automated user synchronization in Settings > Task Scheduler.
Using Multiple Entra ID Accounts to Synchronize to MyQ
You can now use multiple Entra ID tenants in MyQ environments to synchronize and authenticate users. This is particularly useful in shared print infrastructure settings, such as those found in the public sector, where multiple organizations manage printers from a single location, while each uses its own Entra ID.
Follow the same process outlined above multiple times to establish several connections to separate Entra ID tenants, ensuring that clear and unique naming is given to each tenant, which will allow administrators to identify which is relevant at any given time.
Each Entra ID tenant can then be configured separately for user synchronization. For example, from one you may wish to synchronize all users, while from another only particular groups. In these cases it is of particular importance to take into account settings such as Alias, Pair by Object ID, and potentially Create normalized alias from Display name, to ensure users with similar or identical credentials can be correctly differentiated.
You can read more about this option here.
Using Entra ID to Synchronize Users and as an Authentication Server
In many instances, it’s preferable to both synchronize your users from Entra ID, and use it as an authentication server. To do so make sure that the option Use as authentication server is enabled on the Users tab.
This will allow users from this Entra ID tenant to sign in with their Microsoft credentials, including any two-factor options you may have enabled there. This provides a streamlined and secure sign-in experience.
Normalized Aliases for Entra ID Joined Devices
The option Create normalized alias from Display name can be helpful, especially for organizations with a large number of users, to ensure that Entra ID credentials can be correctly recognized and mapped to the correct MyQ users.
An Entra ID Joined device is defined as a corporate-owned and managed device, which is authenticated using an ID that exists in Entra ID, and only authenticated using that ID.
If enabled, this option will complete the following transformations to the relevant users' displayName:
Removes spaces.
Removes following characters
" [ ] : ; | = + * ? < > / \ , @.Removes all characters with ASCII codes less than 32 decimal (20 hex).
Removes character with ASCII code 127 decimal (7F hex)
Keeps all other international characters (UTF-8) such as apostrophes, ěščřžýáíé, etc.
The maximum length of the Alias should be only 20 characters after the transformation process (truncated to 20 characters).
The result is added as the user’s alias on top of their other aliases configured in the sync source.
Known Limitation: if two or more users have the same Full Name synced from Entra ID, normalized Alias will be created only for the first user. There is no way to distinguish Job owners for this case in the Entra ID environment since the printer’s driver provides only a concatenated user’s Name and Surname.