Skip to main content
Skip table of contents

Transition from Active Directory to Entra ID

If you are moving your user management from a local Active Directory to the cloud-based Entra ID, there are a few steps that you should learn about to make this transition as smooth as possible. These recommendations are based on the fact that:

  • Not every AD attribute has a representation in Entra ID.

  • Different organizations might have different preferences for usernames and user-friendly login credentials.

  • Users already synchronized in MyQ from an on-premises AD should be updated from Entra ID, rather than duplicated. This ensures that they maintain their history in MyQ, including credits, quotas, and pending jobs.

In this article, we will go through the options you have to ensure that users in MyQ are updated by the Entra ID synchronization and not created as new.

If you are starting from scratch, and do not need to update users already existing in MyQ, you can continue to the guide on new Entra ID synchronization.

Issues in User Identification

MyQ synchronizes Entra ID users with userPrincipalName (User Principal Name, UPN) as their primary identifier, and for this reason, userPrincipalName is automatically set as their username. This cannot be influenced in any way. The resulting username will look like tim.canterbury@acme.com.

The reason is that for a fully functional authentication against Entra ID, MyQ needs the entire UPN of the user. On top of that, if more Entra ID tenants are synchronized in MyQ, the distinction between them is easier when userPrincipalName is used since it also contains the domain making it unique.

However, MyQ synchronizes users from an Active Directory with sAMAccountName as their usernames. This attribute also cannot be changed. Users synchronized from AD will most likely have usernames such as tim.cantebury, timcanterbury, or simply canterbury.

By default, when updating users, MyQ uses usernames to identify the user that should be updated. However, since sAMAccountName and userPrincipalName are commonly not identical, without certain prerequisite steps, the synchronization of such users would result in duplicates.

Determine Your Environment

First of all, it is important to recognize how the environment you are working with is designed and configured. The following situations might occur:

Situation

How to update existing users

Users already have a valid attribute userPrincipalName in on-premises AD and it matches the Entra ID's userPrincipalName attribute.

Option 1: Update users from CSV.

Option 3: Use the Personal number field to match user identities.

Entra ID’s userPrincipalName can be created from the combination of sAMAccountName and domain.

Option 1: Update users from CSV.

Option 2: Append domain to usernames and then update users from Entra ID.

Entra ID’s userPrincipalName is largely different than the current sAMAccountName.

Option 1: Update users from CSV.

Option 3: Use the Personal number field to match user identities.

How to Update Existing Users

To prevent user duplication, you need to select one from the following methods to match the two different identities of the same user:

  • Normalize users with CSV and update them from Entra ID.

  • Append domains to usernames and then update users from Entra ID.

  • Use the Personal number field to match user identities.

Synchronization Sources

When updating users in MyQ, it is important to understand the synchronization sources and how they coexist. In user synchronization source settings, you will find two options:

Synchronization source field

Synchronization source: the name of the source. It also acts as a “marker” to identify users coming from this source.

  • If you add two sources, both named “CSV”, the second source can overwrite what the first source imported.

  • You can combine different source types as well, e.g., if your AD and CSV sources both use the name “SYNC1”, the CSV will be able to update users imported from AD and vice versa (depending on the order of synchronization).

  • If your sources were named “CSV1” and “CSV2”, synchronization from CSV2 will ignore users synchronized from CSV1, unless you use the option below.

Ignore synchronization source: When activated, this synchronization source will consider all users in MyQ and can overwrite/update them. When off, the synchronization will update only the users it imported.

Option 1: Normalize Users with CSV and Update Them from Entra ID

In this method, you should ensure that users in MyQ have personal numbers, export them, modify the exported CSV file to change all usernames to UPNs used by Entra ID, and then import all of this back while pairing users with the personal number. As a result, AD users will already have UPN as their username by the time you synchronize them, and their identities will be properly connected.

Prerequisites

  • If your users do not use personal numbers, synchronize them with personal numbers from the current AD. We will need this attribute to pair users later (since we will not be able to pair them by usernames).

  • If you cannot synchronize personal numbers from AD, assign them in MyQ directly. Export users to CSV (on the Users page, select ToolsExport), modify the CSV file in your preferred manner and assign each user a unique personal number (CODE column). Import the CSV back so that users in MyQ are updated and their personal numbers added.

Switch Usernames to UPN

  1. Go to the Users page, select ToolsExport, and wait for the CSV file with exported users to be downloaded.

  2. Modify the CSV in your preferred manner, change all usernames so that they take the form of UPNs in Entra ID, for example, timcanterburytim.canterbury@acme.com, and save the CSV file. Leave personal numbers intact.

  3. Back in MyQ, in SettingsUser Synchronization, add the final CSV file as a synchronization source.

    1. Change the synchronization source name from “CSV” to the name of your AD synchronization source (to target users from AD only) or check the “Ignore synchronization source” option (see (info) above).

    2. Enable Pair by the personal number.

  4. Run this user synchronization, either from the User Synchronization page or Task Scheduler (recommended).

Once this is complete, the usernames in MyQ should match userPrincipalName in Entra ID.

You can proceed with synchronizing users from Entra ID using the regular method. When creating the new Entra ID synchronization, remember to also adjust the synchronization source name or activate "Ignore synchronization source" to ensure that the Entra ID source can update users synchronized from AD (see (info) above).

Users matching via usernames should be accurately reflected in the logs (displayed as Match via LOGIN).

Option 2: Append Domain to Usernames and then Update Users from Entra ID

If your AD domain is the same as the domain of your Entra ID, you can do the following:

  1. In your AD synchronization source, enable the option Append domain to username, and synchronize users. This will result in a username change such as tim.canterburytim.canterbury@acme.com.

  2. Run the synchronization from AD, either from the User Synchronization page or Task Scheduler (recommended).

  3. Create a new Entra ID synchronization, modify the synchronization source name (see (info) above), or enable Ignore synchronization source to be able to update users synchronized from other sources.

  4. Run the synchronization from Entra ID, either from the User Synchronization page or Task Scheduler (recommended).

If usernames, after appending the domain, match the userPrincipalName of these users, they will be updated from the new source. From now on, you can continue synchronizing users from Entra ID and remove the old synchronization source.

Option 3: Use the Personal Number Field to Match User Identities

You can connect the two identities of the user by pairing them through the Personal number field. There are two common scenarios:

  • Users in AD already have personal numbers which can also be synchronized from Entra ID (e.g., employeeId attribute).

  • Users do not have personal numbers, but another piece of information can be synchronized to this field such as an email address.

In case you decide to match existing users by this method, do the following:

  1. In Settings – User Synchronization, adjust the AD synchronization source, and on the Users tab, specify the attribute you want to use for the Personal number, e.g., mail. If you use userPrincipalName, you can synchronize the user’s UPN from local AD and use it to match their identity against Entra ID.

  2. In the new Entra ID synchronization source, activate the Pair by the personal number option and fill in the same attribute in the Personal number field (mail or userPrincipalName in this example). Also, do not forget to alter the Synchronization source name or enable the Ignore synchronization source (see (info) above).

The attribute does not need to be amongst the ones listed in the dropdown, you can manually type in and create a new attribute, and thus synchronize practically any attribute of the user resource type in Entra ID.

  1. Run the synchronization, either from the User Synchronization page or Task Scheduler (recommended).

It is recommended to check the users after the AD sync is run, and make sure that the Personal number field contains the desired information. If it does, you can move on to the second synchronization from Entra ID.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close