Skip to main content
Skip table of contents

User Synchronization from Entra ID with Microsoft Graph

Microsoft Entra ID (formerly Azure AD) with Microsoft Graph is a service accessed from the Microsoft Azure Portal, it must be enabled and configured before it can be used to synchronize users to MyQ.

Add Microsoft Entra ID as a Source

Once the Microsoft Entra ID connection is established, go to MyQ > Settings > User Synchronization. Click Add, and then click Add Microsoft Entra ID source.

Adding an Entra ID sync source

Once the source is established, configuration options allow you to edit how users are imported.

  • In the General tab the Authentication Server and Synchronization Source can be set, and the synchronization can be enabled or disabled.

  • In the Users tab, the users that should be imported can be selected, their properties can be set, and various other options can be enabled or disabled.

  • In the Groups tab you can set rules not for which users to import (this is set in the Users tab), but how to group users that are imported, based on their grouping in your Entra ID source.

General Tab

This tab opens by default when you select Add Microsoft Entra ID source. The following options are available:

  • Enable: use this toggle to enable or disable the user synchronization.

  • Authentication Server: select the authentication server you wish to use. This server should already be connected and configured according to these instructions. If multiple connections are established, you can select which to use for this user synchronization.

  • Synchronization Source: give this particular user synchronization a name which allows it to be easily identified. This is especially important if you are using multiple Entra ID tenants, to differentiate between them.

Adding MS Entra ID server

Users Tab

This tab allows you to select which Users to import, their Properties, and various Options for user synchronization.

Users to Import

This is where you can select which users you want to import from your Entra ID Tenant into MyQ. You can select from All users or Users from selected groups. In the latter option, the groups refer to existing user groups in your Entra ID source, you can choose to use these groups, ignore them, or organize them further in MyQ in the Groups tab.

Properties

In the Properties section, you can map user information from Microsoft Entra ID to the credentials in MyQ. A predefined selection of recommended values is provided. If the predefined value is not used, a manually typed custom attribute can replace it and synchronize a different user attribute from Entra ID.

Property Name

Description

Predefined Attribute/s

Full name

Users' full name.

displayName

Personal number

User identification number.

employeeId or extensionAttribute1 to extensionAttribute15

Email

Users' email.

mail

Notes

Relevant notes.

extensionAttribute1 to extensionAttribute15

Language

Users preferred language.

preferredLanguage

Department

Users' department.

department

Alias

An alternative name or username.

displayName, userPrincipalName, upnPrefix, mailNickname, onPremisesSamAccountName, onPremisesSamAccountName@onPremisesDomainName, and extensionAttribute1 to extensionAttribute15

Card

The users' ID card number.

employeeId or extensionAttribute1 to extensionAttribute15

PIN

The users' PIN.

employeeId or extensionAttribute1 to extensionAttribute15

Custom (1)

Custom attribute to assign to other relevant information.

extensionAttribute1 to extensionAttribute15

Custom (2)

Custom attribute to assign to other relevant information.

extensionAttribute1 to extensionAttribute15

Custom (3)

Custom attribute to assign to other relevant information.

extensionAttribute1 to extensionAttribute15

For the Alias property, if the attribute onPremisesSamAccountName@onPremisesDomainName is used, the user's Alias after synchronization will be a combination of the user's Microsoft Entra ID attributes onPremisesSamAccountName and onPremisesDomainName in the format, for example, user@myq.cz.

Options

  • Deactivate Missing Users: this option allows the system to automatically deactivate users in MyQ X who are no longer present in the Microsoft Entra ID source.

  • Add New Users: when enabled, this feature automatically adds new users found in the Microsoft Entra ID source to MyQ X.

  • Use as authentication server: if you plan to authenticate users towards Azure using Active Directory credentials and use the Microsoft single-sign-on option, select the Use as authentication server option and click Save.

  • Pair by the personal number: check this box if you wish to update users based on their personal number. If the personal number option is checked, during re-synchronization, the system will look for the user by their personal number. If a match is found, the user details will be updated, otherwise, a new user will be created.

Since MyQ Print Server 10.2 RC 4, the Pair by the personal number option is checked by default for all newly created synchronization sources and cannot be changed. Sources created in 10.1 after migration to 10.2 allow editing this option. Pairing Users by personal number is strongly recommended.

  • Ignore Synchronization Source: this option provides the ability to selectively ignore certain aspects or data from the Microsoft Entra ID source during synchronization.

  • Create normalized alias from Display name: this option means an additional alias is added to the user on top of those configured in the user attributes section, this alias takes the form of AzureAD\concatedDisplayName. It allows proper recognition of users who print from Entra ID Joined devices.

If two or more users have the same Full Name synced from Entra ID, a normalized Alias will be created only for the first user. There is no way to distinguish Job owners for this case in the ADD environment since the printer’s driver provides only a concatenated user’s Name and Surname.

Groups Tab

The Groups tab does not specify which user groups to import, but how they should be organized within MyQ. Which user groups are imported is controlled in Users > Users to import.

The following options are available:

  • Select type of synchronization: In a synchronization source, you can adjust the level of synchronization on the Groups tab. It is possible to select from the following levels:

    • Full synchronization: synchronize groups 1:1 as they are in the source, meaning users are both added to and removed from groups as in the source.

    • Synchronize if not empty: leave a user in at least one group even after they lose all memberships in the directory.

    • Add new: ensure that once a user is assigned to a group in MyQ, they do not lose this membership even after they are removed from a group in the source directory.

  • Select groups: this allows you to select the groups that exist in your instance of Entra ID which you want to include as groups within MyQ.

  • Import groups under this group: allows you to select an existing user group in MyQ to use as a parent group for any groups synchronized from this source.

  • Ignore groups: select what Active Directory groups you do not want to use in this synchronization.

  • Ignore groups containing string: fulfills the same function as Ignore groups allowing you to specify groups to be ignored according to a string they contain.

Group Synchronization - Example Scenario

Administrators have enhanced control over group memberships during Entra ID user synchronization. With the Select groups filter option in the Entra ID User Sync source settings, you can specify which group memberships are imported into MyQ without affecting the overall user synchronization process.

Example:

The Entra ID group structure is as follows:

  • All students: 1,500 users

  • Class1A: 1,000 users

  • Class1B: 500 users

MyQ Settings:

  • In the Users tab under Users to import select Users from selected groups and specify the All students group to synchronize all 1,500 users.

  • In the Groups tab under Select groups, select Class1B only.

Result:

  • All 1,500 users are synchronized to MyQ.

  • Only the 500 users in Class1B have their group membership applied in MyQ.

  • The remaining 1,000 users are imported without any group membership.

  • Users who are also members of Class1A do not have this membership applied in MyQ.

Synchronize Now

Users can be now synchronized by selecting your Microsoft Entra ID source from the list and clicking Synchronize now. It is also possible to schedule user synchronization using the task scheduler.

Multi-Tenant Synchronization and Authentication

You can now use multiple Entra ID tenants in MyQ environments to synchronize and authenticate users. This is particularly useful in shared print infrastructure settings, such as those found in the public sector, where multiple organizations manage printers from a single location, while each uses its own Entra ID.

Follow the process as described below but repeat it to set up multiple instances. Ensure that clear and unique naming is given to each tenant, which will allow users to identify which is relevant for their use.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.