User synchronization from Microsoft Entra ID (Azure AD) with Microsoft Graph

Microsoft Entra ID (formerly Azure AD) with Microsoft Graph is a service accessed from the Microsoft Azure Portal, where it has to be enabled and configured.

Once the Microsoft Entra ID connection is established, go to MyQ, Settings, User Synchronization. Click Add, and then click Add Microsoft Entra ID source.

In the Microsoft Entra ID Synchronization properties panel to the right, in the General tab, if you have already set up an Microsoft Entra ID connection, the Microsoft Entra ID server is already in the Authentication Server field. Fill in the Synchronization source field with a name which will allow the source to be easily identified, this simplifies administration and maintenance for environments with multiple Entra ID (Azure) tenants. Click Add to set up a Microsoft Entra ID connection, and then click Save.

Users tab

In Users to import, you can choose to import All users or Users from selected groups. If you chose the second option, select the user groups from the drop-down.

In the Properties section, you can map user information from Microsoft Entra ID to the credentials in MyQ. Administrators can define custom Microsoft Entra ID user object attributes manually. A predefined selection of values will be provided. Administrators can also type in and create new custom attributes.

• For the User name user property, userPrincipalName is used by default.

• For the Full name user property, the predefined attribute available is displayName.

If the value of Azure’s custom attribute for the Full name is empty, the value of Azure’s attribute displayName will be used as the default.

Example: surname attribute is used for Full name. During synchronization, some users may have empty (not filled) value of surname attribute in their Microsoft Entra ID records. For such cases, the mandatory Microsoft Entra ID displayName attribute value will be used as a fallback.

• For the Alias user property, you can one or more of the following attributes: userPrincipalName, displayName, upnPrefix, mailNickname, onPremisesSamAccountName, onPremisesSamAccountName@onPremisesDomainName, and extensionAttribute1 to extensionAttribute15. If you choose the onPremisesSamAccountName@onPremisesDomainName option, the user's Alias after synchronization will be a combination of the user's Microsoft Entra ID attributes onPremisesSamAccountName and onPremisesDomainName in the format, for example, user@myq.cz.

• For the Language user property, the predefined attribute available is preferredLanguage.

• For the Card, PIN, and Personal number user properties, you can choose the employeeID attribute or extensionAttribute1 to extensionAttribute15.

In the Options section:

• Deactivate Missing Users - This option allows the system to automatically deactivate users in MyQ X who are no longer present in the Microsoft Entra ID source.

• Add New Users - When enabled, this feature automatically adds new users found in the Microsoft Entra ID source to MyQ X.

• Use as authentication server - If you plan to authenticate users towards Azure using Active Directory credentials and use the Microsoft single-sign-on option, select the Use as authentication server option and click Save.

• Pair by Object ID - Check this box if you wish to update users based on their Object ID. If the Object ID option is checked, during re-synchronization, the system will look for the user by the Object ID. If a match is found, the user details will be updated, otherwise, a new user will be created.

Since MyQ Print Server 10.2 RC 4, the Pair by Object ID option is checked by default for all newly created synchronization sources and cannot be changed. Azure sources created in 10.1 after migration to 10.2 allow editing this option. Pairing Users by Object ID is strongly recommended.

• Ignore Synchronization Source - This option provides the ability to selectively ignore certain aspects or data from the Microsoft Entra ID source during synchronization.

• Create normalized alias from Display name - This option means an additional alias is added to the user on top of those configured in the user attributes section, this alias takes form of AzureAD\concatedDisplayName. It allows proper recognition of users who print from Entra ID Joined devices.

In the Transformation section, the administrator can define regular expressions (RegEx) to transform user data during the synchronization process. For details, check Regular Expression Transformation for User Synchronization.

If two or more users have the same Full Name synced from Entra ID, a normalized Alias will be created only for the first user. There is no way to distinguish Job owners for this case in the ADD environment since the printer’s driver provides only a concatenated user’s Name and Surname.

When configuring the attributes from Entra ID to be synchronized, you can also specify an attribute not predefined in the selection, and thus synchronize a value from other attributes of the user.

Groups tab

In the Groups tab, you can select what Active Directory groups you want to remove from synchronization using the Ignore groups and Ignore groups containing string fields.

Synchronize Now

Users can be now synchronized by selecting your Microsoft Entra ID source from the list and clicking Synchronize now.

Entra ID (Azure) Multi-Tenant Synchronization and Authentication

You can now use multiple Entra ID tenants in MyQ environments to synchronize and authenticate users. This is particularly useful in shared print infrastructure settings, such as those found in the public sector, where multiple organizations manage printers from a single location, while each uses its own Entra ID.

Follow the process as described below but repeat it to set up multiple instances. Ensure that clear and unique naming is given to each tenant, which will allow users to identify which is relevant for their use.