GITBOOK-336: change request with no subject merged in GitBook

Author: defguard-community

.gitbook/assets/image (57).png

@@ -80,6 +80,7 @@
     * [Keycloak](enterprise/all-enteprise-features/external-openid-providers/keycloak.md)
     * [JumpCloud](enterprise/all-enteprise-features/external-openid-providers/jumpcloud.md)
     * [Okta](enterprise/all-enteprise-features/external-openid-providers/okta.md)
+    * [Custom](enterprise/all-enteprise-features/external-openid-providers/custom.md)
   * [External OIDC secure enrollment](enterprise/all-enteprise-features/external-oidc-secure-enrollment.md)
   * [VPN & Client behavior customization](enterprise/all-enteprise-features/behavior-customization.md)
 

.gitbook/assets/image (58).png

@@ -78,6 +78,46 @@ For this to work, make sure you have the following two things set:
 
 If you disable the option above, new users won't be able to automatically go through the enrollment. You will need to create their accounts by hand (with the same email address as the one they have set on your OIDC provider's side) and only then they will have an option to activate it by logging through the provider.
 
+### Directory synchronization
+
+{% hint style="info" %}
+This feature is available only in Defguard v1.2.0 and above
+{% endhint %}
+
+Defguard supports synchronizing users' and groups' states based on the state of the external provider directory. The following things can be synchronized:
+
+* **User Groups**: Automatically create and assign user groups in Defguard to reflect them in Google Workspace.
+* **User Deletion**: Removing a user from the provider's directory can also remove them from Defguard.
+* **User Status**: Disabling users in the provider's directory will disable them in Defguard.
+
+Defguard doesn't automatically create users based on the users in your provider's directory. They will have to manually log in to Defguard through your provider for their Defguard accounts to be created. Defguard is responsible only for synchronizing their later state.
+
+#### General configuration
+
+The menu can be found in Defguard settings by navigating to the "OpenID" tab.
+
+<figure><img src="../../../.gitbook/assets/image (57).png" alt=""><figcaption></figcaption></figure>
+
+The following configuration options are currently available in the directory synchronization menu for all providers:
+
+* **Synchronize (All/User/Group):** What to synchronize.
+  * **All** - synchronize both user state (disabled/enabled), their deletion, and groups
+  * **User** - synchronize only user state (disabled/enabled) and whether they've been deleted
+  * **Group** - synchronize only user groups
+* **Synchronization interval (600s by default):** How often to synchronize with your provider. Very low values may cause issues with the provider API. The user state is also synchronized on login.
+
+{% hint style="danger" %}
+If you want to delete your users based on the state of your provider we recommend trying out the "disable" behavior first to make sure everything works as expected. Always back up your database regularly.
+{% endhint %}
+
+* **User behavior (Keep, Disable, Delete):** What to do with Defguard users who are absent from your provider's directory.
+* **Admin behavior (Keep, Disable, Delete):** What to do with Defguard users with admin status (in Defguard) who are absent from your provider's directory.
+
+#### Currently supported providers
+
+* [Google](google.md#directory-synchronization)
+* Microsoft
+
 ## Known issues
 
 ### JumpCloud

.gitbook/assets/image (59).png

@@ -0,0 +1,15 @@
+# Custom
+
+{% hint style="warning" %}
+Defguard supports custom providers that allow a **code** response type in the OpenID authorization flow.
+{% endhint %}
+
+You can also configure a custom OpenID provider. The key thing here is setting up the **Base URL** correctly. This URL is used to discover all the endpoints required for the authorization flow.
+
+The easiest way of obtaining the Base URL is to find out what is the OpenID `.well-known` URL of your provider. For example, for Google it's `https://accounts.google.com/.well-known/openid-configuration`, in this case, the Base URL would be `https://accounts.google.com` (note the lack of a trailing slash). The part starting with `/.well-known` is added automatically, so it should be omitted from the Base URL. This is explained in more detail in the [Base URL](custom.md#base-url) section.
+
+In order to get the **Client ID** and **Client Secret** values, refer to the documentation of your custom provider of choice.
+
+When configuring your external OpenID provider, at some point you will need to provide a callback URL, which will redirect the user back to Defguard. This URL is in form of `<DEFGUARD_DASHBOARD_URL>/auth/callback`. Replace `<DEFGUARD_DASHBOARD_URL>` with the URL under which your dashboard is accessible, e.g. `https://defguard.example.com`. If you'd like to use OpenID enrollment through proxy too, make sure to enter an additional URI in the form of `<DEFGUARD_ENROLLMENT_URL>/openid/callback`.
+
+If you're having issues with your custom provider's base URL, check Defguard's (core) logs. It should say what URL it expected.

.gitbook/assets/image (60).png

@@ -42,40 +42,24 @@ This feature is currently limited to 500 Google Workspace members or groups. It
 This feature is available only in Defguard v1.2.0 and above
 {% endhint %}
 
-Defguard supports synchronization of users and groups state based on Google Workspace. The following things can be synchronized:
-
-* **User Groups**: Automatically create and assign user groups in Defguard to reflect them in Google Workspace.
-* **User Deletion**: Removing a user in Google Workspace can also remove them in Defguard.
-* **User Status**: Disabling a user in Google Workspace will disable them in Defguard.
-
-Defguard doesn't automatically create users based on the users in your Workspace. They will have to manually login to Defguard through your provider in order for their Defguard accounts to be created. Defguard is responsible only for synchronizing their later state.
+This documentation concerns only the Google directory synchronization. For more general information, see the [general directory synchronization guide](./#directory-synchronization).
 
 #### Directory synchronization configuration menu
 
 The menu can be found in Defguard settings by navigating to the "OpenID" tab.
 
 <figure><img src="../../../.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>
 
-The following configuration options are currently available in the directory synchronization menu:
-
-* **Synchronize (All/User/Group):** What to synchronize.
-  * **All** - synchronize both user state (disabled/enabled), their deletion and groups
-  * **User** - synchronize only user state (disabled/enabled) and whether they've been deleted
-  * **Group** - synchronize only user groups
-* **Synchronization interval (600s by default):** How often to synchronize with Google. Very low values may cause issues with Google API. Users are also synchronized on login.
+The following configuration options are currently available in the directory synchronization menu specifically for the Google provider:
 
-{% hint style="danger" %}
-If you want to delete your users based on the state of Google Workspace we recommend trying out the "disable" behavior first to make sure everything works as expected. Always backup your database regularly.
-{% endhint %}
-
-* **User behavior (Keep, Disable, Delete):** What to do with Defguard users not present in Google Workspace.
-* **Admin behavior (Keep, Disable, Delete):** What to do with Defguard users with admin status (in Defguard) who are not present in Google Workspace.
 * **Admin email:** The email of the Google Workspace admin user on whose behalf Defguard will call the Google API
-* **Service account in use:** The email of the Google service account which is currently used
+* **Service account in use:** The email of the Google service account that is currently used
+
+To learn more about the rest of the configuration options, see the [general directory synchronization guide](./#directory-synchronization).
 
 #### Directory synchronization setup
 
-1.  Navigate to [Service Accounts](https://console.cloud.google.com/iam-admin/serviceaccounts) in the Google cloud console\
+1.  Navigate to [Service Accounts](https://console.cloud.google.com/iam-admin/serviceaccounts) in the Google Cloud console\
 
 
     <figure><img src="../../../.gitbook/assets/image (49).png" alt=""><figcaption></figcaption></figure>

.gitbook/assets/image (61).png

@@ -30,18 +30,49 @@ Make sure the Redirect URL you insert here is correct. Replace `defguard.example
 
 13. Now you should be good to go. A new login button should appear on the login screen.
 
-#### Custom OpenID provider
+### Directory synchronization
+
+{% hint style="info" %}
+This feature is available only in Defguard 1.2.1 and above
+{% endhint %}
 
 {% hint style="warning" %}
-Defguard supports custom providers that allow a **code** response type in the OpenID authorization flow.
+This feature is currently limited to 999 Microsoft Entra ID members or groups. It may not work correctly if you have more members than that. If this limit is an issue, report it on our GitHub.
 {% endhint %}
 
-You can also configure a custom OpenID provider. The key thing here is setting up the **Base URL** correctly. This URL is used to discover all the endpoints required for the authorization flow.
+Defguard supports synchronizing groups' and users' states based on your Microsoft directory.
+
+Make sure to check the [general guide to directory synchronization](./#directory-synchronization) to learn more about the available configuration options.
+
+#### Setup
+
+1. Go back to your app registrations in Microsoft Entra ID and select the app you registered during the provider setup.
+2.  Navigate to API permissions\
+
+
+    <figure><img src="../../../.gitbook/assets/image (58).png" alt=""><figcaption></figcaption></figure>
+
+
+3.  Click "Add a permission", then select "Microsoft Graph"\
+
+
+    <figure><img src="../../../.gitbook/assets/image (59).png" alt=""><figcaption></figcaption></figure>
+
+
+4.  Select "Application permissions", as Defguard will perform the synchronization in the background.\
+
+
+    <figure><img src="../../../.gitbook/assets/image (60).png" alt=""><figcaption></figcaption></figure>
+
+
+5. Assign the following permissions:
+   * `GroupMember.Read.All`
+   * `Group.Read.All`
+   * `User.Read.All`
+6.  Now grant admin consent for the permissions using the "Grant admin consent for" button\
 
-The easiest way of obtaining the Base URL is finding out what is the OpenID `.well-known` URL of your provider. For example, for Google it's `https://accounts.google.com/.well-known/openid-configuration`, in this case, the Base URL would be `https://accounts.google.com` (note the lack of a trailing slash). The part starting with `/.well-known` is added automatically, so it should be omitted from the Base URL. This is explained in more detail in the [Base URL](microsoft.md#base-url) section.
 
-In order to get the **Client ID** and **Client Secret** values, refer to the documentation of your custom provider of choice.
+    <figure><img src="../../../.gitbook/assets/image (61).png" alt=""><figcaption></figcaption></figure>
 
-When configuring your external OpenID provider, at some point you will need to provide a callback URL, which will redirect the user back to Defguard. This URL is in form of `<DEFGUARD_DASHBOARD_URL>/auth/callback`. Replace `<DEFGUARD_DASHBOARD_URL>` with the URL under which your dashboard is accessible, e.g. `https://defguard.example.com`. If you'd like to use OpenID enrollment through proxy too, make sure to enter an additional URI in the form of `<DEFGUARD_ENROLLMENT_URL>/openid/callback`.
 
-If you're having issues with your custom provider's base URL, check Defguard's (core) logs. It should say what URL it expected.
+7. You should be good to go now. Navigate to the directory sync settings in Defguard and try to test your setup using the test connection button.