
How do I set up AD Sync?

If your organization uses Azure Active Directory (AD), you can register an application in the Azure portal that allows Hook Security to sync with your directory.

You will create an application registration in your AD, assign the proper API permissions, then share the application credentials via SendSafely to Hook Security. After doing so, Hook Security will be able to connect to your AD and import your AD's groups and users.

Registering the Application

To start, navigate to the Azure portal and sign in. Once signed in, click the hamburger menu in the top-left of the portal and click Azure Active Directory. After navigating to Azure Active Directory, click App registrations in the navigation menu on the left-hand side.

azure-menu.PNG                  directory-menu.PNG

Once in the App Registrations window, click the New registration button, located on the top of the window.

new-registration.PNG

This will open the application registration wizard. Give the application a name, and select the 'Accounts in this organization directory only' option under the 'Supported account types' section, then click the 'Register' button on the bottom left-hand side of the wizard. A Redirect URI is not required.

registration-wizard-1.PNG

Assigning Permissions

Once the application has been created you will be redirected to its Overview page. Note the Application (client) ID and Directory (tenant) ID. Hook Security will need both, along with a client secret, in order to connect to the directory. Next, give the application API permissions: click the View API permissions button under the 'Call APIs' section, or the 'API permissions' link in the navigation menu on the left-hand side.

view-api.PNG

After navigating to the API permissions page, click the Add a permission button, located above the permissions table. You will be asked to select an API; select Microsoft Graph.

add-permission.PNG

ms-graph.PNG

The application will require specific delegated permissions and application permissions. First, select Delegated permissions.

permission-type.PNG

The delegated permissions required are as follows:

  • Directory.Read.All
  • email
  • Group.Read.All
  • GroupMember.Read.All
  • profile
  • User.Read
  • User.Read.All
  • User.ReadBasic.All

Click the respective check boxes for each permission above, then click 'Add permissions', located at the bottom of the Request API permissions form, to add the permissions to the application.

After adding the Delegated permissions, the Application permissions must be added. Click the 'Add a permission' button, then select Microsoft Graph, then 'Application permissions'.

The application permissions required are as follows:

  • Directory.Read.All
  • Group.Read.All
  • GroupMember.Read.All
  • User.Read.All

Once again, click the 'Add permissions' button. After being redirected back to the application's API permissions page, administrator consent must be granted before the application can use the selected permissions. Because the list includes Microsoft Graph application permissions, the account granting consent must hold the Global Administrator or Privileged Role Administrator role; the Application Administrator and Cloud Application Administrator roles can consent to delegated permissions but not to Microsoft Graph application permissions. If the logged-in user has the proper role, click the Grant admin consent button on the application's API permissions page.

admin-consent.PNG

You will be asked to confirm; click 'Yes' to continue. If the permissions are granted successfully, a green check mark and 'Granted for <your tenant>' are displayed in the 'Status' column for each permission. Any permission still showing 'Not granted' will cause the sync to fail, so resolve those before continuing.

Credentials

Next, collect the credentials Hook Security needs to connect. Hook Security requires three distinct values in order to connect to your AD: the Application (client) ID, the Directory (tenant) ID, and a client secret.

IDs

The Application ID and Directory ID are displayed in the Overview tab of the application page. Click the Overview link in the navigation menu on the left-hand side.

overview-link.PNG

The Application ID and the Directory ID will be displayed at the top of the page below the application's display name.

ids.PNG

Client Secret

Click the Certificates & secrets link in the navigation menu on the left-hand side of the Azure portal.

certs-secrets.PNG

Under the Client secrets section, click the 'New client secret' button.

new-secret.PNG

You will be prompted to give the secret a description and select an expiry period.

  • NOTE: Every client secret expires; the portal lets you choose how long it lives (up to 24 months). Pick a period that matches your credential rotation policy, and before it expires generate a new secret and send it to Hook Security through the same process so the integration can be reconfigured without interruption.

After the secret is generated, copy its Value immediately (not the Secret ID, which is only a label). The value is shown only once: if you navigate away from the page it is permanently obscured and cannot be copied again. If you miss it, simply generate another secret and delete the unused one. Treat the value like a password: store it only in an approved secrets manager and never paste it into tickets, chat, or ordinary email. Keep in mind that if the secret entered in Hook Security is deleted from the application registration or expires, the integration will have to be reconfigured.

secret-key.PNG

Now that you have configured the application and have the two IDs and the secret at hand, your Azure AD can be integrated with Hook Security.
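Before handing the secret over, it is worth confirming that the registration actually works as intended. Hook Security connects with only the three values above and no signed-in user, which is the OAuth 2.0 client-credentials flow: the token it receives carries the consented application permissions in its roles claim, and any permission that was added but never admin-consented is simply absent from that claim. The script below is an added example (not Hook Security's code) that performs that exchange against the v2.0 token endpoint, checks the roles claim against the four application permissions listed in this article, and then reads the first page of groups. It assumes the IDs and secret are supplied in environment variables named AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET (names chosen for this example) and uses only the Python standard library.

```python
"""Verify an AD Sync app registration: token exchange, consent check, group read.

Added example, not Hook Security's code. Environment variable names
(AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET) are assumptions.
"""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

# Application permissions this article asks you to add and admin-consent.
REQUIRED_APP_ROLES = {
    "Directory.Read.All",
    "Group.Read.All",
    "GroupMember.Read.All",
    "User.Read.All",
}

GRAPH = "https://graph.microsoft.com"


def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials request for the v2.0 token endpoint.

    No user signs in, so only *application* permissions (the token's
    'roles' claim) apply; delegated permissions play no part here.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{GRAPH}/.default",  # .default = every consented app permission
    }).encode()
    return url, body


def decode_jwt_payload(token):
    """Return the claims of a JWT *without* verifying its signature.

    Fine for inspecting a token we just received over TLS from the issuer;
    never use this to trust a token presented by some other party.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_app_roles(claims, required=REQUIRED_APP_ROLES):
    """Required application permissions absent from the token's 'roles' claim.

    An absent role means the permission is missing from the registration
    or admin consent was never granted for it.
    """
    granted = set(claims.get("roles", []))
    return sorted(required - granted)


def graph_get(access_token, path):
    """GET a Microsoft Graph v1.0 path with the bearer token."""
    req = urllib.request.Request(
        f"{GRAPH}/v1.0{path}",
        headers={"Authorization": f"Bearer {access_token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def main():
    tenant = os.environ["AZURE_TENANT_ID"]
    client = os.environ["AZURE_CLIENT_ID"]
    secret = os.environ["AZURE_CLIENT_SECRET"]

    url, body = token_request(tenant, client, secret)
    req = urllib.request.Request(url, data=body)  # POST because data is set
    with urllib.request.urlopen(req, timeout=30) as resp:
        token = json.load(resp)["access_token"]

    missing = missing_app_roles(decode_jwt_payload(token))
    if missing:
        print("admin consent not granted for:", ", ".join(missing))
        sys.exit(1)

    # A light read that exercises Group.Read.All: first five groups.
    groups = graph_get(token, "/groups?$select=id,displayName&$top=5")
    for g in groups["value"]:
        print(g["id"], g["displayName"])


if __name__ == "__main__":
    main()
```

If the script reports a missing role, go back to the API permissions page and check the Status column for that permission; a wrong tenant ID or a mistyped secret shows up earlier, as an HTTP 400/401 from the token endpoint rather than as a missing role. Run it from a machine where the secret is already stored securely, not by pasting the secret on the command line where it lands in shell history.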


Sharing Information with Hook Security

Once the steps above have been completed, have your Application (client) ID, Directory (tenant) ID, and client secret readily available. Let your Client Success Manager (support@hooksecurity.co) know you are ready to complete the AD Sync, and they will provide an encrypted SendSafely link. Once the link is received, paste the Application ID, Tenant ID, and secret into the SendSafely message; do not send the secret in an ordinary email or chat. Also let us know which AD groups we are syncing.