Microsoft Security Group Synchronization
The Security Group feature allows customers to import employees directly from a specified Microsoft Security Group that includes all employees to receive WiseStamp signatures. Once implemented, this feature provides seamless import and synchronization of employees within the designated Security Group.
Feature details and requirements
- This feature is only available with Microsoft domains.
- This feature is available exclusively to ENTERPRISE customers.
- Customers need to create one security group containing every employee who is to receive WiseStamp signatures; WiseStamp syncs with this group to obtain employee information.
- The security group cannot use nested groups. Each employee must be a direct, explicitly named member of the group.
- This feature can be enabled during the trial by contacting a WiseStamp representative.
- If the plan changes to a non-enterprise plan after enabling this feature, a warning alert will appear. Should the downgrade proceed, sync settings will revert to their prior configuration (e.g., if the sync was by department, employees will again be synced by department).
Security Group synchronization configuration overview
The process to enable Security Group synchronization requires the following procedures:
- Customer grants WiseStamp the GroupMember.Read.All permission on the Microsoft server.
- Customer provides WiseStamp with the Microsoft Security Group ID for synchronization.
- WiseStamp enables the Security Group feature and enters the Security Group ID.
Grant WiseStamp permission
The process to grant WiseStamp the GroupMember.Read.All permission requires using Microsoft Graph to retrieve three values from your tenant and then granting the permission with a POST request that uses those values. The information required is as follows:
- Principal ID <PrincipalId>
- Service Principal Object ID <ServicePrincipalObjectId>
- Application Role ID <AppRoleId>
To retrieve the Principal ID:
This is retrieved from your WiseStamp for Outlook 365 application.
- Sign in to the Microsoft Entra (formerly known as Microsoft Azure) admin center.
- Go to Identity > Applications > Enterprise applications > All applications.
- Click the WiseStamp for Outlook 365 application.
- In the Properties section, the value for the Object ID is the Principal ID.
- Save this value for the POST request variable PrincipalId.
To retrieve the Service Principal Object ID:
This is retrieved using Microsoft Graph.
- Sign in to Microsoft Graph Explorer.
- Send a GET request to the following URL. The following link opens Microsoft Graph Explorer with this GET request:
https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appId+eq+'00000003-0000-0000-c000-000000000000'
- Run the query. The value for id at the beginning of the response is the Service Principal Object ID.
- Save this value for the POST request variable ServicePrincipalObjectId.
To retrieve the Application Role ID:
- In the same response from the previous procedure, search for GroupMember.Read.All.
- Find the section that includes the following:
"origin": "Application"
"value": "GroupMember.Read.All"
- In this section, the value for id is the Application Role ID.
- Save this value for the POST request variable AppRoleId.
To grant WiseStamp the GroupMember.Read.All permission:
- Sign in to Microsoft Graph Explorer.
- In Microsoft Graph Explorer, send a POST request to the following URL. The following link opens Microsoft Graph Explorer with this POST request:
https://graph.microsoft.com/v1.0/servicePrincipals/{PrincipalId}/appRoleAssignments
where {PrincipalId} is the value retrieved in the procedure To retrieve the Principal ID.
- In the request body, enter the following:
{
"principalId": "<PrincipalId>",
"resourceId": "<ServicePrincipalObjectId>",
"appRoleId": "<AppRoleId>"
}
Where:
- <PrincipalId> is retrieved from the procedure To retrieve the Principal ID.
- <ServicePrincipalObjectId> is retrieved from the procedure To retrieve the Service Principal Object ID.
- <AppRoleId> is retrieved from the procedure To retrieve the Application Role ID.
- Click Run Query to grant the permission.
- Once the request is successfully processed, you will receive a response with status code 201 Created, indicating that the permission was granted.
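The three lookups above are easy to get wrong by hand, because the Microsoft Graph service principal lists GroupMember.Read.All twice: once as an application role (under appRoles, with "origin": "Application") and once as a delegated scope (under oauth2PermissionScopes) with a different id. The following Python script is an added example, not WiseStamp's or Microsoft's code. It runs the same selection logic against a constructed copy of the servicePrincipals response, builds the exact POST body the article describes, and builds the matching GET on the same appRoleAssignments collection so an administrator can confirm afterwards that only the intended role was granted. Every GUID in it is a constructed placeholder, and send() is a hypothetical helper that needs a real admin token and network access; everything else runs offline.

```python
import json
import urllib.request
from typing import Any

# Microsoft Graph's own appId, as used in the article's GET request.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
GRAPH_BASE = "https://graph.microsoft.com/v1.0"
PERMISSION = "GroupMember.Read.All"

# Constructed sample of the /servicePrincipals?$filter=appId eq '...' response,
# trimmed to the fields read below. Every GUID here is a made-up placeholder.
SAMPLE_SP_RESPONSE = json.dumps({
    "value": [{
        "id": "11111111-1111-1111-1111-111111111111",  # plays the ServicePrincipalObjectId
        "appId": GRAPH_APP_ID,
        "displayName": "Microsoft Graph",
        "appRoles": [
            {"id": "aaaaaaaa-0000-0000-0000-000000000001", "value": "Group.Read.All",
             "origin": "Application", "allowedMemberTypes": ["Application"]},
            {"id": "aaaaaaaa-0000-0000-0000-000000000002", "value": PERMISSION,
             "origin": "Application", "allowedMemberTypes": ["Application"]},
        ],
        # The delegated scope reuses the same "value" string under a different id;
        # picking it by mistake does not grant the application permission.
        "oauth2PermissionScopes": [
            {"id": "bbbbbbbb-0000-0000-0000-000000000003", "value": PERMISSION,
             "type": "Admin"},
        ],
    }]
})


def graph_service_principal(response_text: str) -> dict[str, Any]:
    """Return the single service principal whose appId is Microsoft Graph's."""
    hits = [sp for sp in json.loads(response_text).get("value", [])
            if sp.get("appId") == GRAPH_APP_ID]
    if len(hits) != 1:
        raise LookupError(f"expected one Microsoft Graph service principal, got {len(hits)}")
    return hits[0]


def service_principal_object_id(response_text: str) -> str:
    """The value the article calls ServicePrincipalObjectId (resourceId in the POST)."""
    return graph_service_principal(response_text)["id"]


def app_role_id(response_text: str, permission: str = PERMISSION) -> str:
    """Id of the application role (origin Application), never the delegated scope."""
    roles = [r for r in graph_service_principal(response_text).get("appRoles", [])
             if r.get("value") == permission and r.get("origin") == "Application"]
    if len(roles) != 1:
        raise LookupError(f"expected one application role {permission!r}, got {len(roles)}")
    return roles[0]["id"]


def build_assignment_request(principal_id: str, response_text: str,
                             permission: str = PERMISSION) -> dict[str, Any]:
    """The POST from the article, with every field filled from the lookups above."""
    return {
        "method": "POST",
        "url": f"{GRAPH_BASE}/servicePrincipals/{principal_id}/appRoleAssignments",
        "body": {
            "principalId": principal_id,
            "resourceId": service_principal_object_id(response_text),
            "appRoleId": app_role_id(response_text, permission),
        },
    }


def build_verification_request(principal_id: str) -> dict[str, Any]:
    """GET listing what the principal has been granted, for checking after the POST."""
    return {"method": "GET",
            "url": f"{GRAPH_BASE}/servicePrincipals/{principal_id}/appRoleAssignments",
            "body": None}


def is_granted(assignments_response_text: str, resource_id: str, role_id: str) -> bool:
    """True if the verification response contains the intended assignment."""
    return any(a.get("resourceId") == resource_id and a.get("appRoleId") == role_id
               for a in json.loads(assignments_response_text).get("value", []))


def send(request: dict[str, Any], bearer_token: str) -> tuple[int, str]:
    """Hypothetical helper: send a built request with an admin token (needs network)."""
    data = None if request["body"] is None else json.dumps(request["body"]).encode()
    req = urllib.request.Request(request["url"], data=data, method=request["method"],
                                 headers={"Authorization": f"Bearer {bearer_token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    # Constructed PrincipalId (Object ID of the WiseStamp for Outlook 365 enterprise app).
    wisestamp_principal = "22222222-2222-2222-2222-222222222222"
    print(json.dumps(build_assignment_request(wisestamp_principal, SAMPLE_SP_RESPONSE), indent=2))
```

The printed request is what you paste into Graph Explorer. After the 201 Created, run the verification GET and pass its body to is_granted() with the resourceId and appRoleId you assigned; the assignment list for the WiseStamp principal should contain that one read-only role and nothing broader.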
Provide Security Group ID
WiseStamp requires the Security Group ID to synchronize all employees within the group. You can retrieve this information from your Microsoft Entra (formerly known as Microsoft Azure) admin center as follows:
- Sign in to the Microsoft Entra admin center.
- Go to Identity > Groups > All groups.
- Click the Security group you wish to sync. The overview of the Security Group is displayed.
- Copy the value for the Object ID. This is the Security Group ID.
- Send the Security Group ID to WiseStamp.
- Once WiseStamp receives this ID, they can enable the Security Group feature.