• You have an Employee Email account with the required access enabled
  Staffbase recommends using an Admin or Parent Admin account
  
  Note: Starting November 9, 2022, if enabled, new Feature Access settings let you allow users to Create and edit integrations while restricting their ability to Edit field mapping and exclusions.
  Both of these permissions are required for a user to connect Employee Email to Azure AD.
  Ask your Customer Success Manager for details.
• Your organization has an Azure AD environment
  
  Note: If your organization currently uses an on-premises (on-prem) version of Active Directory, you can still sync your user accounts to Employee Email via Azure AD Connect, a tool provided by Microsoft for free as part of your Azure subscription that enables you to sync identity data between your on-prem environment and the Azure cloud.
• You have an Azure AD account that can be used to maintain the sync
  Staffbase recommends using a service account rather than an individual user’s account
• You have the ability to approve access for the service account with Global Administrator credentials

1. In a new Incognito or InPrivate browser window, sign into the Employee Email web app.
2. Navigate to Contacts > Import.
3. Click the Azure tile.
4. Enter a unique title for your organization's Azure AD that will be easy to recognize later.
5. Click Create.
   A success message displays confirming that your integration has been created.
6. Click Connect Active Directory.
7. Ensure that your browser allows pop-ups from your Employee Email web app.
   A new dialog displays, prompting you to sign in with Microsoft credentials.
8. Sign in with the Azure AD account that will be used to maintain the sync.
   Staffbase recommends using a service account with Global Reader access.
   You are prompted for admin approval.
9. Sign in with Azure AD Global Administrator credentials.
   
   
   Note: If the prompt for admin approval does not display automatically, troubleshoot by starting again from step 1 and ensure you are using an Incognito or InPrivate browser window.
   Contact your Technical Onboarding Engineer or Onboarding Project Lead for further assistance.
   The Microsoft sign-in dialog closes and your integration displays as Connected.
   
   
10. Click Next to continue the import process.

When you sign into Azure AD through Employee Email, we are going through this process:
Get access on behalf of a user - Microsoft Graph

Authorization from a Global Admin is required to establish the Azure enterprise tile app in your environment and grant the following scopes to your service account:

Directory.Read.All
openid
offline_access

For interacting with the directory, we go through two different graph endpoints (one for users, one for groups), both using the access token we acquired from the first step.

• List users - Microsoft Graph v1.0 - Retrieve a list of user objects.
• List groups - Microsoft Graph v1.0 - List all the groups available in an organization.
  This includes but is not limited to Microsoft 365 Groups.
  

Optionally, choose existing Azure AD distribution lists to import into Employee Email. All of your organization's Microsoft 365 Groups and mail-enabled security groups will be available to select.

If your organization has more than one thousand groups available to choose from, you are prompted to use the Bulk Selector and upload a CSV file containing only the Display Name of each list that you want to sync. Do not include a header row in this spreadsheet.

The Map fields tab opens, and employee attributes stored in your Azure AD, like names, titles, office locations, etc., are auto-populated under the Imported Field section.

Attributes are the characteristics that differentiate one recipient from another, which enable you to segment your audience and target your communications to specific groups.

1. From the dropdown menu corresponding to each value, select a field name to map the attributes from your Azure AD to fields in Employee Email.
   Tip: Some fields are mapped automatically but can be adjusted based on your preference.
   Starting November 9, 2022, Employee Email will also expose your Azure AD custom attributes (1-15). When syncing or mapping contact data, you will be prompted to decide whether to map or skip these fields.
   Optionally, select Skip this field for any of your imported fields except the Unique Contact ID, which defaults to Email.
   If there is no existing option in the dropdown that matches your imported field(s), create a new Text, Number, or Date field.
   
   
2. Optionally, find and import additional custom fields from your Azure AD.
   You will need to know which fields you want to import. An Azure AD Global Admin in your organization will be required to help find the Field unique ID(s) for these fields.

Optionally, create filters to exclude some categories of Azure AD contacts from your import.

For example, exclude employees who are currently on leave with an Inactive status, or belong to a division that does not need to receive communication emails.

1. Click Sync to import your contact data and complete the configuration.
   A new page displays, showing a progress bar for your import.
   
   
   Note: The import process usually takes 10-30 minutes but may require a number of hours for a very large organization. It cannot be stopped or restarted.
   You are free to navigate around the Employee Email web app while you wait. This will not disrupt the import.
   
   
2. Navigate to Contacts > Directory to view your imported data.
   The All Contacts list opens.
3. Click Distribution Lists to view any lists you have imported.
   
   
   
   These distribution lists will be updated automatically each time your Azure AD users are synced to Employee Email. 
   If you want to make changes to them, do this in your Azure AD and not in the Employee Email web app.
4. To check for and fix any potential errors with your import, navigate to Sources > Integrations.
   
   

1. In the Employee Email web app, navigate to Contacts > Sources > Integrations.
   
   
2. Click the three dots next to an integration.

Any Employee Email user with the required access enabled can manually sync Azure AD contacts from the integration that you have created or edit its field mappings.

Only the Employee Email account that configured an integration, or a Parent Admin, can delete that integration.