If your organization uses Microsoft Entra (previously Azure) as well as Employee Email, you have the option to sync user information from your Microsoft Entra ID instances to your list of Employee Email contacts.
You can also sync Workday users as Employee Email contacts.
- Your synced contact information is updated automatically on a regular schedule.
- Use your imported contacts to build custom distribution lists in the web app.
- Optionally, sync your organization's existing Microsoft Entra synced distribution lists directly from your Microsoft Entra ID instances.
- You can set up multiple integrations with Microsoft Entra to sync different collections of user data to Employee Email or sync from different instances within your organization.
Note: This functionality is only available if you send emails directly from the Employee Email web app. This article is not relevant if you have installed an add-in or extension and you send tracked emails from your email client.
If you have the Staffbase App/Intranet integrated with Employee Email, the most efficient way to set up your contacts is by creating users in your App/Intranet, and then configuring how your employees are synced as email contacts.
Prerequisites
- You have an Employee Email account with the required access enabled.
Staffbase recommends using an Admin or Parent Admin account.
Note: If enabled, new Feature Access settings allow users to Create and edit integrations while restricting their ability to Edit field mapping and exclusions.
A user must have both permissions to connect Employee Email to Microsoft Entra.
Contact Staffbase Support or your Customer Success Manager for details.
- Your organization has a Microsoft Entra environment.
Note: If your organization currently uses an on-premises (on-prem) version of Microsoft Entra ID, you can still sync your user accounts to Employee Email via Microsoft Entra Connect Sync (previously Azure AD Connect), a tool provided by Microsoft for free as part of your Microsoft Entra subscription that enables you to sync identity data between your on-prem environment and the Microsoft Entra cloud.
- You have a Microsoft Entra account to maintain the sync.
Staffbase recommends using a service account with a Cloud Application Administrator role rather than an individual user's account. Once the enterprise application is created and the user has access, the Cloud Application Administrator rights are no longer necessary and can be set to Default.
Connecting Employee Email to Microsoft Azure AD
- In a new Incognito or Private browser window, sign into the Employee Email web app.
- Navigate to Contacts > Import.
- Click the Azure tile.
- Enter a name you want to use to recognize the instance of the application. In this example, we use "Azure AD".
- Click Create.
A success message displays, confirming that your integration has been created.
- Click Connect Active Directory.
- Ensure that your browser allows pop-ups from your Employee Email web app.
A new dialog opens, prompting you to sign in with Microsoft OAuth credentials.
- Staffbase recommends using a service account with a Cloud Application Administrator role. Sign in with these Cloud Application Administrator credentials to maintain the sync.
- Accept the permissions requested for Azure AD. Your integration displays as Connected. For more information, see the Microsoft documentation.
- Next.
- Click the Active Assignments tab to see the Cloud Application Administrator role.
Creating an Enterprise application
- In the Microsoft Entra admin center as a Cloud Application Administrator, navigate to Identity > Applications > Enterprise applications > All applications.
- Select New application.
- Enter a name for the application.
- Click Create.
Assigning a User Account
- In the Microsoft Entra admin center as a Cloud Application Administrator, navigate to Identity > Users and Groups and select Add User.
- Search for Azure AD Integration and select it.
Review Permissions
- Navigate to Identity > Applications > Enterprise applications > All applications.
- Select the enterprise application that you want to restrict access to.
- Select Permissions.
- Select the User consent tab and ensure the following permissions for Microsoft Graph are set:
  - Directory.Read.All
  - openid
  - offline_access
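The permission review above can also be done against the grant data itself. The following is an added example, not Staffbase or Microsoft code: it compares delegated grants, shaped like the response of Microsoft Graph's `GET /v1.0/oauth2PermissionGrants` filtered by `clientId`, with the three permissions listed on this page. The sample response, the placeholder IDs, and the function name `audit_grants` are constructed for illustration, and every sample grant is assumed to target Microsoft Graph.

```python
import json

# Delegated Microsoft Graph permissions this page lists for the integration.
EXPECTED_SCOPES = frozenset({"Directory.Read.All", "openid", "offline_access"})

# Constructed sample shaped like an oauth2PermissionGrant list response.
# All IDs are placeholders, not real object IDs.
SAMPLE_GRANTS = json.loads("""
{"value": [
  {"id": "grant-1", "clientId": "sp-employee-email",
   "consentType": "AllPrincipals", "principalId": null,
   "resourceId": "sp-microsoft-graph",
   "scope": "Directory.Read.All openid offline_access"},
  {"id": "grant-2", "clientId": "sp-employee-email",
   "consentType": "Principal", "principalId": "user-svc-sync",
   "resourceId": "sp-microsoft-graph",
   "scope": " openid offline_access Directory.ReadWrite.All Mail.Send"},
  {"id": "grant-3", "clientId": "sp-other-app",
   "consentType": "AllPrincipals", "principalId": null,
   "resourceId": "sp-microsoft-graph", "scope": "User.Read"}
]}
""")


def audit_grants(grants, client_id, expected=EXPECTED_SCOPES):
    """Return one finding per delegated grant held by client_id."""
    findings = []
    for grant in grants.get("value", []):
        if grant.get("clientId") != client_id:
            continue  # grant belongs to a different enterprise application
        # "scope" is a space-separated string and may carry a leading space.
        granted = set((grant.get("scope") or "").split())
        findings.append({
            "id": grant.get("id"),
            # "AllPrincipals" = admin consent for everyone, "Principal" = one user
            "consentType": grant.get("consentType"),
            "principalId": grant.get("principalId"),
            "unexpected": sorted(granted - expected),
            "missing": sorted(expected - granted),
        })
    return findings


if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS, "sp-employee-email"):
        status = "OK" if not (f["unexpected"] or f["missing"]) else "REVIEW"
        print(status, f["id"], f["consentType"], f["unexpected"], f["missing"])
```

A grant with entries under `unexpected` holds more than the read-only directory access this page describes and is the one to review first.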
Accessing the Directory
To interact with the directory, we go through two different Microsoft Graph endpoints (one for users, one for groups).
- List users - Microsoft Graph v1.0 - Retrieve a list of user objects.
- List groups - Microsoft Graph v1.0 - List all the groups available in an organization.
This includes but is not limited to Microsoft 365 Groups.
Importing Distribution Lists from Your Microsoft Entra ID
Optionally, choose existing Microsoft Entra distribution lists to import into Employee Email. All your organization's Microsoft 365 Groups and mail-enabled security groups will be available to select.
If your organization has more than one thousand groups available, you are prompted to use the Bulk Selector and upload a CSV file containing only the Display Name of each list you want to sync. Do not include a header row in this spreadsheet.
Mapping Your Microsoft Entra ID Fields
The Map fields tab opens, and employee attributes stored in your Microsoft Entra ID, like names, titles, office locations, etc., are auto-populated under the Imported Field section.
Attributes are the characteristics that differentiate one recipient from another, which enable you to segment your audience and target your communications to specific groups.
- From the dropdown menu corresponding to each value, select a field name to map the attributes from your Microsoft Entra ID to fields in Employee Email.
Tip: Some fields are mapped automatically but can be adjusted based on your preference. Optionally, select Skip this field for any of your imported fields except the Unique Contact ID, which defaults to Email.
Employee Email also exposes your Microsoft Entra ID custom attributes (1-15). When syncing or mapping contact data, you are prompted to decide whether to map or skip these fields.
If no option in the dropdown matches your imported field(s), create a new Text, Number, or Date field.
- Optionally, find and import additional custom fields from your Microsoft Entra ID.
You must know which fields you want to import. A Microsoft Entra ID Global Admin in your organization must help you find the Field unique ID(s) for these fields.
Excluding Contacts From Syncing
Optionally, create filters to exclude some categories of Microsoft Entra ID contacts from your import.
For example, exclude employees currently on leave with an Inactive status or belonging to a division that does not need to receive communication emails.
Note: The manually typed values must match those used in your Microsoft Entra ID.
The fields are case-sensitive.
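Because an exclusion value that differs only in case or spacing matches nothing, the contacts it was meant to exclude are still synced. The following added example (not part of the Employee Email product) checks typed exclusion values against the values actually present in a directory export before they are entered. The function name, the sample field values, and the idea of working from an export are assumptions made for illustration.

```python
import unicodedata


def _loose(value):
    """Normalize Unicode form, surrounding whitespace and case for comparison."""
    return unicodedata.normalize("NFKC", value).strip().casefold()


def check_exclusion_values(typed_values, directory_values):
    """Classify each typed value as 'exact', 'near-miss' or 'no-match'.

    'near-miss' means the value would match only if case or surrounding
    whitespace were ignored, so a case-sensitive filter would not apply it.
    """
    present = set(directory_values)
    by_loose = {}
    for value in present:
        by_loose.setdefault(_loose(value), []).append(value)

    report = {}
    for typed in typed_values:
        if typed in present:
            report[typed] = ("exact", [typed])
        elif _loose(typed) in by_loose:
            # Offer the exact directory spelling(s) to copy into the filter.
            report[typed] = ("near-miss", sorted(by_loose[_loose(typed)]))
        else:
            report[typed] = ("no-match", [])
    return report


# Constructed sample: distinct values of one attribute taken from an export.
SAMPLE_DIRECTORY_VALUES = ["Active", "Inactive", "On Leave"]
SAMPLE_TYPED_VALUES = ["Inactive", "inactive ", "on leave", "Contractor"]

if __name__ == "__main__":
    result = check_exclusion_values(SAMPLE_TYPED_VALUES, SAMPLE_DIRECTORY_VALUES)
    for typed, (status, candidates) in result.items():
        print(repr(typed), status, candidates)
```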
Completing and Confirming Your First Sync
- Click Sync to import your contact data and complete the configuration.
A new page displays, showing a progress bar for your import.
Note: The import process usually takes 10-30 minutes but may require several hours for a very large organization. It cannot be stopped or restarted. You can navigate the Employee Email web app while you wait. This will not disrupt the import.
- Navigate to Contacts > Directory to view your imported data.
The All Contacts list opens.
- Click Distribution Lists to view any lists you have imported.
These distribution lists will be updated automatically each time your Microsoft Entra users are synced to Employee Email.
To change them, go to your Microsoft Entra ID, not to the Employee Email web app.
- To check for and fix any potential errors with your import, navigate to Sources > Integrations.
Editing or Deleting a Synced Microsoft Entra ID Instance
- In the Employee Email web app, navigate to Contacts > Sources > Integrations.
- Click the three dots next to an integration.
Any Employee Email user with the required access enabled can manually sync Microsoft Entra ID contacts from the integration you created or edit its field mappings.
Note: If enabled, new Feature Access settings allow users to Create and edit integrations while restricting their ability to Edit field mapping and exclusions.
Both permissions are required for a user to connect Employee Email to Microsoft Entra ID.
Ask Staffbase Support or your Customer Success Manager for details.
When syncing or mapping contact data, Employee Email will also expose your Microsoft Entra ID custom attributes (1-15). You will be prompted to decide whether to map or skip these fields.
Only the Employee Email account configuring an integration, or a Parent Admin, can delete that integration.
Unless they are removed from Microsoft Entra ID or excluded from syncing, these contacts will appear in the web app again after the next sync.