Microsoft Entra ID - FAQ

Import, activation and deactivation of the integration

Q:	Should Microsoft Entra ID be activated before or after importing employees?
A:	Microsoft Entra ID does not affect employees but only synchronizes users/calendars. Therefore, the employee must be created with the same company email as in Microsoft Entra ID before Microsoft Entra ID is set to synchronize users to Emply People. Otherwise, the user in Microsoft Entra ID and Emply People will not be connected.
Q:	Is it subsequently possible to add more Entra ID groups to integration, and can a user have several Entra ID group membership?
A:	Yes. If you wish to give more roles to a user, you can connect different Entra ID groups with each their own role, for example, Employees, Managers, etc. It is required that Synchronize roles is activated in the integration.
Q:	What happens if I remove the Microsoft Entra ID integration?
A:	The calendar synchronization stops, the Outlook events will no longer be visible in Emply People after next synchronization, new users connected to an Entra ID group will not be created in Emply People. If you have configured Emply People to update Microsoft Entra ID users, this will stop.

Tenants

1.	Can I integrate multiple tenants?
	No, it is only possible to integrate one tenant, but it is possible to have multiple domains in one tenant.

Hybrid setup

1.	What is a hybrid setup?
	Many of our customers have a hybrid setup, which means that they have their Entra ID installed on a server on-prem, but synchronize data to Microsoft Entra ID in the cloud. In other words, they run both on-prem and in the cloud and this is called hybrid Microsoft Entra ID. The customer started out with an on-prem Entra ID, but in order to access newer features in Microsoft Entra ID, they have chosen to synchronize data to the cloud. Some will eventually switch completely to the cloud (Microsoft Entra ID), but it can be a major process to get started.
2.	Can I use the Microsoft Entra ID integration when I have a hybrid setup?
	It is possible to set up the integration, but it can only synchronize data from Microsoft Entra ID to Emply People. This means that the three extra options (create, update, delete) are not possible to enable. If the calendar is synchronized to the cloud, it is possible to enable this in the integration.

Creation of users

Can I manually create users and will this be impacted by user synchronization?

Yes, you can. If a user has the same username or the same e-mail it will automatically connect to Microsoft Entra ID's user and be synchronized.

External users that are not part of the connected Microsoft Entra ID can be created in Emply People.

Why do the users not receive the expected roles, but only a single one?

Synchronize roles must be activated in the Microsoft Entra ID integration from Emply People and the Entra ID user must be part of the configured Entra ID groups.

Skærmbillede 2024-07-18 kl. 10.58.01.png

Can we add guest users (B2B) in Entra ID?

Yes, if a user does not have an email address with the company’s domain, you can invite them as a guest user in Entra ID. This is a standard part of Microsoft Entra’s B2B collaboration model. Guest users can have any email address (e.g., @gmail.com, @partnercompany.dk). Once they are added as a guest, they can:

Sign in using their own identity (Microsoft, Google, etc.)
Be assigned to groups
Access applications via SSO

When a guest user is created in your Entra ID tenant, you can:

Add them manually to a security group.
Use dynamic groups (with limitations – dynamic groups do not support guests in the same way as regular users).
Use PowerShell, the portal, or Graph API to manage this programmatically.

Can guest users access system through single sign-on (SSO)?

Yes, assuming the system the guest user need to access supports guest users in your Entra ID tenant, and the relevant groups are linked to access management (e.g., via an Enterprise App), they will be able to sign in using SSO.

Profile pictures

1.	How does the synchronization of profile pictures from Microsoft Entra ID to Emply People work?
	he profile picture can only synchronize from Microsoft Entra ID to Emply People on users that are not connected to an employee, as it is the employee who controls the user, once they are connected. If changes need to be made to, for example, the user's master data, this must be done on the employee profile in Emply People.
2.	Is it possible to have the profile pictures synchronize between Emply People and Microsoft Entra ID?
	No, it is not possible. If you only want the profile picture to upload and connect the picture to Emply People, you can use Emply People's API instead. Here it can also push the image from Emply People, through the API and into the Entra ID.

Calendars

How do I synchronize the calendar with Microsoft 365?

In the integration setup you must activate synchronization of the calendar. When the synchronization is activated the data can be used in Emply People's calendar functionality. Additionally, Emply People can create events in the Microsoft 365 calendar.

Why is Emply People not synchronized with the calendar of a user?

Check if the calendar is deactivated under the relevant user.

Skærmbillede 2024-07-18 kl. 12.54.14.png

Synchronization must be enabled.

Once enabled, the integration will add all Entra ID calendars where the Entra ID user has editing rights or higher to Emply People automatically. The Entra ID user's own default calendar will be added without the Disable button but all additional calendars will be added with the "Disable/Enable" buttons.

Additional calendars will be added to Emply People as Disabled by default. If a user wishes to enable event synchronization to one of these calendars, they must click the Enable button in their user settings.

Sync and update of users between Microsoft Entra ID and Emply People

How do I ensure that the Microsoft Entra ID user synchronizes with the user profile in Emply People?

Emply People files user and employee connected to an e-mail address, therefore the two e-mails must be identical.

How often is Microsoft Entra ID synchronized?

The Entra ID is synchronized every 30 minutes.

What happens to a synchronized user when it is removed from the Entra ID group?

It is deactivated in Emply People and can be found under deactivated users.

What happens if I remove a Entra ID group from the Microsoft Entra ID integration?

If Syncronize roles is enabled, special roles that have been configured for the removed group will no longer be updated.

Emply People updates data in Microsoft Entra ID. How can this be avoided?

This is caused by an option in the Microsoft Entra ID integration set up that has been activated to allow Emply People to update data in Microsoft Entra ID. In this case you need to remove the check mark and Save to avoid updates from Emply People in the future.

Skærmbillede 2024-07-18 kl. 10.58.011.png

What is the logic applied with the Synchronize roles toggle after first sync?

When the Synchronize role toggle is enabled, the system will apply the following logic, based on two different cases:

the user has an employee profile
the user does not have an employee profile

Example 1. Example

Your platform has the following roles in Emply People:

Employee role that is mapped to Microsoft Entra ID group Employee
HR role that is mapped to Microsoft Entra ID group HR
Manager role that is not mapped to any Microsoft Entra ID group
New employee role that is not mapped to any Microsoft Entra ID group currently

User Ray Ross is part of the Microsoft Entra ID group Employee and HR. In Emply People he has the roles Employee, HR, Manager, and he has an employee profile in Emply People.

User Megan Jordan is part of the Microsoft Entra ID group Employee, and HR. In Emply People she has the roles Employee, HR, Manager. and she does not have an employee profile in Emply People.

Ray Ross case

For user Ray Ross, the roles will not be synced through the integration. If the user has an employee profile, the only thing that can be done through sync is modifying the status of the user (active / not active).

Megan Jordan cases

IF user Megan Jordan is part of the Entra ID groups Employee and HR, and has roles Employee, HR and Manager in Emply People, the system will not update any role, as the roles she has in Emply People match the groups she is part of in Entra ID.

Result: After synchronization roles will not change: Megan Jordan will still have roles Employee, HR and Manager.

IF user Megan Jordan is removed from the Entra ID group HR, the sync will not change the roles for the user in Emply People. The HR role in Emply People will simply be considered to be a role as the Manager one for her.

Result: After synchronization roles will not change: Megan Jordan will still have roles Employee, HR and Manager.

IF we remove roles Employee and HR in Emply People from user Megan Jordan, but she is still part of the Entra ID groups HR and Employee, the sync will update the user in Emply People with the roles matching the Entra ID groups, and remove the extra role that is not mapped to Entra ID.

Result: After synchronization roles will be updated to the ones matching the Entra ID groups: Megan Jordan will therefore have roles Employee, HR and will lose the role Manager.

IF we change the mapping of Entra ID Group Employee in Emply People to match another Emply People role called New employee, the sync will change the roles for Megan Jordan to match the new mapping.

Result: After synchronization roles will be changed according to the new mapping: Megan Jordan will therefore have roles New Employee, HR and Manager.

Why is there an error in synchronization of users?

When connecting an employee profile in Emply People with a user in Microsoft Entra ID, you must create an account for the employee first. So long as the e-mail used for the two users is identical, they should be connected automatically.

Why are users in Emply People being deactivated?

There can be multiple reasons as to why the connection between Entra ID and Emply People is being interrupted:

The Entra ID user has moved out of the connected Entra ID group(s)
The connected Entra ID group is shut down
The Microsoft Entra ID Tenant has changed
The user domain has been changed

Emply People users with administrator roles are not updated via role synchronization?

This is by design in Emply People so that access to administrators are not unintentionally removed on accident. Should there be a need to remove the administrator role, it must be done through another user with administrator-like access. This covers only the role itself, not the user.

10.

Why is the Emply People user not updated when the connected Microsoft Entra ID user changes information?

Microsoft Entra ID integration is not supported by the updates from Microsoft Emply PeopleEntra ID to . The integration is a one-time sync from Microsoft Entra ID to Emply People and simply creates a user but cannot update it. This is because the employee profile in Emply People is in control of the data, and therefore overwrites changes from Microsoft Entra ID. The updates can occur from Emply People to Microsoft Entra ID.

11.

Why is it not possible to update Microsoft Entra ID users from Emply People?

This can be due to a hybrid Entra ID, where Entra ID OnPrem updates Microsoft Entra ID. Please be aware that MS does not allow transfer to Microsoft Entra ID.

Delete users

1.	How do the rules for deletion of users work?
	By removing a user from Microsoft Entra ID, the Emply People user is deactivated.
	By allowing Emply People to delete the Microsoft Entra ID user, the Microsoft Entra ID user is moved to deleted users in Microsoft Entra ID.
2.	I have deleted a user in Microsoft Entra ID, but the user still exists under Active in Emply People. How can this be?
	If an employee resigns or is terminated, you must remember to enter a resignation date for the employee in Emply People so that the employee is moved to Pending and then Archived when you reach the resignation date.

External users

1.	Can I create users in Emply People, that is not part of a Microsoft Entra ID group?
	Yes, it is possible to have eg. external users created in Emply People that are not part of the synced Entra ID groups. To avoid that these users are created in Entra ID, you must disable create in the integration settings.