Setup Guide: Automated User Management via Entra ID (formerly Azure AD)

Automated User Management via ActivTrak’s Entra ID integration simplifies account administration by leveraging your preferred system for user and group management. With the Entra ID integration, users and groups are automatically configured and updated in a single, centralized location within ActivTrak, eliminating the need for manual changes.

With Automated User Management, Admins can:

  • Create and delete Groups
  • Add users to the Do Not Track list
  • Add and remove users from Groups
  • Delete Users

ActivTrak’s Entra ID integration leverages the organizational information for groups and users stored in Entra ID. We recommend using top-level groups—one that defines your groups/members structure for ActivTrak users and another that contains groups/members to add to the Do Not Track list.

You can watch the video tutorial and read the details below to learn how to create and manage users and groups via the Entra ID integration.

Requirements

To leverage Automated User Management via the Entra ID integration in ActivTrak, you must meet specific requirements. They include:

  • A current ActivTrak paid plan
  • Admin role permissions in your ActivTrak account
  • One of the following identifiers in User Details for users to sync properly: UPN, email, or employeeID.
  • The user configuring the Entra ID integration should have the following roles:
    • Application Administrator
    • Directory Reader
Notes:
  • This integration will create an "Application" in Entra ID. If there are issues with connectivity or permissions, please ensure the Application has the following Application (not Delegated) permissions:
    • Application.Read.All
    • Directory.Read.All
    • Group.Read.All
    • GroupMember.Read.All
    • User.Read.All
    • User.ReadBasic.All
  • The above permissions list may differ from the defaults we configure, but has been vetted to ensure proper connectivity.
  • To update your Entra ID integration configuration and add a 'Delete' parent group name, or update any existing parent group names, delete the integration and re-enable it.
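
A way to check the permissions listed above when troubleshooting connectivity, as an added example that is not ActivTrak's code: it compares records exported from Microsoft Graph for the application's service principal with the list and reports permissions that are missing, granted only as Delegated, or outside the list. The function name, ids and sample records are constructed for illustration.

```python
# Added example (not ActivTrak code). All ids and records below are constructed.
REQUIRED = {
    "Application.Read.All", "Directory.Read.All", "Group.Read.All",
    "GroupMember.Read.All", "User.Read.All", "User.ReadBasic.All",
}

def audit_permissions(graph_sp, app_role_assignments, delegated_grants):
    """Compare what the application was granted on Microsoft Graph with REQUIRED.

    graph_sp: the Microsoft Graph service principal object (needs id, appRoles)
    app_role_assignments: value[] of GET /servicePrincipals/{id}/appRoleAssignments
    delegated_grants: value[] of GET /servicePrincipals/{id}/oauth2PermissionGrants
    """
    names = {r["id"]: r["value"] for r in graph_sp["appRoles"]}
    # Application permissions are app role assignments on the Graph resource.
    granted = {
        names.get(a["appRoleId"], a["appRoleId"])
        for a in app_role_assignments
        if a["resourceId"] == graph_sp["id"]
    }
    # Delegated permissions are stored as a space-separated scope string.
    delegated = {s for g in delegated_grants for s in (g.get("scope") or "").split()}
    missing = REQUIRED - granted
    return {
        "missing": sorted(missing),
        "delegated_only": sorted(missing & delegated),  # granted as the wrong type
        "extra": sorted(granted - REQUIRED),  # review: defaults may differ from the list
    }

# Constructed sample data shaped like Microsoft Graph responses.
GRAPH_SP = {
    "id": "sp-graph",
    "appRoles": [{"id": "role:" + v, "value": v}
                 for v in sorted(REQUIRED | {"Group.ReadWrite.All"})],
}
ASSIGNMENTS = [
    {"resourceId": "sp-graph", "appRoleId": "role:" + v}
    for v in ("Application.Read.All", "Directory.Read.All", "Group.Read.All",
              "User.Read.All", "User.ReadBasic.All", "Group.ReadWrite.All")
]
DELEGATED = [{"consentType": "AllPrincipals", "scope": "GroupMember.Read.All User.Read"}]

if __name__ == "__main__":
    for key, values in audit_permissions(GRAPH_SP, ASSIGNMENTS, DELEGATED).items():
        print(f"{key}: {values}")
```
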

Setup instructions

You will need to complete the following preparation activities within your Azure AD instance:

Create your ActivTrak groups

  1. Create a group that will contain your ActivTrak groups. This is your ActivTrak parent group.
  2. Within this group, initially set up 1-2 child groups with 5-10 total users. These are the groups that the integration will create. Ideally, these users will already have the ActivTrak Agent installed on their devices and be reporting data, allowing you to easily validate the users and groups you’re creating. Over time, you can progressively increase the number of desired groups and users.
  3. This solution supports both static and dynamic Security groups, allowing group nesting (where groups can be added as members of other groups). Microsoft 365 groups are not supported because they lack group nesting functionality.

Create your Do Not Track groups

  1. Create a group containing users you do not wish to track in ActivTrak. This will be your Do Not Track parent group.
  2. Within this group, set up 1-2 child groups of approximately 2-3 additional users to add to the Do Not Track list, so you can easily validate the users you have added. Over time, you can progressively increase your desired number of groups and users under the Do Not Track parent group.
  3. Note: Users in the DNT group will be moved to the DNT list but will remain under User Agents and continue to consume a license. They will appear in both Settings > Users & Groups > Do Not Track and Settings > Users & Groups > User Agents. This is ideal for users who should no longer be tracked but whose historical data needs to remain in ActivTrak.

Create your Delete groups

  1. Create a group that contains the users you wish to delete in ActivTrak. This will be your 'Delete' parent group.
  2. Within this group, set up 1-2 child groups with approximately 2-3 users each to be deleted, so you can easily verify when the deletion is complete. Allow up to 12 hours for verification that deletion is complete. Over time, you can progressively increase the number of desired groups and users under the Delete parent group.
  3. Note: Users in the Delete group will be moved to the DNT list and also deleted from the User Agents list, thereby freeing their license. They will only appear under Settings > Users & Groups > Do Not Track. This is ideal for users who should no longer be tracked and whose historical data does not need to be retained within ActivTrak.
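
Before enabling the integration, the three parent groups can be checked offline. This added example (not part of ActivTrak's product) walks nested membership, flags Microsoft 365 groups, and lists users who sit under more than one parent group, such as both the ActivTrak and Delete parents. It assumes group records exported from Microsoft Graph, each with a members list of ids; all names and ids are constructed.

```python
# Added example (not ActivTrak code). Group ids, names and members are constructed.
def expand(groups, gid, seen=None):
    """Return (user_ids, unsupported_group_names) reachable from group gid."""
    seen = set() if seen is None else seen
    if gid in seen:  # already visited: shared child group or circular nesting
        return set(), set()
    seen.add(gid)
    group = groups[gid]
    users, unsupported = set(), set()
    if "Unified" in group.get("groupTypes", []):  # Microsoft 365 group
        unsupported.add(group["displayName"])
    for member in group["members"]:
        if member in groups:  # nested group
            nested_users, nested_bad = expand(groups, member, seen)
            users |= nested_users
            unsupported |= nested_bad
        else:
            users.add(member)
    return users, unsupported

def preflight(groups, parents):
    """parents maps a role ('track', 'dnt', 'delete') to its parent group id."""
    resolved, unsupported = {}, set()
    for role, gid in parents.items():
        resolved[role], bad = expand(groups, gid)
        unsupported |= bad
    roles = sorted(resolved)
    overlap = {}
    for i, a in enumerate(roles):
        for b in roles[i + 1:]:
            if resolved[a] & resolved[b]:  # same user under two parent groups
                overlap[(a, b)] = sorted(resolved[a] & resolved[b])
    return {
        "counts": {r: len(u) for r, u in resolved.items()},
        "unsupported": sorted(unsupported),
        "overlap": overlap,
    }

GROUPS = {  # constructed sample directory
    "g-track": {"displayName": "ActivTrak", "groupTypes": [], "members": ["g-sales", "g-eng"]},
    "g-sales": {"displayName": "Sales", "groupTypes": [], "members": ["u1", "u2"]},
    "g-eng": {"displayName": "Engineering", "groupTypes": ["DynamicMembership"], "members": ["u3"]},
    "g-dnt": {"displayName": "ActivTrak-DNT", "groupTypes": ["Unified"], "members": ["u4"]},
    "g-del": {"displayName": "ActivTrak-Delete", "groupTypes": [], "members": ["g-left"]},
    "g-left": {"displayName": "Leavers", "groupTypes": [], "members": ["u2", "u5"]},
}
PARENTS = {"track": "g-track", "dnt": "g-dnt", "delete": "g-del"}

if __name__ == "__main__":
    print(preflight(GROUPS, PARENTS))
```
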

Enable the integration

  1. Within the ActivTrak app, navigate to API & Integrations > Integrate.
  2. Click the Add Instance button on the Azure AD (Legacy) card.
  3. The Azure AD drawer will open. Input the Instance Name, ActivTrak Group, ActivTrak Do Not Track Group, and the ActivTrak Delete Group. Authenticate the integration by connecting to Azure. Then click Save.
  4. Once the process is complete, the card will display the View Instance button.

Data import

  1. Initially, Groups/Do Not Track/Users will be reflected in your ActivTrak account within 24 hours.
  2. Subsequent updates will be reflected daily.
  3. To trigger an immediate data resync, click "Disable" in the integration settings and then click the "Integrate" button. The sync will be completed within an hour.
  4. Verify within the app that Users, Do Not Track, and ActivTrak groups are configured similarly to your Entra ID groups.

Automation

  1. The integration initially attempts to link the received Entra ID user profiles to their Agent data. Once this is successful, the integration automatically synchronizes the groups, the Do Not Track list, and/or the deletion from the Users list.
  2. Only groups with linked users are created in ActivTrak.
  3. Removing users from the Entra ID 'Do Not Track' parent group does not remove them from the ActivTrak 'Do Not Track' list. To remove users from the Do Not Track list, we recommend using the ActivTrak app.
  4. Users in the Do Not Track group in Entra ID will be added to ActivTrak’s Do Not Track list, and they will no longer be tracked. However, their historical data will be kept in ActivTrak, and they will continue to use a license.
  5. Placing users in the Entra ID delete group will delete the user and add them to the ActivTrak Do Not Track list.

Opt in to automatically sync user attributes through the Entra ID integration

To make the integration easier to use and to manage how Users are presented in ActivTrak, user attributes such as display name and identifiers can be automatically updated through the integration and viewed on the Users page. This feature is currently available as an opt-in option. Please contact ActivTrak Support to enable this for your account.

Updating your integration configuration

To update the configuration of your Entra ID integration (e.g., adding a Delete parent group name or updating any existing parent group names), the integration must be deleted and re-enabled to accept the updated parent group name values. To delete the Entra ID integration, click the View Instance button, then click the delete icon. After deleting it, follow the steps under "Enable the integration" to set it up again.

For additional questions or help with the Azure AD integration, please contact ActivTrak’s Support team.
