Choose your language

Choose your login

Support

How can we help?

Lightbulb icon
Lightbulb icon

Here’s your answer

Sources:

Lightbulb icon

Oops!

We currently don’t have an answer for this and our teams are working on resolving the issue. If you still need help,
User reading a resource

Popular resources

Conversation bubbles

Contact us

Overview of synchronizing user and group details with Microsoft Entra ID (Azure AD)

This page applies to:

Options for syncing PaperCut NG/MF with Microsoft Entra ID

There are three options to integrate Microsoft Entra ID (Azure AD) cloud identity with PaperCut NG/MF (summarized below, or for details see Deciding which cloud-only sync method is right for you ). When you’re ready to select the sync source you want to use:

  1. Go to Options > User/Group Sync.

  2. In the Sync Source section, in the Primary sync source dropdown, select the sync source you require.

Option 1 - Using a local domain controller

Set the PaperCut sync source according to your operating system:

  • macOSX/Linux: LDAP > Active Directory
  • Windows: Windows Active Directory

A common option is to use Microsoft’s Hybrid Identity model , with at least one Active Directory Domain Controller server in the local environment. This Domain Controller (using Azure AD Connect to communicate with Azure AD in the cloud) is then available to serve identity and authentication requests from the PaperCut application server - acting as a go-between PaperCut and Microsoft Entra ID. This method uses the regular Windows Active Directory sync method . For all setup details, see Windows Active Directory sync method .

Option 2 - Using Microsoft Entra ID (Azure AD) through Secure LDAP

Set the PaperCut sync source to Azure AD Secure LDAP.

This method allows the PaperCut Application Server to communicate directly with Microsoft Entra ID using the secure LDAP protocol. However, note that Microsoft charges a monthly subscription fee to enable secure LDAP connections (requiring Entra ID Domain Services) for an Entra/M365 tenancy.

Option 3 - Using ‘standard’ Microsoft Entra ID (Azure AD)

Set the PaperCut sync source to Azure AD.

This method uses the Microsoft Graph API endpoints included with every Microsoft 365 subscription at no extra cost. The PaperCut Application Server communicates directly with the Graph endpoints in Microsoft Entra ID to perform authentication using the OAuth2 protocol.

Considerations when using ‘standard’ Microsoft Entra ID (Azure AD) with MFA

Many organizations enable Multi-Factor Authentication (MFA) in their Microsoft Entra ID tenancy to meet security compliance or policy requirements. PaperCut NG/MF supports authentication of users whether MFA is enforced or bypassed; however, consider the following:

When MFA is enabled in Microsoft Entra ID for PaperCut NG/MF:

  • From PaperCut NG/MF version 23.0.1, users can log in to all web-based authentication pages (admin and web applications, Mobile Release web client, and Web accessibility user client) using either their Microsoft Entra ID username and password or the Sign in with Microsoft button and be redirected to the MFA flow.
  • From PaperCut NG/MF version 23.0.3 users can also access the PaperCut user client and be redirected to the MFA flow.
  • Username/password authentication is not available at the MFD but users can log in with an access card or ID number that’s already associated with them.
  • From PaperCut NG/MF version 23.0.8 users can self-associate a card at the MFD through the “ Card Association User Notification ” option, which will email the user to complete the card association.
    • Note that users self-associating their card on a ‘web-services’ device (e.g. Canon, Fujifilm, HP, KM, Sharp, Toshiba, Xerox and others) will see a message on the MFD asking them to check their email to continue the self-association process.
    • Users self-associating their card on a non ‘web-services’ device (e.g. Kyocera, Ricoh and others) will see an error message (“Invalid username/password” type of message) on the MFD, but if they check their email they will be able to continue the self-association process.

Consider this option when optimizing for authentication compliance.

When MFA is disabled or bypassed in Microsoft Entra ID for PaperCut NG/MF:

  • From PaperCut NG/MF 21.2, users can log in to any PaperCut interface including all web applications, user clients, and using self-association at the MFD, without the added security of MFA.

Consider this option when optimizing for ultimate compatibility with PaperCut NG/MF features over strict authentication compliance.

Deciding which sync option is right for you

The table below highlights the different features of the cloud-only sync options described above, as well as some of the implications of choosing a particular sync option.

 

Option 2
Azure AD Secure LDAP

Option 3
Azure AD with MFA enabled 

(version 23.0.1 or later)

Option 3
Azure AD with MFA disabled

(version 21.2 or later)

PaperCut Core

 

 

 

Synchronize users and groups to PaperCut database 1

Yes
(PaperCut username is the MailNickName - user)

Yes
(PaperCut username is the UPN - user@domain)

Yes
(PaperCut username is the UPN - user@domain)

MFD/Copier swipe card authentication 1

Yes

Yes

Yes

MFD/Copier swipe card self-association 2

Yes

Yes 7
(23.0.8 or later)

Yes

MFD/Copier username/password authentication

Yes

No

Yes

User or Admin User Web Interface username/password authentication

Yes

Yes

Yes

“Sign On with Microsoft” button (Azure SSO) on Admin or User Web Interface 3

Yes

Yes

Yes

Mobile Web Client username/password authentication

Yes

Yes

Yes

PaperCut User Client username/password Authentication

Yes

Yes
(23.0.3 or later)

Yes

“Sign On with Microsoft” button (Azure SSO) on the PaperCut user client 3

No

No

No

Release Station swipe card authentication 1

Yes

Yes

Yes

Release Station username/password authentication

Yes

No

Yes

Print Deploy

 

 

 

Print Deploy User Client username/password authentication

Yes

No

Yes

“Sign On with Microsoft” button (Azure SSO) on Print Deploy client 3

No

Yes

Yes

Mobility Print

 

 

 

Mobility Print client username/password authentication

Yes

No

Yes

Mobility Print Web Admin username/password authentication

Yes

No

Yes

“Sign On with Microsoft” button (Azure SSO) on Mobility Print client 3

No

No

No

Other differences

 

 

 

Cost

Microsoft charge an additional fee for enabling Secure LDAP through Azure Active Directory Domain Services

Free

Free

Username in PaperCut

sAMAccountName - which Azure may call MailNickName (e.g. alex.test)

UPN (e.g. alex.test@papercut.com)

UPN (e.g. alex.test@papercut.com)

Support 2FA / MFA through the PaperCut sync source

No

Yes

No

Ability to sync card numbers with Azure

Yes

Yes

Yes 4

Ability to sync user aliases with Azure

Yes

Yes 

Yes
(22.0.9 or later)

Ability to sync users that sit within nested groups 6

No

No

No

1 Swipe card authentication – use a swipe card with a card reader to log in to the device or release station. Since this only uses the card number (and optional PIN), username/password authentication is not involved.

2 Swipe card self-association – use a brand new swipe card with a card reader to log in to the device. Since PaperCut does not recognize the card number, it will ask the user to log in with their username and password, to ‘self-associate’ the new card with their user record.

3 When enabled, ‘Single Sign on with Microsoft’ provides the user the option to log in using their Microsoft credentials via a Sign in with Microsoft button. To enable this, in the Admin web interface go to Options > User/Group Sync > Single Sign on with Microsoft. Select the Enable the ‘Sign in with Microsoft in the Admin and User web interfaces checkbox and follow the prompts. To enable this for Print deploy, go to Enable Printing > Print Deploy > Settings > Authentication methods and select Microsoft.

4 From PaperCut NG/MF version 22.0.9, you can set up card ID sync for Azure AD/Microsoft Entra ID Standard through the admin interface UI options. This is in line with existing card ID sync options for other sync source types. Prior to this version, if you wanted to sync a primary card number, you needed to set the config key user-source.update-user-details-card-id to Y. On the next sync, the Employee ID number from Azure AD would be synced into the Primary Card Number field in PaperCut.

5 An alternative option for the standard Microsoft Entra ID method to update the user alias fields is to use the batch import and update user process - however that leads to an ongoing maintenance overhead.

6 If you want to sync a group of users (for example, Group B) that’s nested under another group (for example, Group A), when you configure the sync source settings be sure to explicitly target the nested group (Group B). If you target the higher-level group, no users will be synced. Always explicitly target sync sources.

7 The “ Card Association User Notification ” feature must be enabled for users to receive the email notification..

Recommendations when using the standard Microsoft Entra ID sync method

Standard Microsoft Entra ID uses UPNs. To ensure a successful migration or deployment in any of the environments listed below, we highly recommend that you review the implications of using UPNs as usernames, and test print job ownership in your environment .

If you’re printing from workstation > print queue

If you’re doing ‘regular’ network printing then PaperCut normally will just use the locally logged in username of the workstation sending the print job. With Azure standard sync, this can mean a mismatch between the username that the PaperCut App server knows about (the UPN) and the username sending the print job (will normally be the MailNickName).

In this case, one option is to configure the Print Provider to construct the UPN from the MailNickName, by following the instructions in Configure PaperCut NG/MF Secondary or Site Servers . This lets you specify a ‘UPNSuffix=’ configuration for each Print Provider / Secondary Server, so that, for example, alex.test then becomes alex.test@organization.com . In this instance you’d want to make sure that you don’t have different domains using the same Print Provider.

Another alternative here is to configure a user alias for each user, containing their MailNickName (as mentioned above). However this method is quite manual and would need some maintenance overhead.

If you’re using Print Deploy

We recommend not using the ‘TRUST’ mode for Print Deploy client authentication . It will pick up the locally configured username logged into the workstation, which could be different to the UPN username configured in PaperCut (see above).

When Microsoft Entra ID MFA is disabled or bypassed for PaperCut MF, use the ‘PROMPT’ method of authentication so that users can enter their UPN and password when the Print Deploy client starts (from version 21.2) to authenticate.

Otherwise, if MFA is enabled, you must use the Sign in With Microsoft in the Print Deploy client to authenticate.

If you’re using Print Deploy to deploy Print Server queues to your workstations, then it’s also worth checking the ‘workstation > print queue’ requirement details above.

If you’re using Mobility Print
When Microsoft Entra ID MFA is disabled or bypassed for PaperCut MF, users can enter their UPN and password when adding printers using the Mobility Print client (from version 21.2) to authenticate. Otherwise if MFA is enabled, you cannot authenticate Mobility Print with Microsoft Entra ID. We are working on support for TRUST mode in a future release of Mobility Print. .
If you’re using Universal Print
Since Universal Print was designed around UPN usernames, there shouldn’t be any additional considerations when integrating the Universal Print Connector for PaperCut NG/MF .

Setting up Microsoft Entra ID sync or Microsoft Entra ID Secure LDAP sync

For more information and steps on how to set up each integration, see:

FAQs

Is there anything I should do to prepare for using standard Azure AD for syncing?
Yes. That’s because standard Azure AD uses UPNs when syncing usernames, so you need to review the implications of using UPNs as usernames, and test print job ownership in your environment to ensure a successful migration or deployment.
Why am I receiving a failed to authenticate with error: AADSTS50076 or AADSTS50079 message?
These errors indicate that the user is attempting to log in using a method that is not supported (for example, attempting to authenticate using a username and password on an MFD with MFA enabled, or using a username and password on a web interface on a version of MF/NG prior to 23.0.1). Please check your Azure AD MFA settings and refer to the table above to understand which log in methods are supported for your configuration.
Why does the username in PaperCut appear as the UPN when using the standard Azure AD sync method?

The UPN is what uniquely identifies users in Azure, and having the full domain component in the username prevents username clashes that might otherwise occur when multiple domains are in use.

One potential problem with this approach is that some components of PaperCut - such as the User Client and the Print Deploy client - often get the username of the user logged into the OS. Even when you join a Windows device to an Azure AD domain and log in with a UPN, the Print Deploy Client, for example, might not identify the OS user as their full UPN. It will typically identify them as their MailNickName. For example, if the user’s UPN is alex@papercut.com , the MailNickName is probably going to be alex.

For alternatives to tackling this username mismatch, see step 3 in the KB article Preparing to use UPN usernames with PaperCut when synching with the standard Azure AD sync method .

How do I migrate from using sAMAccountName to User Principal Name (UPN) for all my PaperCut usernames?
Can I sync MailNickName instead of UPN with the standard Azure AD method?
There is currently no option to sync the MailNickName (instead of the UPN), using the standard Azure AD sync method.
What does the key user-source.ad.upn-as-username do?

When using on-prem AD sync (that is, the sync source set to ‘Windows AD’ in PaperCut), you can use this key to toggle between:

  • N, the default – the username is pulled into PaperCut as the sAMAccountName

  • Y, which will sync the UPN as the PaperCut username instead.

When the key is set to Y, it also means that when matching usernames of logins or print jobs, PaperCut will not truncate the UPN into a sAMAccountName.

When using Azure AD Secure LDAPas the sync source, this key doesn’t alter the behavior of the PaperCut username created. The sync will always use sAMAccountName as the PaperCut username.

When using the standard Azure ADmethod, this key doesn’t alter the behavior of the PaperCut username created. The sync will always use UPN as the PaperCut username (apart from in one scenario, detailed in the next question). However, when the key is set to Y, when matching usernames of logins or print jobs, PaperCut will not truncate the UPN into a sAMAccountName. So when using this sync method, this key must be set to Y (as detailed in the manual page).

Why do half of my users have the UPN for their username, and the other half have MailNickName as their username?

If a customer was originally using a sync method that pulled in the ‘MailNickName’ as the usernames in PaperCut (for example, ‘alex.test’) and then switched to use the standard Azure AD sync method, PaperCut sees that the email address associated with that user matches the UPN, and doesn’t create a new user. However, for any new users synced it will create the username as the UPN – in which case there could be a mixture of PaperCut username formats.

In this case we recommend renaming all accounts with the sAMAccountName to the UPN.

Can I sync card numbers/PINs using the standard Azure AD sync method?

It is possible to sync a primary card number into PaperCut NG/MF when using the standard Azure AD sync method (see footnote 4 under the table above). However, it is not possible to sync additional card numbers or PINs at this time. When using the Azure AD Secure LDAP method, there are additional sync options for multiple card numbers.

Note that with PaperCut MF/NG version 22.0.9 or later, you can now set up additional Card/ID sync options through the Azure AD sync options (under **Options > User/Group Sync > Sync Source**).

Can I sync Office and Department fields using the standard Azure AD sync method?
Yes! The Office and Department fields will sync into PaperCut NG/MF when using the standard Azure AD sync method. Note that the ability to sync the Department field was added in version 21.2.
Why does the PaperCut User Client not recognize me when I start it up?

If you normally start your PaperCut User Client and it silently starts and shows you your balance window, you may see an identification popup the first time you launch the user client after migrating to UPNs.

Take a look at the question ‘Why does the username in PaperCut NG/MF appear as the UPN when using the standard Azure AD sync method?’ above for more information. In summary, because the User Client might be seeing the Windows username as ‘alex.test’, whereas the username in PaperCut is alex.test@organization.com , so there will be a mismatch.

What should happen is that the client (if using version 21.2 or later) should let the user identify themselves with the UPN and password authentication, and the client should then start normally.

Is PaperCut looking at adding a ‘Sign in with Microsoft’ button to the Mobility Print client to make authentication smoother?
Hopefully! We have this on our list of things to do. If you have any questions, please quote MOB-2650.

Comments