Options for syncing PaperCut NG/MF with Microsoft Entra ID
There are three options to integrate Microsoft Entra ID (Azure AD) cloud identity with PaperCut NG/MF (summarized below, or for details see Deciding which cloud-only sync method is right for you). When you're ready to select the sync source you want to use:
- Go to Options > User/Group Sync.
- In the Sync Source section, in the Primary sync source dropdown, select the sync source you require.
Option 1 - Using a local domain controller
Set the PaperCut sync source according to your operating system:
- macOSX/Linux: LDAP > Active Directory
- Windows: Windows Active Directory
A common option is Microsoft's Hybrid Identity model, with at least one Active Directory Domain Controller in the local environment. This Domain Controller (using Azure AD Connect to communicate with Azure AD in the cloud) then serves identity and authentication requests from the PaperCut Application Server, acting as a go-between for PaperCut and Microsoft Entra ID. This option uses the regular Windows Active Directory sync method. For all setup details, see Windows Active Directory sync method.
Option 2 - Using Microsoft Entra ID (Azure AD) through Secure LDAP
Set the PaperCut sync source to Azure AD Secure LDAP.
This method allows the PaperCut Application Server to communicate directly with Microsoft Entra ID using the secure LDAP protocol. However, note that Microsoft charges a monthly subscription fee to enable secure LDAP connections (requiring Entra ID Domain Services) for an Entra/M365 tenancy.
Option 3 - Using 'standard' Microsoft Entra ID (Azure AD)
Set the PaperCut sync source to Azure AD.
This method uses the Microsoft Graph API endpoints included with every Microsoft 365 subscription at no extra cost. The PaperCut Application Server communicates directly with the Graph endpoints in Microsoft Entra ID to perform authentication using the OAuth2 protocol.
Considerations when using 'standard' Microsoft Entra ID (Azure AD) with MFA
Many organizations enable Multi-Factor Authentication (MFA) in their Microsoft Entra ID tenancy to meet security compliance or policy requirements. PaperCut NG/MF supports authentication of users whether MFA is enforced or bypassed; however, consider the following:
When MFA is enabled in Microsoft Entra ID for PaperCut NG/MF:
- From PaperCut NG/MF version 23.0.1, users can log in to all web-based authentication pages (admin and web applications, Mobile Release web client, and Web accessibility user client) using either their Microsoft Entra ID username and password or the Sign in with Microsoft button and be redirected to the MFA flow.
- From PaperCut NG/MF version 23.0.3 users can also access the PaperCut user client and be redirected to the MFA flow.
- Username/password authentication is not available at the MFD but users can log in with an access card or ID number that’s already associated with them.
- From PaperCut NG/MF version 23.0.8, users can self-associate a card at the MFD through the "Card Association User Notification" option, which emails the user to complete the card association.
- Note that users self-associating their card on a ‘web-services’ device (e.g. Canon, Fujifilm, HP, KM, Sharp, Toshiba, Xerox and others) will see a message on the MFD asking them to check their email to continue the self-association process.
- Users self-associating their card on a non ‘web-services’ device (e.g. Kyocera, Ricoh and others) will see an error message (“Invalid username/password” type of message) on the MFD, but if they check their email they will be able to continue the self-association process.
Consider this option when optimizing for authentication compliance.
When MFA is disabled or bypassed in Microsoft Entra ID for PaperCut NG/MF:
- From PaperCut NG/MF 21.2, users can log in to any PaperCut interface including all web applications, user clients, and using self-association at the MFD, without the added security of MFA.
Consider this option when optimizing for ultimate compatibility with PaperCut NG/MF features over strict authentication compliance.
Deciding which sync option is right for you
The table below highlights the different features of the cloud-only sync options described above, as well as some of the implications of choosing a particular sync option.
| | Option 2: Microsoft Entra ID Secure LDAP | Option 3: standard Microsoft Entra ID (MFA enabled) | Option 3: standard Microsoft Entra ID (MFA disabled or bypassed) |
|---|---|---|---|
| **PaperCut Core** | | | |
| Synchronize users and groups to PaperCut database ¹ | Yes | Yes | Yes |
| MFD/Copier swipe card authentication ¹ | Yes | Yes | Yes |
| MFD/Copier swipe card self-association ² | Yes | Yes ⁷ | Yes |
| MFD/Copier username/password authentication | Yes | No | Yes |
| User or Admin User Web Interface username/password authentication | Yes | Yes | Yes |
| 'Sign On with Microsoft' button (Azure SSO) on Admin or User Web Interface ³ | Yes | Yes | Yes |
| Mobile Web Client username/password authentication | Yes | Yes | Yes |
| PaperCut User Client username/password authentication | Yes | Yes | Yes |
| 'Sign On with Microsoft' button (Azure SSO) on the PaperCut User Client ³ | No | No | No |
| Release Station swipe card authentication ¹ | Yes | Yes | Yes |
| Release Station username/password authentication | Yes | No | Yes |
| **Print Deploy** | | | |
| Print Deploy User Client username/password authentication | Yes | No | Yes |
| 'Sign On with Microsoft' button (Azure SSO) on Print Deploy client ³ | No | Yes | Yes |
| **Mobility Print** | | | |
| Mobility Print client username/password authentication | Yes | No | Yes |
| Mobility Print Web Admin username/password authentication | Yes | No | Yes |
| 'Sign On with Microsoft' button (Azure SSO) on Mobility Print client ³ | No | No | No |
| **Other differences** | | | |
| Cost | Microsoft charges an additional fee for enabling Secure LDAP through Azure Active Directory Domain Services | Free | Free |
| Username in PaperCut | sAMAccountName, which Azure may call MailNickName (e.g. alex.test) | UPN (e.g. alex.test@papercut.com) | UPN (e.g. alex.test@papercut.com) |
| Support 2FA / MFA through the PaperCut sync source | No | Yes | No |
| Ability to sync card numbers with Azure | Yes | Yes | Yes ⁴ |
| Ability to sync user aliases with Azure | Yes | Yes | Yes |
| Ability to sync users that sit within nested groups ⁶ | No | No | No |
¹ Swipe card authentication: use a swipe card with a card reader to log in to the device or release station. Since this only uses the card number (and optional PIN), username/password authentication is not involved.
² Swipe card self-association: use a brand new swipe card with a card reader to log in to the device. Since PaperCut does not recognize the card number, it asks the user to log in with their username and password to 'self-associate' the new card with their user record.
³ When enabled, 'Single Sign on with Microsoft' gives the user the option to log in using their Microsoft credentials via a Sign in with Microsoft button. To enable this, in the Admin web interface go to Options > User/Group Sync > Single Sign on with Microsoft. Select the Enable the 'Sign in with Microsoft' in the Admin and User web interfaces checkbox and follow the prompts. To enable this for Print Deploy, go to Enable Printing > Print Deploy > Settings > Authentication methods and select Microsoft.
⁴ From PaperCut NG/MF version 22.0.9, you can set up card ID sync for Azure AD/Microsoft Entra ID Standard through the admin interface UI options, in line with the existing card ID sync options for other sync source types. Prior to this version, if you wanted to sync a primary card number, you needed to set the config key user-source.update-user-details-card-id to Y. On the next sync, the Employee ID number from Azure AD would be synced into the Primary Card Number field in PaperCut.
⁵ An alternative option for the standard Microsoft Entra ID method to update the user alias fields is to use the batch import and update user process; however, that leads to an ongoing maintenance overhead.
⁶ If you want to sync a group of users (for example, Group B) that's nested under another group (for example, Group A), when you configure the sync source settings be sure to explicitly target the nested group (Group B). If you target the higher-level group, no users will be synced. Always explicitly target sync sources.
⁷ The "Card Association User Notification" feature must be enabled for users to receive the email notification.
Recommendations when using the standard Microsoft Entra ID sync method
Standard Microsoft Entra ID uses UPNs. To ensure a successful migration or deployment in any of the environments listed below, we highly recommend that you review the implications of using UPNs as usernames and test print job ownership in your environment.
If you're printing from workstation > print queue
If you're doing 'regular' network printing, PaperCut normally uses the locally logged-in username of the workstation sending the print job. With Azure standard sync, this can mean a mismatch between the username that the PaperCut Application Server knows about (the UPN) and the username sending the print job (normally the MailNickName).
In this case, one option is to configure the Print Provider to construct the UPN from the MailNickName, by following the instructions in Configure PaperCut NG/MF Secondary or Site Servers. This lets you specify a 'UPNSuffix=' configuration for each Print Provider / Secondary Server, so that, for example, alex.test becomes alex.test@organization.com. In this instance you'd want to make sure that you don't have different domains using the same Print Provider, because a single suffix can only be correct for one domain.
Another alternative is to configure a user alias for each user, containing their MailNickName (as mentioned above). However, this method is quite manual and needs some maintenance overhead.
If you're using Print Deploy
We recommend not using the 'TRUST' mode for Print Deploy client authentication. It picks up the locally configured username logged into the workstation, which could be different from the UPN username configured in PaperCut (see above).
When Microsoft Entra ID MFA is disabled or bypassed for PaperCut MF, use the 'PROMPT' method of authentication so that users can enter their UPN and password when the Print Deploy client starts (from version 21.2) to authenticate.
Otherwise, if MFA is enabled, you must use Sign in with Microsoft in the Print Deploy client to authenticate.
If you're using Print Deploy to deploy print server queues to your workstations, it's also worth checking the 'workstation > print queue' requirement details above.
If you're using Mobility Print
If you're using Universal Print
Setting up Microsoft Entra ID sync or Microsoft Entra ID Secure LDAP sync
For more information and steps on how to set up each integration, see:
- Synchronize user and group details with standard Microsoft Entra ID (Azure AD)
- Synchronize user and group details with Microsoft Entra ID (Azure AD) Secure LDAP
FAQs
Is there anything I should do to prepare for using standard Azure AD for syncing?
Why am I receiving a failed to authenticate with error: AADSTS50076 or AADSTS50079 message?
Why does the username in PaperCut appear as the UPN when using the standard Azure AD sync method?
The UPN is what uniquely identifies users in Azure, and having the full domain component in the username prevents username clashes that might otherwise occur when multiple domains are in use.
One potential problem with this approach is that some components of PaperCut, such as the User Client and the Print Deploy client, often get the username of the user logged into the OS. Even when you join a Windows device to an Azure AD domain and log in with a UPN, the Print Deploy client, for example, might not identify the OS user by their full UPN. It will typically identify them by their MailNickName. For example, if the user's UPN is alex@papercut.com, the MailNickName is probably going to be alex.
For alternatives to tackling this username mismatch, see step 3 in the KB article Preparing to use UPN usernames with PaperCut when synching with the standard Azure AD sync method.
How do I migrate from using sAMAccountName to User Principal Name (UPN) for all my PaperCut usernames?
Can I sync MailNickName instead of UPN with the standard Azure AD method?
What does the key user-source.ad.upn-as-username do?
When using on-prem AD sync (that is, the sync source set to 'Windows AD' in PaperCut), you can use this key to toggle between:
- N, the default: the username is pulled into PaperCut as the sAMAccountName.
- Y: the UPN is synced as the PaperCut username instead.
When the key is set to Y, it also means that when matching usernames of logins or print jobs, PaperCut will not truncate the UPN into a sAMAccountName.
When using Azure AD Secure LDAP as the sync source, this key doesn't alter the PaperCut username that is created: the sync always uses the sAMAccountName as the PaperCut username.
When using the standard Azure AD method, this key doesn't alter the PaperCut username that is created either: the sync always uses the UPN as the PaperCut username (apart from one scenario, detailed in the next question). However, when the key is set to Y, PaperCut will not truncate the UPN into a sAMAccountName when matching usernames of logins or print jobs. So when using this sync method, this key must be set to Y (as detailed in the manual page).
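The following is an added illustration, not PaperCut's own code, of how the two settings discussed in this article (the Print Provider's 'UPNSuffix=' option from the 'workstation > print queue' section, and the user-source.ad.upn-as-username key above) combine when a print job's owner name is matched to a UPN-style PaperCut username. The DOMAIN\user handling, the case-insensitive lookup and the split into a Print Provider stage and an Application Server stage are assumptions made for the example; the sample usernames are constructed.

```python
"""Added illustration (not PaperCut's own code) of matching a print job's
owner name to a PaperCut username when the sync source is standard
Microsoft Entra ID, so PaperCut usernames are UPNs.

Two stages are modelled, following the article:
  * Print Provider: an optional UPNSuffix= setting turns the short OS
    username (normally the MailNickName) into a UPN.
  * Application Server: the user-source.ad.upn-as-username key decides
    whether a UPN-style name is matched intact (Y) or first truncated to
    its local part (N).
The DOMAIN\\user prefix handling and case folding are assumptions.
"""
from typing import Dict, Iterable, Optional

# Constructed sample of usernames as the standard Entra sync creates them (UPNs).
SAMPLE_PAPERCUT_USERS = {
    "alex.test@organization.com",
    "sam.jones@organization.com",
    "chris.other@partner.example",   # a user from a second domain
}


def print_provider_owner(os_username: str, upn_suffix: str = "") -> str:
    """Name the Print Provider reports as the job owner.

    A DOMAIN\\user prefix is dropped (assumed form of the OS-supplied owner).
    With UPNSuffix= configured, a short name becomes a UPN; a name that
    already contains '@' is passed through unchanged.
    """
    name = os_username.split("\\", 1)[-1].strip()
    if upn_suffix and "@" not in name:
        return f"{name}@{upn_suffix}"
    return name


def app_server_match(owner: str, upn_as_username: bool,
                     papercut_users: Iterable[str]) -> Optional[str]:
    """Match the reported owner against PaperCut usernames.

    Key = N (False): a UPN is truncated to the part before '@', i.e. the
    sAMAccountName-style form.  Key = Y (True): the UPN is kept intact.
    Lookup is case-insensitive (assumption; UPNs are not case-sensitive).
    """
    if "@" in owner and not upn_as_username:
        owner = owner.split("@", 1)[0]
    by_lower = {u.lower(): u for u in papercut_users}
    return by_lower.get(owner.lower())


def resolve_job_owner(os_username: str, upn_suffix: str, upn_as_username: bool,
                      papercut_users: Iterable[str] = SAMPLE_PAPERCUT_USERS) -> Optional[str]:
    """Run both stages and return the matched PaperCut username, or None."""
    owner = print_provider_owner(os_username, upn_suffix)
    return app_server_match(owner, upn_as_username, papercut_users)


def scenarios() -> Dict[str, Optional[str]]:
    """The combinations the article discusses, run on the constructed sample."""
    return {
        # Out of the box: a short OS name never matches a UPN username.
        "no suffix, key N": resolve_job_owner("ORG\\alex.test", "", False),
        # UPNSuffix alone is undone by the key = N truncation.
        "suffix, key N": resolve_job_owner("ORG\\alex.test", "organization.com", False),
        # Both settings together: the combination the article recommends.
        "suffix, key Y": resolve_job_owner("ORG\\alex.test", "organization.com", True),
        # One Print Provider shared by two domains: the wrong suffix is appended.
        "second domain, shared suffix": resolve_job_owner(
            "PARTNER\\chris.other", "organization.com", True),
    }


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:30} -> {result}")
```

Only the third scenario resolves the job to a user; the last one shows why the article warns against different domains sharing one Print Provider, since chris.other is turned into chris.other@organization.com rather than chris.other@partner.example and the job would be unattributed.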
Why do half of my users have the UPN for their username, and the other half have MailNickName as their username?
If a customer was originally using a sync method that pulled in the 'MailNickName' as the usernames in PaperCut (for example, 'alex.test') and then switched to the standard Azure AD sync method, PaperCut sees that the email address associated with that user matches the UPN and doesn't create a new user. However, for any new users synced it creates the username as the UPN, so there can be a mixture of PaperCut username formats.
In this case we recommend renaming all accounts with the sAMAccountName to the UPN.
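An added example, not PaperCut's own code, of auditing a user list for the mixed formats described above and producing a rename plan. It applies the article's own matching rule (a short-name account belongs to the Entra ID user whose UPN equals the account's email address) and separates plain renames from cases where the UPN already exists as a second PaperCut account, which need merging rather than renaming. The record shape and the sample data are constructed; the renames themselves are applied in PaperCut afterwards, not by this script.

```python
"""Added example (not PaperCut's own code): audit PaperCut usernames for the
mixed MailNickName/UPN formats described above and plan the renames.

Matching rule taken from the article: a PaperCut account is the same person
as an Entra ID account when its email address equals the Entra UPN.  The
record shape and sample data below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class PaperCutUser:
    username: str
    email: str


# Constructed sample: two accounts created by the old sync (short names),
# two created by the standard Entra sync (UPNs), one of which duplicates a
# short-name account, and one stale account with no Entra counterpart.
SAMPLE_PAPERCUT = [
    PaperCutUser("alex.test", "alex.test@organization.com"),
    PaperCutUser("sam.jones", "sam.jones@organization.com"),
    PaperCutUser("sam.jones@organization.com", "sam.jones@organization.com"),
    PaperCutUser("pat.new@organization.com", "pat.new@organization.com"),
    PaperCutUser("old.account", "old.account@elsewhere.example"),
]
SAMPLE_ENTRA_UPNS = [
    "alex.test@organization.com",
    "sam.jones@organization.com",
    "pat.new@organization.com",
]


def plan_upn_renames(papercut_users: Iterable[PaperCutUser],
                     entra_upns: Iterable[str]
                     ) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]], List[str]]:
    """Return (renames, conflicts, unmatched).

    renames:   (old_username, new_upn) pairs that are safe to apply.
    conflicts: short-name accounts whose UPN already exists as a separate
               PaperCut username, i.e. two accounts for one person.
    unmatched: short-name accounts with no Entra ID counterpart.
    """
    papercut_users = list(papercut_users)
    upns = {u.lower(): u for u in entra_upns}
    existing = {u.username.lower() for u in papercut_users}
    renames, conflicts, unmatched = [], [], []
    for pc in papercut_users:
        if "@" in pc.username:
            continue  # already in UPN form; nothing to do
        upn = upns.get(pc.email.lower())
        if upn is None:
            unmatched.append(pc.username)
        elif upn.lower() in existing:
            conflicts.append((pc.username, upn))
        else:
            renames.append((pc.username, upn))
    return renames, conflicts, unmatched


def mixed_format_summary(papercut_users: Iterable[PaperCutUser]) -> Dict[str, int]:
    """Count usernames in each format, to confirm the 'half and half' symptom."""
    users = list(papercut_users)
    upn_count = sum(1 for u in users if "@" in u.username)
    return {"upn": upn_count, "short": len(users) - upn_count}


if __name__ == "__main__":
    renames, conflicts, unmatched = plan_upn_renames(SAMPLE_PAPERCUT, SAMPLE_ENTRA_UPNS)
    print("summary  :", mixed_format_summary(SAMPLE_PAPERCUT))
    for old, new in renames:
        print(f"rename   : {old} -> {new}")
    for old, new in conflicts:
        print(f"conflict : {old} and {new} both exist; merge before renaming")
    for old in unmatched:
        print(f"unmatched: {old}")
```

On the sample data, alex.test is planned for renaming, sam.jones is reported as a conflict because sam.jones@organization.com already exists as its own account, and old.account is left for manual review.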
Can I sync card numbers/PINs using the standard Azure AD sync method?
It is possible to sync a primary card number into PaperCut NG/MF when using the standard Azure AD sync method (see footnote 4 under the table above). However, it is not possible to sync additional card numbers or PINs at this time. When using the Azure AD Secure LDAP method, there are additional sync options for multiple card numbers.
Note that with PaperCut MF/NG version 22.0.9 or later, you can now set up additional Card/ID sync options through the Azure AD sync options (under **Options > User/Group Sync > Sync Source**).
Can I sync Office and Department fields using the standard Azure AD sync method?
Why does the PaperCut User Client not recognize me when I start it up?
If you normally start your PaperCut User Client and it silently starts and shows you your balance window, you may see an identification popup the first time you launch the user client after migrating to UPNs.
Take a look at the question 'Why does the username in PaperCut NG/MF appear as the UPN when using the standard Azure AD sync method?' above for more information. In summary, the User Client might be seeing the Windows username as 'alex.test', whereas the username in PaperCut is alex.test@organization.com, so there is a mismatch.
What should happen is that the client (if using version 21.2 or later) lets the user identify themselves with UPN and password authentication, after which the client starts normally.