To synchronize with a standard Entra ID tenant (formerly called Azure AD), you need to create a new application in your Entra Tenant.
- Requirements
- Step 1. Create your Entra ID application
- Step 2. Give your application permissions to read users and groups
- Step 3. Configure your application’s authentication
- Step 4. Generate an application client secret value
- Step 5. Configure PaperCut
Requirements
- An Entra ID tenant
- PaperCut configured with SSL
Step 1. Create your Entra ID application
- Log in to Entra as an application administrator.
- In the Search bar, search for and select Microsoft Entra.
- In the navigation pane, under Manage, select App Registrations.
- Click New registration.
- Fill in the basic information for your application.
- Set Name as something you can easily identify, for example, PaperCut Entra ID Sync.
- Set the supported account type to Accounts in this organizational directory only.
- Click Register.
Step 2. Give your application permissions to read users and groups
- In the navigation pane, under Manage, select API Permissions and click Add a permission.
- In the right pane, select Microsoft Graph, and click Delegated permissions.
- Use the search bar to locate and add the following permissions:
  - User.Read
- Click Application permissions.
- Use the search bar to locate and add the following permissions:
  - GroupMember.Read.All
  - User.Read.All
  - Group.Read.All (only required if you want to sync Groups)
- Under Configured Permissions, click Grant admin consent, and then click Yes to confirm.
Step 3. Configure your application’s authentication
- In the navigation pane, under Manage, select Authentication.
- Under Platform configurations, click Add a platform.
- In the right side pane, select Web.
- Fill in the platform configuration with the following values:
  - Redirect URIs: set to https://type-our-own-papercut-server-address-here:9192/api/oauth2callback
    For example: https://papercut.school.com:9192/api/oauth2callback
  - Leave the front-channel logout URL blank.
  - Under Implicit grant and hybrid flows, select ID Tokens.
- Click Configure.
Step 4. Generate an application client secret value
- In the navigation pane, under Manage, select Certificates & secrets.
- Under Client Secrets, click New client secret.
- Complete the following fields:
- Description: set to something memorable, for example, “PaperCut Sync Secret”.
- Expires: Choose an appropriate expiry date. Prior to the expiry date you choose, to keep your users synchronized with PaperCut NG/MF you will need to create a new secret in the Entra Portal and also update the secret in the PaperCut Admin web interface (part of Step 5. Configure PaperCut below).
- Click Add.
- Copy the client secret value for later use.
Step 5. Configure PaperCut
- Log in to the PaperCut Admin web interface.
- Select Options > User/Group Sync. The User/Group Sync page is displayed.
- In the Sync Source area, in Primary sync source, select Entra ID.
- Fill in the following fields:
  - Tenant ID: The ID of your tenant, as listed in Entra ID.
  - App ID: The ID of the application you registered as part of this setup.
  - Client Secret: The client secret value that you created in Step 4 above.
- Decide whether to sync the Card/ID numbers from a user field in Entra ID, such as the default employeeId. Card/ID numbers are used as an alternative to usernames/passwords for authentication at software Release Stations, or at hardware terminals attached to photocopiers. The card/ID number can also be searched in the user quick-find on the User List page. PaperCut can synchronize this information from a field in your directory. Detailed information can be found on our page: Synchronize Card/Identity Numbers from a directory.
- You may need to sync alternate usernames, called aliases, for users. Select Username alias > Sync from AD/LDAP field (this feature requires PaperCut MF/NG version 22.0.9 or later).
  - Enter the attribute name in the AD/LDAP field name text box.
  - Note that for Entra ID, you can find a number of the popular property names in this Entra ID properties table from Microsoft. For example, if you want to sync the Mail Nickname field from Entra, enter it as the property mailNickname.
- By default, the Entra ID username and e-mail are one and the same. An organization can now elect to make them different (this feature requires PaperCut MF/NG version 23.0.5 or later). To do this, select Email > Sync from AD/LDAP field.
  - Enter the sync field name in the AD/LDAP field name text box.
- Click Apply.
- If you want your users to be able to log in to the Admin and User web interfaces using the Sign in with Microsoft button:
  - Return to Options > User/Group Sync.
  - Scroll down the page to find Single Sign on with Microsoft and select the checkbox to enable it.
  - Fill in the fields with the same information as above.
  - Click Apply at the bottom of the page.
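Once the registration exists, its settings can be checked against Steps 1, 3 and 4 and the client secret's expiry watched from a script. The following is an added example, not PaperCut or Microsoft code: it assumes the app registration has been exported as a Microsoft Graph application object, the function name audit_registration is hypothetical, and the sample object is constructed.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample in the shape of a Microsoft Graph application object.
SAMPLE_APP = json.loads("""{
  "displayName": "PaperCut Entra ID Sync",
  "signInAudience": "AzureADMyOrg",
  "web": {
    "redirectUris": ["https://papercut.school.com:9192/api/oauth2callback"],
    "logoutUrl": null,
    "implicitGrantSettings": {"enableIdTokenIssuance": true,
                              "enableAccessTokenIssuance": false}
  },
  "passwordCredentials": [
    {"displayName": "PaperCut Sync Secret", "endDateTime": "2025-07-01T00:00:00Z"}
  ]
}""")

def audit_registration(app, now, warn_days=30):
    """Return a list of deviations from Steps 1, 3 and 4 (hypothetical helper)."""
    findings = []
    if app.get("signInAudience") != "AzureADMyOrg":  # Step 1: this directory only
        findings.append("account type is not single-tenant")
    web = app.get("web") or {}
    uris = web.get("redirectUris") or []
    if not uris:
        findings.append("no Web redirect URI configured")
    for uri in uris:  # Step 3: HTTPS callback on the PaperCut server
        parts = urlsplit(uri)
        if parts.scheme != "https" or parts.path != "/api/oauth2callback":
            findings.append(f"unexpected redirect URI: {uri}")
    if web.get("logoutUrl"):
        findings.append("front-channel logout URL is set")
    grants = web.get("implicitGrantSettings") or {}
    if not grants.get("enableIdTokenIssuance"):
        findings.append("ID tokens are not enabled")
    if grants.get("enableAccessTokenIssuance"):
        findings.append("implicit access tokens enabled; Step 3 selects ID tokens only")
    secrets = app.get("passwordCredentials") or []
    if not secrets:
        findings.append("no client secret present")
    for cred in secrets:  # Step 4: catch expiry before sync stops working
        end = datetime.strptime(cred["endDateTime"][:19], "%Y-%m-%dT%H:%M:%S")
        days_left = (end.replace(tzinfo=timezone.utc) - now).days
        name = cred.get("displayName") or "(unnamed)"
        if days_left < 0:
            findings.append(f"client secret '{name}' has expired")
        elif days_left <= warn_days:
            findings.append(f"client secret '{name}' expires in {days_left} days")
    return findings
```

Call audit_registration(app, datetime.now(timezone.utc)) on a schedule and alert on any non-empty result, so the secret is replaced in both Entra and PaperCut before it expires.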