Importing users & groups from Microsoft Entra ID (formerly called Azure Active Directory) is becoming a more and more popular method of managing users in PaperCut NG/MF as businesses shift infrastructure to the cloud.
The manual page
Synchronize user and group details with standard Azure AD
discusses how to set up PaperCut to synchronize with users in Microsoft’s cloud, and in this article we discuss some of the issues that customers have raised with us when using this sync method.
Zero Users and Groups Synchronized
One issue that gets reported is that after following the setup instructions, the sync appears to be successful with no errors even though no users or groups are imported from Microsoft Entra ID.
When this happens you may also see this error in the server.log file on the PaperCut server: “AADUserDirectory - Error getting response Forbidden (User synchronization).”
This may also be accompanied by two more errors in the server.log file:
- “AADUserDirectory - Error getting response Forbidden”
- “AADUserDirectory - Failed getting all users details”
These errors are due to the API Permissions on the Microsoft Entra ID Application Registration. The correct configuration for these permissions is outlined here: Step 2: Give your application permissions to read users and groups
In particular, when setting User.Read permissions, be sure you are selecting Microsoft Graph → Delegated Permissions and not “Application Permissions” by mistake. Per Step 2 , make sure the permissions are correctly set, then attempt the sync again.
Error contacting Azure/Entra ID
When applying Microsoft Entra ID Sync credentials (Tenant ID, App ID, Client Secret Value), or when hitting the Synchronize Now button, you may be presented with the message: “There was an error contacting Azure using the details provided. Please check all values are correct and try again.”
Along with the above application-level error, you may also see the below error posted in the server.log file; “ERROR AADUserDirectory - No access token received from url: https://login.microsoftonline.com/..."
We see this error because Microsoft Entra ID is rejecting the values that have been set for the Tenant ID, App ID, or the Client Secret Value. Please ensure that all three of these values are correct and correspond with the Tenant and Application Registration you are attempting to connect to.
Entra ID usernames don’t match print job owner usernames
One challenge with Microsoft Entra ID sync is that the username which gets synced into PaperCut may not precisely match the format of username on the workstation.
The outcome of this mismatch is that print jobs might be canceled or users may not see their print job to release.
Thankfully this issue and the solutions are documented in detail in our article Preparing to use UPN usernames with PaperCut when syncing with the standard Azure AD sync method .
Troubleshooting user login issues
If users are experiencing login issues with Microsoft Entra ID and receiving an “Invalid username or password” error, refer to our article: “Invalid Username or Password” when users log into PaperCut NG or MF
This article covers common causes and solutions for various login errors, including those related to multi-factor authentication (MFA) and specific AADSTS error codes.Troubleshooting user login issues
Comments