AD User Synchronization
Another way to create users in MyQ Roger is to set up synchronization from an external service. Currently, Microsoft Entra ID (formerly Microsoft Azure Active Directory) is supported; Google Active Directory support is in development and should be available in the foreseeable future.
Required Permissions
Pages.Administration.UserSync
Microsoft Entra ID
To configure a Microsoft Entra ID connection in MyQ Roger, you must already have an existing Microsoft Entra ID.
Setup and Configuration
Log in to the Microsoft Azure portal and create a new App registration in your Microsoft Entra ID (see https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app).
The new app overview page opens. Copy the Application (client) ID and the Directory (tenant) ID, as they are needed for the connection to MyQ Roger.
Go to Certificates & secrets and create a New client secret. Set the expiration date and copy the secret Value (back up the value as it will not be displayed again).
The app registration must have the following Microsoft Graph application permissions: User.Read.All, and Group.Read.All if you want to synchronize only certain groups. To set them, select API permissions, then click Add a permission. In the window to the right, on the Microsoft APIs tab, select Microsoft Graph. In the next window, select Application permissions, search for and select User.Read.All and Group.Read.All (if you want to sync a certain group), and click Add permissions. Application permissions of this kind take effect only after an administrator grants admin consent for them in the same API permissions view.
In MyQ Roger, go to Administration, User Synchronization, Microsoft Entra ID, click Edit and fill in the Connector settings:
Application ID*: Add the Application (client) ID you copied during the Microsoft Entra ID setup.
Directory (Tenant) ID*: Add the Directory (tenant) ID you copied during the Microsoft Entra ID setup.
Application secret*: Add the application secret value you copied during the Microsoft Entra ID setup.
Application secret expiration date (optional): Set an expiration date if you want to be notified before the secret expires. All users with the Pages.Administration.UserSync permission are notified.
Set Groups options:
None: If this option is selected, all the users from the organization are synchronized.
Selected: Fill in the group identifier if you want to synchronize users from a specific Entra ID group. You can add multiple group identifiers separated by a semicolon (;). The Entra ID group GUID is shown as the Object ID of the group in Microsoft Entra ID > Groups.
Set the Users options:
Selected groups: Synchronize users from the selected groups and their nested groups.
All: Synchronize all the users.
Source fields for aliases: Add the name of the field in the Microsoft Entra ID Graph API that is used to create an alias for the user. The default field is onPremisesSamAccountName. You can combine several fields into one alias: surround each field name with percent (%) signs, e.g. %givenName%. You can specify several combinations separated by a semicolon (;), e.g. %givenName%.%surName%;%surName%-%givenName%.
Send PIN emails: Mark the checkbox if you want the newly created users to receive a welcome email with PIN.
Manage existing users: Updates and keeps existing users synchronized. Users are matched with their email address.
Allow use ‘Display name’: First and last name are mandatory fields in MyQ Roger, but Microsoft Entra ID accounts may have only “Displayname” set instead of a first and last name. Enable this option to allow the display name to be used for such accounts.
Also, create aliases without invalid characters: When enabled, the following characters are removed from generated aliases: “ [ ] : ; | = + * ? < > / \ , . and space. For example, the alias for John Doe is created as JohnDoe.
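The following Python function is an added example (not MyQ Roger's own code) that implements the alias rules described above: a template of %field% placeholders, several templates separated by a semicolon, and optional removal of the listed invalid characters. The sample user record is constructed and uses Microsoft Graph property names; field names are matched case-insensitively here, which is a choice made for this example so that the page's %surName% resolves to Graph's surname property.

```python
import re

# Characters the page lists as invalid in an alias (the leading “ stands for the
# double-quote character), plus the space character.
INVALID_ALIAS_CHARS = set('"[]:;|=+*?<>/\\,. ')

# Default source field named on the page.
DEFAULT_TEMPLATE = "%onPremisesSamAccountName%"

FIELD_RE = re.compile(r"%([A-Za-z0-9_]+)%")


def expand_template(template, user):
    """Replace each %field% with the user's value.

    Field names are matched case-insensitively (a choice made for this example).
    Returns None when any referenced field is missing or empty, so the caller
    can skip that template instead of producing a half-filled alias.
    """
    lookup = {key.lower(): value for key, value in user.items()}
    missing = False

    def substitute(match):
        nonlocal missing
        value = lookup.get(match.group(1).lower())
        if not value:
            missing = True
            return ""
        return str(value)

    expanded = FIELD_RE.sub(substitute, template)
    return None if missing else expanded


def strip_invalid_chars(alias):
    """Drop every character from the invalid set (e.g. 'John Doe' -> 'JohnDoe')."""
    return "".join(ch for ch in alias if ch not in INVALID_ALIAS_CHARS)


def build_aliases(user, templates=DEFAULT_TEMPLATE, remove_invalid=True):
    """Return the list of aliases for one user.

    `templates` uses the page's format: one or more %field% combinations separated
    by ';'. Templates whose fields the user lacks are skipped and duplicates are
    dropped. With remove_invalid=True the "create aliases without invalid
    characters" behaviour is applied.
    """
    aliases = []
    for template in templates.split(";"):  # ';' is the delimiter, never part of a template
        template = template.strip()
        if not template:
            continue
        alias = expand_template(template, user)
        if alias is None:
            continue
        if remove_invalid:
            alias = strip_invalid_chars(alias)
        if alias and alias not in aliases:
            aliases.append(alias)
    return aliases


# Constructed sample record using Microsoft Graph property names.
SAMPLE_USER = {
    "givenName": "John",
    "surname": "Doe",
    "displayName": "John Doe",
    "onPremisesSamAccountName": "jdoe",
}

if __name__ == "__main__":
    combined = "%givenName%.%surName%;%surName%-%givenName%"
    print(build_aliases(SAMPLE_USER))                                # ['jdoe']
    print(build_aliases(SAMPLE_USER, combined, remove_invalid=False))  # ['John.Doe', 'Doe-John']
    print(build_aliases(SAMPLE_USER, combined))                      # ['JohnDoe', 'Doe-John']
    print(build_aliases(SAMPLE_USER, "%displayName%"))               # ['JohnDoe']
```

Note that the hyphen is not in the invalid set, so %surName%-%givenName% survives character removal while the dot in %givenName%.%surName% does not; check the resulting aliases against any naming convention you already rely on before enabling removal.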
Manage user deletion: When enabled, MyQ Roger compares the users before and after synchronization and deletes the accounts that can no longer be retrieved from the remote system. Microsoft Entra ID provides information about accounts that should be deleted only for a limited time. You should only enable this option if you have not run a synchronization for an extended period of time or if you have changed the settings.
Click Connect. The connection is tested, and if everything is set correctly, more options appear (Sync now, Delete, Edit, and Synchronize automatically).
To perform the synchronization, click the Sync now button, or enable automatic synchronization to synchronize users every 24 hours from activation.
Synchronization Rules
If an AD user’s email address does not exist in the MyQ Roger tenant, a new user is created with the "AD synced" tag.
If an AD user is deleted from the AD and a synchronization is run, the user is also deleted from MyQ Roger.
If an AD user’s email address already exists in the MyQ Roger tenant, the user creation is skipped.
If the user was deleted before, they are registered again.
If a user’s creation fails, the synchronization continues with the other users. For more information, see the Notifications section.
Login: Users synchronized from Microsoft Entra ID must log in to MyQ Roger using the ‘Sign in with Microsoft’ option. MyQ Roger does not synchronize user passwords, so a user synced via AD must use the sign-in option of the provider (Microsoft/Google). Logging in to MyQ Roger with a username and password is only possible for users created directly in MyQ Roger.
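The reconciliation below is an added example, not MyQ Roger's code, that applies the synchronization rules above to constructed sample data: users are matched by email, new addresses are created with the "AD synced" tag, existing ones are skipped, previously deleted ones are registered again, records lacking a first and last name fail without stopping the run (unless display names are allowed), and, when user deletion is managed, synced users that can no longer be retrieved are deleted. The LocalUser record, the field names, and the choice to delete only users that carry the "AD synced" tag are assumptions made for this example; has_changes() models the "any users deleted, added, or failed" condition from the Notifications section.

```python
from dataclasses import dataclass, field

AD_SYNCED_TAG = "AD synced"  # tag the page says newly synchronized users receive


@dataclass
class LocalUser:
    """Minimal stand-in for a MyQ Roger user record (constructed for this example)."""
    email: str
    deleted: bool = False
    tags: set = field(default_factory=set)


def normalize_email(email):
    # Users are matched by email address; compare case-insensitively.
    return email.strip().lower()


def validate_remote_user(remote, allow_display_name):
    """First and last name are mandatory; optionally accept displayName instead."""
    if remote.get("givenName") and remote.get("surname"):
        return
    if allow_display_name and remote.get("displayName"):
        return
    raise ValueError("missing first/last name and no usable displayName")


def reconcile(remote_users, local_users, manage_user_deletion=False, allow_display_name=False):
    """Apply the synchronization rules to one run and report the resulting actions.

    remote_users: Graph-like user dicts (keys used: id, mail, givenName, surname, displayName)
    local_users:  LocalUser records currently in the MyQ Roger tenant
    Returns {"created": [...], "skipped": [...], "reactivated": [...], "deleted": [...], "failed": [...]}.
    """
    actions = {"created": [], "skipped": [], "reactivated": [], "deleted": [], "failed": []}

    remote_by_email = {}
    for remote in remote_users:
        mail = remote.get("mail")
        if not mail:
            # A record without an email cannot be matched; record the failure and carry on.
            actions["failed"].append((remote.get("id", "?"), "no email address"))
            continue
        remote_by_email[normalize_email(mail)] = remote
    local_by_email = {normalize_email(u.email): u for u in local_users}

    for email, remote in remote_by_email.items():
        try:
            validate_remote_user(remote, allow_display_name)
        except ValueError as exc:
            actions["failed"].append((email, str(exc)))
            continue  # one failed user does not stop the run
        local = local_by_email.get(email)
        if local is None:
            actions["created"].append(email)      # new user, tagged "AD synced"
        elif local.deleted:
            actions["reactivated"].append(email)  # deleted before: registered again
        else:
            actions["skipped"].append(email)      # email already exists: creation skipped

    if manage_user_deletion:
        # Assumption for this example: only users the synchronization itself created
        # (tagged "AD synced") are deleted when they can no longer be retrieved.
        for email, local in local_by_email.items():
            if AD_SYNCED_TAG in local.tags and not local.deleted and email not in remote_by_email:
                actions["deleted"].append(email)
    return actions


def has_changes(actions):
    """True when administrators should be notified: any user added, deleted, or failed.
    Re-registered users are counted as added here (an assumption of this example)."""
    return bool(actions["created"] or actions["reactivated"] or actions["deleted"] or actions["failed"])


# Constructed sample data for one run.
REMOTE_USERS = [
    {"id": "1", "mail": "Alice@example.com", "givenName": "Alice", "surname": "Adams"},
    {"id": "2", "mail": "bob@example.com", "givenName": "Bob", "surname": "Brown"},
    {"id": "3", "mail": "carol@example.com", "displayName": "Carol Clark"},  # no first/last name
    {"id": "4", "mail": "dave@example.com", "givenName": "Dave", "surname": "Dunn"},
]
LOCAL_USERS = [
    LocalUser("bob@example.com", tags={AD_SYNCED_TAG}),                 # already synced
    LocalUser("dave@example.com", deleted=True, tags={AD_SYNCED_TAG}),  # deleted earlier
    LocalUser("erin@example.com", tags={AD_SYNCED_TAG}),                # no longer in Entra ID
    LocalUser("frank@example.com"),                                     # created directly in MyQ Roger
]


def run_example(manage_user_deletion=True, allow_display_name=False):
    return reconcile(REMOTE_USERS, LOCAL_USERS, manage_user_deletion, allow_display_name)


if __name__ == "__main__":
    result = run_example()
    for action, users in result.items():
        print(f"{action}: {users}")
    print("notify administrators:", has_changes(result))
```

Running it with the sample data creates Alice, skips Bob, re-registers Dave, deletes Erin (synced earlier but absent now), leaves Frank alone because he was created directly in MyQ Roger, and reports Carol as failed; passing allow_display_name=True turns Carol's failure into a creation.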
Notifications
If a synchronization is triggered manually:
The triggering user gets a navbar notification when the job finishes.
In case of any changes (any users deleted, added, or failed), all the users with permissions to manage a synchronization get a navbar notification with short information about the job.
If a synchronization is triggered automatically:
In case of any changes (any users deleted, added, or failed), all the users with permissions to manage a synchronization get a navbar notification with short information about the job.
If there is no change, users are not notified. Only short information about the last run is displayed in administration.
If the Application secret expiration date was set and the job is run 7 days before the expiration, a navbar notification is displayed and an email notification is sent to users with permissions to manage synchronizations.
All synchronization runs are logged with short information. All failed user syncs are also logged.