sendnrw/netbird-docs
2
0
Fork 0
mirror of https://github.com/netbirdio/docs.git synced 2026-04-16 07:26:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add embedded IdP sync docs

Browse Source
This commit is contained in:
bcmmbaga
2026-04-11 01:37:01 +03:00
parent 38119d2982
commit f6784edb6d
10 changed files with 1021 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
public/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/select-idp.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 931 KiB

BIN
public/docs-static/img/manage/team/idp-sync/google-workspace-sync/select-idp.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 936 KiB

BIN
public/docs-static/img/manage/team/idp-sync/jumpcloud-sync/select-idp.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 929 KiB

BIN
public/docs-static/img/manage/team/idp-sync/keycloak-sync/select-idp.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 919 KiB

BIN
public/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/select-idp.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 931 KiB

265
src/pages/manage/team/idp-sync/embedded/google-workspace-sync.mdx Normal file
View File

@@ -0,0 +1,265 @@
# Provision Users and Groups From Google Workspace (Embedded IdP)
[Google Workspace](https://workspace.google.com/) provides a comprehensive suite of cloud-based productivity tools that enhance team collaboration and
communication. Notably, its [identity management](https://cloud.google.com/architecture/identity/overview-google-authentication) features streamline user authentication and access control,
ensuring efficiency and security across your organization.
NetBird's Google Workspace integration enhances user management capabilities by synchronizing users and groups from
Google Workspace to NetBird. You can utilize these synchronized groups to configure your network, establish network
access policies, and automate onboarding and offboarding processes, adding significant value to your organizational
workflow and security posture.
The integration process involves two complementary services: Google Workspace and Google Cloud Platform (GCP).
Google Workspace serves as your Identity Provider (IdP), managing user and group identities and providing Single Sign-On (SSO)
capabilities. GCP is used to create a service account, which NetBird uses to authenticate and access Google Workspace
data via the Admin SDK API. This service account uses OAuth 2.0 for secure, authorized access to Workspace information.
import {Note} from "@/components/mdx";
<Note>
Before creating this integration, ensure you have a Google Workspace connector configured in your embedded IdP.
If not, refer to the [Identity Providers](/selfhosted/identity-providers/managed/google-workspace) documentation to set it up.
</Note>
## Get Started with NetBird-Google Workspace Integration
Go to the `Integrations` section in the left menu to access the `Identity Provider` integration. Click the `Google Workspace` button.
Select your **Google Workspace** identity provider connector for this integration and click **Continue** to proceed.
<p>
<img src="/docs-static/img/manage/team/idp-sync/google-workspace-sync/select-idp.png" alt="select-identity-provider" className="imagewrapper-big"/>
</p>
This will open a pop-up window featuring an intuitive wizard to guide you through the synchronization process between NetBird and Google Workspace.
![NetBird Connect NetBird with Google Workspace](/docs-static/img/manage/team/idp-sync/google-workspace-sync/q1aq98X.png)
## Prerequisites
The NetBird-Google Workspace integration process involves:
* Creating a project on the Google Cloud Platform.
* Setting up a service account within that GCP project.
* Creating a secret key for the service account.
* Creating a new role in Google Workspace for the service account.
* Granting the service account the appropriate role in Google Workspace.
You'll need a Google Workspace user account with sufficient permissions to create and manage user and group access. User roles that have these permissions include:
* Super Admin
* Groups Admin
* User Management Admin
To [check your user permissions](https://support.google.com/a/answer/7519580?hl=en) within Google Workspace:
* Sign in to your Google Admin console
* Navigate to `Directory` > `Users`.
* Select your user account and click on `Admin roles and privileges` to view assigned roles and permissions.
Confirm that you have one of the required roles before proceeding with the integration:
![Google Workspaces User Permissions](/docs-static/img/manage/team/idp-sync/google-workspace-sync/Ky8bguM.png)
If you lack the required permissions, please contact your workspace administrator to request them.
Because Google Cloud automatically provision new organizations with [Secure by Default enforcements](https://cloud.google.com/resource-manager/docs/secure-by-default-organizations), you'll also need a GCP user account with enough permissions to create service account keys. User roles that have these permissions include:
* Organization Administrator
* Organization Policy Administrator
To [check your organization-level permissions](https://cloud.google.com/resource-manager/docs/access-control-org) within Google Cloud:
* Sign in to [Google Console](https://console.cloud.google.com)
* In the top bar, click on the dropdown. Find and select your organization in the list.
* Once you've selected the organization, go to `IAM & Admin` > `IAM` in the left sidebar. This will show you a list of all users (principals) and service accounts with roles at the organization level.
* Look for users with roles like `Organization Administrator`, `Organization Policy Administrator`, or other high-level roles.
> NOTE: Verifying your GCP permissions is mandatory before proceeding with the integration since you might need to disable the `iam.disableServiceAccountKeyCreation` constraint temporarily during the process.
![Google Workspace IAM & Admin](/docs-static/img/manage/team/idp-sync/google-workspace-sync/9ECRJqC.png)
If you lack the required role, contact your organization's IT department or the person who set up your Google Cloud account.
## Creating the NetBird Project
Once you have the necessary permissions, you can create the NetBird project in GCP.
![NetBird Create NetBird Project](/docs-static/img/manage/team/idp-sync/google-workspace-sync/GBbcnt3.png)
Let's go through the required steps:
* Sign in to [Google Console](https://console.cloud.google.com)
* Click the project dropdown at the top of the page.
* Click `New Project` in the dropdown menu.
* Enter `NetBird` as the project name.
* Ensure the proper organization is selected in the `Organization` field.
* Click `CREATE`.
![Google Workspace New Project](/docs-static/img/manage/team/idp-sync/google-workspace-sync/sGLG0tX.png)
To let `NetBird` authenticate and access Google Workspace, you must enable the `Admin SDK API`. Here's how to do it:
* Ensure you're in the correct project.
* Navigate to [https://console.cloud.google.com/apis/library/admin.googleapis.com](https://console.cloud.google.com/apis/library/admin.googleapis.com)
* Click the `Enable` button.
![Google Workspace Admin SDK API](/docs-static/img/manage/team/idp-sync/google-workspace-sync/ij3niha.png)
## Creating the NetBird Service Account
Once you create the project, you can set up the `NetBird` service account. On NetBird, click `Continue →`. That will show you a summary of the required steps.
![NetBird Create Service Account](/docs-static/img/manage/team/idp-sync/google-workspace-sync/tRbBQsR.png)
Here are the step-by-step instructions:
Navigate to [https://console.cloud.google.com/apis/credentials](https://console.cloud.google.com/apis/credentials), click `CREATE CREDENTIALS` at the top menu and select `Service account` from the dropdown list.
![Google Workspace Service Account](/docs-static/img/manage/team/idp-sync/google-workspace-sync/rDU0Puv.png)
Complete the form with the supplied values:
* `NerBird` for the service account name
* `netbird` for the service account ID
Click `DONE` when ready.
![Google Workspace Service Account Details](/docs-static/img/manage/team/idp-sync/google-workspace-sync/WzqMsmW.png)
## Getting Your Service Account Email
On NetBird, click `Continue →`. You'll need to provide the email of the service account.
![NetBird Get Service Account Email](/docs-static/img/manage/team/idp-sync/google-workspace-sync/IBEGQD8.png)
You can copy the email from the `Credentials` page.
![Google Workspace Service Account Email](/docs-static/img/manage/team/idp-sync/google-workspace-sync/Z4CQd9O.png)
## Creating a New Service Account Key
Back on NetBird, click `Continue →`. You'll see a summary of how to create a service account key.
![NetBird Create Service Account Key](/docs-static/img/manage/team/idp-sync/google-workspace-sync/MGgCzky.png)
First, click on the service account email to show its details.
![Google Workspace Service Account Details](/docs-static/img/manage/team/idp-sync/google-workspace-sync/JWdAg4R.png)
Next, click the `Keys` tab. Open the `ADD KEY` drop-down menu and select `Create new key` from the list.
![Google Workspace Create New Key](/docs-static/img/manage/team/idp-sync/google-workspace-sync/gUQ4XAd.png)
A new pop-up window will open, select `JSON` as indicated below:
![Google Workspace New Key Format](/docs-static/img/manage/team/idp-sync/google-workspace-sync/WZWFp1Z.png)
The key will automatically download to your local device. The new key will also appear as `active` in the `KEYS` tab.
![Google Workspace Copy New Key](/docs-static/img/manage/team/idp-sync/google-workspace-sync/bSakeRS.png)
During service account key creation, you may encounter the following error:
![Google Workspace Key Creation Error](/docs-static/img/manage/team/idp-sync/google-workspace-sync/mU2qAwe.png)
If that's the case, activate Google Cloud Shell on the top menu (shell icon) and enter the following command:
```
gcloud org-policies delete iam.disableServiceAccountKeyCreation --organization=ORGANIZATION_ID
```
Remember to replace `ORGANIZATION_ID` with your organization ID.
Now, you can upload the service account key to NetBird. After a successful upload, you'll see the key listed in the NetBird interface.
![NetBird Paste New Key](/docs-static/img/manage/team/idp-sync/google-workspace-sync/g8omqCt.png)
## Creating a New Admin Role in Google Workspace
After creating the service account in GCP and uploading its secret key, return to NetBird and click 'Continue →'. The next steps will guide you through creating a role in Google Workspace for this service account
![NetBird Create Admin Role](/docs-static/img/manage/team/idp-sync/google-workspace-sync/F80lm4H.png)
Navigate to Google Workspace [Admin Console](https://admin.google.com/ac/home). Select `Account` on the left menu and then click `Admin Roles`
![Google Workspace Admin Roles](/docs-static/img/manage/team/idp-sync/google-workspace-sync/X1CYEHq.png)
Click `Create new role`
![Google Workspace Create New Role](/docs-static/img/manage/team/idp-sync/google-workspace-sync/pmeCOd4.png)
Fill in the form with the values provided in NetBird:
* Name: `User and Group Management ReadOnly`
* Description: `User and Group Management ReadOnly`
When done, click `CONTINUE`
![Google Workspace Create Role](/docs-static/img/manage/team/idp-sync/google-workspace-sync/HLddKPh.png)
## Granting Role Privileges
Return to NetBird and click `Continue →`. The next screen shows the privileges needed for the Admin API.
![NetBird Add Role Privileges](/docs-static/img/manage/team/idp-sync/google-workspace-sync/IZn8XWY.png)
Back to Google Workspace, enter `admin api` in the search bar and enable the following privileges for the Admin API:
* Users: `Read`
* Groups: `Read`
Then, click `CONTINUE`
![Google Workspace Select Privileges](/docs-static/img/manage/team/idp-sync/google-workspace-sync/nKLJX2H.png)
Review the Admin API privileges to verify they are correct and click `CREATE ROLE` when ready.
![Google Workspace Review Privileges](/docs-static/img/manage/team/idp-sync/google-workspace-sync/METhl2T.png)
## Assigning Admin API Privileges to Google Cloud Service Account
In NetBird, click `Continue →`. For convenience, you can copy the service account Email from this screen and use it to grant it the necessary permissions in Google Workspace.
![NetBird Assign Service Account](/docs-static/img/manage/team/idp-sync/google-workspace-sync/jhgTfsk.png)
Then, in Google Workspace, click on `Assign service accounts` as shown below:
![Google Workspace Assign Service Account](/docs-static/img/manage/team/idp-sync/google-workspace-sync/HHzmRAL.png)
Paste the service account Email address and click the `ADD` button.
![Google Workspace Add Service Account](/docs-static/img/manage/team/idp-sync/google-workspace-sync/ZYSw3KZ.png)
Verify the Email and click `ASSIGN ROLE` to grant the role `User and Group Management ReadOnly` to the `NetBird` service account.
![Google Workspace Assign Role](/docs-static/img/manage/team/idp-sync/google-workspace-sync/rPYNLz1.png)
## Entering Customer ID
Go back to NetBird and click `Continue →`. The next screen will prompt you to enter your Google Workspace Customer ID.
![NetBird Enter Customer ID](/docs-static/img/manage/team/idp-sync/google-workspace-sync/q6tuStz.png)
To get your customer ID, navigate to [Account Settings](https://admin.google.com/ac/accountsettings/profile?hl=en_US) and copy the corresponding ID.
![Google Workspace Customer ID](/docs-static/img/manage/team/idp-sync/google-workspace-sync/443kaDt.png)
## Synchronizing Google Workspace Groups and Users
Return to NetBird. The next two screens allow you to select which Google Workspace groups and users you want to synchronize. By default, NetBird synchronizes all groups and users. If you're okay with syncing everything, click `Continue` on both screens.
![NetBird Groups Sync](/docs-static/img/manage/team/idp-sync/google-workspace-sync/gAgKeL0.png)
You can also click on `+ Add group (or user group) filter` to change this settings as you see fit. To finish the integration process, click the `Connect` button.
![NetBird Users Sync](/docs-static/img/manage/team/idp-sync/google-workspace-sync/6Huo7vW.png)
The next screen, should be similar the following one, verifying that the integration was successful:
![NetBird Google Workspace Enabled](/docs-static/img/manage/team/idp-sync/google-workspace-sync/EkPJqpJ.png)
To verify the integration is working correctly, you can also navigate to `Team` > `Users`. Here, you should see your synchronized Google Workspace users listed.
![NetBird Users](/docs-static/img/manage/team/idp-sync/google-workspace-sync/5AcaIqW.png)
The users should be the same listed in Google Workspace Admin console:
![Google Workspace Users](/docs-static/img/manage/team/idp-sync/google-workspace-sync/BPfboem.png)

120
src/pages/manage/team/idp-sync/embedded/jumpcloud-sync.mdx Normal file
View File

@@ -0,0 +1,120 @@
import {Note} from "@/components/mdx";
# Provision Users and Groups From JumpCloud (Embedded IdP)
JumpCloud is a comprehensive cloud-based directory platform that provides identity, access, and device management capabilities.
It offers features like single sign-on (SSO), multi-factor authentication (MFA), and centralized user management
to help organizations secure and manage access to their resources.
NetBird's JumpCloud integration enhances user management by allowing you to utilize JumpCloud as your identity provider.
This integration automates user authentication in your network, adds SSO and MFA support, and simplifies network access management
to your applications and resources.
<Note>
Before creating this integration, ensure you have a JumpCloud connector configured in your embedded IdP.
If not, refer to the [Identity Providers](/selfhosted/identity-providers) documentation to set it up.
</Note>
## Prerequisites
Before you begin the integration process, ensure you have the necessary [admin permissions in JumpCloud](https://jumpcloud.com/support/admin-portal-roles). You need a JumpCloud user account with one of the following roles:
* Administrator (minimum required)
* Administrator with Billing
These roles have the required permissions to configure SSO applications and manage SCIM provisioning.
## Enabling JumpCloud SCIM in NetBird
To enable SCIM synchronization in NetBird, navigate to `Integrations > Identity Provider Sync` in your NetBird dashboard. Click the `Connect Jumpcloud` button.
Select your **JumpCloud** identity provider connector for this integration and click **Continue** to proceed.
<p>
<img src="/docs-static/img/manage/team/idp-sync/jumpcloud-sync/select-idp.png" alt="select-identity-provider" className="imagewrapper-big"/>
</p>
This will open a pop-up window featuring a user-friendly wizard to guide you through the configuration process.
![NetBird Jumpcloud Getting Started](/docs-static/img/manage/team/idp-sync/jumpcloud-sync/jumpcloud-scim-getting-started.png)
Click `Get Started` to launch the configuration wizard. You will be guided through several configuration options:
**Groups to be synchronized**
By default, all groups assigned to the NetBird application in JumpCloud will be synchronized. If you want to synchronize only assigned groups that start with a specific prefix, you can specify them in the filter. Keep in mind that the prefix matching is case-sensitive.
![NetBird Jumpcloud Group Filter](/docs-static/img/manage/team/idp-sync/jumpcloud-sync/jumpcloud-scim-group-filter.png)
Click `Continue` to proceed to the next step.
**Users to be synchronized**
By default, all users from the groups assigned to the NetBird application will be synchronized. If you want to further filter and synchronize only users from specific assigned groups, you can specify those group names in the filter. The group name matching is case-sensitive.
![NetBird Jumpcloud User Group Filter](/docs-static/img/manage/team/idp-sync/jumpcloud-sync/jumpcloud-scim-user-group-filter.png)
Click `Continue` to generate your SCIM credentials.
**SCIM Credentials**
NetBird will generate the SCIM credentials required to configure JumpCloud. Make note of both the **Base URL** and **Token Key** as you will need them in the next section to complete the JumpCloud configuration.
![NetBird Jumpcloud SCIM Credentials](/docs-static/img/manage/team/idp-sync/jumpcloud-sync/jumpcloud-scim-credentials.png)
Click `Finish Setup` to complete the NetBird SCIM configuration.
![NetBird Jumpcloud SCIM Enabled](/docs-static/img/manage/team/idp-sync/jumpcloud-sync/jumpcloud-scim-enabled.png)
You can now proceed to configure the SCIM application in JumpCloud using the credentials generated above.
## Configure SCIM Application in JumpCloud
In your [JumpCloud admin console](https://console.jumpcloud.com/), go to `SSO Applications`, select your `NetBird`
application, and then select the `Identity Management` tab.
In the **Configuration Settings** section, enter the following SCIM Service Provider details:
* **API Type**: `SCIM API` (default)
* **SCIM Version**: `SCIM 2.0` (default)
* **Base URL**: `https://api.netbird.io/api/scim/v2`
* **Token Key**: Paste the Bearer token you copied from NetBird
* **Test User Email**: Provide a new, unused email address for testing (e.g., `test@yourdomain.com`)
![JumpCloud SCIM Configuration](/docs-static/img/manage/team/idp-sync/jumpcloud-sync/jumpcloud-scim-config.png)
* Click `Test Connection` to verify the SCIM connection
If the connection is successful, you'll see a success message. Click `Activate` to enable SCIM provisioning.
![JumpCloud SCIM Test Success](/docs-static/img/manage/team/idp-sync/jumpcloud-sync/jumpcloud-scim-activated.png)
## Assigning Groups for SCIM Synchronization
To enable SCIM synchronization of groups and their memberships to NetBird, you need to assign user groups to the NetBird SCIM application.
In your [JumpCloud admin console](https://console.jumpcloud.com/):
* Navigate to your `NetBird` SSO application
* Click on the `User Groups` tab
* Select the groups whose members you want to synchronize to NetBird
* Click `Save` to apply the changes
![JumpCloud Assign Groups](/docs-static/img/manage/team/idp-sync/jumpcloud-sync/jumpcloud-assign-groups.png)
Once saved, JumpCloud will automatically synchronize the selected groups and their user memberships to NetBird.
## Verify Synchronization
After assigning groups in JumpCloud, the synchronization will begin automatically. You can verify that users and groups
have been successfully synchronized by navigating to `Team > Users` in your NetBird dashboard.
![NetBird Verify Users](/docs-static/img/manage/team/idp-sync/jumpcloud-sync/netbird-verify-users.png)
<Note>
SCIM provisioning will manage only resources that are created through Jumpcloud. Any resources created directly in NetBird will not be managed by SCIM.
</Note>
<Note>
Synced groups will only be available for membership and will not change the role of user in NetBird
</Note>

209
src/pages/manage/team/idp-sync/embedded/keycloak-sync.mdx Normal file
View File

@@ -0,0 +1,209 @@
import {Note} from "@/components/mdx";
# Provision Users and Groups From Keycloak (Embedded IdP)
Keycloak is an open-source identity and access management solution that provides features like single sign-on (SSO),
multi-factor authentication (MFA), user federation, and centralized identity management to help organizations
secure and manage access to their applications and resources.
NetBird's Keycloak integration enhances user management by allowing you to utilize Keycloak as your identity provider.
This integration automates user authentication in your network, adds SSO and MFA support, and simplifies network access management
to your applications and resources.
<Note>
Before creating this integration, ensure you have a Keycloak connector configured in your embedded IdP.
If not, refer to the [Identity Providers](/selfhosted/identity-providers/keycloak) documentation to set it up.
</Note>
## Prerequisites
Before you begin the integration process, ensure you have the necessary permissions in Keycloak. You need:
* The `scim-admin` or `realm-admin` role assigned to your user to access the SCIM Administration Console
* [SCIM for Keycloak plugin installed](https://scim-for-keycloak.de/)
Once the SCIM plugin is installed, you should see the SCIM section available in your Keycloak admin console.
![Keycloak SCIM Installed](/docs-static/img/manage/team/idp-sync/keycloak-sync/keycloak-scim-installed.png)
## Enabling Keycloak SCIM in NetBird
To enable SCIM synchronization in NetBird, navigate to `Integrations > Identity Provider Sync` in your NetBird dashboard. Click the `Connect Generic SCIM` button.
Select your **Keycloak** identity provider connector for this integration and click **Continue** to proceed.
<p>
<img src="/docs-static/img/manage/team/idp-sync/keycloak-sync/select-idp.png" alt="select-identity-provider" className="imagewrapper-big"/>
</p>
This will open a pop-up window featuring a user-friendly wizard to guide you through the configuration process.
![NetBird Keycloak Getting Started](/docs-static/img/manage/team/idp-sync/keycloak-sync/keycloak-scim-getting-started.png)
Click `Get Started` to launch the configuration wizard. You will be guided through several configuration options:
**Groups to be synchronized**
By default, all groups mapped in the Keycloak SCIM client will be synchronized. If you want to synchronize only groups that start with a specific prefix, you can specify them in the filter. Keep in mind that the prefix matching is case-sensitive.
![NetBird Keycloak Group Filter](/docs-static/img/manage/team/idp-sync/keycloak-sync/keycloak-scim-group-filter.png)
Click `Continue` to proceed to the next step.
**Users to be synchronized**
By default, all users from the mapped groups will be synchronized. If you want to further filter and synchronize only users from specific groups, you can specify those group names in the filter. The group name matching is case-sensitive.
![NetBird Keycloak User Group Filter](/docs-static/img/manage/team/idp-sync/keycloak-sync/keycloak-scim-user-group-filter.png)
Click `Continue` to generate your SCIM credentials.
**SCIM Credentials**
NetBird will generate the SCIM credentials required to configure Keycloak. Make note of both the **Base URL** and **Token Key** as you will need them in the next section to complete the Keycloak configuration.
![NetBird Keycloak SCIM Credentials](/docs-static/img/manage/team/idp-sync/keycloak-sync/keycloak-scim-credentials.png)
Click `Finish Setup` to complete the NetBird SCIM configuration.
![NetBird Keycloak SCIM Enabled](/docs-static/img/manage/team/idp-sync/keycloak-sync/keycloak-scim-enabled.png)
You can now proceed to configure the SCIM client in Keycloak using the credentials generated above.
## Configure SCIM Client in Keycloak
To configure SCIM in Keycloak, you need to access the SCIM Administration Console and create a service provider configuration.
Navigate to the SCIM Administration Console. On the first login screen, enter your realm name (e.g., `netbird`) and click `Start Login`.
![Keycloak SCIM Login](/docs-static/img/manage/team/idp-sync/keycloak-sync/keycloak-scim-login.png)
Once logged in, navigate to the `SCIM Client` menu and click on `Remote SCIM Provider`. Then click the `+` button to add a new service provider configuration.
![Keycloak SCIM Remote Provider](/docs-static/img/manage/team/idp-sync/keycloak-sync/keycloak-scim-remote-provider.png)
In the SCIM Remote Provider Configuration form, fill out the following sections:
**SCIM Provider Details:**
* **Name**: `NetBird`
* **Provider Enabled**: Enable this checkbox
* **Is User Federation Provider active**: Enable this checkbox only if you are using a federation provider like LDAP. Otherwise, leave it disabled
* **Send externalId as id in requests**: Enable this checkbox
**Connection Details:**
* **Base URL**: Paste the Base URL you copied from NetBird (e.g., `https://api.netbird.io/api/scim/v2`)
* **Hostname-Verifier Enabled**: Enable this checkbox
![Keycloak SCIM Configuration](/docs-static/img/manage/team/idp-sync/keycloak-sync/keycloak-scim-config.png)
**Authentication:**
* **Authentication Type**: Select `Long Life Bearer Token Authentication`
* **Bearer Token**: Paste the Token Key you copied from NetBird
Click `Add` to save the configuration.
![Keycloak SCIM Authentication](/docs-static/img/manage/team/idp-sync/keycloak-sync/keycloak-scim-authentication.png)
After adding the configuration, click `Save Configuration` and then click `Use default Configuration` to apply the settings.
The default schema for the SCIM provider will be created automatically.
![Keycloak SCIM Default Schema](/docs-static/img/manage/team/idp-sync/keycloak-sync/keycloak-scim-default-schema.png)
Next, assign the SCIM provider to your realm. Click the `Realm Assignment` tab to view all available realms.
![Keycloak SCIM Realm Assignment](/docs-static/img/manage/team/idp-sync/keycloak-sync/keycloak-scim-realm-assignment.png)
Find your realm (e.g., `netbird`) and click `Assign to Realm` to enable SCIM synchronization for that realm.
![Keycloak SCIM Realm Assigned](/docs-static/img/manage/team/idp-sync/keycloak-sync/keycloak-scim-realm-assigned.png)
## Configure Resource Filtering
By default, the SCIM provider will synchronize all groups and users from your Keycloak realm to NetBird.
To control which specific groups and users should be synchronized, you need to configure resource filtering rules.
Under the `SCIM Client` menu section, click on `Remote SCIM Provider`, then click `Edit` in the NetBird provider row.
Select the `Resource Filtering Rules` tab.
![Keycloak SCIM Resource Filtering](/docs-static/img/manage/team/idp-sync/keycloak-sync/keycloak-scim-resource-filtering.png)
**User Filtering**
To synchronize only users from specific groups, configure the user filtering rule and click `Save Configuration`:
* **Invert Filter Rule**: Leave this checkbox disabled
* **Filter Type**: Select `Group`
* **Group Name**: Enter the name of the group to sync users from
**Group Filtering**
To synchronize only groups that match specific criteria, configure the group filtering rule and click `Save Configuration`:
* **Invert Filter Rule**: Leave this checkbox disabled
* **Filter Type**: Select `Property`
* **Property Name**: Enter `Groupname`
* **Comparator**: Select `Contains`
* **Comparison Value**: Enter the text that should be contained in the group name
![Keycloak SCIM Filtering Configuration](/docs-static/img/manage/team/idp-sync/keycloak-sync/keycloak-scim-filtering-config.png)
## Initial Sync
After configuring the SCIM provider and resource filtering, you need to manually synchronize existing users and groups from Keycloak to NetBird.
### Sync Users
Navigate to the `Synchronization` tab in your SCIM provider configuration and select `User Synchronization`.
Confirm the following settings:
* **Identifier**: Set to `Username`
* **Synchronization Strategy**: Set to `Get and (update or create) Strategy`
![Keycloak SCIM User Sync Settings](/docs-static/img/manage/team/idp-sync/keycloak-sync/keycloak-scim-user-sync-settings.png)
Click `Count local and remote resources` to validate that the **Local User Count** and **Remote User Count** values are as expected.
Once validated, click `Synchronize all resources from startIndex` to sync all users.
### Sync Groups
Navigate to the `Synchronization` tab and select `Group Synchronization`.
Confirm the following settings:
* **Operation Type**: Set to `Create Group`
* **Synchronization Strategy**: Set to `Get and (update or create) Strategy`
![Keycloak SCIM Group Sync Settings](/docs-static/img/manage/team/idp-sync/keycloak-sync/keycloak-scim-group-sync-settings.png)
Click `Count local and remote resources` to validate that the **Local Group Count** and **Remote Group Count** values are as expected.
Once validated, click `Synchronize all resources from startIndex` to sync all groups.
### Sync Group Membership
Navigate to the `Synchronization` tab and select `Group Synchronization`.
Confirm the following settings:
* **Operation Type**: Set to `Update Group Members`
* **Synchronization Strategy**: Set to `Get and (update or create) Strategy`
![Keycloak SCIM Group Membership Sync Settings](/docs-static/img/manage/team/idp-sync/keycloak-sync/keycloak-scim-group-membership-sync-settings.png)
Click `Count local and remote resources` to validate that the **Local Group Count** and **Remote Group Count** values are as expected.
Once validated, click `Synchronize all resources from startIndex` to sync all group memberships.
## Verify Synchronization
After completing the initial sync, you can verify that users and groups have been successfully synchronized by navigating to `Team > Users` in your NetBird dashboard.
![NetBird Verify Users](/docs-static/img/manage/team/idp-sync/keycloak-sync/netbird-verify-users.png)
<Note>
SCIM provisioning will manage only resources that are created through Keycloak. Any resources created directly in
NetBird will not be managed by SCIM.
</Note>
<Note>
Synced groups will only be available for membership and will not change the role of user in NetBird
</Note>

230
src/pages/manage/team/idp-sync/embedded/microsoft-entra-id-scim-sync.mdx Normal file
View File

@@ -0,0 +1,230 @@
import {Note} from "@/components/mdx";
# Provision Users and Groups From Microsoft Entra ID via SCIM (Embedded IdP)
[Microsoft Entra ID](https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id),
formerly known as Azure Active Directory (Azure AD), is a cloud-based identity and access management service that provides
organizations with secure authentication, single sign-on, and user management capabilities. In the context of network security,
it can be effectively used to control network access based on organizational structure, such as groups and individual user accounts.
NetBird's Microsoft Entra ID SCIM integration allows you to synchronize users and groups from Entra ID to NetBird.
You can then use these synchronized groups to configure your network, create network access policies, and automate
onboarding and offboarding processes.
<Note>
Before creating this integration, ensure you have a Microsoft Entra ID connector configured in your embedded IdP.
If not, refer to the [Identity Providers](/selfhosted/identity-providers/managed/microsoft-entra-id) documentation to set it up.
</Note>
## Enabling Microsoft Entra ID SCIM in NetBird
To enable SCIM synchronization in NetBird, navigate to `Integrations > Identity Provider Sync` in your NetBird dashboard. Click the `Connect Microsoft Entra ID` button.
Select your **Microsoft Entra ID** identity provider connector for this integration and click **Continue** to proceed.
<p>
<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/select-idp.png" alt="select-identity-provider" className="imagewrapper-big"/>
</p>
This will open a pop-up window featuring a user-friendly wizard, guiding you through the synchronization process between NetBird and Entra ID.
<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-scim-getting-started.png" alt="Microsoft Entra ID SCIM Getting Started Wizard" className="imagewrapper-big"/>
## Prerequisites
Before you begin the integration process, ensure you have the necessary admin permissions in Microsoft Entra ID. You need an Azure user account with at least one of these roles:
* Application Administrator
* Cloud Application Administrator
* Global Administrator
## Configure SCIM Provisioning in Microsoft Entra ID
Click on the `Get Started` button to initiate the integration process.
A new wizard screen will appear, offering step-by-step instructions for creating and configuring your Microsoft Entra ID application. To simplify the process, the wizard also provides quick-copy buttons for essential information:
<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-configure-scim.png" alt="Microsoft Entra ID SCIM Configuration Setup" className="imagewrapper-big"/>
In the [Azure portal](https://portal.azure.com), navigate to `Azure Active Directory` → `Enterprise applications`.
<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-enterprise-applications.png" alt="Microsoft Entra ID Enterprise Applications" className="imagewrapper-big"/>
Click `New application` to create a new enterprise application.
<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-new-application.png" alt="Microsoft Entra ID New Application Creation" className="imagewrapper-big"/>
Click `Create your own application`.
Fill out the application form with the following details:
* **What's the name of your app?**: `NetBird SCIM`
* **What are you looking to do with your application?**: Select `Integrate any other application you don't find in the gallery (Non-gallery)`
<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-application-form.png" alt="Microsoft Entra ID Application Form" className="imagewrapper-big"/>
Click `Create`.
<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-application-created.png" alt="Microsoft Entra ID Application Created Successfully" className="imagewrapper-big"/>
### Enable Provisioning
On the NetBird dashboard click the Continue → button. A new wizard screen will appear, offering step-by-step instructions for enabling provisioning.
<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-enable-provisioning.png" alt="Microsoft Entra ID Enable Provisioning Setup" className="imagewrapper-big"/>
Once the application is created, you'll be redirected to a getting started page. Click `Get started` in the `Provision User Accounts` section.
<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-provisioning-get-started.png" alt="Microsoft Entra ID Provisioning Get Started" className="imagewrapper-big"/>
Under the `Create configuration` section, click `connect your application`.
Fill out the `New provisioning configuration` form with the following details:
* **Select authentication method**: `Bearer authentication`
* **Tenant URL**: `https://api.netbird.io/api/scim/v2?aadOptscim062020`
* **Secret token**: Paste the Token Key you copied from the Entra ID SCIM Setup process in the NetBird integration
<Note>
The `?aadOptscim062020` flag appended to the Tenant URL is required to ensure Microsoft Entra ID sends SCIM 2.0 compliant requests.
Without this flag, Entra ID uses non-standard PATCH operations that can cause provisioning issues such as incorrect boolean values and malformed group membership updates.
See [Microsoft's SCIM compatibility documentation](https://learn.microsoft.com/en-us/entra/identity/app-provisioning/application-provisioning-config-problem-scim-compatibility#flags-to-alter-the-scim-behavior) for more details.
</Note>
<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-connect-application.png" alt="Microsoft Entra ID Connect Application Configuration" className="imagewrapper-big"/>
Click `Test Connection` to verify the SCIM connection. If the connection is successful, click `Create` to save the configuration.
<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-connection-success.png" alt="Microsoft Entra ID Connection Success" className="imagewrapper-big"/>
### Configure Attribute Mapping
On the NetBird dashboard click the Continue → button. A new wizard screen will appear, offering step-by-step instructions for configuring attribute mapping.
<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-configure-attribute-mapping.png" alt="Microsoft Entra ID Configure Attribute Mapping" className="imagewrapper-big"/>
After creating the provisioning configuration, you need to configure the attribute mappings for both groups and users.
Navigate to the `Attribute mapping` section.
<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/attribute-mapping.png" alt="Microsoft Entra ID Attribute Mapping" className="imagewrapper-big"/>
#### Group Attribute Mapping
Click `Provision Microsoft Entra ID Groups` to configure the group attribute mapping.
<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-group-attribute-mapping.png" alt="Microsoft Entra ID Group Attribute Mapping" className="imagewrapper-big"/>
In the attribute mappings list, locate the `externalId` row and click `Delete`.
Click `Save` to apply the updated group attribute mapping configuration.
<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-group-attribute-mapping-updated.png" alt="Microsoft Entra ID Group Attribute Mapping After Deletion" className="imagewrapper-big"/>
#### User Attribute Mapping
Navigate back to the `Attribute mapping` section and click `Provision Microsoft Entra ID Users` to configure the user attribute mapping.
<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-user-attribute-mapping.png" alt="Microsoft Entra ID Default User Attribute Mapping" className="imagewrapper-big"/>
Remove all attribute mappings except for the following:
* `userName`
* `active`
* `displayName`
* `emails[type eq "work"].value`
* `name.givenName`
* `name.familyName`
* `externalId`
Click `Save` to apply the updated user attribute mapping configuration.
<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-user-attribute-mapping-clean.png" alt="Microsoft Entra ID Updated User Attribute Mapping" className="imagewrapper-big"/>
In the attribute mappings list, locate the `externalId` row and click `Edit`.
Change the **Source attribute** from `mailNickname` to `objectId`.
<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-edit-externalid.png" alt="Microsoft Entra ID Edit External ID Attribute" className="imagewrapper-big"/>
Click `Ok` to save the change, then click `Save` to apply the final user attribute mapping configuration.
<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-user-attribute-mapping-updated.png" alt="Microsoft Entra ID Final User Attribute Mapping" className="imagewrapper-big"/>
## Assign Users and Groups
On the NetBird dashboard click the Continue → button. A new wizard screen will appear, offering step-by-step instructions for assigning users and groups.
<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-assign-users-and-groups.png" alt="Microsoft Entra ID Assign Users and Groups" className="imagewrapper-big"/>
To enable SCIM synchronization of users and groups to NetBird, you need to assign them to the NetBird enterprise application.
In the Azure portal, navigate to your NetBird enterprise application:
* Click on `Users and groups` in the left menu
* Click `+ Add user/group`
* Select the users and groups you want to synchronize to NetBird
* Click `Assign` to save the assignments
<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-assign-users-groups.png" alt="Microsoft Entra ID Assign Users and Groups Interface" className="imagewrapper-big"/>
## Start Provisioning
On the NetBird dashboard click the Continue → button. A new wizard screen will appear, offering step-by-step instructions for starting the provisioning.
<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-run-provisioning.png" alt="Microsoft Entra ID Run Provisioning" className="imagewrapper-big"/>
After assigning users and groups, navigate back to the provisioning configuration and click the `Start provisioning` button to enable automatic synchronization. The first sync will begin shortly after provisioning is started.
<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-provisioning-started.png" alt="Microsoft Entra ID Provisioning Started" className="imagewrapper-big"/>
Once started, Microsoft Entra ID will automatically synchronize the assigned users and groups to NetBird.
<Note>
After the initial sync, Microsoft Entra ID runs provisioning cycles approximately every 40 minutes by default.
If you need to synchronize changes immediately, you can use [Provisioning on demand](https://learn.microsoft.com/en-us/entra/identity/app-provisioning/provision-on-demand?pivots=app-provisioning) to provision individual users or groups without waiting for the next cycle.
</Note>
Click `Finish Setup` in the NetBird Dashboard to finalize the integration process.
## Verify Synchronization
After starting provisioning, the synchronization will begin automatically. You can verify that users and groups
have been successfully synchronized by navigating to `Team > Users` in your NetBird dashboard.
<Note>
SCIM provisioning will manage only resources that are created through Microsoft Entra ID. Any resources created directly in NetBird will not be managed by SCIM.
</Note>
<Note>
Synced groups will only be available for membership and will not change the role of user in NetBird
</Note>
## Configuration Settings
You can access some configuration settings inside the NetBird Dashboard. E.g. if you want to regenerate the authentication token or want to filter users and groups based on a specific prefix.
Simply go to the Integrations page and click the settings icon of your integration.
<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-configuration-options.png" alt="Microsoft Entra ID SCIM Configuration Options" className="imagewrapper-big"/>
### Regenerate Auth Token
If your authentication token has expired or you need to update it, click **Regenerate Auth Token** in the configuration window to generate a new token.
<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-regenerate-auth-token.png" alt="Microsoft Entra ID Regenerate Authentication Token" className="imagewrapper-big"/>
### Groups to be synchronized
By default, all groups assigned to the NetBird application in Entra will be synchronized. If you want to synchronize only assigned groups that start with a specific prefix, you can specify them in the filter. Keep in mind that the prefix matching is case-sensitive.
<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-group-prefix.png" alt="Microsoft Entra ID Group Prefix Filter" className="imagewrapper-big"/>
Click `Continue` to proceed to the next step.
### Users to be synchronized
By default, all users from the groups assigned to the NetBird application in Entra will be synchronized. If you want to further filter and synchronize only users from specific assigned groups, you can specify those group names in the filter. The group name matching is case-sensitive.
<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-user-prefix.png" alt="Microsoft Entra ID User Prefix Filter" className="imagewrapper-big"/>

197
src/pages/manage/team/idp-sync/embedded/microsoft-entra-id-sync.mdx Normal file
View File

@@ -0,0 +1,197 @@
# Provision Users and Groups From Microsoft Entra ID via API (Embedded IdP)
[Microsoft Entra ID](https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id),
formerly known as Azure Active Directory (Azure AD), is a cloud-based identity and access management service that provides
organizations with secure authentication, single sign-on, and user management capabilities. In the context of network security,
it can be effectively used to control network access based on organizational structure, such as groups and individual user accounts.
NetBird's Microsoft Entra ID integration allows you to synchronize users and groups from Entra ID to NetBird.
You can then use these synchronized groups to configure your network, create network access policies, and automate
onboarding and offboarding processes.
<Note>
Before creating this integration, ensure you have a Microsoft Entra ID connector configured in your embedded IdP.
If not, refer to the [Identity Providers](/selfhosted/identity-providers/managed/microsoft-entra-id) documentation to set it up.
</Note>
## Get Started with NetBird-Entra ID Integration
Navigate to `Integrations` in the left menu to access the `Identity Provider` integration. Click the `Entra ID (Azure AD)` button.
Select your **Microsoft Entra ID** identity provider connector for this integration and click **Continue** to proceed.
<p>
<img src="/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/select-idp.png" alt="select-identity-provider" className="imagewrapper-big"/>
</p>
This will open a pop-up window featuring a user-friendly wizard, guiding you through the synchronization process between NetBird and Azure AD.
![NetBird Get Started IdP](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/FkdC8BV.png)
## Prerequisites
Before starting the integration process, verify that you have the required permissions in Microsoft Entra ID (Azure AD).
Specifically, you will need an Azure user account with at least one of these roles:
* Application Administrator
* Cloud Application Administrator
* Global Administrator
To check your permissions:
* Log in to the [Azure portal](portal.azure.com).
* Navigate to Manage Microsoft Entra ID and click `View`.
* Expand the `Manage` tab and click on `Roles and administrators` in the left menu.
* Look for your username and verify if you're assigned any of the above roles.
![EntraID Roles](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/lDyaAeV.png)
If you don't have the required permissions, contact your Azure AD administrator to grant you the appropriate role before proceeding with the NetBird integration.
## Create and Configure a Microsoft Entra ID Application for NetBird Integration
Now that you have the required permissions, return to the NetBird dashboard. Click on the `Get Started` button to initiate the integration process.
A new wizard screen will appear, offering step-by-step instructions for creating and configuring your Microsoft Entra ID application. To simplify the process, the wizard also provides quick-copy buttons for essential information:
* Name
* Account Type
* Redirect Type
* Redirect URI
![NetBird Create Application](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/oI0Pjai.png)
For convenience, click on [Azure Active Directory](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview) (step 1). That will open the Azure dashboard. Navigate to `App registrations` in the left menu and then click `+New registration` as indicated below:
![EntraID App Registration](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/Yxxktk6.png)
Fill in the required information:
![EntraID Register an App](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/1t8qbfK.png)
After entering all required information, click the `Register` button at the bottom of the form to finalize the application registration process.
Upon successful registration, you'll be redirected to a confirmation screen similar to the following:
![EntraID App Registered](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/7WYZMW6.png)
Copy and securely store the generated `Application (client) ID` and `Directory (tenant) ID` as you will need them shortly.
## Configure API Permissions for NetBird-Entra ID Integration
On the NetBird dashboard click the `Continue →` button. A new wizard screen will appear, this time, offering step-by-step instructions for setting up API permissions.
![NetBird Add API Permissions](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/0A98Xm9.png)
Back to Azure, in the `App registrations` screen, click on `Manage` in the left menu to expand it and then click on `API permissions`:
![EntraID API Permissions](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/V0aRf7f.png)
Look for the `+ Add a permission` button, located near the top of the permissions list and click on it.
![EntraID API Permissions Screen](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/Qy9lDMF.png)
A new pop-up window will appear, asking you to select an API. Click on `Microsoft Graph`.
![EntraID Microsoft Graph](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/tP7WqXO.png)
On the next screen, click on the `Application permissions` button, which will let you select the appropriate permissions for NetBird to function correctly with your Microsoft Entra ID environment.
![EntraID Request API Permissions](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/zSkSGAm.png)
To assign user permissions:
* Locate the search bar at the top. Type `User.Read.All` into the search bar and press `Enter`.
* In the search results, click on the `User` tab to expand it and view the available permissions.
* Click on the checkbox to select and enable the `User.Read.All` permission.
![EntraID UserReadAll](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/KHGbhqe.png)
The `User.Read.All` permission allows NetBird to read the full set of profile properties, group memberships, and reports of the signed-in user and other users in your organization.
Next, repeat the procedure. This time, search for `Group.Read.All` and click on the checkbox to enable it as shown below:
![EntraID GroupReadAll](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/XDl3b7u.png)
Once done, click the `Add permissions` button. You will see a few warnings:
![EntraID API Permissions Warnings](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/OGWQWVH.png)
Locate the `Grant admin consent for [Your Organization Name]` button (you'll find it next to `+Add a permission` button). Click on it to grant the required permissions.
A confirmation dialog will appear, asking you to verify this action. Review the permissions listed in the dialog and click `Yes` to confirm. Wait for the process to complete, this may take a few seconds.
Once finished, the status of the permissions should change to `Granted for [Your Organization Name]`. Verify that all selected permissions now show a green checkmark, indicating they've been successfully granted:
![EntraID API Permissions Granted](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/bHb8HVZ.png)
## Create a Client Secret for Secure NetBird-Entra ID Authentication
Back to the NetBird dashboard, click the `Continue →` button. A new wizard screen will appear, showing instructions for generating a client secret in Entra ID.
![NetBird Generate Client Secret](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/xvLskEg.png)
On Azure, click on the `Certificates & secrets` button in the left menu to open the management page. Click on `+New client secret` as shown below. Choose an expiration time that suits your security needs and click the `Add` button.
![EntraID Add a Client Secret](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/WIercn5.png)
A new client secret will be generated and displayed on the screen. Copy and securely store the `Value` field immediately, as you will needed in the next step.
![EntraID Client Secret Value](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/LimVmGI.png)
## Enter Application ID and Directory ID in NetBird
Paste the secret `Value` from the previous step into NetBird and click the `Continue →` button. A new wizard screen will appear, asking for the `Application (client) ID` and the `Directory (tenant) ID` credentials generated previously.
Paste the values and click the `Continue →` button.
![NetBird Application ID and Directory](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/6yiGCtY.png)
## Choose Groups to Synchronize from Entra ID
At this stage, NetBird is set to synchronize all groups from your Microsoft Entra ID by default. You have two options:
* If you want to synchronize all groups, simply click the `Continue →` button.
* To synchronize only specific groups, click the `+ Add group filter` button, which will open a new panel where you can set criteria to include or exclude groups.
![NetBird Group Sync](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/xyLPzxH.png)
## Choose Users to Synchronize from Entra ID
After configuring group synchronization, you'll now set up user synchronization. Similar than before, NetBird is configured to synchronize all users from your Microsoft Entra ID by default.
* If you want to synchronize all users, you don't need to take any action, simply click the `Continue →` button.
* To synchronize only specific users, click the `+ Add user filter` button. This opens a new panel where you can set criteria to include or exclude users.
<Note>
You can modify these synchronization settings later if necessary.
</Note>
![NetBird Users Sync](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/bpwW1Bn.png)
After configuring user and group synchronization, the setup wizard will finalize the process and you'll automatically return to the main Identity Provider screen.
On this screen, you'll see two key indicators of successful integration:
* The Microsoft Entra ID toggle will be switched on (enabled).
* Next to the toggle, you'll see a button with a status message saying `Synced a few seconds ago`.
These indicators confirm that:
* The integration between NetBird and Microsoft Entra ID is active.
* The initial synchronization has been completed successfully.
* NetBird will now automatically sync with your Microsoft Entra ID at regular intervals.
<Note>
You can manually trigger a sync or adjust settings by clicking on the Microsoft Entra ID section in the Identity Provider screen
</Note>
![NetBird Identity Provider Synchronized](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/DH5hxFK.png)
## Verify the Integration
To verify the synchronization, navigate to `Teams > Users` in the left menu.
You should see all the users and groups from your Microsoft Entra ID environment listed in the NetBird dashboard.
![NetBird Checking Integration](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/qlNlfgV.png)
You can now proceed to configure [access control policies](/manage/access-control/manage-network-access#creating-policies) using the synchronized groups to allow or deny access to the
synchronized users.