Migrating existing MaaS360 users and groups to sync from Microsoft Entra ID

You can configure Microsoft Entra ID synchronization to migrate existing users and groups in the MaaS360® Portal so that they sync from Microsoft Entra ID. This migration helps ensure that group-based distributions are correctly mapped to Microsoft Entra ID groups in advance, avoiding any disruptions during the migration process.

Before you begin

You must have the tenant ID to configure directory synchronization. To get your tenant ID from the Microsoft Entra Portal, complete the following steps.
  1. Sign in to the Microsoft Entra Portal with your Microsoft Entra account.
  2. Click Tenant Properties.
  3. Copy the value in the Tenant ID field.

About this task

If you have already set up user groups in the MaaS360 Portal, importing the same or similar user groups directly from Microsoft Entra ID without following a structured migration process might lead to issues. For example, policies and applications that are linked to these groups might be removed from devices.

Procedure

  1. From the IBM® MaaS360 Portal home page, select Setup > Microsoft Entra ID integration.

  2. In the Configure directory sync window, select Yes to migrate existing users and groups in the MaaS360 Portal to Microsoft Entra ID, and then click Confirm.
  3. Configure the Tenant ID.
    1. On the Directory Sync page, expand the Tenant ID Configuration section.
    2. Enter the Microsoft Entra Tenant ID that you copied from the Microsoft Entra Portal. For more information, see Before you begin.
    3. If you have a Microsoft Entra GCC high subscription, select the Integrate with Microsoft Entra GCC high environment checkbox.
      Note: Only federal customers must enable the Integrate with Microsoft Entra GCC high environment checkbox.
    4. Click Configure.
    5. In the Security Check window, enter the password, and then click Confirm. You are redirected to the Microsoft account login page.
    6. On the Microsoft account login page, log in to your Microsoft Entra account and grant permission for MaaS360 to view your Microsoft Entra ID instance.
      Important: The consent is required to access and manage Microsoft Entra ID user groups in MaaS360.
      • If authentication is successful, a message is displayed, and you are redirected to the MaaS360 Portal Home page.
      • If authentication fails, a message is displayed, and you must review the settings that you configured in the previous steps.
    7. From the IBM MaaS360 Portal Home page, select Setup > Microsoft Entra ID integration, and then click Directory Sync.
      Important: If you click Unconfigure in the Tenant ID Configuration section, you can no longer add Microsoft Entra ID user groups in MaaS360. Also disable the user provisioning application in Microsoft Entra to stop receiving updates from Microsoft Entra ID. However, synchronized users and groups remain active in the MaaS360 Portal until they are deactivated in the Microsoft Entra user provisioning application.
  4. Configure username attribute mapping for user groups.
    1. Expand the Groups management section and click the Username attribute mapping tab.
      • If you selected Yes in the Configure directory sync window, the Groups management section is displayed on the first occurrence to import groups.
      • The Username attribute mapping section retrieves the username attribute from the specified attribute in Microsoft Entra ID.
      • By default, the User Principal Name prefix is set to the Microsoft Entra ID username attribute, which uniquely identifies users in the MaaS360 directory. To customize userName attribute mapping, specify the programmable name of the user profile attribute and click Enter.
    2. Click Save.
      Important:
      • After the changes are saved, the selection cannot be modified later.
      • The User Principal Name (UPN) in Microsoft Entra ID contains a user principal name prefix (user account name) and a user principal name suffix (DNS domain name). The section of the UPN before the @ symbol represents the UPN prefix. For example, in the UPN value: test@example.com, test is the UPN prefix.
      • Add a similar username attribute mapping after the provisioning application is created in Microsoft Entra ID. For more information about user attribute mapping, see 8.g in Configuring user provisioning in the Microsoft Entra Portal.
  5. Import user groups.
    1. Expand the Groups management section, click the Import groups tab, and then click Import groups.
      The Add groups page is displayed with a list of Microsoft Entra ID groups.
    2. On the Add groups page, enter the specific group name in the Search field and select the groups to import from Microsoft Entra ID to the MaaS360 Portal.
      Note: The search list displays only the groups that were not already imported.
    3. For each user group you want to import, click Setup next to the group name to configure policies, distribute applications, and change policies for the selected group. You are redirected to the Groups page to configure groups based on your requirements.
    4. On the Groups page, click Add > User Directory Group integration.
    5. In the Add User Directory Group window, add the required user directory group and copy the required distributions to Microsoft Entra ID user groups that are already present for existing local or on-premises/LDAP AD groups.
      Note: The Microsoft Entra ID user group does not have any users.
      Important: Perform this action for all required groups.
    6. After completing the group configurations, select Setup > Microsoft Entra integration and then click Directory Sync.
    7. Expand the Groups management section, click the Import groups tab, and then click Import groups.
      Note: The Exclusion option is displayed after the Setup option, only if Cloud Extender® is configured.
    8. Click Next. The Exclusion page is displayed with instructions.
      Note:
      • Follow the instructions on the Exclusion page to ensure users/user groups are not synced from both Microsoft Entra ID user provisioning application and Cloud Extender.
      • Ensure that all the user groups are managed with required distributions before you proceed to the next step.
    9. Click Finish. A confirmation message is displayed to proceed with configured groups.
    10. Click Yes.

      A success message is displayed in the Import groups section, and the following options are displayed.

      • Click Refresh import status to view the import progress status.
      • Click View imported groups to view details of the imported groups and to add new groups. An Import Groups window is displayed when you click Add Groups.
      Note: In the Import Groups section, you can add and configure new groups and then continue with user provisioning for the newly added groups.
  6. On the Directory Sync page, expand the User provisioning configuration section and configure the following options.
    1. Copy the URL and secret code in the Tenant URL and Secret code fields, and configure them in the Microsoft Entra Portal.
      For more information, see Configuring user provisioning in the Microsoft Entra Portal.
      Important:
      • Ensure that you complete the import and configuration of the newly added groups in the Import groups tab in the MaaS360 Portal. Also, you must assign the same user groups in the Users and groups section while configuring the user provisioning application in the Microsoft Entra Portal. This step helps ensure that additional user data sync for specific user groups will continue to happen seamlessly in the future. For more information, see Configuring user provisioning in the Microsoft Entra Portal.
      • To renew the secret code before it expires and to avoid interruptions, click Renew code. If you fail to renew the secret code before it expires, Microsoft Entra user provisioning is quarantined, and no further directory data is synchronized. Renew the secret code every six months, starting from the date the token was generated. The expiry date is displayed in MMM D, YYYY format. For example, Oct 5, 2025.
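
A pre-migration check for the default username mapping in step 4, added here as an example and not part of the MaaS360 product or its documentation: because the UPN prefix must uniquely identify each user and the mapping cannot be modified after it is saved, the script checks an exported list of UPNs for duplicate prefixes, malformed values, and existing portal usernames that have no match. The sample data, the function names, and the case-insensitive comparison are assumptions.

```python
from collections import defaultdict

# Constructed sample data, not taken from a real tenant: UPNs exported from
# Microsoft Entra ID and usernames that already exist in the MaaS360 Portal.
ENTRA_UPNS = [
    "alice@example.com",
    "Alice@corp.example.com",  # same prefix under a second domain suffix
    "bob@example.com",
    "carol.smith@example.com",
    "not-a-upn",               # no @ symbol, so no prefix can be derived
]
EXISTING_MAAS360_USERNAMES = ["alice", "bob", "csmith"]


def upn_prefix(upn):
    """Return the part of the UPN before the @ symbol, or None if malformed."""
    prefix, sep, suffix = upn.strip().rpartition("@")
    return prefix if sep and prefix and suffix else None


def check_prefix_mapping(upns, existing_usernames):
    """Report UPNs that would not map cleanly to unique usernames.

    Assumption: usernames are compared case-insensitively, the conservative
    choice when the target directory's case handling is not known.
    """
    by_prefix = defaultdict(list)
    malformed = []
    for upn in upns:
        prefix = upn_prefix(upn)
        if prefix is None:
            malformed.append(upn)
        else:
            by_prefix[prefix.casefold()].append(upn)
    collisions = {p: u for p, u in by_prefix.items() if len(u) > 1}
    existing = {name.casefold() for name in existing_usernames}
    return {
        "malformed": malformed,
        "collisions": collisions,
        # Existing portal users with no Entra ID account under this mapping.
        "unmatched_existing": sorted(existing - set(by_prefix)),
    }


if __name__ == "__main__":
    for finding, value in check_prefix_mapping(
            ENTRA_UPNS, EXISTING_MAAS360_USERNAMES).items():
        print(f"{finding}: {value}")
```

Any entry under collisions or unmatched_existing is a reason to choose a different username attribute, or to correct the accounts, before clicking Save.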

Results

After integration is configured, all data is synchronized as configured from Microsoft Entra ID to MaaS360. After successful migration, all users and devices are moved to the newly added user groups from Microsoft Entra ID. You can delete the duplicate local groups or on-premises AD groups in the MaaS360 Portal.