You can configure Microsoft Entra ID synchronization to migrate existing users and groups in the MaaS360® Portal from Microsoft Entra ID.
This migration helps ensure that group-based distributions are correctly mapped to Microsoft Entra ID groups in advance, avoiding any disruptions during the migration process.
Before you begin
You must have the tenant ID to configure directory synchronization. To get your tenant ID from the Microsoft Entra Portal, complete the following steps.
- Sign in to the Microsoft Entra Portal with your Microsoft Entra account.
- Click Tenant Properties.
- Copy the value in the Tenant ID field.
About this task
If you have already set up user groups in the MaaS360 Portal, importing the same or similar user groups directly from Microsoft Entra ID without following a structured migration process might lead to issues. For example, policies and applications that are linked to these groups might be removed from devices.
Procedure
- From the IBM® MaaS360 Portal home page, select .
- In the Configure directory sync window, select Yes to migrate existing users and groups in the MaaS360 Portal to Microsoft Entra ID, and then click Confirm.
- Configure the Tenant ID.
- On the Directory Sync page, expand the Tenant ID Configuration section.
- Enter the Microsoft Entra Tenant ID that you copied from the Microsoft Entra Portal. For more information, see Before you begin.
- Select the Integrate with Microsoft Entra GCC high environment checkbox for a Microsoft Entra GCC high subscription.
Note: Only federal customers must enable the Integrate with Microsoft Entra GCC high environment checkbox.
- Click Configure.
- In the Security Check window, enter the password, and then click Confirm. You are redirected to the Microsoft account login page.
- On the Microsoft account login page, log in to your Microsoft Entra account and grant permission for MaaS360 to view your Microsoft Entra ID instance.
Important: The consent is required to access and manage Microsoft Entra ID user groups in MaaS360.
- If authentication is successful, a message is displayed, and you are redirected to the MaaS360 Portal Home page.
- If authentication fails, a message is displayed, and you must review the settings that you configured in the previous steps.
- From the IBM MaaS360 Portal Home page, select , and then click Directory Sync.
Important: If you click Unconfigure in the Tenant ID Configuration section, you can no longer add Microsoft Entra ID user groups in MaaS360. Also disable the user provisioning application in Microsoft Entra to stop receiving updates from Microsoft Entra ID. However, synchronized users and groups remain active in the MaaS360 Portal until they are deactivated in the Microsoft Entra user provisioning application.
- Configure username attribute mapping for user groups.
- Expand the Groups management section and click the Username attribute mapping tab.
- If you selected Yes in the Configure directory sync window, the Groups management section is displayed on the first occurrence to import groups.
- The Username attribute mapping section retrieves the username attribute from the specified attribute in Microsoft Entra ID.
- By default, the User Principal Name prefix is set to the Microsoft Entra ID username attribute, which uniquely identifies users in the MaaS360 directory. To customize userName attribute mapping, specify the programmable name of the user profile attribute and click Enter.
- Click Save.
Important:
- After the changes are saved, the selection cannot be modified later.
- The User Principal Name (UPN) in Microsoft Entra ID contains a user principal name prefix (user account name) and a user principal name suffix (DNS domain name). The section of the UPN before the @ symbol represents the UPN prefix. For example, in the UPN value: test@example.com, test is the UPN prefix.
- Add a similar username attribute mapping after the provisioning application is created in Microsoft Entra ID. For more information about user attribute mapping, see 8.g in Configuring user provisioning in the Microsoft Entra Portal.
- Import user groups.
- Expand the Groups management section, and click the Import groups tab and then click Import groups.
The Add groups page is displayed with a list of Microsoft Entra ID groups.
- On the Add groups page, enter the specific group name in the Search field and select the groups to import from Microsoft Entra ID to the MaaS360 Portal.
Note: The search list displays only the groups that were not already imported.
- For each user group you want to import, click Setup next to the group name to configure policies, distribute applications, and change policies for the selected group. You are redirected to the Groups page to configure groups based on your requirements.
- On the Groups page, click .
- In the Add User Directory Group window, add the required user directory group and copy the required distributions to Microsoft Entra ID user groups that are already present for existing local or on-premises/LDAP AD groups.
Note: The Microsoft Entra ID user group does not have any users.
Important: Perform this action for all required groups.
- After completing the group configurations, select and then click Directory Sync.
- Expand the Groups management section, and click the Import groups tab and then click Import groups.
Note: The Exclusion option is displayed after the Setup option, only if Cloud Extender® is configured.
- Click Next. The Exclusion page is displayed with instructions.
Note:
- Follow the instructions on the Exclusion page to ensure users/user groups are not synced from both Microsoft Entra ID user provisioning application and Cloud Extender.
- Ensure that all the user groups are managed with required distributions before you proceed to the next step.
- Click Finish. A confirmation message is displayed to proceed with configured groups.
- Click Yes.
A success message is displayed in the Import groups section, and the following options are displayed.
- Click Refresh import status to view the import progress status.
- Click View imported groups to view details of the imported groups and to add new groups. An Import Groups window is displayed when you click Add Groups.
Note: In the Import Groups section, you can add and configure new groups and then continue with user provisioning for the newly added groups.
- On the Directory Sync page, expand the User provisioning configuration section and configure the following options.
- Copy the URL and secret code in the Tenant URL and Secret code fields, and configure them in the Microsoft Entra Portal.
Important:
- Ensure that you complete the import and configuration of the newly added groups in the Import groups tab in the MaaS360 Portal. Also, you must assign the same user groups in the Users and groups section while configuring the user provisioning application in the Microsoft Entra Portal. This step helps ensure that additional user data sync for specific user groups will continue to happen seamlessly in the future. For more information, see Configuring user provisioning in the Microsoft Entra Portal.
- To renew the secret code before it expires and to avoid interruptions, click Renew code. If you fail to renew the secret code before it expires, Microsoft Entra user provisioning is quarantined, and no further directory data is synchronized. Renew the secret code every six months, starting from the date the token was generated. The expiry date is displayed in MMM D, YYYY format. For example, Oct 5, 2025.
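Because the username attribute mapping cannot be modified after it is saved, it helps to confirm beforehand that the default UPN-prefix mapping yields a unique username for every user, including users who share a prefix under different domain suffixes. The following Python check is an added example, not IBM or Microsoft code; the sample UPNs are constructed, and comparing prefixes case-insensitively is an assumption.

```python
from collections import defaultdict

# Constructed sample UPNs for illustration (not from any real tenant).
SAMPLE_UPNS = [
    "test@example.com",
    "Test@corp.example.com",   # same prefix, different suffix and case
    "alice@example.com",
    "bob.smith@example.com",
    "no-at-sign",              # malformed: no '@'
    "@example.com",            # malformed: empty prefix
]


def upn_prefix(upn):
    """Return the UPN prefix (text before the '@'), or None if malformed."""
    prefix, sep, suffix = upn.strip().rpartition("@")
    if not sep or not prefix or not suffix:
        return None
    return prefix


def audit_upn_prefixes(upns):
    """Group UPNs by prefix and report collisions and malformed values.

    Assumption: usernames are compared case-insensitively, so prefixes
    are case-folded before grouping.
    """
    by_prefix = defaultdict(list)
    malformed = []
    for upn in upns:
        prefix = upn_prefix(upn)
        if prefix is None:
            malformed.append(upn)
        else:
            by_prefix[prefix.casefold()].append(upn)
    collisions = {p: sorted(v) for p, v in by_prefix.items() if len(v) > 1}
    return collisions, malformed


if __name__ == "__main__":
    collisions, malformed = audit_upn_prefixes(SAMPLE_UPNS)
    for prefix, upns in collisions.items():
        print(f"COLLISION on username '{prefix}': {', '.join(upns)}")
    for upn in malformed:
        print(f"MALFORMED UPN skipped: {upn!r}")
```

If the check reports collisions, choose a different user profile attribute for the mapping before you click Save.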
Results
After integration is configured, all data is synchronized as configured from Microsoft Entra ID to MaaS360. After successful migration, all users and devices are moved to the newly added user groups from Microsoft Entra ID. You can delete the duplicate local groups or on-premises AD groups in the MaaS360 Portal.