
Microsoft O365 user sync

This plugin is used to automatically sync users from your Microsoft O365 directories into Enclave. This plugin runs once an hour and will sync all users that have been added, modified, or removed since the last sync.


To configure the plugin, you will need to create a new enterprise application in Azure for your O365 tenant.

  1. Go to the Azure Portal and log in with your O365 credentials.
  2. Click on Azure Active Directory in the left navigation.
  3. Click on App Registrations in the left navigation.
  4. Click on New Registration.
  5. Enter a name for your application (Enclave) and click Register.
  6. Click on API Permissions in the left navigation.
  7. Click on Add a permission.
  8. Click on Microsoft Graph.
  9. Click on Application permissions.
  10. Select the following permissions:
    • Group.Read.All
    • GroupMember.Read.All
    • User.ReadBasic.All
  11. Now click on Grant admin consent for <your tenant name>.
  12. Click on Certificates & secrets in the left navigation.
  13. Click on New client secret.
  14. Enter a description and select an expiration date. Click Add.
  15. Copy the client secret value and save it somewhere safe. You will need this value to configure the plugin.
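
A least-privilege check for the app registration created above, as an added example (not Enclave's or Microsoft's code): it reads the `roles` claim of an app-only access token issued to the application and compares it with the three permissions from step 10. The sample token is constructed and unsigned, the claims are only inspected (not validated), and the function names are illustrative.

```python
import base64
import json

# The three Microsoft Graph application permissions listed in step 10.
EXPECTED_ROLES = {"Group.Read.All", "GroupMember.Read.All", "User.ReadBasic.All"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_roles(access_token: str) -> set:
    """Return the 'roles' claim of an app-only token (signature NOT verified)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    claims = json.loads(_b64url_decode(parts[1]))
    roles = claims.get("roles", [])
    if not isinstance(roles, list):
        raise ValueError("'roles' claim is not a list")
    return set(roles)


def audit_roles(access_token: str) -> dict:
    """Compare the granted application permissions with the documented set."""
    granted = token_roles(access_token)
    return {
        "missing": sorted(EXPECTED_ROLES - granted),  # documented but not granted
        "excess": sorted(granted - EXPECTED_ROLES),   # granted beyond what is documented
        "ok": granted == EXPECTED_ROLES,
    }


def make_sample_token(roles: list) -> str:
    """Build a CONSTRUCTED, unsigned token so the example runs offline."""
    def enc(obj) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc({"roles": roles}), "sig"])


if __name__ == "__main__":
    # Constructed case: the app was also granted a write permission it does not need.
    over_granted = make_sample_token(sorted(EXPECTED_ROLES) + ["Directory.ReadWrite.All"])
    print(audit_roles(over_granted))
```

Any entry under `excess` is a permission to remove from the app registration before the client secret is handed to the plugin.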

Using the information from these steps, navigate to Enclave and provide the relevant information to the plugin.


All sensitive information, like your client secret, is encrypted with our KMS in addition to being encrypted at rest.

Syncing users

Enclave syncs users based on the enclaveGroupId, which is a group that you define in Microsoft O365. This group determines which users are synced with Enclave. The group name is case-sensitive.

Any other groups whose names match a label in Enclave will be assigned as labels to their respective users. This is useful for adding users to enclaves based on their group membership.


Enclave uses the primary email address as the unique key for a user. If the primary email address is changed, the user will be removed from Enclave and re-added. Email addresses are always lowercased before being synced.

Syncing labels

Optionally, you can choose to sync labels from Microsoft O365. This maps group names to Enclave labels, which is useful for keeping the labels you use for users in sync with your IAM platform.


If labels are removed from Microsoft O365 but still associated with enclaves/alerts in Enclave, they will not be removed from Enclave. This is to prevent accidental removal.