Import and Sync Users from Entra ID

IPI Integrations – Import and sync users from AD

Overview

IPI Enterprise Server integrates with Entra ID to support centralized user import, synchronization, and optional password rotation.

IPI Enterprise Server also supports multi-domain environments. Users can be synchronized from multiple Entra ID domains and are matched by their email addresses. If two or more users from different domains share the same email, they will be merged into a single profile in IPI Enterprise Server.

Integration Scenarios

IPI Enterprise Server supports two scenarios for integrating and managing users from Entra ID:

Scenario 1: Importing Users Only (Without Password Change)

Overview

  • Users are synchronized based on membership in the IPI Users Sync group.

  • Domain passwords are not changed or updated.

  • Assigning IPI Keys is not required.

  • You can optionally configure passwordless PC authentication via the IPI Authenticator mobile application.

Prerequisites

Before syncing users from Entra ID, ensure the following conditions are met:

  1. You are logged in as a user with administrator rights in IPI Enterprise Server.

  2. Target users are added to the designated Entra ID group:

    • IPI Users Sync – required for any synchronization.

  3. Users have valid email addresses that will receive invitation emails from the server.

Steps

  1. In IPI Enterprise Server, navigate to Employees → Sync with Entra ID and click Sync Now.

Imported users will appear in the employee list, marked as synchronized from Entra ID and associated with a domain account.

Use Case: Passwordless Login with IPI Authenticator

  1. When a user is imported into IPI Enterprise Server from Entra ID, they receive an invitation email.

  2. The user receives an invitation email for the IPI Server and chooses their authentication method.

  3. Upon accessing the server, the user selects an SSO method and chooses the IPI Authenticator mobile app.

  4. The user logs in to the workstation using the method previously used (e.g., password).

  5. The user scans a QR code in the IPI Client and creates a passwordless account for PC unlock.

  6. The user can unlock their PC by scanning a QR code displayed on the workstation screen.

  7. The user can continue logging in to their workstation using the IPI Authenticator app by scanning the QR code displayed on the PC screen.

Scenario 2: Importing Users with Automatic Password Change

Overview

This scenario enables you to import users from Entra ID and enforce automatic domain password changes using IPI Keys.

  • Each imported user is assigned a new, strong, randomly generated password.

  • The password is updated both in Entra ID and securely stored on the user’s IPI Key.

  • This workflow requires IPI Keys.

  • Future password rotations are handled automatically based on a configured schedule.
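The two rules this page states for synchronization, that accounts sharing an email address across domains are merged into one profile and that group membership decides who is imported and whose domain password is rotated, are easy to get wrong in the details (case-insensitive matching, an unintended cross-domain merge, a weak password generator). The following Python script is an added example, not code from IPI Enterprise Server or from this page's author: it models a sync run over a constructed two-domain directory export, merges by normalized email, flags cross-domain merges for administrator review, lists the profiles due for rotation, and generates a password with the CSPRNG in the standard library. The group names come from the page; the data classes, the character-class policy and the 24-character length are assumptions, since the server's own policy is not documented here.

```python
import secrets
import string
from dataclasses import dataclass, field

# Group names as the page describes them (constants defined for this example).
SYNC_GROUP = "IPI Users Sync"
AUTO_PWD_GROUP = "Security Key Auto Password Change"

# Character set for generated passwords; the server's real policy is not
# documented on the page, so this policy is an assumption.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


@dataclass(frozen=True)
class DirectoryUser:
    """One account as read from a single Entra ID domain (constructed input)."""
    domain: str
    upn: str
    email: str
    groups: frozenset


@dataclass
class Profile:
    """One IPI profile, possibly backed by accounts from several domains."""
    email: str
    accounts: list = field(default_factory=list)   # (domain, upn) tuples
    auto_password_change: bool = False


def normalize_email(email: str) -> str:
    # Email addresses are compared case-insensitively, so lower-case them first.
    return email.strip().lower()


def merge_by_email(users):
    """Build profiles from directory users.

    Only members of SYNC_GROUP are imported; accounts sharing an email address
    are merged into one profile, and AUTO_PWD_GROUP membership on any merged
    account marks the whole profile for automatic password rotation.
    """
    profiles = {}
    for u in users:
        if SYNC_GROUP not in u.groups:
            continue
        key = normalize_email(u.email)
        p = profiles.setdefault(key, Profile(email=key))
        p.accounts.append((u.domain, u.upn))
        if AUTO_PWD_GROUP in u.groups:
            p.auto_password_change = True
    return profiles


def cross_domain_merges(profiles):
    """Profiles that absorbed accounts from more than one domain.

    Worth reviewing before the first sync: a shared address silently gives one
    person the combined access of every merged account.
    """
    return {
        email: sorted(p.accounts)
        for email, p in profiles.items()
        if len({domain for domain, _ in p.accounts}) > 1
    }


def rotation_candidates(profiles):
    """Emails whose domain password would be rotated on the next sync."""
    return sorted(e for e, p in profiles.items() if p.auto_password_change)


def has_all_classes(pwd: str) -> bool:
    """True if pwd contains lower, upper, digit and punctuation characters."""
    return (any(c.islower() for c in pwd) and any(c.isupper() for c in pwd)
            and any(c.isdigit() for c in pwd)
            and any(c in string.punctuation for c in pwd))


def generate_password(length: int = 24) -> str:
    """Return a CSPRNG-generated password containing all four character classes."""
    if length < 4:
        raise ValueError("length must allow one character of each class")
    while True:
        pwd = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(pwd):
            return pwd


# Constructed sample directory export covering two domains.
SAMPLE_USERS = [
    DirectoryUser("corp.example.com", "alice@corp.example.com", "alice@example.com",
                  frozenset({SYNC_GROUP})),
    DirectoryUser("lab.example.net", "alice.l@lab.example.net", "Alice@Example.com",
                  frozenset({SYNC_GROUP, AUTO_PWD_GROUP})),
    DirectoryUser("corp.example.com", "bob@corp.example.com", "bob@example.com",
                  frozenset()),                      # not in the sync group: skipped
    DirectoryUser("lab.example.net", "carol@lab.example.net", "carol@example.com",
                  frozenset({SYNC_GROUP, AUTO_PWD_GROUP})),
]


if __name__ == "__main__":
    profiles = merge_by_email(SAMPLE_USERS)
    for email, p in sorted(profiles.items()):
        print(email, p.accounts, "rotate" if p.auto_password_change else "keep")
    print("review:", cross_domain_merges(profiles))
    print("rotate:", rotation_candidates(profiles))
    # In the real workflow the new password goes only to the IPI Key and to
    # Entra ID and is never displayed; it is printed here purely for the demo.
    print("sample password:", generate_password())
```

Running it merges the two "alice" accounts into one profile (and reports that merge for review because it spans two domains), skips "bob" because he is not in the sync group, and lists "alice" and "carol" as rotation candidates. Nothing in the script persists the generated password, matching the page's note that neither the user nor the administrator can retrieve it after rotation.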

Prerequisites

Before syncing users from Entra ID, ensure the following conditions are met:

  1. You are logged in as a user with administrator rights in IPI Enterprise Server.

  2. Integration with Entra ID is properly configured in IPI Enterprise Server.

  3. Users are added to:

    • IPI Users Sync group (for user import)

    • Security Key Auto Password Change group (for automatic password management)

  4. The user must have an IPI Key with one of the following statuses: "Ready", "Active", or "Reserved".

  5. The workstation is joined to the Entra ID domain.

  6. The IPI Client is installed on the user’s workstation.

  7. The workstation is approved in the IPI Enterprise Server (see the Workstations section).

Steps

  1. In IPI Enterprise Server, navigate to Employees → Sync with Entra ID and click Sync Now.

Imported users will appear in the employee list, marked as synchronized from Entra ID and associated with a domain account.

Use Case: First Login with an IPI Key

After the key is assigned and the user receives their activation code:

  1. IPI Enterprise Server imports the user from Entra ID and changes the existing domain password in Entra ID to a newly generated strong password.

  2. A new account record is created for the IPI Key, and the password is securely assigned.

  3. The user pairs or taps the IPI Key to the workstation and activates it.

  4. The user enters the activation code when prompted.

  5. The updated password is securely written to the key and synchronized with Entra ID.

  6. A new account with an updated password is securely written to the key and updated in Entra ID.

  7. The user can continue logging in to their workstation using the IPI Key in proximity mode (automatic unlocking when approaching the device).

Note: After the password is updated, neither the user nor the administrator can view or retrieve it.

Optional Features for Password Management

In addition to the automatic password update workflow, IPI also supports optional manual and user-initiated password management features:

1. Administrator-Initiated Manual Password Changes

This scenario describes how an administrator can manually set or generate a new password for a domain user using the IPI Enterprise Server interface.

2. User-Initiated Password Changes

This scenario describes how a domain user can change their own Entra ID password via the IPI Client using an IPI Key.

The user has two options:

  • Change the password only on the IPI Key (the domain password remains unchanged).

  • Change the password in both Entra ID and the IPI Key simultaneously.

Additional Note:

You can also enable FIDO2 passwordless authentication with Microsoft Azure AD for use with Windows 10. Please refer to this instruction for configuration guidance.
