
PaperCut NG & PaperCut MF Manual

Overview of synchronizing user and group details with Azure AD

This topic covers:

Options for syncing PaperCut NG/MF with Azure AD

There are three ways to integrate Microsoft Azure cloud identity with PaperCut:

  • Using a local domain controller (setting the PaperCut sync source to Windows Active Directory)

    A common option is to use Microsoft’s Hybrid Identity model, with at least one Active Directory Domain Controller server in the local environment. This Domain Controller (using Azure AD Connect to communicate with Azure AD in the cloud) is then available to serve identity and authentication requests from the PaperCut Application Server, acting as a middleman between PaperCut and Azure AD. This method uses the regular Windows Active Directory sync method.

  • Using Azure AD through Secure LDAP (setting the PaperCut sync source to Azure AD Secure LDAP)

    This method allows the PaperCut Application Server to communicate directly with Azure AD using the secure LDAP protocol. However, note that Microsoft charges a monthly subscription fee to enable secure LDAP connections (which require Azure Active Directory Domain Services) for an Azure/M365 tenancy.

  • Using ‘standard’ Azure AD (setting the PaperCut sync source to Azure AD)

    This method uses the Microsoft Graph API endpoints included with every Microsoft 365 subscription at no extra cost. The PaperCut Application Server communicates directly with the Graph endpoints in Azure and performs authentication using the OAuth2 protocol.

Deciding which cloud-only sync method is right for you

The table below highlights the different features of the cloud-only sync methods from above, as well as some of the implications of choosing a particular sync method.

| Feature | Azure AD, version 21.1 or earlier (using Microsoft Graph API) | Azure AD, version 21.2 or later (using Microsoft Graph API) | Azure AD Secure LDAP (using Secure LDAP / Azure AD Domain Services) |
|---|---|---|---|
| PaperCut Core | | | |
| Synchronize users and groups to PaperCut database [1] | Yes (PaperCut username is the UPN - user@domain) | Yes (PaperCut username is the UPN - user@domain) | Yes (PaperCut username is the MailNickName - user) |
| MFD/Copier swipe card authentication [1] | Yes | Yes | Yes |
| MFD/Copier swipe card self-association [2] | No | Yes | Yes |
| MFD/Copier username/password authentication | No | Yes | Yes |
| User or Admin User Web Interface username/password authentication | No | Yes | Yes |
| “Sign On with Microsoft” button (Azure SSO) on Admin or User Web Interface [3] | Yes | Yes | Yes |
| Mobile Web Client username/password authentication | No | Yes | Yes |
| PaperCut User Client username/password authentication | No | Yes | Yes |
| “Sign On with Microsoft” button (Azure SSO) on the PaperCut User Client [3] | No | No | No |
| Release Station swipe card authentication [1] | Yes | Yes | Yes |
| Release Station username/password authentication | No | Yes | Yes |
| Print Deploy | | | |
| Print Deploy User Client username/password authentication | No | Yes | Yes |
| Print Deploy Web Admin username/password authentication | No | Yes | Yes |
| “Sign On with Microsoft” button (Azure SSO) on Print Deploy client [3] | No | No | No |
| Mobility Print | | | |
| Mobility Print client username/password authentication | No | Yes | Yes |
| Mobility Print Web Admin username/password authentication | No | Yes | Yes |
| “Sign On with Microsoft” button (Azure SSO) on Mobility Print client [3] | No | No | No |
| Universal Print | | | |
| Universal Print Connector | Yes | Yes | Yes |
| Other differences | | | |
| Cost | Free | Free | Microsoft charges an additional fee for enabling Secure LDAP through Azure Active Directory Domain Services |
| Username in PaperCut | UPN (e.g. alex.test@papercut.com) | UPN (e.g. alex.test@papercut.com) | sAMAccountName, which Azure may call MailNickName (e.g. alex.test) |
| Support 2FA / MFA through the PaperCut sync source | No | No | No |
| Ability to sync card numbers with Azure | Yes [4] | Yes [4] | Yes |
| Ability to sync user aliases with Azure | No [5] | No [5] | Yes |

[1] Swipe card authentication – use a swipe card with a card reader to log into the device or release station. Since this only uses the card number (and optional PIN), username/password authentication is not involved.

[2] Swipe card self-association – use a brand new swipe card with a card reader to log into the device. Since PaperCut does not recognize the card number, it asks the user to log in with their username and password to ‘self-associate’ the new card with their user record.

[3] ‘Single Sign on with Microsoft’ method of signing in – enabled on the Admin and User web interfaces under Options > User/Group Sync > Single Sign on with Microsoft > Enable the ‘Sign in with Microsoft’ button.

[4] When using the standard Azure AD sync method, if you want to sync a primary card number, set the config key user-source.update-user-details-card-id to Y. On the next sync, the Employee ID number from Azure AD is synced into the Primary Card Number field in PaperCut. There are no other configuration options available for this currently. Other alternatives for importing card numbers when using the standard Azure AD method are to use a batch-update method, auto-generation of card numbers or an external lookup, as detailed in this manual on the User card and ID numbers page. Note: If you’re using the Azure AD Secure LDAP sync method, you can set additional options for card number sync through the interface, as detailed on the Synchronize user and group details with Azure AD Secure LDAP page.

[5] An alternative option for the standard Azure AD method is to use the batch import and update user process to update the user alias fields; however, that would lead to an ongoing maintenance overhead.

Recommendations when using the standard Azure AD sync method

Standard Azure AD uses UPNs when syncing usernames. To ensure a successful migration or deployment, we highly recommend that you review the implications of using UPNs as usernames, and test print job ownership in your environment.

If you’re printing from workstation > print queue

If you’re doing ‘regular’ network printing, PaperCut normally uses the username of the user logged in locally on the workstation sending the print job. With standard Azure AD sync, this can mean a mismatch between the username that the PaperCut Application Server knows about (the UPN) and the username sending the print job (which will normally be the MailNickName).

In this case, one option is to configure the Print Provider to construct the UPN from the MailNickName, by following the instructions in Configure PaperCut NG/MF Secondary or Site Servers. This lets you specify a ‘UPNSuffix=’ configuration for each Print Provider / Secondary Server, so that, for example, alex.test then becomes alex.test@organization.com. In this instance you’d want to make sure that you don’t have different domains using the same Print Provider.

Another alternative is to configure a user alias for each user containing their MailNickName (as mentioned above). However, this method is quite manual and carries a maintenance overhead.

If you’re using Print Deploy

We recommend not using the ‘TRUST’ mode for Print Deploy client authentication. It picks up the locally configured username logged into the workstation, which could differ from the UPN username configured in PaperCut (see above).

Instead, use the ‘PROMPT’ method of authentication so that users can enter their UPN and password when the Print Deploy client starts (from version 21.2) to authenticate.

If you’re using Print Deploy to deploy Print Server queues to your workstations, then it’s also worth checking the ‘workstation > print queue’ requirement details above.

If you’re using Mobility Print

From version 21.2, users can enter their UPN and password when adding printers using the Mobility Print client.

If you’re using Universal Print

Since Universal Print was designed around UPN usernames, there shouldn’t be any additional considerations when integrating the Universal Print Connector for PaperCut NG/MF.

Setting up Azure AD sync or Azure AD Secure LDAP sync

For more information and steps on how to set up each integration, see:

FAQs

Is there anything I should do to prepare for using standard Azure AD for syncing?

Yes. That's because standard Azure AD uses UPNs when syncing usernames, so you need to review the implications of using UPNs as usernames, and test print job ownership in your environment to ensure a successful migration or deployment.

What happens if I have MFA/2FA enabled for all my Azure accounts?

At this point, authenticating with MFA enabled on the Azure account will not work. However, this doesn’t mean that you have to disable MFA for all of your users – you can configure Azure to allow certain apps to bypass MFA. In our testing this was the default security policy applied; however, your Azure tenancy’s configuration and security policies may differ.

It’s also worth noting that if you are applying policies or conditional access at the machine level, you need to exclude the PaperCut Application Server from 2FA enforcement - not the devices themselves.

Why does the username in PaperCut appear as the UPN when using the standard Azure AD sync method?

The UPN is what uniquely identifies users in Azure, and having the full domain component in the username prevents username clashes that might otherwise occur when multiple domains are in use.

One potential problem with this approach is that some components of PaperCut - such as the User Client and the Print Deploy client - often get the username of the user logged into the OS. Even when you join a Windows device to an Azure AD domain and log in with a UPN, the Print Deploy Client, for example, might not identify the OS user as their full UPN. It will typically identify them as their MailNickName. For example, if the user’s UPN is alex@papercut.com, the MailNickName is probably going to be alex.

For alternatives to tackling this username mismatch, see step 3 in the KB article Preparing to use UPN usernames with PaperCut when synching with the standard Azure AD sync method.

How do I migrate from using sAMAccountName to User Principal Name (UPN) for all my PaperCut usernames?

Can I sync MailNickName instead of UPN with the standard Azure AD method?

There is currently no option to sync the MailNickName (instead of the UPN), using the standard Azure AD sync method.

What does the key user-source.ad.upn-as-username do?

When using on-prem AD sync (that is, the sync source set to ‘Windows AD’ in PaperCut), you can use this key to toggle between:

  • N, the default – the username is pulled into PaperCut as the sAMAccountName

  • Y, which will sync the UPN as the PaperCut username instead.

When the key is set to Y, it also means that when matching usernames of logins or print jobs, PaperCut will not truncate the UPN into a sAMAccountName.

When using Azure AD Secure LDAP as the sync source, this key doesn't alter the PaperCut username created. The sync will always use the sAMAccountName as the PaperCut username.

When using the standard Azure AD method, this key doesn't alter the PaperCut username created either: the sync will always use the UPN as the PaperCut username (apart from one scenario, detailed in the next question). However, when the key is set to Y, PaperCut will not truncate the UPN into a sAMAccountName when matching the usernames of logins or print jobs. So when using this sync method, this key must be set to Y (as detailed in the manual page).
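The following is an added illustrative model, not PaperCut’s own code, of the username mismatch described under ‘If you’re printing from workstation > print queue’ and of the truncation behaviour of user-source.ad.upn-as-username explained in this answer. The UPNSuffix handling, the user records, and the names alex.test and sam.lee are assumptions constructed for the example.

```python
from __future__ import annotations
from typing import Optional

# Illustrative model (added example, not PaperCut's code): with standard Azure AD
# sync, PaperCut usernames are UPNs, but a workstation's print job arrives under
# the OS login name (the MailNickName). Assumed: user records carry a username
# (the UPN) and optional aliases; a Print Provider may carry a "UPNSuffix"
# value; the config key user-source.ad.upn-as-username is modelled as a boolean.

USERS = [  # constructed sample user records
    {"username": "alex.test@organization.com", "aliases": []},
    {"username": "sam.lee@otherdomain.com", "aliases": ["sam.lee"]},
]


def provider_job_owner(os_username: str, upn_suffix: Optional[str]) -> str:
    """Name a Print Provider reports for a job: with UPNSuffix set, a bare
    OS username such as alex.test becomes alex.test@<suffix>."""
    if upn_suffix and "@" not in os_username:
        return f"{os_username}@{upn_suffix}"
    return os_username


def match_user(job_owner: str, upn_as_username: bool) -> Optional[str]:
    """Return the PaperCut username the job is charged to, or None on mismatch.
    With upn-as-username=N the UPN is truncated to its sAMAccountName part,
    which can never equal a username that is stored as a full UPN."""
    name = (job_owner if upn_as_username else job_owner.split("@")[0]).lower()
    for user in USERS:
        if name == user["username"].lower():
            return user["username"]
        if name in (alias.lower() for alias in user["aliases"]):
            return user["username"]  # resolved through a user alias
    return None


def charge(os_username: str, upn_suffix: Optional[str],
           upn_as_username: bool = True) -> Optional[str]:
    """End-to-end: Print Provider reports the owner, server matches it."""
    return match_user(provider_job_owner(os_username, upn_suffix), upn_as_username)


if __name__ == "__main__":
    print(charge("alex.test", None))                       # None: OS login != UPN
    print(charge("alex.test", "organization.com"))         # alex.test@organization.com
    print(charge("alex.test", "organization.com", False))  # None: key at N truncates
    print(charge("sam.lee", None))                         # sam.lee@otherdomain.com via alias
    print(charge("sam.lee", "organization.com"))           # None: wrong suffix for this domain
```

The last case shows why a single Print Provider should not serve users from different domains: the one UPNSuffix builds the wrong UPN for any user outside that domain.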

Why do half of my users have the UPN for their username, and the other half have MailNickName as their username?

If a customer was originally using a sync method that pulled in the ‘MailNickName’ as the username in PaperCut (for example, ‘alex.test’) and then switched to the standard Azure AD sync method, PaperCut sees that the email address associated with that user matches the UPN and doesn’t create a new user. However, for any new users synced it creates the username as the UPN, so there could be a mixture of PaperCut username formats.

In this case we recommend renaming all accounts with the sAMAccountName to the UPN.

Can I sync card numbers/PINs using the standard Azure AD sync method?

It is possible to sync a primary card number into PaperCut NG/MF when using the standard Azure AD sync method (see footnote 4 under the table above). However, it is not possible to sync additional card numbers or PINs at this time. When using the Azure AD Secure LDAP method, there are additional sync options for multiple card numbers.

Can I sync Office and Department fields using the standard Azure AD sync method?

Yes! The Office and Department fields will sync into PaperCut NG/MF when using the standard Azure AD sync method. Note that the ability to sync the Department field was added in version 21.2.

Why does the PaperCut User Client not recognize me when I start it up?

If you normally start your PaperCut User Client and it silently starts and shows you your balance window, you may see an identification popup the first time you launch the user client after migrating to UPNs.

Take a look at the question ‘Why does the username in PaperCut NG/MF appear as the UPN when using the standard Azure AD sync method?’ above for more information. In summary, the User Client might be seeing the Windows username as ‘alex.test’, whereas the username in PaperCut is alex.test@organization.com, so there will be a mismatch.

What should happen is that the client (if using version 21.2 or later) should let the user identify themselves with the UPN and password authentication, and the client should then start normally.

Is PaperCut looking at adding a ‘Sign in with Microsoft’ button to the Print Deploy client to make authentication smoother?

Hopefully! We have this on our list of things to do. If you have any questions, please quote PD-1171.

Is PaperCut looking at adding a ‘Sign in with Microsoft’ button to the Mobility Print client to make authentication smoother?

Hopefully! We have this on our list of things to do. If you have any questions, please quote MOB-2650.
