Overview of synchronizing user and group details with Entra ID (Azure AD)

Options for syncing PaperCut NG/MF with Entra ID

There are three options for integrating Microsoft Entra ID (Azure AD) cloud identity with PaperCut NG/MF (summarized below; for details see Deciding which cloud-only sync method is right for you). When you’re ready to select the sync source you want to use:

  1. Go to Options > User/Group Sync.

  2. In the Sync Source section, in the Primary sync source dropdown, select the sync source you require.

Option 1 - Using a local domain controller

Set the PaperCut sync source according to your operating system:

  • macOS/Linux: LDAP > Active Directory
  • Windows: Windows Active Directory

A common option is to use Microsoft’s Hybrid Identity model, with at least one Active Directory Domain Controller server in the local environment. This Domain Controller (using Azure AD Connect to communicate with Azure AD in the cloud) is then available to serve identity and authentication requests from the PaperCut application server, acting as a go-between for PaperCut and Entra ID. This method uses the regular Windows Active Directory sync method. For all setup details, see Windows Active Directory sync method.

Option 2 - Using Entra ID (Azure AD) through Secure LDAP

Set the PaperCut sync source to Azure AD Secure LDAP.

This method allows the PaperCut Application Server to communicate directly with Entra ID using the secure LDAP protocol. However, note that Microsoft charges a monthly subscription fee to enable secure LDAP connections (requiring Entra ID Domain Services) for an Entra/M365 tenancy.

Option 3 - Using ‘standard’ Entra ID (Azure AD)

Set the PaperCut sync source to Azure AD.

This method uses the Microsoft Graph API endpoints included with every Microsoft 365 subscription at no extra cost. The PaperCut Application Server communicates directly with the Graph endpoints in Entra ID to perform authentication using the OAuth2 protocol.

Considerations when using ‘standard’ Entra ID (Azure AD)

Many organizations enable Multi-Factor Authentication (MFA) in their Entra ID tenancy to meet security compliance or policy requirements. PaperCut NG/MF supports authentication of users whether MFA is enforced or bypassed; however, consider the following:

  • When MFA is enabled in Entra ID for PaperCut NG/MF

    From PaperCut NG/MF 23.0.1, users can log in to all web-based authentication pages (admin and web applications, Mobile Release web client, and Web accessibility user client) using either their AD username and password or the Sign in with Microsoft button and be redirected to the MFA flow.

    From PaperCut NG/MF 23.0.3 users can also access the user client and be redirected to the MFA flow.

    Username/password authentication and card association are not available at the MFD. The user can log in with an access card or ID number that’s already been associated with them. Consider this option when optimizing for authentication compliance.

  • When MFA is disabled or bypassed in Entra ID for PaperCut NG/MF

    From PaperCut NG/MF 21.2, users can log in to any PaperCut interface including all web applications, user clients, and using self-association at the MFD, without the added security of MFA. Consider this option when optimizing for ultimate compatibility with PaperCut NG/MF features over strict authentication compliance.

Deciding which sync option is right for you

The table below highlights the different features of the cloud-only sync options described above, as well as some of the implications of choosing a particular sync option.

This table is for PaperCut NG/MF versions 21.2 or higher. If you are using an earlier version, refer to the Enabling Entra ID (Azure AD) for version 21.1 or earlier KB article to understand the limitations.

| Feature | Option 2: Azure AD Secure LDAP (using Secure LDAP / Azure AD Domain Services) | Option 3: Azure AD - MFA enabled (version 23.0.1 or later; using Microsoft Graph API) | Option 3: Azure AD - MFA disabled (version 21.2 or later; using Microsoft Graph API) |
|---|---|---|---|
| **PaperCut Core** | | | |
| Synchronize users and groups to PaperCut database ¹ | Yes (PaperCut username is the MailNickName - user) | Yes (PaperCut username is the UPN - user@domain) | Yes (PaperCut username is the UPN - user@domain) |
| MFD/Copier swipe card authentication ¹ | Yes | Yes | Yes |
| MFD/Copier swipe card self-association ² | Yes | No | Yes |
| MFD/Copier username/password authentication | Yes | No | Yes |
| User or Admin User Web Interface username/password authentication | Yes | Yes | Yes |
| “Sign On with Microsoft” button (Azure SSO) on Admin or User Web Interface ³ | Yes | Yes | Yes |
| Mobile Web Client username/password authentication | Yes | Yes | Yes |
| PaperCut User Client username/password authentication | Yes | Yes (23.0.3 or later) | Yes |
| “Sign On with Microsoft” button (Azure SSO) on the PaperCut User Client ³ | No | No | No |
| Release Station swipe card authentication ¹ | Yes | Yes | Yes |
| Release Station username/password authentication | Yes | No | Yes |
| **Print Deploy** | | | |
| Print Deploy User Client username/password authentication | Yes | No | Yes |
| “Sign On with Microsoft” button (Azure SSO) on Print Deploy client ³ | No | Yes | Yes |
| **Mobility Print** | | | |
| Mobility Print client username/password authentication | Yes | No | Yes |
| Mobility Print Web Admin username/password authentication | Yes | No | Yes |
| “Sign On with Microsoft” button (Azure SSO) on Mobility Print client ³ | No | No | No |
| **Other differences** | | | |
| Cost | Microsoft charges an additional fee for enabling Secure LDAP through Azure Active Directory Domain Services | Free | Free |
| Username in PaperCut | sAMAccountName, which Azure may call MailNickName (e.g. alex.test) | UPN (e.g. alex.test@papercut.com) | UPN (e.g. alex.test@papercut.com) |
| Support 2FA / MFA through the PaperCut sync source | No | Yes | No |
| Ability to sync card numbers with Azure | Yes | Yes | Yes ⁴ |
| Ability to sync user aliases with Azure | Yes | Yes | Yes ⁶ |
| Ability to sync users that sit within nested groups ⁷ | No | No | No |

1 Swipe card authentication – use a swipe card with a card reader to log in to the device or release station. Since this only uses the card number (and optional PIN), username/password authentication is not involved.

2 Swipe card self-association – use a brand new swipe card with a card reader to log in to the device. Since PaperCut does not recognize the card number, it will ask the user to log in with their username and password, to ‘self-associate’ the new card with their user record.

3 When enabled, ‘Single Sign on with Microsoft’ gives the user the option to log in using their Microsoft credentials via a Sign in with Microsoft button. To enable this, in the Admin web interface go to Options > User/Group Sync > Single Sign on with Microsoft. Select the Enable the ‘Sign in with Microsoft’ in the Admin and User web interfaces checkbox and follow the prompts. To enable this for Print Deploy, go to Enable Printing > Print Deploy > Settings > Authentication methods and select Microsoft.

4 From PaperCut MF/NG version 22.0.9, you can set up card ID sync for Azure AD/Entra ID Standard through the admin interface UI options. This is in line with existing card ID sync options for other sync source types. Prior to this version, if you wanted to sync a primary card number, you needed to set the config key user-source.update-user-details-card-id to Y. On the next sync, the Employee ID number from Azure AD would be synced into the Primary Card Number field in PaperCut.

5 An alternative option for the standard Entra ID method to update the user alias fields is to use the batch import and update user process - however that leads to an ongoing maintenance overhead.

6 Since PaperCut MF/NG version 22.0.9.

7 If you want to sync a group of users (for example, Group B) that’s nested under another group (for example, Group A), when you configure the sync source settings be sure to explicitly target the nested group (Group B). If you target the higher-level group, no users will be synced. Always explicitly target sync sources.

Recommendations when using the standard Entra ID sync method

Standard Entra ID uses UPNs. To ensure a successful migration or deployment in any of the environments listed below, we highly recommend that you review the implications of using UPNs as usernames, and test print job ownership in your environment.

If you’re printing from workstation > print queue

If you’re doing ‘regular’ network printing, PaperCut will normally just use the locally logged-in username of the workstation sending the print job. With Azure standard sync, this can mean a mismatch between the username that the PaperCut Application Server knows about (the UPN) and the username sending the print job (which will normally be the MailNickName).

In this case, one option is to configure the Print Provider to construct the UPN from the MailNickName, by following the instructions in Configure PaperCut NG/MF Secondary or Site Servers. This lets you specify a ‘UPNSuffix=’ configuration for each Print Provider / Secondary Server, so that, for example, alex.test becomes alex.test@organization.com. In this instance you’d want to make sure that you don’t have different domains using the same Print Provider.

Another alternative is to configure a user alias for each user, containing their MailNickName (as mentioned above). However, this method is quite manual and carries some maintenance overhead.
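As an added example (not PaperCut code), the Python below models the three situations just described: a job arriving with the MailNickName and no UPNSuffix (mismatch), the Print Provider appending a configured UPNSuffix, and a per-user alias. It also models the truncation that user-source.ad.upn-as-username would apply when set to N. The user list, suffix and alias values are constructed for the example.

```python
"""Illustrative model of how a print job's owner name is matched against the
PaperCut username after a standard Entra ID sync. Not PaperCut's own code."""

from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class PaperCutUser:
    username: str                              # after standard Entra ID sync: the UPN
    aliases: Set[str] = field(default_factory=set)


# Constructed sample user database after a standard Entra ID sync.
USERS: Dict[str, PaperCutUser] = {
    "alex.test@organization.com": PaperCutUser("alex.test@organization.com"),
    "sam.jones@organization.com": PaperCutUser("sam.jones@organization.com",
                                               aliases={"sam.jones"}),
}


def resolve_job_owner(job_user: str, upn_suffix: Optional[str] = None,
                      upn_as_username: bool = True) -> Optional[str]:
    """Return the PaperCut username owning a print job, or None on a mismatch.

    job_user         name the workstation sent (normally the MailNickName, e.g. 'alex.test')
    upn_suffix       value of the Print Provider 'UPNSuffix=' setting, if configured
    upn_as_username  models user-source.ad.upn-as-username: when False (N) a UPN is
                     truncated to the part before '@', which is why the key must be Y
                     with the standard Entra ID method
    """
    name = job_user
    if "@" in name and not upn_as_username:
        name = name.split("@", 1)[0]           # truncate UPN -> sAMAccountName
    elif "@" not in name and upn_suffix:
        name = f"{name}@{upn_suffix}"          # Print Provider constructs the UPN
    if name in USERS:
        return name
    # Fall back to the alias table (the manual per-user alternative from the text).
    for user in USERS.values():
        if name in user.aliases:
            return user.username
    return None


if __name__ == "__main__":
    for job, suffix in [("alex.test", None), ("alex.test", "organization.com"),
                        ("sam.jones", None)]:
        print(f"{job!r:12} UPNSuffix={suffix!r:20} -> {resolve_job_owner(job, suffix)}")
```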

If you’re using Print Deploy

We recommend not using the ‘TRUST’ mode for Print Deploy client authentication. It will pick up the locally configured username logged into the workstation, which could differ from the UPN username configured in PaperCut (see above).

When Entra ID MFA is disabled or bypassed for PaperCut MF, use the ‘PROMPT’ method of authentication so that users can enter their UPN and password when the Print Deploy client starts (from version 21.2) to authenticate.

Otherwise, if MFA is enabled, you must use the Sign in with Microsoft button in the Print Deploy client to authenticate.

If you’re using Print Deploy to deploy Print Server queues to your workstations, then it’s also worth checking the ‘workstation > print queue’ requirement details above.

If you’re using Mobility Print

When Entra ID MFA is disabled or bypassed for PaperCut MF, users can enter their UPN and password when adding printers using the Mobility Print client (from version 21.2) to authenticate. Otherwise, if MFA is enabled, you cannot authenticate Mobility Print with Microsoft Entra ID. We are working on support for TRUST mode in a future release of Mobility Print.

If you’re using Universal Print

Since Universal Print was designed around UPN usernames, there shouldn’t be any additional considerations when integrating the Universal Print Connector for PaperCut NG/MF.

Setting up Entra ID sync or Entra ID Secure LDAP sync

For more information and steps on how to set up each integration, see:

FAQs

Is there anything I should do to prepare for using standard Azure AD for syncing?

Yes. Standard Azure AD uses UPNs when syncing usernames, so you need to review the implications of using UPNs as usernames, and test print job ownership in your environment to ensure a successful migration or deployment.

Why am I receiving a failed to authenticate with error: AADSTS50076 or AADSTS50079 message?

These errors indicate that the user is attempting to log in using a method that is not supported (for example, attempting to authenticate using a username and password on an MFD with MFA enabled, or using a username and password on a web interface on a version of MF/NG prior to 23.0.1). Please check your Azure AD MFA settings and refer to the table above to understand which login methods are supported for your configuration.
Why does the username in PaperCut appear as the UPN when using the standard Azure AD sync method?

The UPN is what uniquely identifies users in Azure, and having the full domain component in the username prevents username clashes that might otherwise occur when multiple domains are in use.

One potential problem with this approach is that some components of PaperCut, such as the User Client and the Print Deploy client, often get the username of the user logged into the OS. Even when you join a Windows device to an Azure AD domain and log in with a UPN, the Print Deploy client, for example, might not identify the OS user by their full UPN. It will typically identify them by their MailNickName. For example, if the user’s UPN is alex@papercut.com, the MailNickName is probably going to be alex.

For alternatives to tackling this username mismatch, see step 3 in the KB article Preparing to use UPN usernames with PaperCut when synching with the standard Azure AD sync method.

How do I migrate from using sAMAccountName to User Principal Name (UPN) for all my PaperCut usernames?

Can I sync MailNickName instead of UPN with the standard Azure AD method?

There is currently no option to sync the MailNickName (instead of the UPN) using the standard Azure AD sync method.

What does the key user-source.ad.upn-as-username do?

When using on-prem AD sync (that is, the sync source set to ‘Windows AD’ in PaperCut), you can use this key to toggle between:

  • N, the default – the username is pulled into PaperCut as the sAMAccountName

  • Y, which will sync the UPN as the PaperCut username instead.

When the key is set to Y, it also means that when matching usernames of logins or print jobs, PaperCut will not truncate the UPN into a sAMAccountName.

When using Azure AD Secure LDAP as the sync source, this key doesn’t alter the PaperCut username that is created. The sync will always use sAMAccountName as the PaperCut username.

When using the standard Azure AD method, this key doesn’t alter the PaperCut username that is created. The sync will always use the UPN as the PaperCut username (apart from in one scenario, detailed in the next question). However, when the key is set to Y, PaperCut will not truncate the UPN into a sAMAccountName when matching usernames of logins or print jobs. So when using this sync method, this key must be set to Y (as detailed in the manual page).

Why do half of my users have the UPN for their username, and the other half have MailNickName as their username?

If a customer was originally using a sync method that pulled in the ‘MailNickName’ as the usernames in PaperCut (for example, ‘alex.test’) and then switched to use the standard Azure AD sync method, PaperCut sees that the email address associated with that user matches the UPN, and doesn’t create a new user. However, for any new users synced it will create the username as the UPN – in which case there could be a mixture of PaperCut username formats.

In this case we recommend renaming all accounts with the sAMAccountName to the UPN.
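As an added example (not PaperCut code), this Python models the matching rule described in the answer above and the recommended clean-up: users whose email matches the incoming UPN keep their existing MailNickName username, anyone else is created with the UPN, and a rename pass then brings every account to the UPN format. All users are constructed sample data.

```python
"""Illustrative model of why a switch to the standard Entra ID sync method can
leave a mix of MailNickName and UPN usernames, and of the recommended fix.
Not PaperCut's own code; all user data below is constructed."""

from typing import Dict, Iterable, Tuple

# Existing PaperCut users created by an earlier sync that used the MailNickName.
# Maps PaperCut username -> email address.
EXISTING_USERS: Dict[str, str] = {
    "alex.test": "alex.test@organization.com",
    "sam.jones": "sam.jones@organization.com",
}

# Users returned by the standard Entra ID sync as (UPN, email) pairs; the UPN is
# the username this method creates. new.hire is not in PaperCut yet.
ENTRA_USERS = [
    ("alex.test@organization.com", "alex.test@organization.com"),
    ("sam.jones@organization.com", "sam.jones@organization.com"),
    ("new.hire@organization.com", "new.hire@organization.com"),
]


def run_sync(users: Dict[str, str], incoming: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Apply the matching rule from the text: an existing user whose email matches
    the incoming UPN is kept under its current username; anyone else is created
    with the UPN as the username. Returns the resulting username -> email map."""
    result = dict(users)
    by_email = {email: name for name, email in users.items()}
    for upn, email in incoming:
        if upn in by_email:
            continue                      # matched by email: no new user created
        result[upn] = email
    return result


def rename_to_upn(users: Dict[str, str]) -> Dict[str, str]:
    """Recommended clean-up: rename every non-UPN username to the UPN so that all
    usernames share one format. Assumes, as in the text, that the stored email
    equals the user's UPN."""
    return {(name if "@" in name else email): email for name, email in users.items()}


def username_formats(users: Dict[str, str]) -> Tuple[int, int]:
    """Count (MailNickName-style, UPN-style) usernames, to show the mixture."""
    upn_style = sum(1 for name in users if "@" in name)
    return len(users) - upn_style, upn_style
```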

Can I sync card numbers/PINs using the standard Azure AD sync method?

It is possible to sync a primary card number into PaperCut NG/MF when using the standard Azure AD sync method (see footnote 4 under the table above). However, it is not possible to sync additional card numbers or PINs at this time. When using the Azure AD Secure LDAP method, there are additional sync options for multiple card numbers.

Note that with PaperCut MF/NG version 22.0.9 or later, you can now set up additional Card/ID sync options through the Azure AD sync options (under **Options > User/Group Sync > Sync Source**).

Can I sync Office and Department fields using the standard Azure AD sync method?

Yes! The Office and Department fields will sync into PaperCut NG/MF when using the standard Azure AD sync method. Note that the ability to sync the Department field was added in version 21.2.

Why does the PaperCut User Client not recognize me when I start it up?

If you normally start your PaperCut User Client and it silently starts and shows you your balance window, you may see an identification popup the first time you launch the user client after migrating to UPNs.

Take a look at the question ‘Why does the username in PaperCut appear as the UPN when using the standard Azure AD sync method?’ above for more information. In summary, the User Client might be seeing the Windows username as ‘alex.test’, whereas the username in PaperCut is alex.test@organization.com, so there will be a mismatch.

What should happen is that the client (if using version 21.2 or later) should let the user identify themselves with the UPN and password authentication, and the client should then start normally.

Is PaperCut looking at adding a ‘Sign in with Microsoft’ button to the Mobility Print client to make authentication smoother?

Hopefully! We have this on our list of things to do. If you have any questions, please quote MOB-2650.
