Available in PaperCut NG and PaperCut MF.

Synchronize user and group details with standard Azure AD


Standard Azure AD uses UPNs when syncing usernames. To ensure a successful migration or deployment, we highly recommend that you review the implications of using UPNs as usernames, and test print job ownership in your environment.

To synchronize with a standard Azure AD tenant, you need to create a new application in your Azure Tenant.


Step 1. Create your Azure application

  1. Log in to Azure as an application administrator.

  2. In the Search bar, search for and select Azure Active Directory.

  3. In the navigation pane, under Manage, select App Registrations.

  4. Click New registration.

  5. Fill in the basic information for your application.

    • Set Name as something you can easily identify, for example, PaperCut Azure Sync.

    • Set the supported account type to Accounts in this organizational directory only.

  6. Click Register.

Step 2. Give your application permissions to read users and groups

  1. In the navigation pane, under Manage, select APIApplication Programming Interface (API) is a set of routines, protocols, and tools for building software and applications. An API expresses a software component in terms of its operations, inputs, outputs, and underlying types, defining functionalities that are independent of their respective implementations, which allows definitions and implementations to vary without compromising the interface. Permissions and click Add a permission.

  2. In the right pane, select Microsoft Graph, and click Delegated permissions.

  3. Use the search bar to locate and add the following permissions:

    • profile

    • User.Read

  4. Click Application permissions.

  5. Use the search bar to locate and add the following permissions:

    • Directory.Read.All

    • Group.Read.All

    • GroupMember.Read.All

    • User.Read.All

  6. Under Configured Permissions, click Grant admin consent, and then click Yes to confirm.

Step 3. Configure your application’s authentication

  1. In the navigation pane, under Manage, select Authentication.

  2. Under Platform configurations, click Add a platform.

  3. In the right side pane, select Web.

  4. Fill in the platform configuration with the following values:

    • Redirect URIs: set to ://your-papercut-server-address/api/oauth2callback.

      For example: https://papercut.school.com:9192/api/oauth2callback

    • Leave the front-channel logout URL can be left blank.

    • Under Implicit grant and hybrid flows, select ID Tokens.

  5. Click Configure.

Step 4. Generate an application client secret value

  1. In the navigation pane, under Manage, select Certificates & secrets.

  2. Under Client Secrets, click New client secret.

  3. Complete the following fields:

    • Description: set to something memorable, for example, “PaperCut Sync Secret”.

    • Expires: Choose an appropriate expiry date.


      Prior to the expiry date you choose, to keep your users synchronized with PaperCut NG/MF you will need to create a new secret in the Azure Portal and also update the secret in the PaperCut Admin web interface.

  4. Click Add.

  5. Copy this client secret value for later use.

Step 5. Configure PaperCut

  1. Log in to the PaperCut Admin web interface.


    To ensure a successful migration or deployment, before completing this step please read Preparing to use UPN usernames with PaperCut when synching with the standard Azure AD sync method. Make sure you understand the implications of using UPNs for syncing usernames.


    When you use the standard Azure AD sync, On-demand user creation will be disabled by default.

  2. Select Options > User/Group Sync.

    The User/Group Sync page is displayed.

  3. In the Sync Source area, in Primary sync source, select Azure AD.

  4. Fill in the following fields:

    • Tenant ID: The ID of your tenant, as listed in Azure Active Directory.

    • App ID: The ID of the application you registered as part of this setup.

    • Client Secret: The client secret value you created in Step 4.

  5. If you want to sync the Primary card number in PaperCut from the employeeID field in Azure:

    1. From the Actions menu, click Config editor (advanced) to open the Config EditorThe Config Editor stores information used by PaperCut to configure advanced options and functions. This information is stored in config keys, which are editable by an administrator..

    2. Search for user-source.update-user-details-card-id.

    3. Change the value from N to Y.

      Click Update.

  6. Click Apply.

  7. If you want your users to be able to log in to the Admin and User web interfaces using the Sign in with Microsoft button:

    1. Return to Options > User/Group Sync.

    2. Scroll down the page to find Single Sign on with Microsoft and select the checkbox to enable it.

    3. Fill in the fields with the same information as above.

    4. Click Apply at the bottom of the page.