Overview of synchronizing user and group details with Azure AD
There are three ways to integrate Microsoft Azure cloud identity with PaperCut:
Using a local domain controller (setting the PaperCut sync source to Windows Active Directory)
A common option is to use Microsoft’s Hybrid Identity model, with at least one Active Directory Domain Controller server in the local environment. This Domain Controller (using Azure AD Connect to communicate with Azure AD in the cloud) is then available to serve identity and authentication requests from the PaperCut application server - acting as a middleman between PaperCut and Azure AD. This method uses the regular Windows Active Directory sync method.
Using Azure AD through Secure LDAP (setting the PaperCut sync source to Azure AD Secure LDAP)
This method allows the PaperCut application server to communicate directly with Azure AD using the secure LDAP protocol. However, note that Microsoft charges a monthly subscription fee to enable secure LDAP connections (requiring Azure Active Directory Domain Services) for an Azure/M365 tenancy.
Using ‘standard’ Azure AD (setting the PaperCut sync source to Azure AD)
This method uses the Microsoft Graph API endpoints included with every Microsoft 365 subscription at no extra cost. The PaperCut application server communicates directly with the Graph endpoints in Azure to perform authentication using the OAuth2 protocol.
The table below highlights the different features of the cloud-only sync methods from above, as well as some of the implications of choosing a particular sync method.
|Feature|Azure AD (version 21.1 or earlier, using Microsoft Graph API)|Azure AD (version 21.2 or later, using Microsoft Graph API)|Azure AD Secure LDAP (using Secure LDAP / Azure AD Domain Services)|
|---|---|---|---|
|Synchronize users and groups to PaperCut database ¹|Yes (PaperCut username is the UPN - user@domain)|Yes (PaperCut username is the UPN - user@domain)|Yes (PaperCut username is the MailNickName - user)|
|MFD/Copier swipe card authentication ¹|Yes|Yes|Yes|
|MFD/Copier swipe card self-association ²|No|Yes|Yes|
|MFD/Copier username/password authentication|No|Yes|Yes|
|User or Admin User Web Interface username/password authentication|No|Yes|Yes|
|“Sign On with Microsoft” button (Azure SSO) on Admin or User Web Interface ³|Yes|Yes|Yes|
|Mobile Web Client username/password authentication|No|Yes|Yes|
|PaperCut User Client username/password authentication|No|Yes|Yes|
|“Sign On with Microsoft” button (Azure SSO) on the PaperCut User Client ³|No|No|No|
|Release Station swipe card authentication ¹|Yes|Yes|Yes|
|Release Station username/password authentication|No|Yes|Yes|
|Print Deploy User Client username/password authentication|No|Yes|Yes|
|Print Deploy Web Admin username/password authentication|No|Yes|Yes|
|“Sign On with Microsoft” button (Azure SSO) on Print Deploy client ³|No|No|No|
|Mobility Print client username/password authentication|No|Yes|Yes|
|Mobility Print Web Admin username/password authentication|No|Yes|Yes|
|“Sign On with Microsoft” button (Azure SSO) on Mobility Print client ³|No|No|No|
|Universal Print Connector|Yes|Yes|Yes|
|Cost|Free|Free|Microsoft charges an additional fee for enabling Secure LDAP through Azure Active Directory Domain Services|
|Username in PaperCut|UPN (e.g. firstname.lastname@example.org)|UPN (e.g. email@example.com)|sAMAccountName, which Azure may call MailNickName (e.g. alex.test)|
|Support 2FA / MFA through the PaperCut sync source|No|No|No|
|Ability to sync card numbers with Azure|Yes ⁴|Yes ⁴|Yes|
|Ability to sync user aliases with Azure|No ⁵|No ⁵|Yes|
¹ Swipe card authentication – use a swipe card with a card reader to log into the device or release station. Since this only uses the card number (and optional PIN), username/password authentication is not involved.
² Swipe card self-association – use a brand new swipe card with a card reader to log into the device. Since PaperCut does not recognize the card number, it asks the user to log in with their username and password to ‘self-associate’ the new card with their user record.
³ ‘Single Sign on with Microsoft’ method of signing in – enabled on the Admin and User web interfaces under Options > User/Group Sync > Single Sign on with Microsoft > Enable the ‘Sign in with Microsoft’ button.
⁴ When using the standard Azure AD sync method, if you want to sync a primary card number, set the config key user-source.update-user-details-card-id to Y. On the next sync, the Employee ID number from Azure AD is synced into the Primary Card Number field in PaperCut. There are no other configuration options available for this currently. Other alternatives for importing card numbers when using the standard Azure AD method are to use a batch-update method, auto-generation of card numbers, or an external lookup as detailed in this manual on the User card and ID numbers page. Note: if you’re using the Azure AD Secure LDAP sync method, you can set additional options for card number sync through the interface as detailed on the Synchronize user and group details with Azure AD Secure LDAP page.
⁵ An alternative option for the standard Azure AD method is to use the batch import and update user process to update the user alias fields; however, that would lead to an ongoing maintenance overhead.
Standard Azure AD uses UPNs when syncing usernames. To ensure a successful migration or deployment, we highly recommend that you review the implications of using UPNs as usernames, and test print job ownership in your environment.
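To see what the UPN-versus-MailNickName difference means in practice, the following added example (not PaperCut's own code) models the username each sync source would store, the Employee ID to card number copy enabled by user-source.update-user-details-card-id=Y, and a dry-run check of an sAMAccountName to UPN migration. The Graph user objects, the existing PaperCut usernames and the method labels 'azure-ad' / 'azure-ad-ldap' are constructed for the example.

```python
# Added example (not PaperCut's own code): model the username each Azure AD sync
# source would give PaperCut, and dry-run an sAMAccountName -> UPN migration.
from typing import Optional

# Constructed sample of Microsoft Graph /users objects (only the fields used here)
GRAPH_USERS = [
    {"userPrincipalName": "alex.test@example.org", "mailNickname": "alex.test", "employeeId": "1001"},
    {"userPrincipalName": "sam.lee@example.org", "mailNickname": "slee", "employeeId": None},
    {"userPrincipalName": "pat.kim@example.org", "mailNickname": "pat.kim", "employeeId": "1003"},
]

# Constructed: usernames already in a PaperCut database synced from on-prem AD (sAMAccountName)
EXISTING_PAPERCUT_USERS = {"alex.test", "slee", "jdoe"}


def papercut_username(user: dict, method: str) -> str:
    """Username PaperCut would store under a given sync source (labels are this
    example's own): 'azure-ad' (standard, Graph API) uses the UPN, 'azure-ad-ldap'
    (Secure LDAP) uses the MailNickName. Lower-cased here for comparison only."""
    if method == "azure-ad":
        return user["userPrincipalName"].lower()
    if method == "azure-ad-ldap":
        return user["mailNickname"].lower()
    raise ValueError(f"unknown sync method: {method}")


def primary_card_number(user: dict, update_card_id: bool) -> Optional[str]:
    """With user-source.update-user-details-card-id=Y the standard method copies the
    Azure AD Employee ID into the Primary Card Number field; otherwise nothing is synced."""
    return user.get("employeeId") if update_card_id else None


def migration_report(users, existing, method="azure-ad"):
    """Map each new username to the existing record it replaces (or None).
    None means the user would get a fresh PaperCut record, so balances, card numbers
    and print job ownership would not carry over. Also returns existing records that
    no Graph user maps to (orphans)."""
    mapping, matched = {}, set()
    for u in users:
        new = papercut_username(u, method)
        # old sAMAccountName-style names usually equal the MailNickName or the UPN local part
        candidates = [u["mailNickname"].lower(), new.split("@")[0]]
        old = next((c for c in candidates if c in existing), None)
        mapping[new] = old
        if old:
            matched.add(old)
    return mapping, existing - matched


if __name__ == "__main__":
    report, orphans = migration_report(GRAPH_USERS, EXISTING_PAPERCUT_USERS)
    for new, old in report.items():
        print(f"{new:26} <- {old or 'NEW RECORD (check job ownership)'}")
    print("orphaned existing users:", sorted(orphans))
```

Run the report against an export of your real PaperCut user list before switching the sync source; every None and every orphan is a user whose jobs, balance or card may not follow them.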
If you’re printing from workstation > print queue
If you’re using Print Deploy
If you’re using Mobility Print
If you’re using Universal Print
For more information and steps on how to set up each integration, see:
Is there anything I should do to prepare for using standard Azure AD for syncing?
What happens if I have MFA/2FA enabled for all my Azure accounts?
Why does the username in PaperCut appear as the UPN when using the standard Azure AD sync method?
How do I migrate from using sAMAccountName to User Principal Name (UPN) for all my PaperCut usernames?
Can I sync MailNickName instead of UPN with the standard Azure AD method?
What does the key