# Active Directory
## Active Directory Guide
In this article, we illustrate how to properly set up the **Active Directory** functionality of the admin portal. Whether you utilise **on-premises** Active Directory or you are dependent in one from the **cloud** (**Azure AD**), by enabling this option, the **CYBERAWARE SECURITY** platform will retrieve and synchronise your groups and recipients accordingly.
**Prerequisites (Only for Azure AD Domain Services):**
Before you can integrate an Active Directory using **Azure AD Domain Services,** please make sure to visit and establish either of the following:
* [Create and configure an Azure Active Directory Domain Services managed domain](https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance)
* [Configure secure LDAP for an Azure Active Directory Domain Services managed domain](https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-configure-ldaps)
**1.** As a reference point, let's have a look at our [Groups](https://docs.cyberawaresecurity.com/admin-portal/groups) and [Recipients](https://docs.cyberawaresecurity.com/admin-portal/recipients). Before synchronisation, they are both empty:
**2.** Navigate to **Active Directory:**
**3.** Go ahead and select the **Enable AD Synchronisation** option:
You should get the following output:
**4.** Click on the **AD Sync installer.msi** in order to **download** it. You'll later need to install it.
After the installation, this service tool will be used to synchronise both ends, our **platform's client** with your **AD server.**
**5.** When enabling the **Active Directory Synchronisation,** you will be deprived of the opportunity for **manual creation** of **groups** and **recipients.** To be able to once again have the ability to manually create groups and recipients, click on the indicated buttons shown below:
**6.** Before you **Confirm,** **copy,** and essentially **store temporarily** the provided **configuration key;** you'll be required to use it when setting up the **config** file for the sync service (we will discuss this further down the line).
**7.** On the confirmation prompt that pops up, select to **Confirm** or **Cancel** accordingly:
**8.** If you’ve confirmed the action, click **OK** to proceed:
**9.** As we can see, the Active Directory Synchronisation has been enabled!
**10.** Now, let's go ahead and **open** up the installer you've downloaded earlier in order to **install** the sync service.
You will be prompted with the **Setup Wizard:**
**11.** To continue, click on **Next:**
You will be met with the **End-User License Agreement:**
**12. Accept** the terms and select **Next:**
**13. Choose** the destination for your folder and click on **Next** to proceed accordingly:
**14.** Click on **Install** to finally install the machine:
**15. Untick** the box to **avoid launching** the **AD Sync Manager** as we are yet to set up the config file. Click **Finish** to close the window.
**16.** Finally, navigate to the **directory/path** you've chosen during the installation steps and **open** up the **config** file:
In this instance, we are using **notepad** to open it. As always, you may use any **text editor** you might prefer.
**17.** When the file opens up, you will come across the following configuration:
**18.** It is a **must** to edit and **fill** the following fields:
*Please refer to the table below for more:*
| Attributes | Details |
| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **workspace\_key** | This is the **configuration key** we've previously stored when enabling the Active Directory Synchronisation. |
| **\[ldap] - host** | If the organisation is using a **local machine** to run the Active Directory role, you should add its **IP.** Otherwise, if your Active Directory runs on top of **Azure,** you should add the external IP address (**public**) or the **FQDN** of the Active Directory Services. Use **localhost** if the tool is installed on the Domain Controller. |
| **\[ldap] - port** | Could be port **389** or **636** for a **local** setup. For **Azure AD,** you can only use port **636.** |
| **\[ldap] - user** | For an **on-premises** configuration, this is the **username** of the profile you are using to **administer** Active Directory. If you are rather managing **Azure Active Directory Services,** you should leave this attribute **blank.** |
| **\[ldap] - pass** | This is the **password** required to gain access to the admin role. |
| **\[ldap] - enable\_tls** | Assuming you are using port **636,** for **secure ldap** (**ldaps**), the value of this attribute should be set to **true,** otherwise you should leave it as its **default** (**false**). |
| **\[ldap] - #bind\_str** | This attribute is a **comment** by **default.** It should only be **uncommented** if you are using **Azure.** It can take parameters such as the **user** managing the Azure AD, his/her **group,** and the **domain.** |
| **\[ldap.ad] - base\_dn** | Here, you should add the **domain** as a parameter. It should match the one you've added in the **bind\_str** attribute. |
**19.** It is **recommended** to **edit** the following fields as well, but they are **optional:**
You may essentially exclude groups which aren't needed, such as the group of **enterprise admins,** etc.
**20.** After **saving** the changes, go ahead and **load** the **manager** application that exists within the same folder:
The following window should then pop up:
**21.** Click on the **Start service** button to **start** the service:
**22.** The service is now **Running** as expected!
**23.** After some time, when the **synchronisation** is **complete,** we may distinguish that the **changes** have been **applied. Groups** and **Recipients** sections should now appear **updated:**
**24.** As always, you may **disable** the Active Directory Synchronisation feature from the button shown below:
**25.** On the prompt that will pop up, press on **Disable** or **Cancel** accordingly:
**26.** At the **last confirmation,** click **OK** to finalise.
