# Active Directory

## Active Directory Guide

In this article, we illustrate how to properly set up the **Active Directory** functionality of the admin portal. Whether you use an **on-premises** Active Directory or rely on one hosted in the **cloud** (**Azure AD**), enabling this option lets the **CYBERAWARE SECURITY** platform retrieve and synchronise your groups and recipients accordingly.

**Prerequisites (Only for Azure AD Domain Services):**

Before you can integrate an Active Directory using **Azure AD Domain Services,** please make sure to visit and complete either of the following Microsoft guides:

* [Create and configure an Azure Active Directory Domain Services managed domain](https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance)
* [Configure secure LDAP for an Azure Active Directory Domain Services managed domain](https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-configure-ldaps)

**1.** As a reference point, let's have a look at our [Groups](https://docs.cyberawaresecurity.com/admin-portal/groups) and [Recipients](https://docs.cyberawaresecurity.com/admin-portal/recipients). Before synchronisation, they are both empty:

<figure><img src="/files/ZDufDlueZmZjfuofuRPO" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/n2IKXEjP3H3cYcBaT7XB" alt=""><figcaption></figcaption></figure>

**2.** Navigate to **Active Directory:**

<figure><img src="/files/icVPmkYnBrOuqXeKeM0C" alt=""><figcaption></figcaption></figure>

**3.** Go ahead and select the **Enable AD Synchronisation** option:

<figure><img src="/files/UE2S7UTu9fJcZtNaYRT0" alt=""><figcaption></figcaption></figure>

You should get the following output:

<figure><img src="/files/ckTubx875NurHdVLWQxz" alt=""><figcaption></figcaption></figure>

**4.** Click on **AD Sync installer.msi** to **download** it; you'll install it later.

<figure><img src="/files/QVMOw5NrzPo0Kgbo2n1u" alt=""><figcaption></figcaption></figure>

After installation, this service tool synchronises both ends: the **platform's client** and your **AD server.**

**5.** When you enable **Active Directory Synchronisation,** **manual creation** of **groups** and **recipients** is disabled. To regain the ability to create groups and recipients manually, click the buttons indicated below:

<figure><img src="/files/O23pnPL2hhDTAqLd5NZh" alt=""><figcaption></figcaption></figure>

**6.** Before you **Confirm,** **copy** the provided **configuration key** and **store it temporarily;** you'll need it when setting up the **config** file for the sync service (discussed further below).

<figure><img src="/files/KxkH0SPt0Vk9G4vQ8mhp" alt=""><figcaption></figcaption></figure>

**7.** On the confirmation prompt that pops up, select **Confirm** or **Cancel** accordingly:

<div align="left"><figure><img src="/files/8SYQaueKXXh6g2Xw7XhP" alt=""><figcaption></figcaption></figure></div>

**8.** If you’ve confirmed the action, click **OK** to proceed:

<div align="left"><figure><img src="/files/PGc8DGnBcwQDszWTgOkj" alt=""><figcaption></figcaption></figure></div>

**9.** As we can see, the Active Directory Synchronisation has been enabled!

<figure><img src="/files/orsaWRN68CVA6OdjYSac" alt=""><figcaption></figcaption></figure>

**10.** Now **open** the installer you downloaded earlier to **install** the sync service.

<figure><img src="/files/T1lqM6OkAGeHMIOOExKM" alt=""><figcaption></figcaption></figure>

You will be prompted with the **Setup Wizard:**

<div align="left"><figure><img src="/files/evdZyJahzlC73nuRIdPK" alt=""><figcaption></figcaption></figure></div>

**11.** To continue, click on **Next:**

<div align="left"><figure><img src="/files/DomKq4m5UR7oRgx1LthA" alt=""><figcaption></figcaption></figure></div>

You will be met with the **End-User License Agreement:**

<div align="left"><figure><img src="/files/wRNES1goyfllQ36CpM6h" alt=""><figcaption></figcaption></figure></div>

**12. Accept** the terms and select **Next:**

<div align="left"><figure><img src="/files/sev4YlLYAIXnJoQaZy9B" alt=""><figcaption></figcaption></figure></div>

**13. Choose** the destination folder and click on **Next** to proceed:

<div align="left"><figure><img src="/files/TvDsToeaAeF7h2o9qDCH" alt=""><figcaption></figcaption></figure></div>

**14.** Click on **Install** to install the service:

<div align="left"><figure><img src="/files/DkJnWU8cv7XthFj23zdQ" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="/files/2AzKP69cvJMAshXJsvG6" alt=""><figcaption></figcaption></figure></div>

**15. Untick** the box to **avoid launching** the **AD Sync Manager,** as the config file is not yet set up. Click **Finish** to close the window.

<div align="left"><figure><img src="/files/utuhaMuxfvb0riVupL2A" alt=""><figcaption></figcaption></figure></div>

**16.** Finally, navigate to the **directory/path** you chose during installation and **open** the **config** file:

<figure><img src="/files/QYZrRejOb4proq6WWlgn" alt=""><figcaption></figcaption></figure>

In this instance, we are using **Notepad** to open it; you may use any **text editor** you prefer.

**17.** When the file opens, you will see the following configuration:

<figure><img src="/files/MTVaTKlUpgkpqdPWU3od" alt=""><figcaption></figcaption></figure>

**18.** The following fields **must** be edited and filled in:

<figure><img src="/files/PIuVMhgGZRgx1NmLC6lQ" alt=""><figcaption></figcaption></figure>

*Please refer to the table below for details:*

| Attributes | Details |
| ---------- | ------- |
| **workspace\_key** | The **configuration key** stored earlier when enabling Active Directory Synchronisation. |
| **\[ldap] - host** | If the organisation runs the Active Directory role on a **local machine,** add its **IP.** If your Active Directory runs on **Azure,** add the external (**public**) IP address or the **FQDN** of the Active Directory Domain Services instance. Use **localhost** if the tool is installed on the Domain Controller. |
| **\[ldap] - port** | Port **389** or **636** for a **local** setup. For **Azure AD,** only port **636** can be used. |
| **\[ldap] - user** | For an **on-premises** configuration, the **username** of the account you use to **administer** Active Directory. If you are managing **Azure Active Directory Domain Services,** leave this attribute **blank.** |
| **\[ldap] - pass** | The **password** of that administrative account. |
| **\[ldap] - enable\_tls** | If you are using port **636** for **secure LDAP** (**LDAPS**), set this attribute to **true;** otherwise leave it at its **default** (**false**). |
| **\[ldap] - #bind\_str** | This attribute is **commented out** by **default** and should only be **uncommented** if you are using **Azure.** It takes parameters such as the **user** managing the Azure AD, their **group,** and the **domain.** |
| **\[ldap.ad] - base\_dn** | Add the **domain** here. It should match the one used in the **bind\_str** attribute. |
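
As an added example (not the vendor's tool or code), here is a small Python checker that applies the table's rules to the config file before you start the service. It assumes the file is INI/TOML-style `key = value` lines under `[ldap]` and `[ldap.ad]` with `#` comments, as the attribute names suggest; the sample file and its values are constructed placeholders.

```python
def parse_config(text):
    """Return {section: {key: value}}; keys before any [section] land under ''."""
    cfg, section = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue              # a commented key (e.g. #bind_str) counts as absent
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            cfg.setdefault(section, {})
            continue
        key, _, value = line.partition("=")
        cfg[section][key.strip()] = value.strip().strip('"')
    return cfg

def check_config(cfg, azure):
    """Apply the guide's rules; an empty list means the file is consistent with them."""
    ldap, ad, issues = cfg.get("ldap", {}), cfg.get("ldap.ad", {}), []
    if not cfg[""].get("workspace_key"):
        issues.append("workspace_key is empty: paste the configuration key from the portal")
    port, tls = ldap.get("port"), ldap.get("enable_tls", "false").lower() == "true"
    if (port == "636") != tls:
        issues.append("enable_tls must be true exactly when port is 636 (LDAPS)")
    if not ldap.get("pass"):
        issues.append("pass is empty")
    if azure:                     # Azure AD DS rows of the table
        if port != "636":
            issues.append("Azure AD DS only supports port 636")
        if ldap.get("user"):
            issues.append("user must be left blank for Azure AD DS")
        if "bind_str" not in ldap:
            issues.append("bind_str must be uncommented and filled in for Azure")
    if not ad.get("base_dn"):
        issues.append("[ldap.ad] base_dn is empty")
    return issues

# Constructed sample file with placeholder values (no real key or credentials).
ONPREM_OK = """workspace_key = "WORKSPACE-KEY-PLACEHOLDER"
[ldap]
host = "localhost"
port = "636"
user = "svc-adsync"
pass = "PASSWORD-PLACEHOLDER"
enable_tls = true
#bind_str = ""
[ldap.ad]
base_dn = "DC=corp,DC=example"
"""
AZURE_BAD = ONPREM_OK.replace('port = "636"', 'port = "389"')  # wrong for Azure AD DS
```

Run `check_config(parse_config(open("config").read()), azure=True)` against your own file and fix every reported issue before starting the service.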

**19.** The following fields are **optional,** but editing them is **recommended:**

<figure><img src="/files/f0UHx1zX2xq3uQ6j3SFG" alt=""><figcaption></figcaption></figure>

For example, you may exclude groups that are not needed, such as **Enterprise Admins.**

**20.** After **saving** the changes, **launch** the **manager** application located in the same folder:

<figure><img src="/files/syMsNX1Sz9viR7XD4OY7" alt=""><figcaption></figcaption></figure>

The following window should then pop up:

<div align="left"><figure><img src="/files/UdT1uN6NFtnbLR7QbrtR" alt=""><figcaption></figcaption></figure></div>

**21.** Click on the **Start service** button to **start** the service:

<div align="left"><figure><img src="/files/SMKS0VD8CPcKcvgVTiKD" alt=""><figcaption></figcaption></figure></div>

**22.** The service is now **Running** as expected!

<div align="left"><figure><img src="/files/J1HisGV4WCZJwZEbcgw8" alt=""><figcaption></figcaption></figure></div>

**23.** After some time, once the **synchronisation** is **complete,** you will see that the **changes** have been **applied;** the **Groups** and **Recipients** sections should now appear **updated:**

<figure><img src="/files/NL5ura2yQ335aJDZBX0j" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/wydE67HGraIPUdZExdZM" alt=""><figcaption></figcaption></figure>

**24.** As always, you may **disable** the Active Directory Synchronisation feature from the button shown below:

<figure><img src="/files/TPuErNfu64wYqEIFd9RL" alt=""><figcaption></figcaption></figure>

**25.** On the prompt that pops up, click **Disable** or **Cancel** accordingly:

<div align="left"><figure><img src="/files/zB0bn0IeSxhGPUaTqY7R" alt=""><figcaption></figcaption></figure></div>

**26.** At the **last confirmation,** click **OK** to finalise.

<div align="left"><figure><img src="/files/naG4LiSUOZPhufoMBByQ" alt=""><figcaption></figcaption></figure></div>
