Introduction
Teramind’s integration with Microsoft Entra ID (formerly Azure AD) streamlines user management by automating the synchronization* of employee and group data directly from your cloud directory into Teramind. This connection ensures that your monitoring environment remains synchronized with your organizational hierarchy.
*Sync Type & Frequency:
Teramind performs a one-way sync, only importing data from your Azure directory. Any changes made to these resources within Teramind will not be pushed back or saved to your directory.
Syncs occur automatically once daily at midnight UTC. However, you can manually trigger a sync anytime (see Managing Existing Integrations).
Prerequisites
Prior to integration, please ensure the Entra ID/Azure account used for this process has the following options enabled within its Azure profile:
Setting | Required value
Assigned Roles | See the Assigned Roles section below
Overview > B2B collaboration | User type set to: Internal
Check out the following sections to learn more about these settings and how to verify/manage them.
Assigned Roles
To authorize the connection between Teramind and your directory, the person performing the setup must have high-level permissions to "consent" to the integration. Without these roles, Microsoft will block the connection for security reasons. You must have the following Assigned Roles:
Application Administrator
Cloud Application Administrator
Global Administrator
You can check/add role assignments from your Microsoft Azure portal:
To check or manage assigned roles:
1. Sign in to the Microsoft Entra admin center.
2. Browse to Entra ID > Users > All users.
3. Select user name > Assigned roles.
You can see the list of roles assigned to the user at different scopes. Additionally, you can see whether the role has been assigned directly or via a group.
B2B Collaboration
B2B Collaboration refers to the setting that determines a user's identity type within your directory. Teramind requires the integrating administrator to be an Internal user type to prevent authentication handoff errors during the sync process. If the administrator is an External user type, you can convert them to an Internal user from their user profile:
To check or convert B2B collaboration type:
1. Sign in to the Microsoft Entra admin center.
2. Browse to Entra ID > Users > All users.
3. Select user name > Overview.
4. Under B2B collaboration, click Convert to internal user if it’s not set to internal already.
Setting Up a New Integration
The integrations screen allows you to manage integrations with Teramind’s own apps or third-party solutions.
1. Navigate to the System > Integrations menu.
2. Click Microsoft Entra ID Directories. You will be taken to a new screen:
3. Click the Connect button. A login window will pop up:
4. Select your account to sign in. You might need to provide your 2FA authentication.
If authentication fails, it is likely due to insufficient permissions. Please revisit the Prerequisites section to verify your Azure account configuration.
Once authenticated, you will be redirected to the Permissions requested screen:
5. Review the permissions; click the Accept button to continue. You will be connected to your account and the window will close automatically. Go back to your Teramind Dashboard.
6. Click the Continue button. If the connection is successful, you will see the Microsoft Entra ID Directories screen:
7. At the top, you will see the total number of Users and Groups currently recognized in your Entra ID environment.
8. Below the overview section, you will see the section for the Extraction Rules.
9. Under the extraction rules, you will see the section for Mapping Rules.
10. Click the Add rules button to add a new rule.
11. Click the Toggle buttons to enable/disable rules.
12. Click the Three Dots in front of a rule to access its Context Menu. From the Context Menu, you can:
Edit: to edit the rule.
Increase priority*: to increase the priority (order) of the rule.
Decrease priority*: to decrease the priority (order) of the rule.
Remove: to delete the rule.
13. Click the Launch button to begin the syncing process.
*Rule Priority (Order)
The order of the rules is critical because Teramind processes them sequentially to determine the final dataset. Rule priority functions on a top-down basis: the first rule that applies to a user or group will dictate the outcome. For example, if a high-order rule excludes a specific group, but a lower-order rule includes a specific user within that group, that user will not be extracted because the exclusion rule was triggered first. However, if you reverse the priority by moving the inclusion rule to the top, the user will be successfully extracted before the group-wide exclusion is even considered. To ensure your sync works as intended, always place your most specific "Include" rules at the top of the list.
Configuring Rules
Extraction Rules
Extraction Rules determine which data is pulled from your Entra ID directory into Teramind. By carefully configuring these rules, you ensure that only necessary information is synchronized, which keeps your system efficient and clutter-free.
Note on Default Behavior
Teramind uses an "Exclude by Default" logic. Only users/groups explicitly included via a rule will be synchronized.
For example, if your directory contains Groups A, B, and C, and you set the following rules:
Include Users from Group A
Exclude Users from Group B
Only Group A will be imported. Group B is explicitly excluded, and Group C is implicitly excluded because it was not defined in an "Include" rule.
General
Name:
Give a descriptive title to identify this specific rule within your configuration list.
Target:
Defines the entity type this rule affects. You can select from User or Group.
Action:
Action defines the logic to be executed by the rule. You can select Include to include users or groups or select Exclude to skip them from import.
Condition
The Condition section allows you to apply conditional logic to your rule. Conditions are logical expressions that evaluate to either True or False. When a rule's Condition is true for an entity, the associated Action is applied. Below is an explanation of each condition type along with example field inputs and values to guide your configuration.
Condition | Description | Example
All | A "pass-through" condition: the rule applies to every entity being synchronized. It always evaluates to True, so the rule is always applied. | The rule is executed for all imported objects.
None | The opposite of "All". It effectively disables the rule, since no entity meets the criteria. It always evaluates to False, so the rule is never applied. | The rule never executes.
Field equals | The field value equals the specified value. The rule only runs if the specified directory field exactly matches the provided value. |
Field not equals | The field value does not equal the specified value. The rule runs for all entities except those where the specified field matches the provided value. | Applies the rule only to employees outside the US.
Field exists | The field is present and not "None". | Ensures the rule only runs for users who have an ID assigned in the Entra directory.
Field is empty | The field is empty ("None", an empty string, or an empty list). | Useful for identifying users missing a group ID.
Field is not empty | The field is not empty (has a value). | Ensures that only users with an email address are evaluated.
Field in list* | The field value is in the specified list. Use it to trigger a rule when a single-value attribute in your directory matches any one of several specified values. This is essentially a shorthand for applying "Field equals" logic to several items at once. | The rule will execute for any user whose office is located in any of the three listed cities.
Field not in list | The field value is not in the specified list. It is the opposite of the "Field in list" type. |
Field matches regex | The field value matches the specified regular expression. When you select this type, you will also see several options for the Pattern field. | In this example, the regex matches Teramind's office location ("525 Randall Ave Ste 100, PMB 491, Cheyenne, WY 82001").
Field intersects list* | The field's list of values has at least one value in common with the specified list (set intersection). This type is designed for attributes that can contain multiple values, such as group memberships, email aliases, or multi-select custom fields. It checks whether there is any overlap between the set of values stored in the source directory and the list of values you define in the rule. | Useful for identifying users who belong to at least one of several specific departments or security tiers. The "memberOf" attribute typically contains a list of all groups a user belongs to, so the rule executes for any user who is a member of the Finance group, the Legal group, OR the HR group.
*Field In List vs. Field Intersects List
The primary difference between Field in list and Field intersects list depends on whether the data coming from your directory is a single piece of information or a collection of items.
Field in list is used when a user has a single value (such as one specific Department or a City) that you want to check against a list of several possibilities. For the condition to trigger, that specific value must be found within the list you provided. For example, if you set the list to "Sales, Marketing, HR," and a user’s department is "Sales," the rule triggers because "Sales" is in your list.
Field intersects list is used when a user has multiple values (such as membership in several different Groups or a list of email aliases). The condition triggers if there is a "set intersection," meaning at least one of the user's many values matches at least one value in your specified list. For example, if a user belongs to five groups and you provide a list of three specific Group IDs, the rule triggers as long as the user belongs to at least one of those three.
In summary, use Field in list to check if one single attribute matches one of many choices, and use Field intersects list to check if any part of a multi-value collection overlaps with your list.
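The following is an added illustration, not Teramind's own code, that models how the extraction rules described above are evaluated: exclude-by-default, top-down priority with the first matching rule deciding the outcome, and each of the condition types in the table (including the single-value "Field in list" versus the multi-value "Field intersects list"). The user records, rule names and the snake_case condition keys are constructed for the example; the product's internal representation is not documented on this page.

```python
import re

# Constructed sample directory entities (not real Entra ID data)
USERS = [
    {"id": "u1", "displayName": "Alice", "mail": "alice@example.com",
     "department": "Finance", "city": "London", "memberOf": ["Finance", "Staff"]},
    {"id": "u2", "displayName": "Bob", "mail": "bob@example.com",
     "department": "Sales", "city": "Austin", "memberOf": ["Sales", "Contractors"]},
    {"id": "u3", "displayName": "Carol", "mail": None,
     "department": "Legal", "city": "Cheyenne", "memberOf": ["Legal"]},
    {"id": "u4", "displayName": "Dave", "mail": "dave@example.com",
     "department": "", "city": "Berlin", "memberOf": []},
]


def is_empty(value):
    """'Field is empty' semantics from the page: None, empty string, or empty list."""
    return value is None or value == "" or value == []


def as_list(value):
    """Treat a multi-value attribute as a set of values; a scalar becomes a one-item list."""
    if isinstance(value, (list, tuple, set)):
        return list(value)
    return [] if is_empty(value) else [value]


def condition_matches(cond, entity):
    """Evaluate one condition (keys mirror the page's condition names) to True/False."""
    kind = cond["type"]
    if kind == "all":
        return True
    if kind == "none":
        return False
    value = entity.get(cond["field"])  # a missing attribute behaves like None
    if kind == "field_equals":
        return value == cond["value"]
    if kind == "field_not_equals":
        return value != cond["value"]
    if kind == "field_exists":
        return value is not None
    if kind == "field_is_empty":
        return is_empty(value)
    if kind == "field_is_not_empty":
        return not is_empty(value)
    if kind == "field_in_list":          # single-value attribute vs. list of candidates
        return value in cond["values"]
    if kind == "field_not_in_list":
        return value not in cond["values"]
    if kind == "field_matches_regex":
        return isinstance(value, str) and re.search(cond["pattern"], value) is not None
    if kind == "field_intersects_list":  # multi-value attribute vs. list: any overlap
        return bool(set(as_list(value)) & set(cond["values"]))
    raise ValueError(f"unknown condition type {kind!r}")


def extract(rules, entities):
    """Exclude-by-default evaluation: for each entity the first rule (top-down)
    whose condition is true decides Include/Exclude; if no rule matches, the
    entity is implicitly excluded. Returns the ids of extracted entities."""
    extracted = []
    for entity in entities:
        for rule in rules:  # rules are assumed to be listed in priority order
            if condition_matches(rule["condition"], entity):
                if rule["action"] == "include":
                    extracted.append(entity["id"])
                break  # first match wins; lower-priority rules are not consulted
    return extracted


EXCLUDE_CONTRACTORS = {"name": "Skip contractors", "action": "exclude",
                       "condition": {"type": "field_intersects_list", "field": "memberOf",
                                     "values": ["Contractors"]}}
INCLUDE_BOB = {"name": "Include Bob", "action": "include",
               "condition": {"type": "field_equals", "field": "displayName", "value": "Bob"}}
INCLUDE_DEPTS = {"name": "Include Finance/Legal/HR members", "action": "include",
                 "condition": {"type": "field_intersects_list", "field": "memberOf",
                               "values": ["Finance", "Legal", "HR"]}}

# Group-wide exclusion above the specific include: Bob is dropped.
RULES_EXCLUDE_FIRST = [EXCLUDE_CONTRACTORS, INCLUDE_BOB, INCLUDE_DEPTS]
# Specific include moved to the top: Bob is extracted before the exclusion is considered.
RULES_INCLUDE_FIRST = [INCLUDE_BOB, EXCLUDE_CONTRACTORS, INCLUDE_DEPTS]

if __name__ == "__main__":
    print("exclude first:", extract(RULES_EXCLUDE_FIRST, USERS))  # ['u1', 'u3']
    print("include first:", extract(RULES_INCLUDE_FIRST, USERS))  # ['u1', 'u2', 'u3']
```

Dave (u4) is never extracted in either ordering: no Include rule matches him, so the exclude-by-default behaviour drops him silently, which is the case to check first when a user is unexpectedly missing after a sync.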
Mapping Rules
Mapping Rules transform and map entity data to target systems. You can define how data is transformed when imported from Entra ID into Teramind. These rules allow you to clean, format, or modify specific attributes before they are assigned to a user profile.
Synchronization Requirements:
To successfully sync a user from Entra ID to Teramind, the user must have an email address, first name, and last name defined. These attributes can be assigned either statically within Entra ID or dynamically using the Teramind mapping rules.
General
Name:
Give a descriptive title to identify this specific rule within your configuration list.
Target:
Defines the entity type this rule affects. You can select from User or Group.
Action and Parameters:
Actions determine the specific operations Teramind performs when a rule's criteria are met, such as "Enable monitoring" or "Set position from field."
While many actions are universal, others are context-sensitive and will only appear if the target is a "User" or a "Group".
Certain actions also include granular parameters to further refine the behavior; for instance, the "Sync department from group" action provides toggle options to "Create department if it doesn't exist" and "Update existing department data". This ensures that the synchronization doesn't just pull data, but manages how that data interacts with your existing Teramind organizational structure.
The following table details the available actions for each target type and their associated configuration parameters:
Enable monitoring | Enable monitoring for the selected user.
Target: User
Parameters: N/A |
Disable monitoring | Disable monitoring for the selected user.
Target: User
Parameters: N/A |
Map fields | Map source fields to target fields.
Target: User, Group
Parameters: Supports the List of field mappings parameter with two sub-parameters:
For example, Map Entra field “mobilePhone” to Teramind’s “Phone” field or map “displayName” to "firstName”, etc. |
Template field | Set a field using a dynamic template string. This action sets a Teramind field using a dynamic template string that combines static text with variables from your directory.
Target: User, Group
Parameters: This action supports two parameters:
In the above example, if a user’s display name is "Alice" and her department ID is "Engineering," the position field in Teramind will be automatically populated as "User: Alice, Department: Engineering". |
Regex transform | Apply regex transformation to a source field and set the result on a target field.
Target: User, Group
Parameters: This action supports a few parameters:
As an example, suppose your Entra ID stores phone numbers with an internal extension (e.g., “+1-555-0199 ext 123”) but you only want the main number in Teramind. You would set up the Regex pattern to match as something like “(\+\d-\d{3}-\d{3}-\d{4}).*” and set up the Replacement string as “\1”. |
Normalize field | Normalize a field value by converting to lowercase and removing all whitespace. This action is used for basic data cleanup to ensure consistency across your directory. For example, if email addresses in Entra ID contain inconsistent capitalization or accidental spaces, you can use the Normalize field action.
Target: User, Group
Parameters: This action comes with four parameters:
Result: An entry like " |
Set position from field | Set position for the employee based on a field from the unified entity.
Target: User
Parameters: This action supports only one parameter:
For example, if the Entra ID jobTitle for a user is "Senior Analyst," their Position in Teramind will be set to "Senior Analyst". |
Set position from value | Set position for the employee based on a static value.
Target: User
Parameters: Similar to the above action, but uses a static value instead so that you can type the position manually.
In the above example, every user processed by this rule will have their position in Teramind set to "Remote Consultant”. |
Create departments from user field | Create departments based on unique values from a specified user field.
Target: User
Parameters: This action comes with two parameters:
In the above example, if "New York" is found in the specified user field, Teramind will automatically create or map the user to a "DEP-New York" department. |
Sync employee | Synchronize employee data from the user entity. This action lets you manage how user accounts are handled during the synchronization process.
Target: User
Parameters: This action comes with two parameters:
|
Sync department from group | Synchronize department data from the group entity. This action automates department management by syncing specific Groups from the directory as Departments in Teramind.
Target: Group
Parameters: This action comes with two parameters:
|
Add employees to departments by field match | Add employees to departments based on matching field values. Automatically assigns IDs in employees and departments.
Target: User, Group
Parameters: This action has two parameters:
Example 1: Direct Name Matching: This is the most common setup where a user's department attribute in the directory exactly matches the name of a department you have already created in Teramind:
Scenario: If a user’s Entra ID department attribute is "Customer Success" and you have a department in Teramind named "Customer Success," the user will be automatically added to that department.
Example 2: Regional Department Assignment: You can use geographic data to sort users into regional departments you have established in Teramind:
Scenario: A user located in "London" will be added to the Teramind department named "London," allowing you to apply region-specific monitoring settings automatically.
Note: If the value in the source field does not have a corresponding match in Teramind, the user will not be assigned to any department by this specific rule. |
Relate employees to department by group membership | Automatically relate employees to departments based on their Entra ID group memberships. Links employees to specific Teramind departments based on their membership in organizational groups within the Entra directory.
Target: User, Group
Parameters: N/A |
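As an added example (not Teramind's own code), the following models the field-level mapping actions described in the table above: Map fields, Template field, Regex transform, Normalize field, Set position from field and Create departments from user field, followed by the synchronization requirement that email, first name and last name must be present. The user record is constructed; the `{sourceField}` placeholder syntax for templates, the `prefix` parameter for department creation, and the choice to leave the target field unset when a regex does not match are assumptions, since the page does not specify them. Note that the page's sample number "+1-555-0199" has a 3-4 digit local part and does not match the page's 3-3-4 pattern, so the constructed record uses a ten-digit number that does; the test below also shows what happens with the non-matching form.

```python
import re

# Constructed sample Entra ID user record (not real directory data)
SOURCE_USER = {
    "displayName": "Alice Example",
    "givenName": "Alice",
    "surname": "Example",
    "mail": " Alice.Example @Example.COM ",
    "mobilePhone": "+1-555-010-0199 ext 123",
    "jobTitle": "Senior Analyst",
    "department": "Engineering",
    "city": "New York",
}

# Pattern and replacement as given on the page for the Regex transform action
PHONE_PATTERN = r"(\+\d-\d{3}-\d{3}-\d{4}).*"
PHONE_REPLACEMENT = r"\1"


def map_fields(source, target, mappings):
    """Map fields: copy each (source field, target field) pair that exists in the source."""
    for src, dst in mappings:
        if src in source:
            target[dst] = source[src]
    return target


def template_field(source, target, target_field, template):
    """Template field: static text plus {sourceField} placeholders (placeholder syntax assumed)."""
    target[target_field] = template.format_map(source)
    return target


def regex_transform(source, target, source_field, pattern, replacement, target_field):
    """Regex transform: substitute pattern with replacement and store on target_field.
    If the source value does not match, the target field is left unset (assumption)."""
    value = source.get(source_field)
    if isinstance(value, str) and re.search(pattern, value):
        target[target_field] = re.sub(pattern, replacement, value)
    return target


def normalize_field(source, target, source_field, target_field):
    """Normalize field: lowercase the value and remove all whitespace."""
    value = source.get(source_field)
    if isinstance(value, str):
        target[target_field] = re.sub(r"\s+", "", value).lower()
    return target


def set_position_from_field(source, target, source_field):
    """Set position from field: copy the chosen directory attribute into position."""
    target["position"] = source.get(source_field)
    return target


def department_name_from_field(source, source_field, prefix=""):
    """Create departments from user field: department name is prefix + field value
    (the page's example yields "DEP-New York"; the prefix parameter is assumed)."""
    value = source.get(source_field)
    return f"{prefix}{value}" if value else None


REQUIRED = ("email", "firstName", "lastName")


def missing_required(target):
    """Synchronization requirement: a user needs email, first name and last name to sync."""
    return [f for f in REQUIRED if not target.get(f)]


def build_employee(source):
    """Run a set of mapping rules, in order, against one directory user."""
    target = {}
    map_fields(source, target, [("givenName", "firstName"), ("surname", "lastName")])
    normalize_field(source, target, "mail", "email")
    regex_transform(source, target, "mobilePhone", PHONE_PATTERN, PHONE_REPLACEMENT, "phone")
    template_field(source, target, "position", "User: {displayName}, Department: {department}")
    target["department"] = department_name_from_field(source, "city", prefix="DEP-")
    return target


if __name__ == "__main__":
    employee = build_employee(SOURCE_USER)
    print(employee)
    print("missing required fields:", missing_required(employee))  # []
```

Running the rules in the order shown matters in the same way it does for extraction rules: a later action that writes the same target field (for example Set position from field after Template field) overwrites the earlier result.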
Condition
The Condition section for mapping rules functions identically to the Condition section in the extraction rules.
Managing Existing Integrations
Once you have any integration(s) in place, you will be able to manage them from the Integrations screen:
1. Click the Gear icon under the Actions column to configure an integration. You will be taken to the Microsoft Entra ID Directories screen:
2. Sync Directory: Click the Sync Now button to manually trigger your rules and update the resources in Teramind.
3. Revoke Connection: Click the Revoke button to remove the integration. Note: you can also remove an integration from the main Integrations screen.
Revoking a connection will stop all syncing for users, groups, rules, and remove the integration. This action cannot be undone. However, any resources already imported will remain in Teramind.
4. Manage Rules: Use this screen to add, edit, or toggle rules. For detailed configuration steps, see the Setting Up a New Integration section.
Removing the Integration
Uninstalling the App from Azure
1. Select Microsoft Entra ID from your Azure portal.
2. Select Enterprise applications from the left panel.
3. Select All applications from the left panel.
4. Find the Teramind Entra ID app and click on it.
5. Select Manage > Properties from the left panel.
6. Click the Delete button on top to remove the app.
Removing the Integration from Teramind
Click the Trash Can icon under the Actions column to remove an integration from Teramind.
Revoking a connection will stop all syncing for users, groups, rules, and remove the integration. This action cannot be undone. However, any resources already imported will remain in Teramind.