This integration requires using groups/teams. Kisi groups that are synced through the Azure integration shouldn’t be used for manually added users. To add one-off employees on an as-needed basis, set up separate groups alongside the synced ones.
Azure Active Directory (Azure AD) is a comprehensive identity and access management cloud solution that gives you a robust set of capabilities to manage users and groups. If your organization uses Azure AD, you can use the Kisi + Azure integration to keep the access directory of your Kisi groups up to date. With this integration, your Azure directory will sync to Kisi every 15 minutes.
Enable the Azure AD integration
Note: To set up this integration, you need the correct permissions in Azure, which means the Global Admin role. The integration must also be set up using the Kisi master account, that is, the login you used to create the place. In Azure, you will need the following permissions:
• Read all group memberships (GroupMember.Read.All)
• Read all users' full profiles (User.Read.All)
Emails added must be active email addresses. If an account with an inactive mailbox is added into Kisi as a member, email delivery will fail, and the account will automatically be blacklisted by Kisi's mail servers.
To enable the Azure AD integration:
- Sign in to Kisi with your Place/Organization Owner account
- Under Setup, go to Integrations and click on Add Integration
- Enter a name for the integration and select Azure Active Directory User Import from the dropdown
- Click on Authorize with Microsoft and you’ll be redirected to the Microsoft Authentication screen
- Sign in with your Microsoft account that has Admin privileges
- Click Accept to allow the integration read access
- In Kisi, you should now see additional fields to configure the integration. Select the Active Directory Group.
- In the User Email Property section, choose either User Principal Name or Mail, whichever attribute contains the user's email address in Azure AD. The default value is User Principal Name.
- Map the Azure Group to the Kisi Group/Team. A Kisi Group/Team is needed to share access to your place(s) with your users. If you choose the option Import as users only, the users will be imported but won't receive an invitation email from Kisi or have any access in your place(s).
- When you click Add, this configuration will be set up immediately and access will start to be shared with everyone in the organizational unit. Everyone in the Azure AD Group will get an email notification that Kisi access has been shared with them unless you chose Import as users only.
How many Azure Active Directory Integrations can I add?
Since companies might have more complex organizational setups, we allow unlimited integrations (depending on the type of Kisi subscription). Each integration supports up to 5k users.
Do I have to create an extra integration for each group?
Yes, every group needs its own integration.
How fast does the integration synchronize?
Kisi fetches the status of the Azure Active Directory every 15 minutes.
If the integration is deleted, are all keys revoked?
All shares will be deleted, but the user profiles remain. That means they can’t access using those credentials anymore, but can still log in to their app. Without credentials, they will not see any doors associated with your place, however.
Why does deleting a user in Azure not delete it in Kisi?
Deleting a user in Azure only deletes the share and not the member on the Kisi side.
What admin level is needed to set up the integration?
Only a global admin can set up the integration.
Can I import nested Organizational Units?
Not at the moment, unfortunately, but we are working to release this feature soon!
I have several Organizational Units in Azure, but I only see a few of them when I try to import. Why?
The preview on the Kisi side only shows 5 Organizational Units. If you start typing in the search bar, you should see your other ones as well. If not, please reach out to Kisi support.
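A pre-flight check for one group mapping, covering the User Email Property choice from the setup steps and the 5k-user and nesting limits from the FAQ. It is an added example, not Kisi or Microsoft code. It assumes you have exported the group's members in the shape Microsoft Graph returns them (`@odata.type`, `userPrincipalName`, `mail`); the `preflight` function, the sample data, and the reading of a group-type member as the non-imported nested case are assumptions of this example.

```python
import json
import re

MAX_USERS = 5000  # per-integration limit stated on this page
# '#' is excluded so guest UPNs of the form name#EXT#@tenant are rejected.
EMAIL_RE = re.compile(r"^[^@\s#]+@[^@\s#]+\.[^@\s#]+$")

# Constructed sample in the shape of a Microsoft Graph group-members listing.
SAMPLE_MEMBERS = json.loads("""[
 {"@odata.type": "#microsoft.graph.user",
  "userPrincipalName": "ana@example.com", "mail": "ana@example.com"},
 {"@odata.type": "#microsoft.graph.user",
  "userPrincipalName": "svc-door@example.onmicrosoft.com", "mail": null},
 {"@odata.type": "#microsoft.graph.user",
  "userPrincipalName": "bo_partner.example#EXT#@example.onmicrosoft.com",
  "mail": "bo@partner.example"},
 {"@odata.type": "#microsoft.graph.group", "displayName": "Contractors"}
]""")


def preflight(members, email_property="userPrincipalName"):
    """Return (emails, findings) for one Azure group to Kisi group mapping."""
    if email_property not in ("userPrincipalName", "mail"):
        raise ValueError("email_property must be userPrincipalName or mail")
    emails, findings, seen = [], [], set()
    for m in members:
        kind = m.get("@odata.type", "")
        label = m.get("userPrincipalName") or m.get("displayName") or "?"
        if not kind.endswith(".user"):
            # Assumption: non-user members (e.g. nested groups) are not imported.
            findings.append(f"not a user, will not be imported: {label}")
            continue
        value = (m.get(email_property) or "").strip().lower()
        if not EMAIL_RE.match(value):
            findings.append(f"{email_property} is not an email address: {label}")
            continue
        if value in seen:
            findings.append(f"duplicate address: {value}")
            continue
        if email_property == "userPrincipalName" and not m.get("mail"):
            # Heuristic: an empty mail attribute often means no mailbox.
            findings.append(f"no mail attribute, verify mailbox: {label}")
        seen.add(value)
        emails.append(value)
    if len(emails) > MAX_USERS:
        findings.append(f"{len(emails)} users exceeds the {MAX_USERS} limit")
    return emails, findings


if __name__ == "__main__":
    for prop in ("userPrincipalName", "mail"):
        print(prop, *preflight(SAMPLE_MEMBERS, prop), sep="\n  ")
```

Running it against both attribute choices before mapping a group shows which accounts would receive an invitation at an address that cannot accept mail.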