FAQ - Microsoft Entra ID (formerly Azure AD)

Here you will find a collection of frequently asked questions from our customers about the integration with Microsoft Entra ID.

As an administrator, I explored the system but was unable to find information on how to activate Microsoft Entra ID.

Currently, there is no automatic activation of Microsoft Entra ID within the system. Instead, the activation of the integration with Microsoft Entra ID must be carried out in collaboration with AM System. This approach ensures a thorough review of the integration process, minimizing the risk of issues and misunderstandings. For detailed instructions on how to request this feature, please refer to the article on Integrating AM System with Microsoft Entra ID.

What are the system requirements for integrating AM System with Microsoft Entra ID?

A prerequisite for integrating the AM System with Microsoft Entra ID is that you must be using version 6 of the AM System.

Is it possible to have a mixed login environment, meaning both users linked to Microsoft Entra ID and local users in the AM system?

Yes, it is possible; however, it's important to note that a user cannot be both a local user in the AM system and linked to Microsoft Entra ID at the same time. A user must be either a local user or connected to Microsoft Entra ID.

It is essential to check for duplicate email addresses before activating Microsoft Entra ID. Why is this necessary?

The system utilizes the user's email address to match existing users in the AM System with Microsoft Entra ID. Users are matched based on their email addresses (the E-mail field in the AM System) against the User Principal Name (userPrincipalName) in Microsoft Entra ID. If a user exists in both systems with the same email address, these two users are matched and inherit settings and history. However, if there are duplicate email addresses—meaning multiple users have the same email address—the system cannot determine which user to match against. For more details, please refer to the section Matching Existing Users in our documentation.

We do not use the user's email address in the User Principal Name (UPN). Is it possible to use another field to match our users?

Currently, we can only use the User Principal Name (UPN) to match users. If you do not use the user's email address as the UPN, you will need to update the email addresses of your existing users in the AM System to align with the UPN format that you are using in Microsoft Entra ID. This adjustment is necessary to facilitate the matching of existing users.
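The duplicate and UPN checks described in the two answers above can be run against exports before activation is requested. The following is an added example, not part of AM System or its documentation. The CSV column names, the sample rows and the case-insensitive comparison are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports (not real data). Column names are assumptions.
AM_USERS_CSV = """id,name,email
101,Anna Berg,anna.berg@example.com
102,Anna B (old),Anna.Berg@example.com
103,Lars Holm,lars@example.com
104,Vendor Account,ext.vendor@partner.example
105,No Mail,
106,Mia Lind,mia.lind@example.com
"""

ENTRA_USERS_CSV = """userPrincipalName
anna.berg@example.com
lars.holm@example.com
mia.lind@example.com
"""


def norm(addr):
    # Assumption: compare trimmed and lower-cased, so near-duplicates
    # that differ only in case are flagged rather than missed.
    return addr.strip().lower()


def preactivation_report(am_csv, entra_csv):
    """Group AM System users by E-mail and compare against Entra UPNs."""
    by_email = defaultdict(list)
    for row in csv.DictReader(io.StringIO(am_csv)):
        if row["email"].strip():
            by_email[norm(row["email"])].append(row["id"])
    upns = {norm(r["userPrincipalName"])
            for r in csv.DictReader(io.StringIO(entra_csv))}
    return {
        # Same address on several AM users: matching is ambiguous, fix first.
        "duplicates": {e: ids for e, ids in by_email.items() if len(ids) > 1},
        # Exactly one AM user whose E-mail equals a UPN.
        "will_match": sorted(e for e, ids in by_email.items()
                             if len(ids) == 1 and e in upns),
        # AM users with no UPN counterpart (e.g. E-mail differs from UPN).
        "local_only": sorted(e for e in by_email if e not in upns),
        # UPNs with no AM user carrying that E-mail.
        "unmatched_upns": sorted(upns - set(by_email)),
    }
```

In the sample, lars@example.com and lars.holm@example.com show the case from the second answer: the E-mail field does not equal the UPN, so the existing user is not matched until the address in AM System is updated.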

Is it possible to create local users in the system with email addresses from a different domain than the one used in Microsoft Entra ID, or is there a risk of conflict during synchronization with Microsoft Entra ID?

Yes, it is perfectly acceptable to create local users in the AM System with unique email addresses, provided that there are available licenses. We emphasize the importance of managing email addresses and avoiding duplicates to minimize the risk of multiple users sharing the same email address linked to Microsoft Entra ID. If this occurs, the system may struggle to match Microsoft Entra ID users with local users during the initial synchronization process.

Can we, as administrators of the AM System, determine whether a user is a local user or linked to Microsoft Entra ID?

Yes, you can easily check this by navigating to the Personnel » View All section. In the search results, you will find information about each user's status in the Linked User column.

The Linked Azure AD information is also displayed on the user profile for those users who are connected to Microsoft Entra ID.

Is it possible to search for all users who are linked to Microsoft Entra ID or those who are not?

Currently, there is no feature available to specifically search for users linked to Microsoft Entra ID. However, you can view all personnel by navigating to the Personnel » View All section, and then sort the results by the Linked User column. This will allow you to display all linked users at the top of the search results.

I have added users to our Microsoft Entra ID, but I cannot see them in the AM System. How often is user synchronization performed, and what are the typical intervals?

Once a user is granted permission to access the application integrated with the AM System, they will be synchronized to the AM System. This synchronization occurs via SCIM provisioning and typically takes about 40 minutes to complete. Therefore, it is normal for new users to appear in the AM System within this timeframe. If you are using Microsoft on-premise, you should also account for the additional time required for the update to reach Microsoft Entra ID.

We have several users in Microsoft Entra ID that we have configured to gain access to the AM System, but not all of these users have been created in the AM System.

The synchronization between Microsoft Entra ID and the AM System occurs continuously at specific intervals. Typically, this process should not take more than approximately 60 minutes. However, if you are using Microsoft on-premise, you must also consider the additional time required for updates to reach Microsoft Entra ID, which can sometimes take several hours. If users are not being created in the AM System, it may be due to the requirement that both first name (givenName) and last name (surname) must be specified in Microsoft Entra ID for the user to be successfully created. Therefore, please ensure that these details are provided for each user.

Is it necessary to have sufficient licenses available when new users are synchronized from Microsoft Entra ID, or can licenses be added after the users have been synchronized?

The activation and synchronization of users will not fail even if the number of licenses is insufficient. However, if the licenses are not increased, you will be unable to make any changes to the profile settings until the number of licenses is adequate to cover all users. Therefore, we recommend that you always start by adding the necessary number of licenses before activating Microsoft Entra ID.

Can our users bypass the login page now that we are using Microsoft Entra ID?

Yes, users linked to Microsoft Entra ID can access your system by using the system URL and appending "/auth" to the end of the address (e.g., https://*****.amsystem.com/auth). Please note that "auth" must be in lowercase. If the user has already authenticated, they will be automatically logged into the AM System without needing to click on "Log in with Azure AD" or enter their username and password. If the user has not yet authenticated, they will see the Microsoft web authentication dialog instead.
Please note that since the AM System is a web-based platform, the user's browser must recognize that they have already authenticated with Microsoft Entra ID. This recognition allows users to bypass entering their login credentials.

Do you support Microsoft Entra ID via SAML 2.0?

Currently, we only support OAuth and provisioning through SCIM.

Can we use nested groups (groups within groups) to assign users to the application?

No, this is not recommended. According to Microsoft, "When you assign a group to an application, only users directly in the group will have access. The assignment does not cascade to nested groups."
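To see why expected users may never appear, the two rules stated on this page (only direct group members are assigned, and both givenName and surname are required) can be applied to a directory export. This is an added example, not AM System or Microsoft code. The data shapes, group names and users are constructed for illustration.

```python
# Constructed sample directory data (not a real tenant); shapes are assumptions.
USERS = {
    "anna@example.com": {"givenName": "Anna", "surname": "Berg"},
    "lars@example.com": {"givenName": "Lars", "surname": ""},
    "mia@example.com": {"givenName": "Mia", "surname": "Lind"},
    "omar@example.com": {"givenName": "Omar", "surname": "Aziz"},
}
GROUPS = {
    "AM-Users": {"users": ["anna@example.com", "lars@example.com"],
                 "groups": ["AM-Contractors"]},
    # Nested group that also points back at its parent (a cycle).
    "AM-Contractors": {"users": ["mia@example.com"], "groups": ["AM-Users"]},
}


def nested_users(group, groups, seen=None):
    """Users reachable only through groups nested inside `group`."""
    seen = seen if seen is not None else {group}
    found = set()
    for child in groups[group]["groups"]:
        if child in seen:  # guard against group cycles
            continue
        seen.add(child)
        found |= set(groups[child]["users"]) | nested_users(child, groups, seen)
    return found


def provisioning_preview(assigned, groups, users):
    """Classify users for the groups assigned to the enterprise application."""
    direct, nested = set(), set()
    for g in assigned:
        direct |= set(groups[g]["users"])
        nested |= nested_users(g, groups)
    nested -= direct  # a direct member is assigned regardless of nesting

    def complete(upn):
        return all(users[upn].get(k, "").strip()
                   for k in ("givenName", "surname"))

    return {
        "created": sorted(u for u in direct if complete(u)),
        # Directly assigned, but first or last name is empty.
        "missing_name": sorted(u for u in direct if not complete(u)),
        # Members of nested groups only: the assignment does not cascade.
        "nested_only": sorted(nested),
    }
```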

Do you have a guide on how to set up the integration between Microsoft Entra ID and the AM System?

Here is an example configuration for your reference. Please note that this is not intended to be a comprehensive manual, as your specific setup for Microsoft Entra ID may differ.

Is there anything else we should consider?

Before activating this feature in the AM System, it is advisable to inform users and any external vendors about its implementation and what it entails. For instance, the login interface will appear slightly different, as a separate login dialog will be presented for users to authenticate using their Microsoft credentials. Users who are not linked to Microsoft Entra ID can still access the system by using the "Log in with local login" option.

An important detail to keep in mind is to ensure that all users log into your site using the exact address without any additional extensions after the domain. For example, the URL https://abc123.amsystem.com/ will work correctly, whereas https://abc123.amsystem.com/index.php will not function and may result in an error message such as "AADSTS50011: The redirect URI 'https://abc123.amsystem.com/index.php' specified in the request does not match the redirect URIs configured for the application...".

Please note: We advise against using the "incognito," "InPrivate," or "private" browsing modes in your browser when Microsoft Entra ID is enabled, as this may lead to failures in the login process.

We currently have an integration with Microsoft Entra ID and the AM System, but we need to migrate our tenant to a different tenant. Is it possible to transfer this integration, and if so, what steps should we follow?

Yes, it is possible to migrate from one tenant to another, but it requires some manual effort. We use Object IDs to identify existing users, and since the Object IDs differ between the current tenant and the new tenant, we need to obtain an export of all users included in the existing application along with their Object IDs and the new Object IDs for those users. After this, we will need to schedule a meeting to carry out the migration together with you. Specifically, during this meeting, you will need to set up a new enterprise application while we update the users' Object IDs in the AM System. This process typically takes about 1-2 hours to complete, and during this time, the system will be shut down, preventing any users from accessing the system until the migration is finished.
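Because users are identified by Object ID, a wrong row in the migration export links an account to the wrong person. The following sanity check for such an export is an added example, not AM System's own tooling. The file layout, column names and IDs are constructed assumptions.

```python
import csv
import io
import uuid
from collections import Counter

# Constructed sample mapping (not real IDs); column names are assumptions.
MAPPING_CSV = """userPrincipalName,oldObjectId,newObjectId
anna@example.com,11111111-1111-4111-8111-111111111111,aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa
lars@example.com,22222222-2222-4222-8222-222222222222,aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa
mia@example.com,33333333-3333-4333-8333-333333333333,
omar@example.com,44444444-4444-4444-8444-444444444444,44444444-4444-4444-8444-444444444444
"""


def is_guid(value):
    """True only for a GUID in canonical 8-4-4-4-12 form."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def validate_mapping(mapping_csv):
    """Return (userPrincipalName, problem) pairs for rows that need fixing."""
    rows = list(csv.DictReader(io.StringIO(mapping_csv)))
    old_seen = Counter(r["oldObjectId"].lower() for r in rows)
    new_seen = Counter(r["newObjectId"].lower() for r in rows if r["newObjectId"])
    problems = []
    for r in rows:
        upn = r["userPrincipalName"]
        old, new = r["oldObjectId"].lower(), r["newObjectId"].lower()
        if not is_guid(old) or not is_guid(new):
            problems.append((upn, "missing or malformed Object ID"))
        elif old == new:
            # Object IDs differ between tenants, so this row was not updated.
            problems.append((upn, "new Object ID equals old one"))
        elif old_seen[old] > 1:
            problems.append((upn, "old Object ID listed more than once"))
        elif new_seen[new] > 1:
            problems.append((upn, "new Object ID shared with another user"))
    return problems
```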

Last updated: 4 March, 2025