Sync Group Members


Overview

This guide provides step-by-step instructions for integrating Microsoft Entra ID groups with CloudLabs VM Labs. By synchronizing the lab with a Microsoft Entra group, user management becomes automatic and aligned with your organization's Microsoft Entra ID.

Once this integration is completed, you will be able to assign labs to Entra ID groups, and all group members will have access to those labs. Please note that group members are synchronized every 24 HRS; you can force a sync if you want immediate group membership changes reflected in CloudLabs.

Before proceeding with the next steps, you can choose either of the following Entra ID Group integration types in CloudLabs:

  • Entra ID Direct Access

  • Entra ID Administrative Units (optional)

    NOTE: Both options allow group-based integration to CloudLabs, but AU-based sync lets you scope synchronization to a smaller subset of groups in your Entra ID.

Let’s look at the steps:

  1. Create an Entra ID Service Principal

  2. Configure Entra ID Integration in CloudLabs Portal

CloudLabs will need permissions to read your Entra ID data (group and group members) to enable this integration.

Create a Service Principal

Please create a service principal within your Entra ID organization with the required permissions.

  1. Please see Microsoft’s documentation on how to create a service principal: https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal

  2. Please create a service principal with the following specifications:

    1. Name: “CloudLabs-EntraID-GroupsSync-SPN” (or any other name as per your organizational best practices)

    2. Supported Account Type: Accounts in this organizational directory only (Single tenant; the portal shows your own organization name here, e.g. “Spektra Systems LLC only - Single tenant”)

    3. Redirect URI: Leave Blank

  3. In the service principal, navigate to API Permissions and click on Add Permissions. Select Microsoft Graph.

  4. Select Application Permissions and search for “Directory.Read.All” (required for the Entra ID Direct Access integration type)

  5. Click on Add Permissions and Grant Admin consent for your organization.

  6. Navigate to Secrets and create a secret. You may configure the expiry date as you see fit.

  7. Make a note of the following values. You’ll need them in the CloudLabs portal.

    1. Tenant Id (3): The Microsoft Entra tenant ID of your Microsoft tenant.

    2. Client Id (4): Service principal client ID.

    3. Client Secret (5): Secret Value.

Once you have these values ready, you can proceed to the next step.

Pre-requisites for Entra ID integration using Administrative Units (AU)

Before enabling integration with Microsoft Entra ID Administrative Units (AUs) in CloudLabs, ensure the following requirements are met:

  1. Microsoft Entra ID P1 license
    Using Administrative Units is a feature available only with Microsoft Entra ID Premium P1 (or higher) licensing.

  2. Service Principal must have "AdministrativeUnit.Read.All" API permission

    To allow CloudLabs to read information about Administrative Units and the associated groups, the Service Principal (SPN) used for integration must be granted the "AdministrativeUnit.Read.All" application-level permission from Microsoft Graph API.

    To provide the necessary permissions, please follow the steps below:

    - In the service principal, navigate to API Permissions and click on Add Permissions. Select Microsoft Graph.

    - Select Application Permissions and search for "AdministrativeUnit.Read.All"

    - Click on Add Permissions and Grant Admin consent for your organization.

  3. SPN should be added as "Group Administrator" on the AU scope

    In addition to the API permissions, the SPN must be scoped to the Administrative Unit to retrieve its group memberships. You must assign the SPN the “Group Administrator” role at the Administrative Unit level, not at the directory-wide level.

    To achieve this, follow the steps below:

    - Navigate to the AU (1) you wish to integrate with CloudLabs, click on “Roles and Administrators (2)” and select “Group Administrator (3)”.

    - Click on “Add assignments”

    - Search for the SPN using the Application Client ID and select the application.

    - Click on “Next” and proceed to assign the permissions.

Set up Entra ID Group Sync Integration within CloudLabs

  1. Navigate to the CloudLabs portal using a browser.

  2. Navigate to the Manage VM Labs tab present in the side pane.

  3. Navigate to the Global Settings page.

  4. Navigate to the “Integrations (1)” tab within the Settings page and configure the following details:

    1. Entra Id Group Configuration (2): This configuration will be used to synchronize the Microsoft Entra Groups.

    2. Authentication Context (3): Select how CloudLabs should authenticate and sync Entra ID groups for your labs.

      1. Entra ID Direct Access (7) - Synchronize groups directly from the entire Microsoft Entra ID tenant.

      2. Entra ID Administrative Units (8) - Limit synchronization to groups within a specific Entra ID Administrative Unit.

    3. Tenant Id (4): Provide the Microsoft Entra Tenant ID of your Microsoft Tenant.

    4. Client Id (5): Provide the service principal client ID.

    5. Client Secret (6): Provide the secret key of the service principal.

      NOTE: Depending on the integration type, the service principal must have the “Directory.Read.All” (Entra ID Direct Access) or “AdministrativeUnit.Read.All” (Entra ID Administrative Units) API permission to perform the group sync operation.

    6. Once the details are provided, click on “Save (9)” and confirm the updates.

    7. To reset the integration configuration, click on “Reset (10)”.

Sync Group Members

Now that you have learned how to integrate Microsoft Entra ID groups with CloudLabs VM Labs, you can proceed with syncing group members to a lab.

  1. Navigate to your Lab > Users.

  2. Click on Sync Group Members.

  3. Select a group (1) from the dropdown and click Save.

  4. In the case of AU integration, the AU name (2) is shown next to the group name.

You will now see that the group members are available in the users listing. Please note that group members are synchronized every 24 HRS; click on Sync Group Members again to force a sync of any changes.

Troubleshooting

  1. If you are unable to see the group dropdown list or to sync group members, please verify that your service principal still has the required permissions and that its secret has not expired.

  2. Please review activity logs for more error information or contact Support for further troubleshooting.
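The note under Client Secret and troubleshooting item 1 both come down to one question: does the token the service principal obtains actually carry the application permission the chosen integration type needs? The following is an added example, not CloudLabs or Microsoft code, that requests an app-only token with the client-credentials grant and inspects its `roles` claim; the integration-type keys `direct` and `au`, the helper names, and the constructed test token are assumptions for illustration.

```python
"""Check that a sync SPN's app-only Graph token carries the required permission."""
import base64
import json
import time
import urllib.parse
import urllib.request

# Microsoft Graph application permission each integration type needs (from the guide).
REQUIRED_ROLES = {
    "direct": {"Directory.Read.All"},           # Entra ID Direct Access
    "au": {"AdministrativeUnit.Read.All"},      # Entra ID Administrative Units
}
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def acquire_app_token(tenant_id, client_id, client_secret):
    """Client-credentials request to the v2.0 token endpoint (needs network).
    An expired or wrong secret is rejected here with an invalid_client error."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def decode_claims(token):
    """Read the JWT payload for inspection only; the signature is not verified here."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_sync_token(token, integration, now=None):
    """Report missing app roles, expiry and audience for the given integration type."""
    claims = decode_claims(token)
    granted = set(claims.get("roles", []))        # admin-consented application permissions
    now = time.time() if now is None else now
    return {
        "missing_roles": sorted(REQUIRED_ROLES[integration] - granted),
        "expired": claims.get("exp", 0) <= now,
        "audience_ok": claims.get("aud") in GRAPH_AUDIENCES,
    }


def make_unsigned_token(claims):
    """Constructed, unsigned JWT used only to exercise the checks offline."""
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}."
```

A token that lacks the role for the selected integration type means admin consent was not granted for that permission, which is the portal-side cause of an empty group dropdown.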