Enroll users to your MA program with Microsoft Entra ID or Microsoft 365 Active Directory

You can enroll users to the MA program using Microsoft Entra ID® or Microsoft 365 Active Directory®.

Requirements

• Microsoft Entra ID Cloud

  On-premises Microsoft Entra ID is not supported.

• Single tenant account types

  Multi-tenancy is not supported.

Steps

1. If you are using:

   • Microsoft Entra ID — Sign in to the Microsoft 365 admin center and click Identity under Admin centers.
   • Microsoft 365 — Click Apps > Admin, and then click Show all.

     Tip: You can also access this from Microsoft Admin Console.

2. Register your AW integration:

   1. In the navigation menu, under Identity, click Applications > App registrations.

   2. Click + New registration.

   3. On the Register an application page, do these actions:

      • Name — Enter the name that you want displayed for your application. We recommend naming it Arctic Wolf Managed Security Awareness Integration.
      • Supported account types — Select Accounts in this organizational directory only (Single tenant).

        Note: Multi-tenancy is not supported.

   4. Click Register. The Overview page for the newly registered application opens.

3. Assign permissions to your AW integration:

   1. In the navigation menu, under Manage, click API permissions.

   2. Click + Add a permission.

   3. Click Microsoft Graph.

   4. Click Application permissions.

      Note: Do not click Delegated permissions. This does not provide the API permissions required for MA setup, so it will cause an insufficient permissions error message.

   5. In the Select permissions search box, enter Directory.Read.All, expand Directory, and then select the Directory.Read.All checkbox.

   6. In the Select permissions search box, search for User.Read.All, expand User, and then select the User.Read.All checkbox.

   7. Click Add permissions.

   8. In the Configured permissions section, click Grant admin consent for <company_name>.

   9. On the Grant admin consent confirmation dialog, click Yes.

      Your Microsoft Graph permissions should look like this:

      

4. Generate a client secret for your MA integration:

   1. In the navigation pane, under Manage, click Certificates & secrets.

   2. Click the Client secrets tab, and then click + New client secret.

   3. On the Add a client secret page, do these actions:

      • Description — Enter a meaningful description for the client secret. For example, Arctic Wolf Secret.
      • Expires — Select 730 days (24 months) from the list.

   4. Click Add. Your new client secret appears on the Client secrets tab.

   5. In the Value column, click Copy to clipboard to copy the client secret, and then save it in a safe encrypted location, such as a password manager.

      Notes:

      • The client secret Value is time-sensitive. It is only viewable during the application registration, so it must be saved now.
      • Do not share the client secret with anyone outside of authorized personnel.
      • If Arctic Wolf requires a copy of the client secret, we will provide you with a secure transfer link, such as Egnyte.

5. Obtain the ID values for your MA integration:

   1. In the navigation pane, click Overview.
   2. Take note of these fields and their associated values:
      • Application (client) ID
      • Directory (tenant) ID

6. The MA program uses an AD group to assign sessions to users. Check if you have an existing group for MA users:

   Note: Arctic Wolf cannot sync more than one group.

   1. In the navigation menu, under Identity, click Groups > All groups.
   2. Check if you have an existing group for MA users:

      • If you have an existing group — Confirm this information about your AD group, and then proceed to the next step.

        • Make sure your AD group contains the users that you want to include in the MA program. A user is defined as a single licensed user associated with one email account.
        • If you select an existing group, make sure the group does not contain non-human users, such as fax machines, copy machines, conference rooms, or distribution email groups.
        • Make sure your AD group is a Microsoft 365 or Security group. You cannot use a distribution list or mail-enabled security group.

      • If you do not have an existing group —

        1. Click + New group.
        2. On the New Group page, do these actions:
           • Group type — Select Security from the list.

             Note: you can also use a Microsoft 365 group, but a Security group is preferred.

           • Group name — Enter an easily identifiable name for the AD group. For example, Arctic Wolf Managed Security Awareness, AW MSA, or AW Managed Awareness.
           • Members — Click No members selected, and then select users to add to your AD group.
        3. Click Create.

7. Integrate your Microsoft Entra ID or Microsoft 365 Active Directory credentials with MA:

   1. In a new browser tab, sign in to the MA Portal.
   2. Click Settings > User Management.
   3. On the User Integration page, under What would you like to do? click, Create a new integration.
   4. On the User Integration page, under Integration Type, select Entra ID.
   5. Enter these values that you copied earlier:
      • Application (Client) ID — Enter the Application (client) ID.
      • Directory (Tenant) ID — Enter the Directory (tenant) ID.
      • Client Secret Value — Enter the Value of the client secret.
      • Client Secret Value Expiration Date — Enter the Expires value in MM/DD/YY format.

8. Test your connection and synchronize the credential changes in Microsoft Entra ID or Microsoft 365 Active Directory with MA:

   1. Click Test Connection, and then do one of these actions:

      • If the "Connection Successful" message appears, click Acknowledge, and then click Save Credentials.
      • If errors persist, see Troubleshooting for support.

   2. In the Awareness Group section, in the Select a group list, select the AD group that you created for MA.

   3. Click Query Group.

      Note: Take note of the AD Group name and the total number of users. You will use this number later to make sure the intended users are active in the MA Portal.

   4. Click Save Integration.

   5. On the User Integration page, in the Saved Credentials section, click Sync Now. Active users are pushed to the MA Portal.

9. Check that the intended users are active in the MA Portal:

   1. Click Administration Dashboard.
   2. Click the User Information tab.
   3. Make sure the number of entries at the bottom of the user table match the total number of users you noted earlier.

Next steps

• Complete Step 2: Add MA to email gateway and spam filtering allowlists.