
                                    Account management



                                    Learn how you can create, update and deactivate user accounts on Workplace.
                                    Following the industry trend of migration towards cloud IdP solutions, we have decided to sunset the AD Sync solution on 12 August 2021, after which time our team will no longer provide support or software updates. As of today, you will no longer be able to deploy the AD Sync solution to new Workplace communities. For security reasons, we will sunset the current version (v15) and all previous versions of the AD Sync support software on 1 February 2021.
                                    Which cloud IdP solutions does Workplace integrate with?
                                    Workplace integrates with many IdP solutions, including Microsoft Azure AD, Okta, Harbor, G Suite, OneLogin and Connect by Azuronaut. We encourage you to visit our Integration Directory for a full list of IdP solutions that we partner with. We recommend Microsoft Azure AD as a viable alternative to the current AD Sync solution. You may also follow steps as described here to complete the migration.

                                    What if I'm not ready to migrate to a cloud provider?
                                    Should you prefer not to migrate to a cloud provider at this moment, we would encourage you to update your AD Sync support software to the newly released version (v16) as described, which will continue to function until 12 August 2021.
                                    Overview

                                    As the Workplace Active Directory Sync (also called AD Sync hereafter) product is being deprecated, we've worked together with the Microsoft team to present this guide to help you migrate to Microsoft Azure Active Directory.

                                    Architecture overview

                                    Scenarios

                                    There are two main scenarios that you may encounter when integrating Workplace with Azure Active Directory:

                                    Follow these steps if you're unsure:

                                    Integrate your on-premises Active Directory with Azure Active Directory

                                    If your organisation does not have an Azure tenant, you will need to create one.
                                    More information: Quickstart: Set up a tenant

                                    Azure AD Connect

                                    Azure AD Connect is a Microsoft tool designed to meet your hybrid identity goals. It provides the following features:

                                    • Password hash synchronisation - A sign-in method that synchronises a hash of a user's on-premises AD password with Azure AD.
                                    • Pass-through authentication - A sign-in method that allows Azure AD users to authenticate against your on-premises Active Directory, but doesn't require the additional infrastructure of a federated environment.
                                    • Federated authentication - Federation management is an optional part of Azure AD Connect and can be used to configure a hybrid environment using an on-premises AD FS infrastructure. It also provides AD FS management capabilities such as certificate renewal and additional AD FS server deployments.
                                    • Synchronisation - Responsible for creating users, groups and other objects, as well as making sure that identity information for your on-premises users and groups is consistent between on-premises Active Directory and Azure AD. This synchronisation can also include password hashes.
                                    • Health monitoring - Azure AD Connect Health provides robust monitoring and a central location in the Azure portal to view this activity.
                                    Azure AD Connect

                                    The Azure Active Directory Connect synchronisation service (Azure AD Connect sync) is a main component of Azure AD Connect. It takes care of all the operations that are related to synchronising identity data between your on-premises environment and Azure AD. Azure AD Connect sync is the successor of DirSync, Azure AD Sync and Forefront Identity Manager with the Azure Active Directory Connector configured.

                                    Azure AD Connect cloud provisioning

                                    Azure AD Connect cloud provisioning is a new Microsoft agent designed to meet and accomplish your hybrid identity goals for synchronisation of users, groups and contacts to Azure AD. It can be used alongside Azure AD Connect sync or alone.

                                    How are they different?

                                    With Azure AD Connect cloud provisioning, provisioning from on-premises Active Directory to Azure AD is orchestrated in Microsoft Online Services. An organisation only needs to deploy, in their on-premises and IaaS-hosted environment, a lightweight agent that acts as a bridge between Azure AD and on-premises Active Directory. The provisioning configuration is stored in Azure AD and managed as part of the service.

                                    More information:

                                    Integrate Azure Active Directory automatic provisioning with Workplace

                                    If your organisation does not possess either Azure Active Directory Premium P1 or P2 licensing for all users who will be provisioned, we recommend using attribute-based scoping rather than group-based assignment.

                                    Group-based assignment of users

                                    If you don't already have applicable groups, you can use Azure Active Directory's dynamic groups feature to create a group where only users who meet specified conditions are added as members. Dynamic group membership reduces the administrative overhead of adding and removing users.

                                    More information: Dynamic membership rules for groups in Azure Active Directory

                                    Whether with an existing group or an Azure AD dynamic group, assigning a group of users to the Azure AD enterprise application is as simple as:

                                    • Go to the Workplace enterprise application in the Azure portal, click "Users and groups" and add the group(s)
                                    • After adding Workplace administrator credentials, on the provisioning blade of the Workplace enterprise application, ensure that the "Sync only assigned users and groups" option is set under Scope.

                                    Attribute-based scoping of users

                                    Instead of group-based assignment of users to the Workplace enterprise application, the other option that does not require Azure AD Premium licensing is to use "Sync all users and groups" in combination with attribute-based scoping filters.

                                    A scoping filter allows the Azure Active Directory provisioning service to include or exclude any users who have attribute values matching one or more specified conditions. For example, when provisioning users from Azure AD to an SaaS application (i.e. Workplace) used by a sales team, you can specify that only users with a "Department" attribute of "Sales" should be in scope for provisioning.

                                    Scoping filters can be configured in the enterprise application's Provisioning tab in the Mappings section. Scoping filters can be used as your only method of controlling which users are provisioned into Workplace, or in combination with the group-based assignment feature detailed above.

                                    More information: Attribute-based application provisioning with scoping filters

                                    Sample steps to set up attribute-based application provisioning with scoping filters:

                                    Important: If you're using "Attribute-based scoping of users" for provisioning, make sure that you also go to the Properties panel when you set up the SSO configuration later and set the "User assignment required?" toggle to "No".

                                    If this option is set to "No", then any users who navigate to the application deep-link URL or application URL directly will be granted access.

                                    If this option is set to "Yes", then users must first be assigned to this application before access is enabled. This can only be achieved by assigning all users, by using group-based filtering for assignment, or by adding the users manually.
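
The interaction between the provisioning scope and the "User assignment required?" toggle described above, as a simplified model (an added example, not Microsoft or Workplace code). The User class, the clause format with AND/equality semantics, the group name and the sample directory are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    upn: str
    attrs: dict
    groups: set = field(default_factory=set)

def in_scope(user, clauses):
    """Scoping filter: every (attribute, value) clause must match.
    Assumed semantics for this model: clauses are ANDed, equality only."""
    return all(user.attrs.get(attr) == value for attr, value in clauses)

def is_provisioned(user, sync_only_assigned, assigned_groups, clauses):
    """Would provisioning create this user's Workplace account?"""
    if sync_only_assigned and not (user.groups & assigned_groups):
        return False
    return in_scope(user, clauses)

def can_sign_in(user, assignment_required, assigned_groups):
    """Would the identity provider let this user through to the application?"""
    return not assignment_required or bool(user.groups & assigned_groups)

def audit(users, sync_only_assigned, assignment_required, assigned_groups, clauses):
    """List users whose provisioning and sign-in outcomes disagree."""
    findings = {"account_but_no_sign_in": [], "sign_in_but_no_account": []}
    for user in users:
        account = is_provisioned(user, sync_only_assigned, assigned_groups, clauses)
        sign_in = can_sign_in(user, assignment_required, assigned_groups)
        if account and not sign_in:
            findings["account_but_no_sign_in"].append(user.upn)
        elif sign_in and not account:
            findings["sign_in_but_no_account"].append(user.upn)
    return findings

# Constructed sample directory (not real accounts).
USERS = [
    User("ana@example.com", {"department": "Sales"}),
    User("bo@example.com", {"department": "Finance"}),
    User("cy@example.com", {"department": "Sales"}, {"workplace-users"}),
]
SALES_ONLY = [("department", "Sales")]

if __name__ == "__main__":
    # "Sync all users and groups" + scoping filter, toggle left at Yes.
    print(audit(USERS, False, True, {"workplace-users"}, SALES_ONLY))
    # Same scope with the toggle set to No, as the page instructs.
    print(audit(USERS, False, False, {"workplace-users"}, SALES_ONLY))
```

In this model, leaving the toggle at Yes strands in-scope users who are not in an assigned group, while setting it to No makes the scoping filter the only control over who receives an account.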

                                    Creating and configuring the enterprise application/third-party integration

                                    You will need system administrator credentials from Workplace and either application administrator, cloud application administrator, application owner or global administrator roles in Azure.

                                    More information: Tutorial: Configure Workplace by Facebook for automatic user provisioning

                                    Follow these sample steps to set up user provisioning:

                                    Note:
                                    After testing and saving your Workplace system administrator credentials in the enterprise app's provisioning configuration, you will need to navigate away from the enterprise application or reload the page in your browser before you try and start the provisioning; otherwise the start of the provisioning process will fail.
                                    After some time, you will see the following screen:

                                    Extra: Configure the SSO using Azure as identity provider

                                    You can also set up SSO using the same enterprise application in Azure.

                                    Step-by-step setup of SSO on both Azure AD and Workplace:

                                    SSO URLs correspondence:

                                    Azure                                          Workplace
                                    Identifier (entity URL)                        Audience URL
                                    Reply URL (Assertion Consumer Service URL)     ACS URL
                                    Sign-on URL                                    https://{your-subdomain}.workplace.com

                                    Single sign-on (SSO) setup in Workplace

                                    Workplace                                      Azure
                                    Name of the SSO provider                       Your custom name for the setup
                                    SAML URL                                       Login URL
                                    SAML issuer URL                                Azure AD identifier
                                    SAML logout URL (optional)                     Logout URL

                                    Make sure you add the corresponding domains to the SSO. These domains must be verified in Workplace.

                                    Once the SSO has been configured, you will need to define the authentication method for your users. This can be SSO only, or you can have a mix of authentication methods (some users log in with a password and others with SSO).
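
One way to check the Workplace SSO fields listed above against the identity provider's SAML 2.0 metadata document (an added example, not part of the original guide). It assumes the metadata's entityID, SingleSignOnService and SingleLogoutService locations carry the Azure AD identifier, Login URL and Logout URL; the metadata is constructed, the tenant ID is a placeholder, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"  # SAML 2.0 metadata namespace

# Constructed metadata; the tenant ID is a placeholder, not a real tenant.
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def idp_values(metadata_xml):
    """Extract the IdP values, keyed by the Workplace field each one fills."""
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("metadata must not declare a DTD or entities")
    root = ET.fromstring(metadata_xml)
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")

    def location(tag):
        el = idp.find(MD + tag)
        return el.get("Location") if el is not None else None

    return {
        "SAML URL": location("SingleSignOnService"),
        "SAML issuer URL": root.get("entityID"),
        "SAML logout URL": location("SingleLogoutService"),
    }

def mismatched_fields(workplace_sso, metadata_xml):
    """Return Workplace SSO fields that differ from the IdP metadata.
    Comparison is exact: a missing trailing slash counts as a mismatch."""
    bad = []
    for name, expected in idp_values(metadata_xml).items():
        actual = workplace_sso.get(name)
        if name == "SAML logout URL" and not actual:
            continue  # the page marks this field as optional
        if actual != expected or not str(actual).startswith("https://"):
            bad.append(name)
    return bad
```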

                                    More information:

                                    Reference