S2 - Enroll your CI Sync SaaS Instance to Entra ID

Step 2 - Enroll your CI Sync SaaS instance as an Enterprise Application in your Azure AD/Entra ID


Task List

| Task # | Task | Performed by |
|---|---|---|
| 1 | Enrol your CI Sync SaaS instance as an Enterprise Application in your Entra ID | Azure Admin |
| 2 | Grant users access to the CI Sync SaaS application (so they can use the CI Sync Web UI) | Azure Admin, CI Sync Admin |


Task 1: Enrol your CI Sync SaaS instance as an Enterprise Application in your Entra ID

Context Notes

In this section your customer specific instance of the CI Sync SaaS application is enrolled into your organisation’s Entra ID as an Enterprise Application.

The steps must be performed by an Entra ID Admin with sufficient rights to create and maintain a new Enterprise Application. 

By the time your Entra ID SME commences these steps, Syncfish will have provided you with your company specific URL. The URL will be https://YourCo.syncfish.app where “YourCo” is your company name or a shortened version.

Important: If a non-Entra ID admin accesses the URL it will initiate the Enterprise Application registration in your Entra ID and will fail due to not having sufficient permissions. 

Please do NOT access the URL provided and attempt to login unless you are an Entra ID SME with sufficient rights to perform all steps below.


  1. Your Entra ID Admin should open a browser and navigate to the Syncfish provided URL to your company specific instance of the CI Sync SaaS application User Interface.  The URL will be as shown below:

    1. https://YourCo.syncfish.app

  2. When prompted to sign in, ensure you log in with an Entra ID Admin account in the same AAD tenancy that you provided to Syncfish.

  3. You will be prompted to Accept the Permissions requested and to Consent on behalf of your organisation. When you click Accept it will enrol the CI Sync SaaS application in your Entra ID.

  4. Once the enrolment is complete, you will be returned an HTTP 403 error “Requested resource is forbidden”.

The 403 error is expected behaviour because the user account (of your Entra ID Admin) has not yet been granted access to the newly enrolled CI Sync Enterprise Application.

The steps required to grant individual user access to the CI Sync SaaS application User Interface are documented further below.

  5. Your Entra ID Admin should now use the Azure Portal to verify the CI Sync SaaS application was successfully enrolled as an Enterprise Application in your Entra ID. To do this:

    1. Login to the Azure Portal

    2. Navigate to Azure Active Directory

    3. Select Enterprise Applications

    4. Find and select the newly created CI Sync Enterprise Application in the list (i.e. “Syncfish – CI Sync (Enterprise Edition)”)

    5. From the Overview menu item, ensure Properties such as Name, Application ID and Object ID have all been populated.

Task 2: Grant users access to the CI Sync SaaS application (so they can use the CI Sync Web UI)

Informational Note

In this section your Entra ID SME will grant access to those users who need the CI Sync SaaS application User Interface.

In most organisations this is likely to be one or two people only (i.e. those few users expected to create and schedule synchronization jobs via the CI Sync User Interface).

Throughout this documentation we refer to this person/these people generically as the “CI Sync Admin”.

  1. In the Azure Portal, navigate to Entra ID -> Enterprise Applications and select the CI Sync application (i.e. “Syncfish - CI Sync (Enterprise Edition)”)

  2. Click the “Assign users and groups” hyperlink under Getting Started -> 1. Assign users and groups.

  3. There may already be a “Default Access” role assignment, depending on which account enrolled the Enterprise App. This role assignment can be left alone, but we still need to add the “administrator” role assignment.

  4. Click Add user/group

  5. Click the None Selected link under Users and Groups.

  6. Use the right-hand pane to filter/search and select the user/s and/or group/s you want to grant access to the CI Sync SaaS application (i.e. to those few users expected to create and schedule synchronization jobs via the CI Sync Web UI). When ready, click the Select button to complete.

  7. You have now granted a user (or a group) access to the CI Sync Web UI.

  8. You now need to grant a CI Sync role for those same user/s or group/s (otherwise they will not have sufficient permissions within the CI Sync SaaS application). The table below explains the functionality available in the CI Sync Web UI for each role.

| CI Sync Role | CI Sync Web UI Functionality |
|---|---|
| Administrator | Full access to all features in the UI (add new source/destination connections, amend any CI Sync settings, run a sync job immediately, create a scheduled sync job). |
| Reader | Able to view all features in the UI but not make any changes. |
| Scheduler | Same as Reader but can also schedule and review sync job logs (this role cannot update settings or create/run new sync jobs). |
| Billing | Currently not in use (i.e. no specific functionality implemented for this role). |

  9. Click the None Selected link under Select a role

  10. Use the right-hand pane to select one of the predefined CI Sync Roles. Select the required role and then click the Select button to complete.

You need to set at least one initial user to have the Administrator role so they can perform subsequent tasks through this setup guide.

  11. The screen should look as below. When ready, click the Assign button at the bottom of the screen.

  12. The users who were granted access should now be able to login and use the CI Sync SaaS application User Interface. They can test by navigating to the Syncfish provided URL to your company specific instance of the CI Sync SaaS application User Interface. The URL will be as shown below:

    1. https://YourCo.syncfish.app

  13. When prompted to sign in, log in with your regular AAD user credentials (including any MFA requirements).

  14. Upon successful login you will be presented with the CI Sync Home Page of the CI Sync Web UI.
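
To confirm the outcome of Task 2 outside the portal, the following added example (not part of the Syncfish documentation) audits the JSON that Microsoft Graph returns for the enterprise application (`GET /servicePrincipals/{id}`) and its role assignments (`GET /servicePrincipals/{id}/appRoleAssignedTo`). The sample data, GUIDs, principal ids and names are constructed, and it assumes the app-role display names match the role table above.

```python
import json

DEFAULT_ACCESS_ID = "00000000-0000-0000-0000-000000000000"  # built-in "Default Access"

# Constructed sample data: GUIDs, ids and names are made up, not from a real tenant.
# Assumption: the app-role display names match the role names in the table above.
SERVICE_PRINCIPAL = json.loads("""{
  "displayName": "Syncfish - CI Sync (Enterprise Edition)",
  "appRoles": [
    {"id": "11111111-1111-1111-1111-111111111111", "displayName": "Administrator"},
    {"id": "22222222-2222-2222-2222-222222222222", "displayName": "Reader"},
    {"id": "33333333-3333-3333-3333-333333333333", "displayName": "Scheduler"},
    {"id": "44444444-4444-4444-4444-444444444444", "displayName": "Billing"}]}""")
ASSIGNMENTS = json.loads("""{"value": [
  {"principalId": "p-1", "principalDisplayName": "Entra Admin",
   "appRoleId": "00000000-0000-0000-0000-000000000000"},
  {"principalId": "p-2", "principalDisplayName": "CI Sync Admins",
   "appRoleId": "11111111-1111-1111-1111-111111111111"},
  {"principalId": "p-3", "principalDisplayName": "Ops Viewer",
   "appRoleId": "22222222-2222-2222-2222-222222222222"},
  {"principalId": "p-4", "principalDisplayName": "Finance User",
   "appRoleId": "44444444-4444-4444-4444-444444444444"}]}""")


def audit_role_assignments(sp, assignments):
    """Return ({principalId: (name, roles)}, findings) for one enterprise app."""
    role_names = {r["id"]: r["displayName"] for r in sp.get("appRoles", [])}
    role_names[DEFAULT_ACCESS_ID] = "Default Access"
    principals = {}
    for a in assignments.get("value", []):
        role = role_names.get(a["appRoleId"], "undefined:" + a["appRoleId"])
        entry = principals.setdefault(a["principalId"], (a["principalDisplayName"], set()))
        entry[1].add(role)

    findings = []
    if not any("Administrator" in roles for _, roles in principals.values()):
        findings.append("no principal holds the Administrator role")
    for _, (name, roles) in sorted(principals.items()):
        if roles == {"Default Access"}:
            findings.append(f"{name}: Default Access only, no CI Sync role assigned")
        if "Billing" in roles:
            findings.append(f"{name}: Billing role currently has no functionality")
        if any(r.startswith("undefined:") for r in roles):
            findings.append(f"{name}: assigned a role id the app does not define")
    return principals, findings


if __name__ == "__main__":
    print("\n".join(audit_role_assignments(SERVICE_PRINCIPAL, ASSIGNMENTS)[1]))
```

An empty findings list means every assigned principal holds a functional CI Sync role and at least one holds Administrator.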