S2 - Enrol CI Sync SaaS to your Entra ID


Step 2 - Enrol the CI Sync SaaS application as an Enterprise Application to your Azure AD/Entra ID


| # | Task | Performed by |
|---|------|--------------|
| 1 | Enrol the CI Sync SaaS application as an Enterprise Application in your AAD | Azure Admin |
| 2 | Grant users access to the CI Sync SaaS application (so they can use the User Interface) | Azure Admin, CI Sync Admin |


Task 1: Enrol the CI Sync SaaS application as an Enterprise Application in your AAD

Context Notes

In this section your customer-specific instance of the CI Sync SaaS application will be enrolled into your organisation’s Azure Active Directory (AAD) as an Enterprise Application.

The steps must be performed by an AAD SME with sufficient rights to create and maintain a new Enterprise Application.

By the time your AAD SME commences these steps, Syncfish will have provided you with your company-specific URL. The URL will be https://YourCo.syncfish.app where “YourCo” is your company name or a shortened version.

Important: If a non-AAD admin accesses the URL it will initiate the Enterprise Application registration in your AAD and will fail due to not having sufficient AAD permissions.  Please do NOT access the URL provided and attempt to login unless you are an AAD SME with sufficient rights to perform all steps below.

  1. Your AAD Admin should open a browser and navigate to the Syncfish provided URL to your company specific instance of the CI Sync SaaS application User Interface.  The URL will be as shown below:

    1. https://YourCo.syncfish.app

  2. When prompted to sign in, ensure you log in with the AAD Admin account in the same AAD tenancy that you provided to Syncfish.

  3. You will be prompted to Accept the Permissions requested and to Consent on behalf of your organisation. When you click Accept it will enrol the CI Sync SaaS application in your AAD.

  4. Once the enrolment is complete, you will receive an HTTP 403 error “Requested resource is forbidden”.


The 403 error is expected behaviour because the user account (of your AAD Admin) has not yet been granted access to the newly enrolled CI Sync Enterprise Application.

The steps required to grant individual user access to the CI Sync SaaS application User Interface are documented further below.

  5. Your AAD Admin should now use the Azure Portal to verify the CI Sync SaaS application was successfully enrolled as an Enterprise Application in your AAD. To do this:

    1. Log in to the Azure Portal

    2. Navigate to Azure Active Directory

    3. Select Enterprise Applications

    4. Find and select the newly created CI Sync Enterprise Application in the list (i.e. “Syncfish – CI Sync (Enterprise Edition)”)

    5. From the Overview menu item, ensure Properties such as Name, Application ID and Object ID have all been populated.


Task 2: Grant users access to the CI Sync SaaS application (so they can use the User Interface)

Informational Note

In this section your AAD SME will grant access to those users who need to use the CI Sync SaaS application User Interface. In most organisations this is likely to be one or two people only (i.e. those few users expected to create and schedule synchronization jobs via the CI Sync User Interface).

  1. In the Azure Portal, navigate to Azure Active Directory -> Enterprise Applications and select the CI Sync application (i.e. “Syncfish - CI Sync (Enterprise Edition)”)

  2. Click the “Assign users and groups” hyperlink under Getting Started -> 1. Assign users and groups.

  3. There may already be a Role Assigned “Default Access” depending on which account enrolled the Enterprise App. This role assignment can be left alone but we still need to add the “administrator” role assignment.

  4. Click Add user/group

  5. Click the None Selected link under Users and Groups.

  6. Use the right-hand pane to filter/search and select the user/s and/or group/s you want to grant access to the CI Sync SaaS application (those few users expected to create and schedule synchronization jobs via the CI Sync User Interface). When ready, click the Select button to complete.

  7. You have now granted a user (or a group) access to the CI Sync User Interface.

  8. You now need to grant a CI Sync role for those same user/s or group/s (otherwise they will not have sufficient permissions within the CI Sync SaaS application). The table below explains the functionality available in the CI Sync Web UI for each role.

| CI Sync Role | CI Sync Web UI Functionality |
|--------------|------------------------------|
| Administrator | Full access to all features in the UI (add new source/destination connections, amend any CI Sync settings, run a sync job immediately, create a scheduled sync job). |
| Reader | Able to view all features in the UI but not make any changes. |
| Scheduler | Same as reader but can also schedule and review sync job logs (this role cannot update settings or create/run new sync jobs). |
| Billing | Currently not in use (i.e. no specific functionality implemented for this role) |

  9. Click the None Selected link under Select a role

  10. Use the right-hand pane to select one of the predefined CI Sync Roles. Select the required role and then click the Select button to complete.

You need to set at least one initial user to have the Administrator role so they can perform subsequent tasks through this setup guide.

  11. The screen should look as below. When ready, click the Assign button at the bottom of the screen.

  12. The users who were granted access should now be able to log in and use the CI Sync SaaS application User Interface. They can test by navigating to the Syncfish-provided URL for your company-specific instance of the CI Sync SaaS application User Interface. The URL will be as shown below:

    1. https://YourCo.syncfish.app

  13. When prompted to sign in, log in with your regular AAD user credentials (including any MFA requirements).

  14. Upon successful login you will be presented with the CI Sync Home Page of the CI Sync UI.
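
The portal checks in Task 1 (step 5) and the access granted in Task 2 can also be reviewed from the command line. The PowerShell below is an added example, not part of the Syncfish documentation. It assumes the Microsoft Graph PowerShell module is installed, that exactly one service principal has a display name beginning with "Syncfish", and that the app role display name is "Administrator" as in the role table above.

```powershell
# Added example: read-only review of the enrolled Enterprise Application.
# Assumptions: Microsoft.Graph module installed; display name starts with
# "Syncfish"; the app role display name is "Administrator".
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

$sp = @(Get-MgServicePrincipal -Filter "startswith(displayName,'Syncfish')" -All)
if ($sp.Count -ne 1) {
    throw "Expected one Syncfish service principal, found $($sp.Count)."
}
$sp = $sp[0]

# Task 1, step 5: the properties shown on the Overview page.
# AppOwnerOrganizationId is the publisher's tenant. When
# AppRoleAssignmentRequired is False, Entra ID also issues tokens to
# unassigned users and the application itself has to refuse them.
$sp | Format-List DisplayName, AppId, Id, AppOwnerOrganizationId,
    AppRoleAssignmentRequired

# Delegated permission grants recorded for the app. ConsentType
# 'AllPrincipals' is consent on behalf of the organisation; review Scope.
Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All |
    Format-Table ConsentType, PrincipalId, ResourceId, Scope -AutoSize

# Task 2: who holds which CI Sync role. The all-zero role id is the
# built-in "Default Access" assignment.
$roleNames = @{ '00000000-0000-0000-0000-000000000000' = 'Default Access' }
foreach ($role in $sp.AppRoles) {
    $roleNames[[string]$role.Id] = $role.DisplayName
}
$assigned = @(Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    Select-Object PrincipalDisplayName, PrincipalType, CreatedDateTime,
        @{ Name = 'Role'; Expression = { $roleNames[[string]$_.AppRoleId] } })
$assigned | Sort-Object Role, PrincipalDisplayName | Format-Table -AutoSize

# The guide requires at least one Administrator and expects only a few users.
if (-not ($assigned | Where-Object Role -eq 'Administrator')) {
    Write-Warning 'No user or group holds the Administrator role yet.'
}
# A group assignment gives the role to every member of that group.
$assigned | Where-Object PrincipalType -eq 'Group' | ForEach-Object {
    Write-Warning "Group '$($_.PrincipalDisplayName)' holds role '$($_.Role)'."
}
```

The script only reads directory data; run it with an account that can consent to the two read scopes requested by Connect-MgGraph.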