Available in PaperCut NG and PaperCut MF.

https://covidrataustralia.com.au/

Overview of synchronizing user and group details with Azure AD

This topic covers:

NOTE

Azure environments with federated accounts enabled will not be able to authenticate in PaperCut with the username/password method by default. Please refer to Microsoft’s Azure documentation to investigate options to work around this limitation.

Options for syncing PaperCut NG/MF with Azure AD

There are three ways to integrate Microsoft Azure cloud identity with PaperCut:

Deciding which cloud-only sync method is right for you

The table below highlights the different features of the cloud-only sync methods from above, as well as some of the implications of choosing a particular sync method.

 

Azure AD
(version 21.1 or earlier) (Using Microsoft Graph API)

Azure AD
(version 21.2 or later) (using Microsoft Graph API)
Azure AD Secure LDAP
(Using Secure LDAP / Azure AD Domain Services)
PaperCut Core
Synchronize users and groups to PaperCut database 1Yes
(PaperCut username is the UPN - user@domain)
Yes
(PaperCut username is the UPN - user@domain)
Yes
(PaperCut username is the MailNickName - user)
MFD/Copier swipe card authentication 1YesYesYes
MFD/Copier swipe card self-association 2NoYesYes
MFD/Copier username/password authentication NoYesYes
User or Admin User Web Interface username/password authentication NoYesYes
“Sign On with Microsoft” button (Azure SSO) on Admin or User Web Interface 3YesYesYes
Mobile Web Client username/password authentication NoYesYes
PaperCut User ClientThe User Client tool is an add-on that resides on a user's desktop. It allows users to view their current account balance via a popup window, provides users with the opportunity to confirm what they are about to print, allows users to select shared accounts via a popup, if administrators have granted access to this feature, and displays system messages, such as the "low credit" warning message or print policy popups. username/password Authentication NoYesYes
“Sign On with Microsoft” button (Azure SSO) on the PaperCut user client 3NoNoNo
Release StationPrint Release Stations place a print job on hold and allow users to release it when required. Often a Release Station is a dedicated PC terminal located next to the printers, however, Release Stations can take other forms such as a web browser based interface. Some common examples where Release Stations can be used include secure printing, approved printing, and authentication. In a secure printing environment jobs are only printed when the user arrives at the print area and confirms his or her identity. This ensures the user is there to collect the job and other users can't "accidentally" collect the document. In some organizations it may be appropriate to hold jobs until they are approved by selected individuals. A good example would be a teacher approving printing on an expensive color printer. Hold/Release queues can be used as a form of authentication in an unauthenticated environment. Users must authenticate prior to releasing their jobs allowing PaperCut NG to confirm their identity. swipe card authentication 1YesYesYes
Release Station username/password authentication NoYesYes
Print Deploy
Print Deploy User Client username/password authentication NoYesYes
Print Deploy Web Admin username/password authentication NoYesYes
“Sign On with Microsoft” button (Azure SSO) on Print Deploy clientA light service that runs on users' computers that installs printers and routinely checks for updates from the Application Server. 3NoNoNo
Mobility Print
Mobility Print client username/password authentication NoYesYes
Mobility Print Web Admin username/password authentication NoYesYes
“Sign On with Microsoft” button (Azure SSO) on Mobility Print client 3NoNoNo
Universal Print
Universal Print ConnectorYesYesYes
Other differences
Cost FreeFreeMicrosoft charge an additional fee for enabling Secure LDAP through Azure Active Directory Domain Services
Username in PaperCut UPN (e.g. [email protected])UPN (e.g. [email protected])sAMAccountName - which Azure may call MailNickName (e.g. alex.test)
Support 2FA / MFA through the PaperCut sync source NoNoNo
Ability to sync Card numbers with Azure Yes 4Yes 4Yes
Ability to sync user aliases with Azure No 5No 5Yes

 

1 Swipe card authentication – use a swipe card with a card reader to log into the device or release station. Since this only uses the card number (and optional PIN), username/password authentication is not involved.

2 Swipe card self-association – use a brand new swipe card with a card reader to log into the device. Since PaperCut does not recognize the card number, it will ask the user to log in with their username and password, to ‘self-associate’ the new card with their user record.

3 ‘Single Sign on with Microsoft’ method of signing in – enabled on the Admin and User web interfaces under Options > User/Group Sync > Single Sign on with Microsoft > Enable the 'Sign in with Microsoft' button.

4 When using the standard Azure AD sync method, if you want to sync a primary card number, set the config keyA config key stores information about a specific advanced setting in PaperCut. Config keys are editable by an administrator in the Config Editor. user-source.update-user-details-card-id to Y. On next sync, the Employee ID number from Azure AD is synced into the Primary Card Number field in PaperCut. There are no other configuration options available for this currently. Other alternatives for importing card numbers when using the standard Azure AD method are to use a batch-update method, auto-generation of card numbers or an external lookup as detailed in this manual on the User card and ID numbers page. Note: If you’re using the Azure AD Secure LDAP sync method, you can set additional options for card number sync through the interface as detailed on the Synchronize user and group details with Azure AD Secure LDAP page.

5 An alternative option for the standard Azure AD method is to use the batch import and update user process to update the user alias fields - however that would lead to an ongoing maintenance overhead.

Recommendations when using the standard Azure AD sync method

Standard Azure AD uses UPNs when syncing usernames. To ensure a successful migration or deployment, we highly recommend that you review the implications of using UPNs as usernames, and test print job ownership in your environment.

Setting up Azure AD sync or Azure AD Secure LDAP sync

For more information and steps on how to set up each integration, see:

FAQs