Overview of synchronizing user and group details with Azure AD
This topic covers:
Azure environments with federated accounts enabled will not be able to authenticate in PaperCut with the username/password method by default. Please refer to Microsoft’s Azure documentation to investigate options to work around this limitation.
Options for syncing PaperCut NG/MF with Azure AD
There are three ways to integrate Microsoft Azure cloud identity with PaperCut:
Using a local domain controller (setting the PaperCut sync source to Windows Active Directory)
A common option is to use Microsoft’s Hybrid Identity model, with at least one Active Directory Domain Controller server in the local environment. This Domain Controller (using Azure AD Connect to communicate with Azure AD in the cloud) is then available to serve identity and authentication requests from the PaperCut application server - acting as a middleman between PaperCut and Azure AD. This method uses the regular Windows Active Directory sync method.
Using Azure AD through Secure LDAP (setting the PaperCut sync source to Azure AD Secure LDAP)
This method allows the PaperCut application server to communicate directly with Azure AD using the secure LDAP protocol. However, note that Microsoft charges a monthly subscription fee to enable secure LDAP connections (requiring Azure Active Directory Domain Services) for an Azure/M365 tenancy.
Using ‘standard’ Azure AD (setting the PaperCut sync source to Azure AD)
This method uses the Microsoft Graph APIApplication Programming Interface (API) is a set of routines, protocols, and tools for building software and applications. An API expresses a software component in terms of its operations, inputs, outputs, and underlying types, defining functionalities that are independent of their respective implementations, which allows definitions and implementations to vary without compromising the interface. endpoints included with every Microsoft 365 subscription at no extra cost. The PaperCut application server communicates directly with the Graph endpoints in Azure to perform authentication using the OAuth2 protocol.
Deciding which cloud-only sync method is right for you
The table below highlights the different features of the cloud-only sync methods from above, as well as some of the implications of choosing a particular sync method.
Azure AD
| Azure AD
(version 21.2 or later) (using Microsoft Graph API) | Azure AD Secure LDAP (Using Secure LDAP / Azure AD Domain Services) | |
---|---|---|---|
PaperCut Core | |||
Synchronize users and groups to PaperCut database 1 | Yes (PaperCut username is the UPN - user@domain) | Yes (PaperCut username is the UPN - user@domain) | Yes (PaperCut username is the MailNickName - user) |
MFD/Copier swipe card authentication 1 | Yes | Yes | Yes |
MFD/Copier swipe card self-association 2 | No | Yes | Yes |
MFD/Copier username/password authentication | No | Yes | Yes |
User or Admin User Web Interface username/password authentication | No | Yes | Yes |
“Sign On with Microsoft” button (Azure SSO) on Admin or User Web Interface 3 | Yes | Yes | Yes |
Mobile Web Client username/password authentication | No | Yes | Yes |
PaperCut User ClientThe User Client tool is an add-on that resides on a user's desktop. It allows users to view their current account balance via a popup window, provides users with the opportunity to confirm what they are about to print, allows users to select shared accounts via a popup, if administrators have granted access to this feature, and displays system messages, such as the "low credit" warning message or print policy popups. username/password Authentication | No | Yes | Yes |
“Sign On with Microsoft” button (Azure SSO) on the PaperCut user client 3 | No | No | No |
Release StationPrint Release Stations place a print job on hold and allow users to release it when required. Often a Release Station is a dedicated PC terminal located next to the printers, however, Release Stations can take other forms such as a web browser based interface. Some common examples where Release Stations can be used include secure printing, approved printing, and authentication. In a secure printing environment jobs are only printed when the user arrives at the print area and confirms his or her identity. This ensures the user is there to collect the job and other users can't "accidentally" collect the document. In some organizations it may be appropriate to hold jobs until they are approved by selected individuals. A good example would be a teacher approving printing on an expensive color printer. Hold/Release queues can be used as a form of authentication in an unauthenticated environment. Users must authenticate prior to releasing their jobs allowing PaperCut NG to confirm their identity. swipe card authentication 1 | Yes | Yes | Yes |
Release Station username/password authentication | No | Yes | Yes |
Print Deploy | |||
Print Deploy User Client username/password authentication | No | Yes | Yes |
Print Deploy Web Admin username/password authentication | No | Yes | Yes |
“Sign On with Microsoft” button (Azure SSO) on Print Deploy clientA light service that runs on users' computers that installs printers and routinely checks for updates from the Application Server. 3 | No | No | No |
Mobility Print | |||
Mobility Print client username/password authentication | No | Yes | Yes |
Mobility Print Web Admin username/password authentication | No | Yes | Yes |
“Sign On with Microsoft” button (Azure SSO) on Mobility Print client 3 | No | No | No |
Universal Print | |||
Universal Print Connector | Yes | Yes | Yes |
Other differences | |||
Cost | Free | Free | Microsoft charge an additional fee for enabling Secure LDAP through Azure Active Directory Domain Services |
Username in PaperCut | UPN (e.g. [email protected]) | UPN (e.g. [email protected]) | sAMAccountName - which Azure may call MailNickName (e.g. alex.test) |
Support 2FA / MFA through the PaperCut sync source | No | No | No |
Ability to sync Card numbers with Azure | Yes 4 | Yes 4 | Yes |
Ability to sync user aliases with Azure | No 5 | No 5 | Yes |
1 Swipe card authentication – use a swipe card with a card reader to log into the device or release station. Since this only uses the card number (and optional PIN), username/password authentication is not involved.
2 Swipe card self-association – use a brand new swipe card with a card reader to log into the device. Since PaperCut does not recognize the card number, it will ask the user to log in with their username and password, to ‘self-associate’ the new card with their user record.
3 ‘Single Sign on with Microsoft’ method of signing in – enabled on the Admin and User web interfaces under Options > User/Group Sync > Single Sign on with Microsoft > Enable the 'Sign in with Microsoft' button.
4 When using the standard Azure AD sync method, if you want to sync a primary card number, set the config keyA config key stores information about a specific advanced setting in PaperCut. Config keys are editable by an administrator in the Config Editor. user-source.update-user-details-card-id to Y. On next sync, the Employee ID number from Azure AD is synced into the Primary Card Number field in PaperCut. There are no other configuration options available for this currently. Other alternatives for importing card numbers when using the standard Azure AD method are to use a batch-update method, auto-generation of card numbers or an external lookup as detailed in this manual on the User card and ID numbers page. Note: If you’re using the Azure AD Secure LDAP sync method, you can set additional options for card number sync through the interface as detailed on the Synchronize user and group details with Azure AD Secure LDAP page.
5 An alternative option for the standard Azure AD method is to use the batch import and update user process to update the user alias fields - however that would lead to an ongoing maintenance overhead.
Recommendations when using the standard Azure AD sync method
Standard Azure AD uses UPNs when syncing usernames. To ensure a successful migration or deployment, we highly recommend that you review the implications of using UPNs as usernames, and test print job ownership in your environment.
If you’re doing ‘regular’ network printing then PaperCut normally will just use the locally logged in username of the workstation sending the print job. With Azure standard sync, this can mean a mismatch between the username that the PaperCut App server knows about (the UPN) and the username sending the print job (will normally be the MailNickName).
In this case, one option is to configure the Print ProviderA Print Provider is a monitoring service installed on a secondary print server to allow PaperCut to control and track printers. This monitoring component intercepts the local printing and reports the use back to the primary Application Server. to construct the UPN from the MailNickName, by following the instructions in Configure PaperCut NG/MF Secondary or Site Servers. This lets you specify a ‘UPNSuffix=’ configuration for each Print Provider / Secondary Server, so that, for example, alex.test then becomes [email protected]. In this instance you’d want to make sure that you don’t have different domains using the same Print Provider.
Another alternative here is to configure a user alias for each user, containing their MailNickName (as mentioned above). However this method is quite manual and would need some maintenance overhead.
We recommend not using the ‘TRUST’ mode for Print Deploy client authentication. It will pick up the locally configured username logged into the workstation, which could be different to the UPN username configured in PaperCut (see above).
Instead, use the ‘PROMPT’ method of authentication so that users can enter their UPN and password when the Print Deploy client starts (from version 21.2) to authenticate.
If you’re using Print Deploy to deploy Print Server queues to your workstations, then it’s also worth checking the ‘workstation > print queueA print queue displays information about documents that are waiting to be printed, such as the printing status, document owner, and number of pages to print. You can use the print queue to view, pause, resume, restart, and cancel print jobs.’ requirement details above.
From version 21.2, users can enter their UPN and password when adding printers using the Mobility Print client.
Since Universal Print was designed around UPN usernames, there shouldn’t be any additional considerations when integrating the Universal Print Connector for PaperCut NG/MF.
Setting up Azure AD sync or Azure AD Secure LDAP sync
For more information and steps on how to set up each integration, see:
FAQs
Yes. That's because standard Azure AD uses UPNs when syncing usernames, so you need to review the implications of using UPNs as usernames, and test print job ownership in your environment to ensure a successful migration or deployment.
At this point, authenticating with MFA enabled on the Azure account will not work. However, this doesn’t mean that you have to disable MFA for all of your users – you can configure Azure to allow certain apps to bypass MFA. In our testing this was the default security policy applied; however, your Azure tenancy’s configuration and security policies may differ.
It’s also worth noting that if you are applying policies or conditional access at the machine level, you need to exclude the PaperCut Application ServerAn Application Server is the primary server program responsible for providing the PaperCut user interface, storing data, and providing services to users. PaperCut uses the Application Server to manage user and account information, manage printers, calculate print costs, provide a web browser interface to administrators and end users, and much more. from 2FA enforcement - not the devices themselves.
The UPN is what uniquely identifies users in Azure, and having the full domain component in the username prevents username clashes that might otherwise occur when multiple domains are in use.
One potential problem with this approach is that some components of PaperCut - such as the User Client and the Print Deploy client - often get the username of the user logged into the OS. Even when you join a Windows device to an Azure AD domain and log in with a UPN, the Print Deploy Client, for example, might not identify the OS user as their full UPN. It will typically identify them as their MailNickName. For example, if the user’s UPN is [email protected], the MailNickName is probably going to be alex.
For alternatives to tackling this username mismatch, see step 3 in the KB article Preparing to use UPN usernames with PaperCut when synching with the standard Azure AD sync method.
Take a look at the KB article Preparing to use UPN usernames with PaperCut when synching with the standard Azure AD sync method.
There is currently no option to sync the MailNickName (instead of the UPN), using the standard Azure AD sync method.
When using on-prem AD sync (that is, the sync source set to ‘Windows AD’ in PaperCut), you can use this key to toggle between:
N, the default – the username is pulled into PaperCut as the sAMAccountName
- Y, which will sync the UPN as the PaperCut username instead.
When the key is set to Y, it also means that when matching usernames of logins or print jobs, PaperCut will not truncate the UPN into a sAMAccountName.
When using Azure AD Secure LDAP as the sync source, this key doesn't alter the behavior of the PaperCut username created. The sync will always use sAMAccountName as the PaperCut username.
When using the standard Azure AD method, this key doesn't alter the behavior of the PaperCut username created. The sync will always use UPN as the PaperCut username (apart from in one scenario, detailed in the next question). However, when the key is set to Y, when matching usernames of logins or print jobs, PaperCut will not truncate the UPN into a sAMAccountName. So when using this sync method, this key must be set to Y (as detailed in the manual page).
If a customer was originally using a sync method that pulled in the ‘MailNickName’ as the usernames in PaperCut (for example, ‘alex.test’) and then switched to use the standard Azure AD sync method, PaperCut sees that the email address associated with that user matches the UPN, and doesn’t create a new user. However, for any new users synced it will create the username as the UPN – in which case there could be a mixture of PaperCut username formats.
In this case we recommend renaming all accounts with the sAMAccountName to the UPN.
It is possible to sync a primary card number into PaperCut NG/MF when using the standard Azure AD sync method (see footnote 4 under the table above). However, it is not possible to sync additional card numbers or PINs at this time. When using the Azure AD Secure LDAP method, there are additional sync options for multiple card numbers.
Yes! The Office and Department fields will sync into PaperCut NG/MF when using the standard Azure AD sync method. Note that the ability to sync the Department field was added in version 21.2.
If you normally start your PaperCut User Client and it silently starts and shows you your balance window, you may see an identification popup the first time you launch the user client after migrating to UPNs.
Take a look at the question ‘Why does the username in PaperCut NG/MF appear as the UPN when using the standard Azure AD sync method?’ above for more information. In summary, because the User Client might be seeing the Windows username as ‘alex.test’, whereas the username in PaperCut is [email protected], so there will be a mismatch.
What should happen is that the client (if using version 21.2 or later) should let the user identify themselves with the UPN and password authentication, and the client should then start normally.
Hopefully! We have this on our list of things to do. If you have any questions, please quote PD-1171.
Hopefully! We have this on our list of things to do. If you have any questions, please quote MOB-2650.