Sync with Microsoft Entra ID

ENTERPRISE

On Enterprise plans, Firezone can automatically synchronize users and groups from your Microsoft Entra ID directory. This eliminates the need to manually create and manage users in Firezone. You can add multiple Entra directories to sync from different tenants.

Overview

Firezone uses Microsoft Graph API to read users and groups from your Entra directory. When you complete the setup flow, you'll authorize Firezone to access your directory with read-only permissions.

Prerequisite: If you plan to use the Assigned groups only sync mode, you must first complete Entra authentication setup. This creates the Firezone Enterprise Application in your tenant that you'll assign groups to.

Setup

Step 1: Start the Directory Sync setup in Firezone

In your Firezone admin portal, go to Settings -> Directory Sync.
Click Add Directory and select Microsoft Entra ID.
Enter a name for this directory to easily identify it in the Firezone portal (e.g. "Entra ID").

Step 2: Choose a sync mode

Select how you want Firezone to sync groups from your directory:

Assigned groups only (recommended)

Only groups assigned to the Firezone Authentication Enterprise Application in your Entra tenant will be synced. This gives you fine-grained control over which groups appear in Firezone.

This option requires Entra ID P1/P2 or higher. It will not work with Entra ID Free.

To assign groups to the Firezone application:

Sign in to the Azure portal.
Go to Microsoft Entra ID → Enterprise applications.
Search for Firezone Authentication and select it.
Go to Users and groups.
Click Add user/group to assign specific groups.

Make sure you select the Firezone Authentication application and not the Firezone Directory Sync application. Groups must be assigned to the Authentication application for this sync mode to work.

Only users who are members of the assigned groups will be synced to Firezone.

All groups

All groups from your Entra directory will be synced to Firezone. Use this option if:

You're using Entra ID Free (which doesn't support app assignments for groups).
You want to sync all groups without managing assignments.

With All groups, every group in your directory will appear in Firezone. For large directories, consider using Assigned groups only to limit which groups are synced.

Step 3: Verify and save

Click Verify Now to authorize Firezone to access your Entra directory. You'll be redirected to Microsoft to sign in and grant permissions.

Verify you're signing into the correct tenant before granting permissions. The tenant ID will be captured during this step.

If successful, you'll see a confirmation message. Click Save to complete the setup.

Verify you have Entra ID P1/P2 or higher.
Check that the groups are assigned to the Firezone Authentication Enterprise Application in the Azure portal.

Users not syncing

Users are synced based on their group membership. If a user isn't syncing:

Verify the user is a member of a group that's being synced.
For Assigned groups only, ensure the user's group is assigned to the Firezone application.
Wait for the next sync cycle or click Sync Now.

Wrong tenant

If users or groups from the wrong tenant are syncing, remove the directory and add it again. During the Verify Now step, ensure you're signing into the correct Microsoft account and tenant.

Need additional help?

See all support options or try asking on one of our community-powered support channels:

Discussion forums: Ask questions, report bugs, and suggest features.
Discord server: Join discussions, meet other users, and chat with the Firezone team
Email us: We read every message.

Or try searching the docs: