Active Directory integration guide
SECURITY Full Access or Team Access privileges in Workplace Manager
Workplace integrates with Microsoft Active Directory (AD), which provides the following benefits:
- A Workplace team can be linked to AD
- User accounts can be provisioned and maintained using account information from AD
- User accounts share the account lockout policies from AD
- Groups and group relationships are imported and maintained from AD
- User authentication is performed through the integration link to AD. Users use their AD credentials to log in to Workplace.
This glossary only lists terms specific to the Active Directory integration:
- If an email address associated with a user in Workplace is identical to an email address captured by the LDAP search path, the Workplace account will automatically become an AD managed account.
- Accounts that have been locked out in AD (via policy or manually) will be unable to authenticate. While the inability to authenticate is immediate, their status will only be updated in Workplace after the next AD sync.
- AD Linked Accounts disabled/deleted via AD will show as Disabled when viewed via Workplace Online > Configuration > Active Directory. Although not accessible, these accounts will continue to exist within Workplace, and projects owned by these accounts will remain available.
- Unlinked Accounts are managed and authenticated locally in Workplace.
- AD Linked Accounts are managed and authenticated via AD in the following manner:
Full name, email address, phone number and password are managed from Active Directory.
E-mail address is a mandatory attribute. An account with an empty e-mail address cannot be provisioned or linked with a Workplace account.
Attribute mapping:
Active Directory | Workplace |
Display Name | full name |
E-mail | e-mail |
Telephone Number | phone number |
Locked/Disabled | disabled |
- AD groups and Workplace groups can coexist - projects and folders can be shared with AD groups as well as Workplace groups.
- Groups synced from AD will display a Windows badge in the bottom left corner of the group icon
- Members of groups imported from AD are managed from within Active Directory
- If there is a name collision between a Workplace group and AD group, both will exist and retain the same name.
- Group names cannot exceed 100 characters.
- Groups in AD are updated on each AD Sync, which may result in:
Members being added to groups, resulting in projects and folders shared with that group becoming available to the newly added members
Members being removed from groups, resulting in access to projects and folders being denied to members who were granted access via sharing with that group
- If groups are removed within AD, they will also be removed from the Workplace team upon the next sync.
- Group attribute mapping:
Active Directory | Workplace |
Display Name | name |
Description | description |
The LDAP path must be specified in the following manner: CN=Users, DC=domain, DC=local
The rules are:
- One element for each level in the AD tree
- The DC elements must be entered left to right, e.g. DC=domain, DC=local
- The remainder of the path must be entered from right to left: the element furthest to the right must match the top node in AD, the next one its child, and so forth
- Each LDAP search path specified in Workplace is ONE search path in AD
- LDAP search paths specifying groups must be placed above the LDAP search paths specifying users, where applicable
The syntax is:
- DC for domain component nodes (the parts of the DNS domain name)
- CN for Container nodes
- OU for Organizational Unit nodes
The types must match the types used in the Active Directory.
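The path rules above, applied by a small validator. This is an added example, not Workplace code: it checks the element types, the position of the DC elements, the right-to-left reading of the remaining elements, and the groups-above-users ordering; the `groups_listed_first` input shape (a list of `(kind, path)` pairs) is an assumption for illustration.

```python
from __future__ import annotations
import re

# Element syntax from the guide: only DC, CN and OU types. Values here may not
# contain ',' or '='; RFC 4514 escaping is out of scope for this check.
ELEMENT_RE = re.compile(r"^(DC|CN|OU)=([^,=]+)$", re.IGNORECASE)


def parse_search_path(path: str) -> list[tuple[str, str]]:
    """'CN=Users, DC=domain, DC=local' -> [('CN', 'Users'), ('DC', 'domain'), ('DC', 'local')]."""
    elements = []
    for raw in path.split(","):
        match = ELEMENT_RE.match(raw.strip())
        if not match:
            raise ValueError(f"bad element {raw.strip()!r}: expected DC=, CN= or OU=")
        elements.append((match.group(1).upper(), match.group(2).strip()))
    return elements


def validate_search_path(path: str) -> dict:
    """Apply the ordering rules and return the domain and the container hierarchy addressed."""
    elements = parse_search_path(path)
    dc_positions = [i for i, (kind, _) in enumerate(elements) if kind == "DC"]
    if not dc_positions:
        raise ValueError("search path has no DC elements")
    # DC elements are read left to right and must form one run at the end of the path.
    if dc_positions != list(range(len(elements) - len(dc_positions), len(elements))):
        raise ValueError("DC elements must come last, e.g. 'CN=Users, DC=domain, DC=local'")
    domain = ".".join(value for kind, value in elements if kind == "DC")
    # The remaining elements are read right to left: the rightmost is the top
    # node under the domain, the leftmost is the node actually being searched.
    containers = [e for e in elements if e[0] != "DC"]
    hierarchy = [f"{kind}={value}" for kind, value in reversed(containers)]
    return {"domain": domain, "hierarchy": hierarchy}


def groups_listed_first(configured: list[tuple[str, str]]) -> bool:
    """configured is [(kind, path)] in the order shown in the UI, kind in {'group', 'user'}.

    The guide requires every group search path to sit above every user search path."""
    kinds = [kind for kind, _ in configured]
    if "group" not in kinds or "user" not in kinds:
        return True
    last_group = len(kinds) - 1 - kinds[::-1].index("group")
    return last_group < kinds.index("user")


if __name__ == "__main__":
    print(validate_search_path("OU=Sales, OU=Europe, DC=corp, DC=example, DC=com"))
```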
- After enabling AD on the Integrations tab or on the Active Directory page, the specified team admins (in the AD settings) will receive an e-mail informing them that AD has been enabled.
- All matched accounts will become AD Linked Accounts that will require the AD credentials to access Workplace.
- If the connection to AD is lost, the specified team admins (in the AD settings) will receive an e-mail with a URL. Clicking this URL will disassociate the admin's account from AD and allow them to reset their password. This will allow them to access Workplace Online to make the necessary changes to the AD configuration.
- If AD is disabled, all administrators will receive an email with a link to confirm disabling the AD integration. Once the integration is disabled via this link, all AD provisioned users will receive a password reset mail; users can then follow the link and set a new Workplace password.
- If AD is re-enabled, all users will receive a mail stating that their account is now AD managed and they must use their AD password.
- Synchronization can be run manually or scheduled to run automatically, commencing at a specified hour of the day
- The AD Sync process may generate substantial network traffic and CPU load on the integration agent
- Each AD Sync:
  - Compares the Workplace cached AD data with the live AD data:
    - New AD accounts are displayed as “New accounts since last sync” within the Workplace Active Directory Integration UI.
    - Deleted AD accounts are displayed as “Deleted account from AD” within the Workplace Active Directory Integration UI. The account is not deleted from Workplace but only disabled.
  - Iterates through all accounts and imports information about new accounts and updates any existing accounts. Account information includes the following:
    - Full Name
    - Email Address
    - Phone Number
  - Iterates through all defined groups and updates, imports or removes:
    - Group Name
    - Group Members (groups and members)
- Each AD Sync operation generates a log of changes which is visible in Workplace Online > Configuration > Active Directory > Sync Log
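The reconciliation a sync pass performs, as described above, written out as an added example (not Workplace code). The cached snapshot, live directory, groups and project shares are constructed sample data; the point it shows is that accounts deleted in AD are disabled rather than removed, and that group membership changes translate directly into access gained or lost on shared projects.

```python
# Constructed sample data: the snapshot cached at the previous sync and the
# live directory as read now. Accounts are keyed by e-mail address, the
# mandatory attribute Workplace matches on.
CACHED_ACCOUNTS = {
    "alice@domain.local": {"name": "Alice Smith", "phone": "100", "disabled": False},
    "bob@domain.local": {"name": "Bob Jones", "phone": "101", "disabled": False},
}
LIVE_ACCOUNTS = {
    "alice@domain.local": {"name": "Alice Smith", "phone": "200", "disabled": False},  # phone changed
    "carol@domain.local": {"name": "Carol King", "phone": "102", "disabled": False},  # new in AD
}
CACHED_GROUPS = {"Sales": {"alice@domain.local", "bob@domain.local"}, "Legacy": {"bob@domain.local"}}
LIVE_GROUPS = {"Sales": {"alice@domain.local", "carol@domain.local"}}  # Legacy removed in AD
# Workplace-side sharing: project -> groups it is shared with.
SHARES = {"Q3-Forecast": {"Sales"}, "Archive": {"Legacy"}}


def sync(cached_accounts, live_accounts, cached_groups, live_groups, shares):
    """One sync pass: returns the UI lists, the resulting account state and the change log."""
    new = sorted(set(live_accounts) - set(cached_accounts))
    deleted = sorted(set(cached_accounts) - set(live_accounts))
    # Import new accounts and update existing ones (name, e-mail, phone).
    accounts = {email: dict(attrs) for email, attrs in cached_accounts.items()}
    for email, attrs in live_accounts.items():
        accounts[email] = dict(attrs)
    # Accounts deleted in AD are only disabled; they and their projects stay in Workplace.
    for email in deleted:
        accounts[email]["disabled"] = True
    log = []
    for name in sorted(set(cached_groups) | set(live_groups)):
        before, after = cached_groups.get(name, set()), live_groups.get(name, set())
        projects = ", ".join(sorted(p for p, groups in shares.items() if name in groups))
        for member in sorted(after - before):
            log.append(f"{member} added to {name}: gains access to {projects}")
        for member in sorted(before - after):
            log.append(f"{member} removed from {name}: loses access to {projects}")
        if name not in live_groups:
            log.append(f"group {name} removed from the team")
    # Groups that vanished from AD vanish from the team; the rest take AD's membership.
    groups = {name: set(members) for name, members in live_groups.items()}
    return {"new": new, "deleted": deleted, "accounts": accounts, "groups": groups, "log": log}


if __name__ == "__main__":
    for line in sync(CACHED_ACCOUNTS, LIVE_ACCOUNTS, CACHED_GROUPS, LIVE_GROUPS, SHARES)["log"]:
        print(line)
```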
- AD access check (runs a dummy query on every configured account) – configured per server (1 minute default).
- Time before the first connection check is done (after server startup) – configured per server (1 minute default).
- AD log is kept for 10 days by default – configured per server.
- AD sync time – scheduled for every day (default at 00:00) – configured per team.
- The AD status on the UI is updated at the same frequency as the AD access check interval.
Workplace offers three methods for integrating with Active Directory:
- LDAP Direct
- Entra ID (formerly Azure) AD
- OnPrem Agent
LDAP Direct method (recommended)
This method requires a certificate to be created and the integration takes place via LDAPS. There are no additional hardware requirements for this method.
Refer to Active Directory: LDAP Direct.
Entra ID (formerly Azure) AD
The Entra ID integration connects Workplace to Microsoft Entra ID (formerly Windows Azure Active Directory, WAAD). It allows users and groups to be synced from Entra ID. Once configured and enabled, users can authenticate with their Active Directory credentials and keep their email address, telephone number and name synchronized with Active Directory.
Refer to Active Directory: Entra ID (formerly Azure).
NOTE Workplace does not support multiple Entra ID SSO apps under the same Entra ID instance unless the Workplace accounts are in different geographic regions (the URL shown when logged in has the same domain prefix, i.e. us, eu, au or ca). For more about regions and IP addresses, refer to Workplace ports and IP addresses.
OnPrem method
This method involves activating an integration agent by installing Workplace Server on a dedicated machine, bound to the AD domain. This integration agent is responsible for syncing with AD.
NOTE Workplace Desktop v10 cannot be used as an integration agent as it cannot be run as a service.
Refer to Active Directory: On Prem Agent.