Getting Started with User Sync
The Recognize user sync is a process that provides a way for companies to keep their Recognize user directory in sync with their corporate user directory. Once initial settings are established, the user sync options allow you to manage your users in Recognize automatically.
How it Works
We connect to the identity provider and user directory of your choice (see below) and synchronize the users based on a few parameters. You can sync your entire organization or you can pick groups to synchronize. You can also manually initiate a sync at any time via the Settings page in the company admin portal. The time it takes to execute a full sync depends on the size of your directory and the size of the queue in our background tasks server. For most of our customers, it can range from 15 minutes to 2 hours. The user sync is run nightly or weekly depending on your subscription package.
Identity Providers
We currently support user syncing through Yammer and the Microsoft Cloud (i.e., Entra ID, formerly known as Azure AD). We offer an SFTP (secure file transfer protocol) option as well. To learn more, please see our sFTP Implementation Guide.
If you do not want to or cannot sync your user directory, we support "just-in-time" user provisioning. This is where we create accounts and permit access to Recognize when a user logs in via OAuth or SAML. See more information about SAML in our resources section here.
You can also take a look at our comprehensive User Sync Guide for more detailed information, requirements, and step by step instructions for enabling user syncing through Yammer or Microsoft Cloud.
What information can we sync?
You can specify if you would like to sync Recognize Teams to your directory’s groups to more closely mirror your internal structure. Some of the other information that we currently allow includes:
- first name & last name
- phone number (optional, mobile phone for SMS notifications)
- display name (optional)
- manager (optional)
- birthday (optional, day/month only)
- hire date (optional, not available with Yammer)
- job title (optional)
- department (optional)
- country (optional)
Are notifications or invites sent out?
When users are synced, they are provisioned with an account and added to the Recognize directory, but no emails or notifications are sent out. We have a "bulk invite" feature on our User tab page in the Company Admin portal where you can customize the invitation email and send it out at a time of your choosing. We also offer an 'auto-invite' feature (mentioned in the settings below) which works well for inviting users who join the company after your initial launch. See our article on how to invite users to Recognize for more information.
What are the steps to set up user sync?
You can establish a user sync from within the Recognize Company Admin portal. A best practice for setting up the user sync is to first create a Service Account in your Microsoft tenant (which can typically be done by a Global Microsoft administrator) and then create a corresponding Service Account within Recognize with a Company Admin designation. Make sure the Service Account created in Microsoft has a role that can grant the below permissions. Once you have established these, log in to Recognize with the Recognize Service Account credentials, and establish the sync owner (steps shown below) as the Service Account.
Permissions needed for Service Account in Microsoft:
- offline_access
- User.Read
- User.ReadBasic.All
- GroupMember.Read.All
- Directory.Read.All
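One way to confirm that the service account ends up with exactly the scopes listed above is to audit the delegated grants after consent. This is an added example, not Recognize's own code: it assumes the permissions are recorded as delegated grants shaped like Microsoft Graph oauth2PermissionGrant objects, and the grant records and object ids are constructed placeholders.

```python
# Added example: audit delegated Microsoft Graph grants against the scopes
# this guide lists. Grant records are constructed sample data shaped like
# Graph oauth2PermissionGrant objects; all ids are placeholders.
REQUIRED = {"offline_access", "User.Read", "User.ReadBasic.All",
            "GroupMember.Read.All", "Directory.Read.All"}

def effective_scopes(grants, principal_id):
    """Union of tenant-wide grants and grants made for one principal."""
    scopes = set()
    for g in grants:
        tenant_wide = g["consentType"] == "AllPrincipals"
        if tenant_wide or g.get("principalId") == principal_id:
            scopes |= set(g["scope"].split())
    return scopes

def audit(grants, principal_id):
    """Report scopes the sync lacks, scopes beyond the documented list,
    and scopes consented for every user in the tenant."""
    eff = effective_scopes(grants, principal_id)
    tenant_wide = set()
    for g in grants:
        if g["consentType"] == "AllPrincipals":
            tenant_wide |= set(g["scope"].split())
    return {
        "missing": sorted(REQUIRED - eff),      # sync may fail without these
        "extra": sorted(eff - REQUIRED),        # review for least privilege
        "tenant_wide": sorted(tenant_wide),     # not limited to the service account
    }

SAMPLE_GRANTS = [  # constructed sample data
    {"consentType": "Principal", "principalId": "svc-account-object-id",
     "scope": "offline_access User.Read User.ReadBasic.All Directory.Read.All"},
    {"consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Mail.Read"},
    {"consentType": "Principal", "principalId": "other-user-object-id",
     "scope": "Files.Read"},
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_GRANTS, "svc-account-object-id").items():
        print(f"{key}: {value}")
```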
Steps to set up the sync:
- Select 'Menu' from the top right corner of the screen
- Select 'Company Admin' from the drop-down to open the Company Admin portal
NOTE: If you do not see this option, it means you haven't been made a Company Admin for the Recognize platform, and you'll need to reach out to the business owner within your organization to grant this access.
- Select 'Settings' from the left side menu to take you to your organization's platform settings and configuration
- Select 'User Management' from the right-hand navigation pane
- Under the section for 'User sync,' you'll see a drop-down to choose your sync provider, where you'll select 'Microsoft/Office 365'
- You'll also see a toggle to 'Enable sync,' which will set your user sync to run at the next scheduled nightly run
- Additionally, there will be a set of options for what you'd like to include in your sync, where each can be toggled on or off independently - make sure that each of the fields you choose to turn on has corresponding data to be brought in, and for any fields that don't, keep the toggle 'OFF'
- Only a Microsoft administrator for your company will be able to facilitate the initial linking of your Microsoft data with the Recognize platform by clicking the 'Microsoft' button under 'Connect with Microsoft/Office 365 to pull in user data'
- Anyone with Company Admin access will be able to test the connection of the sync by selecting the 'Test Connection' button
- Company Admins are also able to select 'Run User Sync' if they'd like to run the sync to refresh data on demand
- The Sync owner can be clearly identified in this section as well to show who to contact regarding the sync set-up
- Note that only a Global/Microsoft administrator will be able to make any changes to the sync configuration or re-authenticate the token, which is why we highly suggest naming a Sync Owner
- Lastly, you will find the 'Auto send invites' setting in this section as well - we recommend turning this on only after you've launched and sent initial invites
- Global Administrators that are setting up the user sync will also see additional options, one of which will be the ability to sync specific groups from Microsoft/Office 365 - if no groups are specified, the entire company will be synced
- Global Administrators can also determine whether disabled users can be synced (or not synced) under the 'Sync Options' section
- Global Administrators can also sync teams directly from Microsoft/Office 365 if desired
Resolving Microsoft / Office 365 Re-authentication Issues in Recognize
Occasionally, it may be necessary to re-authenticate with Microsoft / Office 365. As best practice, we recommend that customers use dedicated service accounts to create the authentication connection. This ensures the connection does not rely on an individual user.
If you are planning to use a service account, and one is not already configured in Recognize, please review our User Sync Guide for the steps to add a service account to Recognize.
Then, follow these steps to successfully re-authenticate the connection:
- Navigate to the 'Company Admin Portal' in Recognize
- Within Company Admin, select 'Settings' from the left side menu
- Scroll down to locate the 'User Management' section within the Settings menu
- Click on the Authenticate with Microsoft / Office 365 button to initiate the re-authentication process
- After you have successfully re-authenticated with Microsoft/Office 365, toggle the Enable Sync setting to ON to resume the connection. Please do not re-enable this setting until the authentication connection is successfully reestablished.
It's important to consider the following:
- User Sync is the Source of Truth: Note that User Sync serves as the primary data source. Any manual data entries made within Recognize could be overridden by User Sync.
- Potential Data Overwrite: If certain fields in your Active Directory are left blank and those same options are set to 'ON' in the user management settings during User Sync, existing manual data in your Recognize account might be erased.
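The overwrite risk above, and the earlier advice to keep a field's toggle 'OFF' when the directory has no data for it, can be checked before enabling the sync. This is an added example, not part of Recognize: the field names follow Microsoft Graph user properties, matching accounts by e-mail address is an assumption, and both user lists are constructed sample exports.

```python
# Added example: pre-sync check for the overwrite risk described above.
# Field names follow Microsoft Graph user properties; matching on "mail"
# is an assumption, and both user lists are constructed sample data.
def is_blank(value):
    return value is None or (isinstance(value, str) and not value.strip())

def overwrite_risk(directory_users, recognize_users, enabled_fields, key="mail"):
    """Return {field: [user keys]} where the field is toggled on, the
    directory value is blank, and Recognize currently holds a value."""
    current = {u[key].lower(): u for u in recognize_users
               if not is_blank(u.get(key))}
    risk = {}
    for user in directory_users:
        if is_blank(user.get(key)):
            continue  # cannot be matched to a Recognize account
        existing = current.get(user[key].lower())
        if existing is None:
            continue  # new account: nothing to overwrite
        for field in sorted(enabled_fields):
            if is_blank(user.get(field)) and not is_blank(existing.get(field)):
                risk.setdefault(field, []).append(user[key].lower())
    return risk

def fields_to_turn_off(directory_users, enabled_fields):
    """Enabled fields that have no data anywhere in the directory export."""
    return sorted(f for f in enabled_fields
                  if all(is_blank(u.get(f)) for u in directory_users))

DIRECTORY = [  # constructed export from the corporate directory
    {"mail": "ana@example.com", "jobTitle": "Engineer", "department": "", "country": None},
    {"mail": "Ben@example.com", "jobTitle": None, "department": "Sales", "country": None},
    {"mail": "cy@example.com", "jobTitle": "Analyst", "department": "Ops", "country": None},
]
RECOGNIZE = [  # constructed export of current Recognize profiles
    {"mail": "ana@example.com", "jobTitle": "Engineer", "department": "Platform", "country": "US"},
    {"mail": "ben@example.com", "jobTitle": "Account Exec", "department": "Sales", "country": ""},
]
ENABLED = {"jobTitle", "department", "country"}  # toggles set to ON

if __name__ == "__main__":
    print("at risk:", overwrite_risk(DIRECTORY, RECOGNIZE, ENABLED))
    print("turn off:", fields_to_turn_off(DIRECTORY, ENABLED))
```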
If you have any questions, please contact us at: support@recognizeapp.com.