Harvest Groups

When using Windows Authentication, you need to “harvest” groups from the Active Directory or the Graph API interface.

Under Quick Access, select Security.

Select Groups > Harvest Group.

Active Directory

1. Select Active Directory harvester from the drop-down menu.

2. Enter the domain of the Active Directory. (To find this on your computer, click Settings > System > About > Domain or Workgroup, or type Domain in your Windows search bar and select this option.)

3. Enable secure LDAP if required. If using Secure LDAP (LDAPS), remember to include the secure port (636 by default) in the ‘Active directory domain’ section.

Use this format:

<domain>:<secure_LDAPS_port>

Note: LDAP is a protocol for accessing Active Directory information (users, groups, etc.). Secure LDAP (also called LDAPS) uses Secure Sockets Layer protocols and is used rarely.

4. Enter the path to the Group Container if known. The Group Container is the default location for new user accounts and groups created in the domain.

5. Enable Remove Groups to remove previously harvested group records that are no longer in the AD (for example ex-employees, contractors, etc.).

Click Harvest.
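A pre-flight check for step 3, added here as an example (it is not part of the product or its documentation): it validates a value in the <domain>:<secure_LDAPS_port> format and, when a real value is passed on the command line, confirms that the port completes a TLS handshake with a trusted certificate. The function names and the corp.example.com sample values are assumptions.

```python
import socket
import ssl
import sys

DEFAULT_LDAPS_PORT = 636  # default secure port named in step 3


def parse_domain_field(value):
    """Split '<domain>:<secure_LDAPS_port>' into (domain, port)."""
    domain, sep, port_text = value.strip().rpartition(":")
    if not sep:
        raise ValueError(f"no port given; expected <domain>:<port>, e.g. :{DEFAULT_LDAPS_PORT}")
    if not domain or not port_text.isdigit():
        raise ValueError(f"not in <domain>:<port> form: {value!r}")
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return domain, port


def check_ldaps(domain, port, timeout=5.0):
    """Complete a TLS handshake with certificate and hostname verification.

    Raises ssl.SSLCertVerificationError if the certificate is untrusted or
    does not cover the name, and OSError if the port cannot be reached.
    """
    context = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((domain, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=domain) as tls:
            cert = tls.getpeercert()
            return {"tls_version": tls.version(), "expires": cert.get("notAfter")}


if __name__ == "__main__":
    # With no argument, only parse constructed sample values (no network use).
    live = bool(sys.argv[1:])
    samples = sys.argv[1:] or ["corp.example.com:636", "corp.example.com"]
    for value in samples:
        try:
            domain, port = parse_domain_field(value)
        except ValueError as err:
            print(f"{value}: rejected ({err})")
            continue
        if live:
            print(f"{value}: {check_ldaps(domain, port)}")
        else:
            print(f"{value}: parsed as domain={domain} port={port}")
```

A certificate verification error from check_ldaps means the machine running the check does not trust the certificate presented on that port, or the certificate does not cover the name that was entered.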

Graph API

Select Graph API harvester from the drop-down menu.

Enter Client and Tenant IDs and the application secret.

Enable Security Groups Only to harvest groups whose accounts are enabled in the Azure Active Directory (now called Microsoft Entra ID).

Remember

  • Once an initial set of groups and users has been created, new harvests or imports will not duplicate records from the previous import.
  • Duplicated user or group names are not supported. The import will only add new records.
  • An import does not delete the currently saved security model, i.e., permissions are maintained between imports.