Synchronize users and groups from Azure AD

You will need an administrator role in Azure to be able to complete this guide.

Note: Synchronization with Azure AD is a feature available in our PLATINUM price plan.

To obtain the required API key/secret pair, go to the Secure Practice customer portal and navigate to security settings:

  • Click the «Settings» button in the top right corner, and navigate to the «SECURITY» tab.
  • Then, locate the «API access» section, and click «Enable API»:


TIP: To avoid any personal dependencies, we recommend that you use a designated admin user for any API access, and generate the API keys via that user.

After completing the previous guide on enabling SSO, you may already have a Secure Practice enterprise application in your Azure AD instance.

  • Click the «Secure Practice» application, and then the «Provisioning» tab in the left menu, and then the «Get started» button to continue.

Unable to click the «Get started» button?

Microsoft Azure may refuse to set up user provisioning on an existing SSO application, due to a permission issue with the service principal. In this case, simply create another enterprise application in your directory; users will not see this provisioning application anywhere.

Before we begin the provisioning process, we need to define which users should be included in the synchronization scope towards Secure Practice. This may also be updated at any time later.

  • Click the «Users and groups» tab for your enterprise application.
  • Add any assignments for groups and/or users to be included, and save.

The next step requires your Secure Practice API key and secret pair for authorizing Microsoft Azure to perform updates on your Secure Practice accounts.

The Azure wizard, however, needs a special token: the base64-encoded value of the API key and API secret you obtained earlier, joined together by a colon (:).

Generate your base64-encoded secret token here

The secret token is generated privately on your local device.
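To build the same token in a terminal instead, the following shell sketch is an added example (not Secure Practice's own tooling); the function names `make_token` and `prompt_token` are hypothetical, and it assumes that keys and secrets contain no whitespace and that the key contains no colon. Base64 is an encoding, not encryption, so the resulting token must be protected like the key and secret themselves.

```shell
#!/bin/sh
# Added example: build base64("<API key>:<API secret>") for the Azure
# provisioning wizard. Function names are hypothetical.

# make_token KEY SECRET -> prints the token on one line, no trailing newline.
make_token() {
    # Assumption: keys/secrets contain no whitespace, so strip the spaces,
    # tabs, CR and LF that copy-paste from a web page often carries along.
    key=$(printf '%s' "$1" | tr -d ' \t\r\n')
    secret=$(printf '%s' "$2" | tr -d ' \t\r\n')
    if [ -z "$key" ] || [ -z "$secret" ]; then
        echo "error: API key and secret must both be non-empty" >&2
        return 1
    fi
    # Assumption: the colon is only the separator, so a key containing one
    # would make the decoded pair ambiguous and is treated as a paste error.
    case $key in
        *:*) echo "error: API key must not contain ':'" >&2; return 1 ;;
    esac
    # printf (not echo) so no newline gets encoded into the token; tr removes
    # the line wrapping some base64 implementations add to long output.
    printf '%s:%s' "$key" "$secret" | base64 | tr -d '\n'
}

# prompt_token -> reads both values from the terminal, so they never appear
# in shell history or the process list; the secret is not echoed.
prompt_token() {
    trap 'stty echo' INT TERM          # restore echo if interrupted
    printf 'API key: ' >&2
    read -r k
    printf 'API secret: ' >&2
    stty -echo
    read -r s
    stty echo
    printf '\n' >&2
    make_token "$k" "$s" && printf '\n'
    unset k s
    trap - INT TERM
}

# Run as: sh token.sh --prompt   (the file name is a placeholder)
if [ "${1:-}" = "--prompt" ]; then
    prompt_token
fi
```

A token with a stray newline or carriage return encoded into it is a typical reason for the wizard's connection test to fail, which is why the values are cleaned before encoding.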

When inside the provisioning wizard, expand the «Admin Credentials» tab:

  • Input tenant URL (, and your secret token:

After successfully testing the connection and saving your credentials, the provisioning tab will now reveal that provisioning is disabled by default.

  • Change the «Provisioning Status» setting to «On».
  • Select «Selected users and groups» as the desired scope, and save.

The integration will synchronize whichever users you enable for this application, either directly or through group memberships. Synchronization is not immediate, but happens at periodic intervals, several times each day.

Finally, if you had to create a separate enterprise application for user synchronization, in addition to your SSO application, it could be a good idea to hide the new application from assigned users.

  • Click the «Properties» tab for your enterprise application.
  • Disable the «Enable users to sign-in» and «Visible to users» settings, and save.

We are happy to answer any questions you may have, including on compliance or data protection.