Help Center

Synchronizing user accounts with Active Directory and G Suite

Large organizations often use Microsoft Active Directory or Google G Suite to manage employee accounts on a company network. Pyrus works with both, and lets you easily manage the list of accounts synchronizing users with your identity provider.

This synchronization saves an administrator’s time, reduces the number of errors in creating new accounts, and enhances security by blocking access to former employees’ accounts across all systems.

Synchronizing Pyrus with Microsoft Active Directory

The user automatically receives an invitation to Pyrus when a new account is created in Active Directory. When blocked in Active Directory, the user loses access to his or her Pyrus account, and all their active sessions are terminated across all devices.

Configuring synchronization

Launch Pyrus Sync, then click Active Directory Sync in the left panel.

Pyrus Sync will prepare accounts for synchronization, and you will see everything being sent to Pyrus. You can change the mapping by selecting the right values in the Active Directory section.

Important: Only users from the organizational units (OU) whose titles end with “user” or “users” (like sales department users) will be synchronized.

If your organization structure has several hierarchy levels, you need to manually create those levels first in the Pyrus orgchart. Pyrus Sync will map the user attributes in Active Directory to the Pyrus organization structure during synchronization. If there are departments in Active Directory that aren’t listed in the organizational structure in Pyrus, they will appear in Pyrus after synchronization.

Note: Every two hours, Pyrus Sync tracks changes in Active Directory and prepares them for synchronization. If any changes should be sent immediately to Pyrus, click Update now before synchronizing.

Click Sync and the program will show the changes that it found.

  • Add — this adds a list of new users. They will be added to Pyrus after synchronization.
  • Update — if any changes have been made since the last synchronization (like a change in name or position), you will find them in this section.
  • Block — this group includes users who have been blocked in Active Directory. They won’t be able to access their accounts after synchronization.

The status indicated in the Status column shows why some users will be added and why others will be updated or blocked.

  • New is for the new users. They will be added to Pyrus after synchronization.
  • Update — if any changes have been made since the last synchronization, like a change in name or position, you will see updated details in Pyrus after synchronization.
  • Block — this status is for the users who aren’t found and users who have been blocked in Active Directory or located in an organizational unit whose name doesn’t include “user” or “users.” They won’t be able to access their Pyrus accounts after synchronization.
  • Unblock — these are users who are blocked in Pyrus. They will be added to Pyrus again.
  • Bind — these are Pyrus users who haven’t been synchronized with AD. After synchronization, they will be binded to the AD users by their email address.

Pyrus Tip: The list of updated elements may include hundreds of entries. For example, when a company goes international, employee names should be transliterated into English. To find the right person on a large list, use the Search users field. The search supports regular expressions. Let’s suppose titles of some user accounts start with a number. To quickly find them, enter ^[0-9] in the search box.

If you don’t want certain accounts to be synchronized in Pyrus, mark them with a check in the list and click Add to exceptions.

Click Sync to start synchronizing. Pyrus Sync will report the results upon completion.

Important

  • Synchronize with Pyrus Sync every time you add or block a user in Active Directory, or at least once a day.
  • When your organization changes its primary domain name (for example, from moscow.company.com to company.com), it can appear that some users have two email addresses (user@moscow.company.com and user@company.com). For correct synchronization with Pyrus, make sure that each user in Active Directory has one email address for the new domain.

Troubleshooting

  • If a user tries to start synchronization without Pyrus Administrator rights, they will see this error message. Solution: give the user Administrator rights, or log in to Pyrus Sync as an Administrator and run the synchronization.

  • The error message appears when opening Active Directory Sync in Pyrus Sync on a machine that is not in the Active Directory domain. Solution: start synching on a machine that is in your Active Directory domain.

Synchronizing Pyrus with Google G Suite

If you manage your users with G Suite, your colleagues can join your organization in Pyrus and log in with their corporate emails. If they’re blocked in G Suite, they can’t log in to Pyrus.

Setting it up

No synching with G Suite is necessary, just send a link to your colleagues. They will log in to Pyrus using their Google accounts and will be automatically added to your organization. Later on, your colleagues will be able to log in to Pyrus the same way, or with a code sent to their corporate emails.

If you block or delete users in G Suite, they will lose access to their corporate email and won't be able to log in to Pyrus.

Note: blocked users will lose access to Pyrus only after their active sessions are terminated, and only if they have not set a permanent password. We strongly recommend that you block the user in Pyrus on the User management page.

Was this article helpful?