Active Directory Application

Learn more about the Active Directory application and how to automatically import employees into your Envoy directory.


How does this application work?

The Active Directory (AD) app works differently from cloud-based integrations such as G Suite, Okta, or OneLogin: Envoy does not pull from AD itself. Instead, a script that you run on one of your own domain-joined servers exports the relevant users from your AD instance to a CSV and uploads that CSV to Envoy. Your IT team installs that script (the "cron script") and schedules it to run on a timer.

Important Notes:

  • To run the Active Directory sync, make sure the server is running PowerShell version 3.0 or greater (check with $PSVersionTable.PSVersion) and has the ActiveDirectory module (RSAT) available.

  • You can manually create new employees or add employees from other locations while maintaining your directory sync. This feature is helpful for contractors, temps, or other people who may host visitors/receive deliveries but are not core team members. Learn more about manually adding employees.

Enabling the Envoy + Active Directory application

  1. Under Directory and SSO, select "Directory settings," navigate to Active Directory, and click “Install.”

Step 1: Run initial sync

  1. Locate your cron script in the app configuration and copy it. Save it as envoy-ad-sync.ps1 on your server.

  2. Read through the top part of the script and customize the variables from the plugin configuration to match your organization’s implementation.

  3. This typically means setting the correct Organizational Units (OUs) to search and, optionally, customizing where the sync saves its temporary files.

  4. Run the script from PowerShell (or from a command prompt via powershell.exe) to verify that it syncs users to Envoy. Confirm on the Envoy dashboard, which shows when your last sync ran.

    1. You may need to adjust the PowerShell script execution policy on the server. Prefer a scoped exception, for example running the script with -ExecutionPolicy Bypass for that process only or unblocking the file with Unblock-File, rather than setting the machine-wide policy to Unrestricted.

    2. For the Active Directory sync to complete successfully, every entry in the CSV generated by PowerShell must have a valid email address; a row without one fails the sync.

    3. The upload requires TLS 1.2. If the script fails while forcing TLS 1.2 (typically on older .NET versions where the Tls12 enum name is not defined), find this line in the Envoy cron script:

      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

      and replace it with the same setting expressed as the numeric enum value (3072 is the value of Tls12 in SecurityProtocolType; the C#-style form ServicePointManager.SecurityProtocol |= (SecurityProtocolType)3072; does not run in PowerShell):

      [Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor 3072

      then run the script again.

Step 2: Setting up the script to run via Task Scheduler

Now, you’re ready to schedule the script to run automatically.

  1. Open Task Scheduler on the machine with the script.

  2. Open Task Scheduler Library and select “Create Task.”

  3. Adjust settings accordingly. It’s important that the user account set to run this task is able to read OUs and user accounts in your Active Directory environment. A standard domain user with read access to the configured OUs (and the "Log on as a batch job" right on the server) is sufficient; do not run the task as a Domain Admin, since the account's credentials are stored by Task Scheduler on that machine.

  4. Set a schedule for the script to run by creating a new trigger, for example daily at 1 AM.
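The same task, registered from PowerShell instead of the Task Scheduler GUI. This is an added example, not part of Envoy's cron script; the task name, script path and service account name are assumptions for illustration.

```powershell
# Added example (not Envoy's script): register the daily 1 AM sync task under a
# dedicated, low-privilege domain account. $TaskName, $ScriptPath and $RunAs are
# assumed values; change them to match your environment.
$TaskName   = 'Envoy AD Sync'
$ScriptPath = 'C:\ProgramData\EnvoySync\envoy-ad-sync.ps1'
$RunAs      = 'CORP\svc-envoy-sync'   # plain domain user that can read the OUs; not a Domain Admin

# -ExecutionPolicy Bypass applies to this process only, so the machine-wide policy
# stays as it is; -NonInteractive makes a hung prompt fail instead of blocking.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""

$trigger = New-ScheduledTaskTrigger -Daily -At '1:00AM'

# Retry on transient failures (e.g. Envoy unreachable) and kill a hung run before
# the next scheduled one, so two syncs never overlap on the same temp files.
$settings = New-ScheduledTaskSettingsSet -RestartCount 3 `
    -RestartInterval (New-TimeSpan -Minutes 10) `
    -ExecutionTimeLimit (New-TimeSpan -Hours 1) `
    -MultipleInstances IgnoreNew

# Prompt for the service account password rather than embedding it in a script.
$cred = Get-Credential -UserName $RunAs -Message 'Password for the sync service account'

# -RunLevel Limited: the sync only reads AD and writes a temp file, so it does not
# need an elevated token.
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Settings $settings -User $cred.UserName `
    -Password $cred.GetNetworkCredential().Password -RunLevel Limited

# Run it once now and confirm the Envoy dashboard shows a fresh "last sync" time.
Start-ScheduledTask -TaskName $TaskName
```

The service account must hold the "Log on as a batch job" user right on the server, or the task will register but never start; grant it via Local Security Policy or a GPO rather than by adding the account to Administrators.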


How do I alter the script to use a different attribute, such as userPrincipalName?

  • Replace "mail" with "userPrincipalName" wherever the script reads the email attribute: in the Get-ADUser -Filter expression and in the property it writes to the CSV's email column. Note the spelling: the AD attribute is userPrincipalName, not userPrincipleName.

How do I exclude a sub-OU?

  • Add a Where-Object filter after the "Get-ADUser" call on that line of the script, keeping the rest of the pipeline after the trailing "|" unchanged:

  • $out += Get-ADUser -SearchBase $ou -Properties * -Filter "(mail -like '*@*') -and (Enabled -eq 'True')" | Where-Object {$_.DistinguishedName -notlike "*,OU=[INSERT OU NAME],OU=[INSERT OU NAME]*"} |

  • List the OUs innermost-first, exactly as they appear in a user's distinguished name (for example "*,OU=Interns,OU=Staff*" excludes the Interns OU under Staff).
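A complete export stage that puts the pieces from Step 1 and the two questions above together: it forces TLS 1.2, searches several OUs, excludes a sub-OU, lets you switch the email attribute, and refuses to write a CSV containing rows without a valid email address (the condition that fails the sync). This is an added example and is not Envoy's cron script; the OU names, temp directory, CSV column names and the requirement that the Envoy-provided upload step consumes the resulting file are assumptions for illustration.

```powershell
# Added example (not Envoy's cron script). Exports enabled AD users that have an
# email address, from the configured OUs, to a CSV for the Envoy upload step.
# All paths, OU names and CSV column names below are assumed values.
#Requires -Version 3.0
#Requires -Modules ActiveDirectory

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Force TLS 1.2 for the later upload. 3072 is the numeric value of Tls12, so this
# form also works on .NET builds that predate the Tls12 enum name.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor 3072

# --- Configuration (assumed values; match your own domain) ---
$SearchBases = @(
    'OU=Staff,DC=corp,DC=example,DC=com',
    'OU=Engineering,DC=corp,DC=example,DC=com'
)
$ExcludedOuFragment = 'OU=Interns,OU=Staff'   # innermost-first, as in the DN; users under it are skipped
$EmailAttribute     = 'mail'                  # or 'userPrincipalName'
$TempDir            = Join-Path $env:ProgramData 'EnvoySync'
$CsvPath            = Join-Path $TempDir 'envoy-employees.csv'

# Request only the attributes you export. "-Properties *" pulls every attribute
# (more than you want sitting in a temp file) and is slower on large OUs.
$Props = @('givenName', 'sn', 'mail', 'userPrincipalName', 'telephoneNumber', 'title')

$users = foreach ($ou in $SearchBases) {
    Get-ADUser -SearchBase $ou -Properties $Props `
        -Filter "($EmailAttribute -like '*@*') -and (Enabled -eq 'True')" |
        Where-Object { $_.DistinguishedName -notlike "*,$ExcludedOuFragment,*" }
}

# The -Filter already requires an '@', but validate again here: a single row
# without a usable address fails the whole sync, so skip and log it instead.
$rows = foreach ($u in $users) {
    $email = $u.$EmailAttribute
    if ([string]::IsNullOrWhiteSpace($email) -or $email -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        Write-Warning "Skipping $($u.DistinguishedName): no valid email in '$EmailAttribute'"
        continue
    }
    [pscustomobject]@{
        'First Name'   = $u.givenName
        'Last Name'    = $u.sn
        'Email'        = $email
        'Phone Number' = $u.telephoneNumber
        'Title'        = $u.title
    }
}

if (-not $rows) { throw 'No users matched the search; refusing to export an empty directory.' }

if (-not (Test-Path $TempDir)) { New-Item -ItemType Directory -Path $TempDir | Out-Null }
$rows | Sort-Object Email | Export-Csv -Path $CsvPath -NoTypeInformation -Encoding UTF8

# The CSV holds employee PII: strip inherited ACLs and leave only the account
# running the sync (the scheduled task's service account) with access.
$acct = "$env:USERDOMAIN\$env:USERNAME"
icacls $CsvPath /inheritance:r /grant:r "${acct}:(R,W)" | Out-Null

Write-Host "Wrote $($rows.Count) users to $CsvPath; hand this file to the Envoy upload step."
```

Run it interactively first as the service account; the warnings tell you which users would have broken the sync before anything is uploaded. The exclusion test matches the DN fragment with a comma on both sides, so "OU=Staff" does not accidentally match "OU=StaffContractors".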
