AvePoint Learn
Request article
Contact support
Request article
Contact support
English

Home > Import Objects > Import Microsoft Entra Groups

Export to PDF

Import Microsoft Entra Groups

You can either manually import existing Microsoft Entra groups or set up profiles to automatically discover and import them using the following instructions:

Manually Import Microsoft Entra Groups

To import existing distribution groups, security groups, and mail-enabled security groups, complete the following steps in order:

1. Export Microsoft Entra Group Information to a Template File

Complete the following steps to export a template file that contains group information:

  1. In the Cloud Governance admin center, navigate to Profiles & templates > Manual import, and then click Export a template on the ribbon.

  2. Configure the following settings in the Export a template panel:

    1. Export job name ‒ Enter a name for the export job.

    2. Description ‒ Enter an optional description for future reference.

    3. Object type ‒ Select Microsoft Entra group.

    4. Scope ‒ Define the scope for the groups you want to export. Click Add to open the Add containers panel. Then, select one or more containers that were configured in AvePoint Online Services and click Add. Groups within the containers that are not currently managed by AvePoint Cloud Governance will be exported to the template file.

      NOTE

      Make sure groups have already been discovered and added into the appropriate AvePoint Online Services containers.

    5. Metadata – Add metadata that will be added to the exported template file. You can then review and edit the metadata values of the groups. Click Add. In the Add Metadata window, select metadata and click Add to list.

  3. Click Export to export the template file. After the export job is completed, navigate to Job monitor. Select the export job and click Download on the ribbon to export the template file.

2. Configure the Template File to Provide Governance Details

To configure an exported Microsoft Entra group template file, complete the following steps:

  1. Navigate to the location where the exported template file is saved.

  2. Open the template file to view and configure the following information for each group.

    NOTE

    The template file contains column headings in the first row and these headings are required. The information you enter must be exact, including spaces and capitalization.

    • Tenant ID ‒ Displays the tenant ID of the group.

    • Email Address or ID ‒ Displays the email address or ID of the group.

    • Group Type ‒ Displays the type of the group.

    • Primary Contact ‒ Enter the email address of a user to assign the user to be the primary group contact.

    • Secondary Contact (optional) ‒ Enter the email address of a user to assign the user to be the secondary group contact.

    • Contact Election Profile (optional) – Enter a Microsoft Entra group contact election profile name to apply the profile to the group.

    • Renewal Profile (optional) – Enter a Microsoft Entra group renewal profile name to apply the profile to the group.

    • Metadata ‒ If you have selected metadata for the export job, the metadata is included in the template file. You can edit the metadata value for each group or remove the metadata that you do not want to apply to any groups.

      Note the following:

      • If the type of the metadata is Hyperlink, the metadata value must be the desired text and the hyperlink address separated by a semicolon.

      • If the metadata type is Lookup, AvePoint recommends that you do not change the format of the SharePoint library/list column whose value will be retrieved as the metadata value. Make sure the metadata value is in one of the following types: Yes/No, Date and Time, and User or Group.

      • If the metadata type is Microsoft Entra property, the metadata value must be the user email address.

  3. Save the template file after the configuration.

3. Import the Template File

To import the configured template file, complete the following steps:

  1. In Profiles & templates > Manual import, complete the following settings:

    1. Import job name ‒ Enter a name for the import job.

    2. Description ‒ Enter an optional description for future reference.

    3. Object type ‒ Select Microsoft Entra group.

    4. Import a template file (.xlsx) ‒ Click Browse to locate the configured template file.

  2. Click Import to start the import job and apply the governance details.

4. View Import Results

After you start the import job, go to Job monitor. When the import job status changes to Completed, it indicates that the groups included in the template file have been successfully imported to AvePoint Cloud Governance.

If the import job status changes to Completed with Exception, it indicates that one or more groups are not successfully imported. Follow the steps below to view the import results:

  1. Select the import job and click Download on the ribbon to download the job report.

  2. Navigate to the location where the import result file is saved and open the file.

  3. The Result column shows the import result.

    • Successful indicates the group has been successfully imported.

    • Failed indicates the group is not imported. You can refer to the details in the Comment column for troubleshooting and modify the template file.

      When you modify the template file, remove the rows of the groups that have been successfully imported and only keep the failed groups. After modifying the template file, you can import the template file again to re-import those groups.

    • Skipped indicates the group is skipped being imported. You can refer to the details in the Comment column to find the reason.

Automated Import for Microsoft Entra Groups

To set up profiles to discover newly created distribution groups, security groups, or mail-enabled security groups that have been created outside of AvePoint Cloud Governance and automatically import the groups, complete the following steps in order.

1. Create a Scan Profile to Discover Groups

To ensure AvePoint Cloud Governance can automatically import the newly created groups, you must create a scan profile first. Complete the following steps to create a scan profile in AvePoint Online Services:

NOTE

Creating a scan profile requires a Service Administrator role in AvePoint Online Services.

  1. Navigate to AvePoint Online Services > Auto discovery > Scan profiles.

  2. Create a scan profile.

    • Select Microsoft 365 > Security and distribution group as the object type.

    • If you want to import all groups, you can choose Express mode.

    • If you want to import the groups that meet specific rules, you can choose the Advanced mode.

    • Make sure a scan schedule is configured in the scan profile settings.

    For details on creating a scan profile, see Manage Scan Profiles.

2. Create an Automatic Import Profile

To configure a Microsoft Entra group automatic import profile in the Cloud Governance admin center, go to Management > Profiles & templates > Automatic import profiles, click Create on the ribbon, and select Microsoft Entra group automatic import profile from the drop-down list. Then, configure the following settings in the Create Microsoft Entra group automatic import profile panel:

NOTE

You can choose whether to Show guidance to confirm governance details task assignees respectively in the contact, profiles, and metadata steps of the confirm governance details tasks. If you want to show guidance, select a guidance profile from the drop-down list. You can click View profile details to view the details of the selected guidance profile. You can also click the create button to create a new profile. For more information about how to create a guidance profile, refer to Configure Guidance Profiles. To retrieve the latest guidance profiles that are available, you can click the refresh button.

  1. Profile name – Enter a name for the Microsoft Entra group automatic import profile.

  2. Description – Enter an optional description for the Microsoft Entra group automatic import profile.

  3. Notes to primary contact – Your notes can help the primary group contact decide if they are the correct contact, as well as help them fill in missing group information during the confirm governance details process. Enter the notes to be displayed in your desired languages by completing the following steps:

    1. Click the edit button of your desired languages.

    2. In the Edit message panel, enter your desired notes in the text box.

    3. Click Save when you finish the configuration.

    Default language – Select a default language. Note that only the languages that are enabled as available languages can be selected as the default language.

    If a user's Cloud Governance display language is not one of the enabled options, the notes will be shown in the default language.

  4. Scope – Define the scope for this profile to scan for new groups. Click Add to open the Add containers panel. Then select one or more containers that were configured in AvePoint Online Services.

    Note the following:

    • Make sure groups have already been discovered and added into the appropriate AvePoint Online Services containers.

    • Containers that have been added to other profiles cannot be selected.

  5. Automatic import schedule – Specify an interval and a start time for the automatic import process to define the automatic import schedule.

    • Interval – Enter an integer in the text box and select Days, Weeks, or Months as the unit of time to specify the automatic import interval.

    • Start time – Select a date and time as the start time for the automatic import process.

  6. Contacts – Configure the primary contact and/or secondary contact for the imported groups.

    • People picker filter profile – Select a people picker filter profile from the drop-down list. The filter settings will be applied to the group contact people picker fields in the confirm governance details task. The filter settings determine what users are searchable and can be chosen in these fields. After selecting a people picker filter profile, you can click View profile details to view the details of the profile.

      You can also click the create button or go to Management > Profiles & templates > People picker filter profiles to create a people picker filter profile. For more instructions, refer to Configure People Picker Filter Profiles.

    • Primary contact – Enter the name of a user or enter $ to select a user role $Group owner as the primary contact who will be responsible for the newly imported groups. When you specify the role $Group owner, the owner of the group will be responsible for the confirm governance details task.

      • Select an email template from the drop-down list for the Notification email to confirm the governance details task assignment.

      • Choose whether to Notify the primary contact when groups are imported to Cloud Governance. With the notification email enabled, select an email template from the drop-down list for the notification email.

    • Secondary contact – Enter the name of a user as the secondary contact who will be responsible for the newly imported groups.

      • Select an email template from the drop-down list for the Notification email to confirm the governance details task assignment.

      • Choose whether to Notify the secondary contact when groups are imported to Cloud Governance. With the notification email enabled, select an email template from the drop-down list for the notification email.

  7. Lifecycle management actions – Choose whether to Allow the primary contact to delete a group during the automatic import process.

  8. Renewal profile – Select one or more renewal profiles for the newly imported groups. You can also click Create and create a Microsoft Entra group renewal profile in the Create Microsoft Entra group renewal profile panel. For details on how to configure a Microsoft Entra group renewal profile, refer to Configure Microsoft Entra Group Renewal Profiles.

    Default profile – Select a default renewal profile from the drop-down list.

    Choose one of the following options to determine how to set the Microsoft Entra group renewal profile:

    • Require business users to configure this field – A renewal profile is required to be selected in the confirm governance details task. You can select a renewal profile and business users can change the renewal profile in the confirm governance details task.

    • Show this field as read-only to business users – You select a renewal profile and business users cannot change the renewal profile in the confirm governance details task.

    • Hide this field from business users – You select a renewal profile, and it will not be shown in the confirm governance details task.

  9. Contact election profile – With a profile applied to the groups, an automated contact election process will start when the primary or secondary contact is deactivated. Select one or more contact election profiles for the newly imported groups. You can also click Create and create a Microsoft Entra group contact election profile in the Create Microsoft Entra group contact election profile panel. For details on how to configure a Microsoft Entra group contact election profile, refer to Configure Microsoft Entra Group Contact Election Profiles.

    Default profile – Select a default contact election profile from the drop-down list.

    Choose one of the following options to determine how to set the Microsoft Entra group contact election profile:

    • Require business users to configure this field – A contact election profile is required to be selected in the confirm governance details task. You can select a contact election profile and business users can change the contact election profile in the confirm governance details task.

    • Show this field as read-only to business users – You select a contact election profile and business users cannot change the contact election profile in the confirm governance details task.

    • Hide this field from business users – You select a contact election profile, and it will not be shown in the confirm governance details task.

  10. Metadata – Choose the method to determine what metadata will be applied to the newly imported groups:

    • Manual – With this option selected, you can choose the metadata to apply to the newly imported groups. Click Add to open the Add metadata panel. Then, select available metadata in your tenant and click Add to list.

      If you want to modify the metadata value, click the Edit button and edit the metadata value in the panel.

    • Dynamic – With this option selected, select a dynamic metadata profile from the drop-down list and the metadata to be applied to the newly imported groups will be loaded based on the conditions or branches defined in the profile.

  11. Duration and escalation – Specify a duration for the entire automatic import process. Enter a number in the text box and select Days, Weeks, or Months as the unit of time.

    • You can choose to Send a reminder email to the primary contact before the confirmation task is overdue, and then select a reminder profile from the drop-down list.

    • You can choose to Enable an escalation for an overdue import process, and then select an escalation profile from the drop-down list. If the confirm governance details task is not completed within the specified duration, the group import process will be overdue. The groups will be deleted based on the escalation profile.

      After selecting an escalation profile, you can click View profile details to view the details of the selected profile.

  12. Administrator contact – Specify a user or group (Microsoft 365 Group, distribution group, or mail-enabled security group) to be the administrator contact to monitor the automatic import process.

    • Notification email template for the completed group import – Select an email template to notify the administrator contact when the group import process is completed.

    • Notification email template for completed governance details confirmation – Select an email template to notify the administrator contact when the governance details confirmation is completed.

  13. Click Save to save all your configurations.

3. Monitor Automatic Import Results

In Job monitor in the Cloud Governance admin center, you can monitor the status and results of automatic import jobs. When a job status is shown as Completed, it indicates that the newly discovered groups have been successfully imported to AvePoint Cloud Governance.

If a job status is shown as Exception, it indicates that one or more groups are not successfully imported. Follow the steps below to view the import results:

  1. Select the automatic import job and click Download on the ribbon.

  2. Open the automatic import result file to see the detailed import result.

  3. The Status column shows the import result:

    • Successful indicates that the group has been successfully imported.

    • Failed indicates the group is not imported. You can refer to the details in the Comment column for troubleshooting.