Azure Sync Expiration

Created by Yves Lacombe, Modified on Mon, 30 Oct 2023 at 04:49 PM by Yves Lacombe



If you've been with Vircom & Proofpoint for a while (more than two years) and you're using Office 365, chances are that we set up an Office 365 sync with you so that your users in Office 365 are reflected in Proofpoint and updated daily as you make changes to your user base and mailboxes.



ISSUE


The main issue is that the shared secret Proofpoint uses for the sync has a limited lifetime on the Office 365 side: the client secret for the Azure Active Directory sync has a maximum duration of two years. Once it reaches its expiration date, the sync no longer works.



SYMPTOMS


Once the secret has expired, adding or removing an employee mailbox is no longer reflected in Proofpoint. Mail flow for existing users is typically unaffected, but changes (such as adding or removing users or aliases) no longer reach Proofpoint.


If you log in to Proofpoint, go to USER Management -> Azure Active Directory Sync and click Save, you will typically get an error indicating that the sync is not working.





FIX


There is an automatic method and a manual method.




AUTOMATIC METHOD



1- Log in to the Vircom Portal


vircomportal.com


Note: you need to log in with an admin account. The username is the email address of that account and the password is its local Proofpoint password; your Office 365 password will not work here. If you don't know the local password, set one by requesting a password reset from the Proofpoint login page.



2- From the menu, go to the Office365 menu and then the Azure Active Directory sub-option.


You will see CONFIGURE if you've never configured the sync through the portal before, or FIX if we detect that the secret has expired. Either way, once the secret is fixed or created, we track its creation/update date and alert you of the expiry before the two-year duration runs out.



When you click FIX or CONFIGURE you will be asked for credentials; use your Office 365 global admin credentials here.


If you need help, feel free to reach out to us.





MANUAL METHOD



PROCEDURE


1- Validate the existing secret is indeed defunct.

2- Generate the new secret

3- Put it in proofpoint azure sync 

4- (Optional) Update the secret in VircomPortal


Please note that if this feels too complicated, feel free to ask us to do it with you.






1- Validate the existing secret is indeed defunct.


Go to Microsoft Office365 Administration Menu -> Identity



Expand APPLICATIONS and click on APP REGISTRATIONS



Select ALL APPLICATIONS and locate the one whose name contains "PPE", "Proofpoint" or "ModusCloud". Normally you should have only one; the example below shows several only because it is our test environment.


The application ID in the right column should match the application-id field under the Azure sync in the Proofpoint portal.


While you're at it, copy the application ID to your clipboard and then to Notepad for safekeeping; you will need it later.





Once you've located the proper APP REGISTRATION, select it.


Click on "Certificates and Secrets"



In our example it's not expired ... but in yours it probably will be:
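The same check can be scripted instead of eyeballed, which is also how you catch the expiry before the sync silently stops. This is an added example, not Vircom's or Proofpoint's code; it assumes the JSON shape printed by the Azure CLI command `az ad app credential list --id <application-id>` (objects with displayName, keyId and endDateTime), and the sample records below are constructed.

```python
"""Flag expired or soon-to-expire client secrets on the Proofpoint sync app registration.

Added example, not Vircom's or Proofpoint's code. Assumes the JSON printed by
`az ad app credential list --id <application-id>` (objects carrying
displayName / keyId / endDateTime), so it can be used as:
  az ad app credential list --id <application-id> | python check_secret_expiry.py
"""
import json
import sys
from datetime import datetime, timezone

WARN_DAYS = 30  # warn well before the 24-month maximum lifetime runs out

# Constructed sample in the shape of `az ad app credential list` output (not real values).
SAMPLE_OUTPUT = json.dumps([
    {"displayName": "ppe-sync-2021", "keyId": "00000000-0000-0000-0000-000000000001",
     "endDateTime": "2023-10-01T00:00:00Z"},
    {"displayName": "ppe-sync-temp", "keyId": "00000000-0000-0000-0000-000000000002",
     "endDateTime": "2023-11-15T00:00:00.123456Z"},
    {"displayName": "ppe-sync-2023", "keyId": "00000000-0000-0000-0000-000000000003",
     "endDateTime": "2025-10-30T00:00:00Z"},
])


def parse_graph_time(value: str) -> datetime:
    """Graph timestamps are ISO-8601 UTC, optionally with fractional seconds and a Z suffix."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def classify_secrets(credentials_json: str, now_utc: str, warn_days: int = WARN_DAYS) -> list:
    """Return one record per secret with days remaining and a state of OK / EXPIRING / EXPIRED."""
    now = parse_graph_time(now_utc)
    report = []
    for cred in json.loads(credentials_json):
        days_left = (parse_graph_time(cred["endDateTime"]) - now).days  # negative once expired
        if days_left < 0:
            state = "EXPIRED"
        elif days_left <= warn_days:
            state = "EXPIRING"
        else:
            state = "OK"
        report.append({"name": cred.get("displayName"), "keyId": cred["keyId"],
                       "days_left": days_left, "state": state})
    return report


if __name__ == "__main__":
    raw = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    rows = classify_secrets(raw, datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"))
    for r in rows:
        print(f"{r['state']:<8} {r['days_left']:>5}d  {r['name']}  ({r['keyId']})")
    sys.exit(1 if any(r["state"] != "OK" for r in rows) else 0)  # non-zero exit: alert from a scheduled job
```

Run without piped input it reports on the constructed sample; a non-zero exit from a scheduled job is the cue to renew the secret using the steps that follow.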





2- Generate the new secret


On the same page, click "+ New Client Secret"


Give it a name and use the expiry pull-down to select the maximum duration (24 months).



Click the ADD button.


IMPORTANT - do not navigate away from the web page until you have copied and pasted the new secret into Notepad.


The new secret is visible only once. Copy it to your clipboard and then to Notepad; you'll need it later.



Once you have the new secret, it's time to set it in Proofpoint.


At this stage, you should have in your notepad:


The application ID

The new secret.




3- Put it in proofpoint azure sync 


Go back to Proofpoint and paste the new secret into the secret field:



Click SAVE at the bottom. If it works, you should see this at the top of the page:



You're done - you're good for another two years.



4- (Optional) Update the secret in VircomPortal


If you're a heavy user of our VircomPortal (vircomportal.com), you know that we automate a number of things with it, including the new Office 365 monitoring. It's important to update your app-id and secret in the Vircom portal as well.


Go to https://vircomportal.com


Log in with your email address and local Proofpoint password (not your Office 365 password).


Go to the Office 365 - Azure Active Directory part of the menu, update the application secret and hit Save.



If it works, you'll get a SUCCESS message.



Now you're really really done.