Master Account Holders can import Microsoft Entra ID users as LogMeIn Rescue technicians into their organization. Key user data in LogMeIn Rescue will be automatically updated when those change in the Azure Active Directory.
- Generate a service token and default password for new users in the Admin Center.
- Select the Global Settings tab.
- To generate a service token, click Generate and Copy under Active Directory Synchronization.
Result: A service token is generated and copied to your clipboard.
- Define the default password you want your new technicians to use for their first login.
Note: Users are required to change this password upon their first login.
- At the bottom of the page click Save.
- Download and extract the server application.
- In the LogMeIn Rescue Administration Center, under Active Directory Synchronization, click Download to download the service installer.
Result: The service installer is downloaded to your computer in a zip file.
- Extract the zip file to a folder.
- Run the server application, and configure synchronization behavior.
Important: You need privileges to run the application as a system service. The computer running the application must be connected to Active Directory with sufficient permissions to access and query all Active Directory groups and users.
- Select the Microsoft Entra ID service to be used.
- Submit the following credentials:
- Master Account Holder LogMeIn Rescue credentials
- The service token you previously generated on the Global Settings tab of the Admin Center.
- Region
Note: By checking Dry Run mode, a preview of the changes the synchronization will make to your Rescue account will be output in an Excel file.
Important: If you select Dry Run mode, synchronization can ONLY be used as a Windows terminal application.
- Click Next.
Note: The application runs in Admin mode.
- Enter your Entra App credentials, and click Next.
- Enter a search criteria (for example 'support').
- Enter a search term (for example 'aid').
Result: AdSync searches for this term between the configured AD groups.
- Select the Technician Groups you want to synchronize.
- Click the Technician Groups radio button under Technician Groups/Admin Groups
- The first column contains the Microsoft Entra AD Groups, select one Active Directory group you want to synchronize with a Rescue Technician Group.
- The second column contains the Rescue Technician Groups, select one group that will be synchronized with the AD group.
- Navigate to the Enable Full Group synchronization option:
- checked (default): The synchronization process performs a one-to-one synchronization, that is groups, users, and hierarchies inside Rescue will be exactly the same as in the Entra AD hierarchy.
- unchecked: Only user status updates are synchronized. If a user is in a different group than the configured one, they will not be moved back to the configured group.
- Click the arrow button pointing to the third column to finalize the selection.
Note: If you want to select multiple groups, repeat step a. To cancel synchronization between two groups, select them in the third column, and click the arrow pointing towards the second column. The AdSync Wizard loads the previously configured groups to make the reconfiguration process smoother.
Important: You can synchronize up to 999 groups, each consisting a maximum number of 999 members.
- Navigate to Group settings:
- Mobile license: a mobile license is assigned to the members of the group, if available.
- Mapping UPN to SSOID: When checked, the SSO IDs of the group members will directly correspond to their UPNs.
- Click Next.
- Select Yes in the confirmation pop-up window to continue with the synchronization.
Note: If you connected at least one Active Directory Group to a Rescue Technician Group check an option under Global settings to define the behaviour of the synchronized group.
- Select your preferences under Global settings:
- Use UPN instead of Email address: When checked, you can use "UserPrincipalName" instead of an email address in Rescue.
- Use Email address as a SSO ID: When checked, the SSO ID in Rescue gets the email address.
- Click Next.
- In the resulting pop-up window click Yes to continue with the synchronization.
- Select how AdSync will run:
- Start Active Directory Synchronizer as a service.
- Start Active Directory Synchronizer as a Windows terminal application.
- Interval to send changes (minutes): You can enter your preferred frequency of the synchronization operation.
Important: Running the synchronizer as a Windows app will also place an icon resembling to the Rescue logo in the System tray. You can hide or unhide the application by right-clicking on it. If you want to the stop the synchronization process, use the Close the program option.
- If the installation was successful, click Finish, and close the installer.
Result: The service application is installed as a Windows service provisioning users belonging to the selected Microsoft Entra ID group(s) to the selected Rescue Technician Group(s).
Restriction: It is not possible to delete a technician from the LogMeIn Rescue Admin Center by using the Active Directory synchronization service. When a user is deleted or moved in Active Directory, the corresponding LogMeIn Rescue technician is disabled.
Note: If a technician is moved to another LogMeIn Rescue Technician Group, subsequent synchronization will update the user's status and move the user back to its initial synchronization group.
Note: If a user is disabled, deleted, or moved in Active Directory, the technician's mobile license is freed up, and becomes available for other members of the LogMeIn Rescue organization.
Tip: If the synchronization service fails, you can get an error log by clicking Active Directory Logger at the bottom of the Active Directory Synchronization section on the Global Settings tab of the Admin Center.