Microsoft Entra Profile Picture Sync

Overview

This article explains how to synchronize profile pictures from Microsoft Azure Active Directory to Flexopus using the Graph API when you have configured SAML2 Single Sign-On.

If you connected your Microsoft Azure Active Directory via SAML2 for Single Sign-On, you may notice that the SAML2 SSO protocol does not provide an attribute mapping for the profile picture. Profile pictures cannot be synced over SAML2 because they are not part of the SAML2 standard.

With an O365 OAuth SSO this is different: there the profile picture is part of the communication protocol. However, an OAuth SSO has many other disadvantages compared to a SAML2 SSO.

Setup instruction manual

The profile picture sync runs after a successful SAML2 login. Flexopus requests the profile picture via the Graph API. We require admin permissions to request the data via the Graph API.

STEP 0 - Configure SAML2 for SSO

For the SAML2 SSO configuration, we have a separate article guiding you through the steps. This article assumes that you have finished the SAML2 configuration steps.

Azure Active Directory SAML2 SSO | Flexopus
Learn how to integrate Flexopus with Azure Active Directory using SAML2 for secure Single Sign-On and streamlined user management.

STEP 1 - Enable synchronization

Go to Flexopus and enable the profile picture sync under the configured SAML2 settings. As an admin, navigate to Dashboard > Settings > Authentication > SAML2 Settings.

Configure Profile Picture Sync via Microsoft Entra Attributes

Click on the Connect button as an Azure admin. This will lead you to a page where you need to grant the following permissions to Flexopus:

  • Read profile photo of a user or group
    Allows the app to read all profile photos of users and groups, on your behalf.
  • Sign you in and read your profile
    Allows you to sign in to the app with your organizational account and let the app read your profile. It also allows the app to read basic company information.

Basically, you enable us to log in to Graph API and to request the profile pictures of the users.

Grant permissions

STEP 2 - Grant permissions in Azure too

After granting the permissions, a new enterprise application will be created in Azure called Flexopus SAML2 Directory extension. Navigate here to the Permissions tab. Here you can see the granted permissions. Make sure you click on the Grant admin consent for Flexopus GmbH button. This way, we can make sure that the permissions are granted properly.

Grant permissions in the Azure portal
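
To confirm after Step 2 that the enterprise application holds only the two delegated permissions listed in Step 1 and that admin consent covers both, you can audit the application's delegated grants as returned by Graph's `oauth2PermissionGrants` listing. This is an added example, not Flexopus code: the scope names `ProfilePhoto.Read.All` and `User.Read` are assumed to be the identifiers behind the two permission descriptions above, and the response is constructed sample data with placeholder ids.

```python
import json

# Assumption: Graph scope values behind the two permissions listed in Step 1.
EXPECTED_SCOPES = frozenset({"ProfilePhoto.Read.All", "User.Read"})

# Constructed sample of a Graph oauth2PermissionGrants listing for the
# enterprise application's service principal; every id is a placeholder.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"id": "grant-1", "clientId": "SP-OBJECT-ID-PLACEHOLDER",
     "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read ProfilePhoto.Read.All"},
    {"id": "grant-2", "clientId": "SP-OBJECT-ID-PLACEHOLDER",
     "consentType": "Principal", "principalId": "USER-ID-PLACEHOLDER",
     "scope": " User.Read  Mail.Read "},
]})


def audit_grants(response_json, expected=EXPECTED_SCOPES):
    """Return scopes beyond the expected set and expected scopes that
    lack tenant-wide (admin) consent."""
    grants = json.loads(response_json).get("value", [])
    unexpected, admin_consented = [], set()
    for grant in grants:
        # "scope" is one space-separated string; split() tolerates padding.
        scopes = set((grant.get("scope") or "").split())
        for scope in sorted(scopes - expected):
            unexpected.append((grant.get("id"), scope))
        # consentType "AllPrincipals" is what admin consent produces;
        # "Principal" is consent given by or for a single user.
        if grant.get("consentType") == "AllPrincipals":
            admin_consented |= scopes
    return {"unexpected": unexpected,
            "missing_admin_consent": sorted(expected - admin_consented)}


if __name__ == "__main__":
    report = audit_grants(SAMPLE_RESPONSE)
    for grant_id, scope in report["unexpected"]:
        print(f"REVIEW: grant {grant_id} carries unexpected scope {scope}")
    for scope in report["missing_admin_consent"]:
        print(f"MISSING: no admin consent recorded for {scope}")
```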

STEP 3 - Testing

Log out of Flexopus and log in again. Your profile picture should be synced. Make sure you test it with a user who has an avatar in Azure.

In case you have questions, contact support@flexopus.com.