Sync setup — provider details and fallbacks

The Sync users step covers the three-click happy path that fits 95% of clients. This article is the depth for the other 5% — provider-specific options, what to do when you don’t have admin access on the customer’s side, and manual entry.

If your client is on Microsoft 365 and you have admin access, you don’t need this article. Skip to Post-sync cleanup if you’ve already synced and want to tidy up.

Microsoft 365

Microsoft sync offers two modes after admin consent:

  • Sync All Users — mirrors every active user in the customer’s tenant. The recommended default; protects the whole workforce.
  • Sync by Groups — pick specific security groups to mirror. Use when only certain departments or teams are scoped into the security awareness program.

Walkthrough

  1. From the People page, click Sync with Microsoft.

  2. A popup opens to Microsoft’s admin consent screen. Sign in with admin credentials (yours or the customer’s, if you have them) and approve the requested permissions.

  3. The popup closes and we show you the mode picker:

    • Sync All Users — click and you’re done.
    • Sync by Groups — pick the security groups to mirror, then click Sync.

After the sync, review and clean up the user list — most directories include service accounts and shared mailboxes that shouldn’t get training.

Google Workspace

Google sync requires a one-time Domain Wide Delegation (DWD) setup in Google Admin Console before we can read the customer’s directory. After DWD, the sync has three modes: All Users / OUs / Groups.

Set up Domain Wide Delegation

This is a configuration step in Google Admin Console — outside our app — and only needs to be done once per customer.

In our app, click Sync with Google, then sign in with the customer’s Google admin credentials. After consent, we show you the DWD setup screen with the Client ID and OAuth scopes you need to register on the Google side. Keep that screen open. The values are also reproduced below for reference — but the copy buttons on the dashboard are the source of truth in case anything is ever rotated.

Client ID

Paste this into the Google Admin Console’s Client ID field on the Add API client form:

105239018523099741746

OAuth scopes

Paste this comma-separated list into the Google Admin Console’s OAuth scopes field:

https://mail.google.com/,https://www.googleapis.com/auth/gmail.insert,https://www.googleapis.com/auth/gmail.modify,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.orgunit.readonly

Walkthrough — Google Admin Console

  1. In a new tab, go to admin.google.com and sign in to the customer’s Google Workspace.

  2. Navigate to Security → Access and data control → API Controls.

  3. Under Domain wide delegation, click Manage Domain Wide Delegation.

  4. Next to API clients, click Add new.

  5. Paste the Client ID (above) into the form.

  6. Paste the OAuth scopes (above) into the scopes field.

  7. Click Authorize.

Back on our DWD setup screen, click Test & Complete Setup. We round-trip a directory read to confirm the scopes work. If the test fails, the most common cause is a typo in the Client ID or scopes — re-check the values in Google Admin against the copy buttons on the dashboard.
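When the test fails, the entry saved in Google Admin can be diffed against the values above to separate typos from missing or extra scopes. This is an added example, not part of the product: the function names and sample input are constructed, and the constants are copied from this page, so substitute the dashboard's values if they differ.

```python
EXPECTED_CLIENT_ID = "105239018523099741746"  # value published on this page
EXPECTED_SCOPES = [  # scope list published on this page
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.insert",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.orgunit.readonly",
]

def _norm(scope):
    """Fold case and trailing slash so near-miss typos can be recognised."""
    return scope.lower().rstrip("/")

def parse_scopes(raw):
    """Split a pasted scope string on commas, spaces or newlines."""
    return raw.replace(",", " ").split()

def check_dwd_entry(client_id, scopes_raw):
    """Return a list of findings; an empty list means the entry matches exactly."""
    findings = []
    if client_id.strip() != EXPECTED_CLIENT_ID:
        findings.append(f"client_id mismatch: {client_id!r}")
    by_norm = {_norm(s): s for s in EXPECTED_SCOPES}
    granted = parse_scopes(scopes_raw)
    for scope in granted:
        if scope in EXPECTED_SCOPES:
            continue
        if _norm(scope) in by_norm:  # differs only by case or trailing slash
            findings.append(f"typo: {scope} (expected {by_norm[_norm(scope)]})")
        else:  # authorized beyond what the integration asks for
            findings.append(f"unexpected scope: {scope}")
    granted_norm = {_norm(g) for g in granted}
    for scope in EXPECTED_SCOPES:
        if _norm(scope) not in granted_norm:
            findings.append(f"missing scope: {scope}")
    return findings

# Constructed sample: trailing slash dropped, orgunit scope missing, drive added.
SAMPLE_SCOPES = (
    "https://mail.google.com, https://www.googleapis.com/auth/gmail.insert,\n"
    "https://www.googleapis.com/auth/gmail.modify,"
    "https://www.googleapis.com/auth/admin.directory.user.readonly,"
    "https://www.googleapis.com/auth/admin.directory.group.readonly,"
    "https://www.googleapis.com/auth/drive")

if __name__ == "__main__":
    print("\n".join(check_dwd_entry("105239018523099741746 ", SAMPLE_SCOPES)))
```

An "unexpected scope" finding is worth reviewing even when the test passes, since it means the client is authorized for more than the list above.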

Sync after DWD is authorized

  1. Back in our app, click Domain Wide Delegation Complete.

  2. Click Start Sync Process.

  3. Authenticate with the customer’s Google admin credentials when prompted, then approve the requested scopes.

  4. Pick a mode:

    • Sync All Users — mirrors the entire domain. Most common.
    • Sync by OUs — pick specific Organizational Units. Best when the customer’s directory is OU-segmented.
    • Sync by Groups — pick specific Google Groups. Best when only a subset of users should be in our system.

After the sync, review and clean up the user list.

Use a sync-link invite when you don’t have admin access on the customer’s Microsoft or Google tenant, the most common reason the happy path doesn’t fit.

  1. From the People page, click Generate sync-link invite.

  2. We give you a one-time URL. Copy it and email it to whoever on the customer’s side has admin rights.

  3. They open the link, authenticate to their own tenant, and grant consent. The sync runs in your environment.

You never see or store the customer’s credentials. From your side it works exactly like a normal sync — same review-and-clean-up step at the end.

This is the answer to “Microsoft is asking me for permissions I don’t have.”

Add users manually

For trial setups, one-person clients, or directories without a supported sync provider.

  1. From the People page, click Add user for individual entry, or Upload CSV for a batch.

  2. For CSV: download the template, fill it in, upload.

  3. Whitelist our mail infrastructure on the customer’s mail server (see below) so training and phishing emails don’t get filtered. This is mostly a problem for manual setups since sync-based customers usually have your tenant approved already.

Whitelist our mail infrastructure

Manual setups go through standard mail flow and can be filtered by the customer’s mail security. Add our senders so training and phishing emails land:

  • IP addresses: 54.240.43.212 and 34.232.212.184
  • Safe sender: bounce@infimasec.com

Whitelisting is a manual-setup concern only — sync’d clients don’t need it.

Switching providers later

If the customer changes their mind about which directory provider they use, you can switch without losing the user list.

  1. From the People page, disconnect the current sync provider.

  2. Connect the new provider through the normal sync walkthrough above.

  3. The user list stays put — users get rebound on the new provider’s first sync.

Post-sync cleanup

Every directory has accounts that shouldn’t be in security awareness training — service accounts, shared mailboxes, ex-employees whose accounts weren’t disabled. These come in with the sync but you don’t want them counting toward billing or skewing your phishing results.

  1. On the People page, scan the user list for accounts that aren’t real people.

  2. Select them and click Deactivate.

Deactivated users stay in the system but are inactive — no training, no phishing tests, no billing. Their historical data is preserved. You can reactivate them later if needed.

Frequently asked

I added users manually. Can I switch to sync later without losing them? Yes. Set up sync when you’re ready and we’ll match existing users by email on the first sync. You don’t have to delete the manual entries first.

A user got removed from the customer’s directory. What happens here? On the next sync, that user is removed from our system — they’re gone, not marked inactive. If you want a user to stay in the system but stop receiving training (for example, an employee on long leave), use the manual Deactivate action on the People page instead of relying on directory removal.

Do I need to set up DWD for every Google client? Yes. DWD is per-customer — each Google Workspace customer needs our Client ID authorized in their Google Admin Console before the sync runs.

The DWD test failed after I added the Client ID and scopes. Most common cause is a typo. Compare the values you pasted in Google Admin against the copy buttons on the dashboard. If they match exactly, give Google a couple of minutes to propagate the new authorization, then click Test & Complete Setup again.

Why does the Google scope list include gmail.* if we’re just syncing directory? The gmail scopes are what let us deliver training and phishing email into your client’s mailboxes via the Gmail API. That’s how sync’d Google clients receive our mail without having to whitelist anything. Without those scopes, mail won’t land.