Add Users

Written By Marissa Fegan (Super Administrator)

Updated at February 27th, 2024

Within VIPRE Email Security – Cloud Edition, a user is defined as a single actual email address. Aliases and distribution lists do not count against the allowed number of users. This article explains the different ways you can create or import users into the system.

Using any of the methods below enables you to add users to VIPRE.

Log in as an administrator

  1. Login to https://email.myvipre.com/ using your Administrator credentials


Navigate to the desired customer

If you are logging in as the administrator, you will be presented with your customer list.

  1. From the displayed Customer List, select the Customer which you are adding users to


Choose one of the following methods for adding users below:

Directory Services

VIPRE Recommends

Adding users via directory services like LDAP or Entra ID, is recommended due to its ease of use. 


LDAP

This article explains the benefits of using LDAP sync for user management and how to enable in Email Security.

What is LDAP sync? 

For ease of user management with Email Security, use Lightweight Directory Access Protocol (LDAP) Sync. User information that updates in LDAP will automatically replicate to VIPRE Email Security. This lets you continue to use the LDAP system as a single point of user management.

When LDAP Sync is enabled, Email Security considers LDAP the system of truth. Thus, new users in LDAP are automatically added to Email Security. Disabled or deleted users are automatically deleted from Email Security once the deletion delay interval expires. Email aliases are automatically mapped from LDAP secondary email address data.

The sync process can be scheduled to run every 6, 12, or 24 hours, every three days, or weekly. If immediate sync is needed, such as in the case of offboarding an employee, the Email Security administrator can use the Sync Now action to immediately sync the LDAP changes over to Email Security. Network traffic for the sync process is minimized by Email Security, which places a directory service sync agent local to the LDAP directory service. The data that is transmitted back to Email Security is a subset of the LDAP data.

Summary of benefits

Use LDAP sync to enjoy these benefits

  • Quickly add users to a new (or existing) Email Security account
  • Keep users' account details updated (e.g., name, phone, notes)
  • Easily add email aliases to users' accounts
  • Ensure disabled, or deleted users cannot access Email Security

Supported directory services

The Email Security LDAP sync feature has been certified with Microsoft Active Directory Services. Since LDAP is a standard protocol, the feature should work with any standard directory that supports LDAP. However, not all directory implementations use the same attributes to store the same types of information; in some cases, this may cause mismatches in data interpretation. If you are attempting to connect Email Security to some other directory, let us know of any issues so that we can account for different schema mappings.

LDAP sync and manual account management

If desired, user management through LDAP sync can be used in conjunction with manual account management. When used in this manner, the LDAP sync process uses a supplemental approach to reconcile user accounts.  For example, an email address that has been manually added to Email Security will have its name, phone number, and notes updated from the directory service data. This also means when the user is disabled or deleted in LDAP, that action will not be recognized in Email Security.

LDAP sync processing considerations

Review the information in this section for an understanding of how LDAP sync works with user management in Email Security.

Synchronization rules

The synchronization process uses these rules when scanning LDAP for updates to make in Email Security. If the rules are not met, then the user is not added to the Email Security account.

  • System of truth - when LDAP sync is enabled, it is the system of truth for user management within Email Security
  • Primary email address - the domain of the primary email address must match a domain that is managed by the Email Security account 
  • Secondary email address (aliases)- the domains of secondary email addresses must match a domain that is managed by Email Security AND the primary email address domain is managed by the same Email Security account.
    • list of users - when viewing the list of users, you will see secondary email addresses grouped under the users' account for the primary address
  • Domain changes in Email Security- if a domain is removed from management under Email Security, this results in:
    • when the removed domain matches a Primary email domain - the user is immediately removed from Email Security and will not appear under LDAP -> Conflicts
    • when the removed domain matches a Secondary email domain - the secondary email address is removed from the primary user, as long as Email Security still manages the primary domain
  • LDAP attributes - these attributes sync to Email Security: mail, proxyAddresses, member, givenName, sn (Surname), homePhone, mobile, company, department, and notes

Enabling / Disabling of LDAP sync

Take note of the following points when enabling or disabling LDAP sync. The information in this section assumes the synchronization rules (above) are met.

  • Single LDAP source - at this time, LDAP sync supports connecting to just one LDAP source
  • Enable for new Email Security account - set up LDAP sync connection and use the Sync Now action to quickly add users
  • Enable for existing Email Security account - upon for the first sync event; Email Security will 
    • Add users - LDAP users that are not found in Email Security will be added
    • Update users - user metadata from LDAP will be added to existing users. Qualifying secondary email addresses will be added.
    • Delete users -Unless managed manually or by SMTP, Email Security users that are not found in LDAP are flagged for deletion and will be listed under LDAP -> Conflicts
  • Disable LDAP sync - users will stay in Email Security, and you must now manage manually
    • User conflicts - no further action will occur for users identified as conflicts at the time of disabling LDAP sync. However, users flagged for deletion will be automatically deleted when the delay interval expires.

Synchronization frequency

The Email Security Administrator controls the frequency at which the LDAP process runs. 

  • Frequency - Email Security polls LDAP for changes as frequently as every 6, 12, or 24 hours; every three days, or weekly
  • Adjusting frequency - polling interval is adjusted through the Poll LDAP Every setting that is located on the Connect tab under Service Settings -> LDAP
  • On-demand synchronization - use the Sync Now action to force immediate sync from LDAP to Email Security. This is especially useful when there is an urgent need to add or remove a user.

User Deletion

  • Users deleted from LDAP - upon the next sync polling event, newly deleted users will be flagged for deletion in Email Security
  • Users disabled in LDAP - are flagged for deletion in Email Security
  • Deletion delay interval - LDAP connection setting Delete Users After controls the delay interval, which can be set to  7, 14, or 30 days; or never
  • Physical deletion- users deleted from LDAP are delayed by a minimum of 7 days before Email Security automatically deletes them
    • Accidental deletion - the delay interval protects against unintentional removal, or temporary disablement, of accounts that sync over from LDAP
  • When a user is flagged for deletion
    • User access disabled -  during the delayed deletion interval, users registered for deletion can no longer access Email Security
    • User-level rules - user-specific Email Security rules, such as Allow & Deny, are retained during the delete delay interval. Once the user is automatically deleted when the interval expires, the related user rules are deleted. 
    • User's Archived emails - for a user that is automatically deleted after the delete interval and later activated in LDAP, they will be automatically synced to Email Security. At that time, the user's email archive will be restored. 
  • Immediate deletion - during the delete delay interval, a user can be manually deleted from Email Security through the User Conflicts tab within the LDAP section of Service Settings 
  • Ignore deletion - users deleted from LDAP can be retained in Email Security by using the Ignore action (User Conflicts tab) during the deletion delay interval
  • Manual deletion - A user that is manually deleted in Email Security will be added back upon the next sync event with LDAP. The user must be deleted from LDAP for them to be permanently deleted in Email Security.


Important

Only one directory service can be active and enabled at a time. For example, you can use either Azure or LDAP but not both. Enabling one directory service will disable the other. You will be prompted before saving the new configuration.

When switching from one directory service to the other, previously synced users no longer in the current directory service sync will be considered user conflicts. These users can be found in the User Conflict Tab and are marked for deletion as directed in the Delete User After setting.



How to enable LDAP sync for user management

LDAP discovery allows VIPRE to scan your network directory for users and automatically add them to the user list.

Step 1. Prerequisite - Firewall permissions for LDAP

To use LDAP sync, you will need to ensure your firewall permits access from the Email Security data centers to your LDAP server. 

  1. Open one of these LDAP ports, based on your use of SSL (recommended) or non-SSL
    • SSL: 636
    • Non-SSL: 389
  2. Permit these server IP addresses 

    Email Security Data Center Network Ranges

    192.162.216.0/22 (192.162.216.0-192.162.219.255)

    208.70.128.0/21 (208.70.128.0-208.70.135.255)

    72.35.12.0/24 (72.35.12.0 - 72.35.12.255)

    72.35.23.0/24 (72.35.23.0 - 72.35.23.255)

Step 2. Set up the LDAP connection

  1. Login to https://email.myvipre.com/ using your Administrator credentials

If you have multiple accounts to administer, you will be presented with your list of accounts.

  1. From the Administrator Dashboard, expand the Customers menu, then select Customer List
  2. From the displayed Customer List, select the Customer to which you are adding users
  3. From the customer dashboard, expand the Service Settings menu. Then, select LDAP
  4. On the Connect tab of the LDAP Configuration screen, click the Enable LDAP box
  5. In the Host field, enter the IP address of the LDAP server 
  6. Ensure the SSL option is selected (highly recommended). Deselect if your environment does not support SSL.
  7. In the Username and Password fields, enter the user account credentials to be used for the sync process
  8. Enter the Base DN (Domain Name) information using standard LDAP notation, e.g.; ou=myOU,dc=example,dc=com
  9. In the Poll LDAP Every drop-down, select the frequency at which you would like the sync process to run
  10. In the Delete Users After drop-down, select the number of days for the deletion delay interval
  11. Click Show advanced options to specify the LDAP port (if not using the default 389/636)
  12. Click Test to verify the connection settings
  13. Click Save to store the configuration changes

If the connection test has failed, double-check the setting provided, revise as necessary and test again

Step 3. Add users

  1. To immediately discover and add users, select Sync Now. Otherwise, users will sync at the next polling cycle. 

The initial sync may take up to an hour, depending on the number of users to be created.

Important Information

Sync: Disabled/deactivated users and public folders are not synced by default in LDAP. Enable the checkboxes to sync disabled/deactivated users and/or public folders.

Custom Filter: Filters are applied to user and group syncs; LDAP search filters are supported

How to disable LDAP Sync

Email Security retains all users when LDAP Sync is disabled. If any users are flagged for deletion, they will still be deleted at the expiration of the deletion delay interval. 

Disable LDAP sync

  1. Login to https://email.myvipre.com/ using your Administrator credentials

If you have multiple accounts to administer, you will be presented with your list of accounts.

  1. From the Administrator Dashboard, expand the Customers menu, then select Customer List
  2. From the displayed Customer List, select the Customer to which you are adding users
  3. From the customer dashboard, expand the Service Settings menu. Then, select LDAP
  4. On the Connect tab of the LDAP Configuration screen, uncheck the Enable LDAP box
  5. Click Save to store the configuration changes

LDAP sync is now disabled. 

Managing LDAP in Email Cloud

Exceptions

The Exceptions tab is where you can select any name from the User List that you want to exclude from the LDAP sync with VIPRE Email Cloud. This means any exceptions will also be excluded from any custom filters you set up on the Connect tab.


VIPRE Email Security Cloud - LDAP Sync Exceptions

 


To exclude a user, group, or alias from the LDAP sync:

  1. In the User List column, which shows a complete view of your directory server, locate the row with the name of the user, group, or alias you want to exclude
  2. Click the blue arrow in the same row as the name to add that name to the Exception List
  3. Click Save

Additions

The Additions tab allows you to manually add users to include in the LDAP sync. For example, this would be useful for adding any new employees that may need to be added in between syncs.


VIPRE Email Security Cloud - LDAP Sync Additions

 To include an additional user to your LDAP sync:

  1. Type the email address of the user you want to include
  2. Click Add

Users added to your LDAP sync via this method will be listed on this tab. They will also show up in the list under Users in the left-side menu with the source as LDAP.


User Conflicts

The User Conflicts tab will show users that previously synced in the portal but are no longer in the directory server.


VIPRE Email Security Cloud - LDAP Sync User Conflicts

 

Possible actions within this tab are: Delete, Ignore, Export, Deactivate

Example Use-Case

You notice there are two users showing in User Conflicts. Let's say that when you were first setting up LDAP sync, under the Connect tab, you set Delete Users After to 7 days. You're fine with one of the users being deleted because the employee no longer works for your company. The other user, however, is on maternity leave and will be coming back in 12 weeks.

  1. Click the checkbox next to the user and select your desired action.

In the example above, you could use Ignore so that the user will not be deleted after 7 days.


Troubleshooting

Firewall settings - Verify the Email Security IP addresses have been allowed through the network and domain controller firewall. Verify that your Directory Service is reachable through your firewall.

Account credentials - Confirm the correct user account credentials for Username and Password have been provided and are accurate.

Connection successful but users not populating

When the sync process runs, users will begin to appear in the Users view of the Admin portal. Follow the suggestions below if you do not see the users populating in this view as the sync process runs. After allowing up to 30 minutes for the initial sync process to complete, if many users are missing, then please reach out to our Support team for assistance.

Sync Now - Click the Sync Now button on the Connect tab of the LDAP Configuration screen. You should receive a notification message indicating the sync process has been started. 

Managed domain - Verify domain is a managed domain for this Email Security account. From the Email Admin portal, navigate to Domains. The domain(s) shown here must match the domain of the LDAP users' primary email addresses.

‍ 

Entra ID

 

Microsoft Entra ID (Active Directory) is a cloud-based identity and access management service that we've integrated with VIPRE Email Security Cloud allowing Email Cloud to sync user and group accounts that belong to your managed domain. 

Important

Only one directory service can be active and enabled at a time. For example, you can use either Azure or LDAP but not both. Enabling one directory service will disable the other. You will be prompted before saving the new configuration.

When switching from one directory service to the other, previously synced users no longer in the current directory service sync will be considered user conflicts. These users can be found in the User Conflict Tab and are marked for deletion as directed in the Delete User After setting.

 

 

There are two main parts to set up the Entra ID integration with Email Security Cloud.

Part 1 - Configure Entra ID Integration

Follow the steps below to configure Entra ID to integrate with VIPRE Email Security Cloud. These steps all take place in Entra ID and assume you already have a Microsoft Azure account.

Step 1 - New App Registration

  1. Navigate to portal.azure.com and log in with your Microsoft Azure account credentials
  2.  On the left-side menu, under Manage, select App registrations
  3. Click New Registration and name your registration
    • Any name will work but it's recommended to use a name that identifies what app you're registering (e.g., in this case, VIPRE Email Cloud)
  4. Click Single tenant
  5. Skip the redirect URI and click Register
 

Step 2 - API Permissions

  1. On the left-side menu, under Manage, select API Permissions
  2. Select Add a permission
  3. Select Microsoft Graph 
    • This is the API that the Email Cloud portal uses to communicate with Azure
  4. Select Application Permissions
  5. Select the following Application Permissions
    • Directory > Directory.Read.All
    • Group > Group.Read.All
    • GroupMember > GroupMember.Read.All
    • User > User.Read.All
  6. Click Add Permissions
  7. Look for the row that shows User.Read, click the ellipses (...) on the right, and select Remove Permission
  8. Click Grant admin consent for <your.tenant.name.here>
 

Step 3 - Certificates & Secrets

  1. In the breadcrumb trail, select the API name

Example showing where to locate the tenant and API names. Your tenant name, and API name, won't match this image.

 

  1. On the left-side menu, select Certificates & secrets
  2. Under Client secrets, click New client secret and fill in the following information:
    • Description - This can be whatever you want
    • Expires - No matter which timeframe you choose, it's important to set a reminder for yourself to both create a new client secret, and save the new client secret into the Azure Connect tab (step 5 below), before expiry. Failure to do so could break the sync between Email Cloud and Entra ID.
  3. Click Add
 

Step 4 - Gather Necessary Info for VIPRE Email Cloud

 

  1. Open a new text file on your computer and copy/paste the following information from the Microsoft Entra ID portal into the blank text file:
    1. Under Client secrets, copy the Value and paste it into your blank text file
    2. In the breadcrumb trail, select the API, copy the Application (client) ID and paste it into your text file
    3. From the same page, copy the Directory (tenant) ID and paste it into your text file
 

 

Part 2 - Enable and Sync Entra ID

In part two, we'll take what we did in the Entra ID portal and configure it to sync with VIPRE Email Security Cloud.

Step 5 - Connect

 

  1. In a separate browser tab, navigate to your Email Cloud admin portal and log in
  2. On the left-side menu, click Service Settings, then select Directory Services
  3. On the main page, select Entra ID
  4. Place checkmark next to Enable Azure Sync
  5. Copy the Directory (tenant) ID) from your text file and paste it into the Tenant Domain field
  6. Copy the Application (client) ID from your text file and paste it into the Client ID field
  7. Copy the Client secret from your text file and paste it into the Client Secret field
  8. Select a Sync Frequency from the dropdown menu
    • The default sync frequency is 6 hours
  9. Select an amount of time to Delete Users After from the dropdown menu; see the User Conflicts section below for more details
    • The default is 7 days
  10. Click the checkbox if you want to include disabled/deactivated user accounts in your sync
    • This is unchecked by default
  11. If you want to include Custom Filters, enter those in the text field here
    • Custom Filters are only applied to syncs of users. Groups are not included.
    • For full details, including supported custom filters and examples of queries, visit Custom Filters for use with Entra ID Sync to open a new browser tab
  12. Click Save in the bottom right
  13. Click Test in the bottom left to verify the connection
    • If successful, a green message will appear in the top-right "Azure Connection test was passed
    • If unsuccessful, a red message will appear in the top-right "Azure Connection test failed"
      • Verify the Tenant Domain, Client ID, and Client Secret were copied correctly from the Azure portal
  14. Click Sync Now
    • A green message will appear in the top-right "Azure sync has successfully started"

Once the sync has completed, you will be able to see all of your users by clicking Users in the left-side menu. Looking in the Source column, you will be able to tell which users were added via Azure.

VIPRE Email Security Cloud User List showing Azure as the sourceVIPRE Email Security Cloud - Users

 

 

 

 

 

Congratulations! You have successfully configured Entra ID to sync with VIPRE Email Security Cloud! Continue reading below to learn how to further manage your Entra ID integration

Managing Entra ID in Email Cloud

Exceptions

The Exceptions tab is where you can select any name from the User List that you want to exclude from the Entra ID sync with VIPRE Email Cloud. This means any exceptions will also be excluded from any custom filters you set up on the Connect tab.

 

VIPRE Email Security Cloud - Entra ID Sync Exceptions 
 

To exclude a user, group, or alias from the Entra ID sync:

  1. In the User List column, which shows a complete view of your directory server, locate the row with the name of the user, group, or alias you want to exclude
  2. Click the blue arrow in the same row as the name to add that name to the Exception List
  3. Click Save
 

Additions

The Additions tab allows you to manually add users to include in the Entra ID sync. For example, this would be useful for adding any new employees that may need to be added in between syncs.

 

VIPRE Email Security Cloud - Entra ID Sync Additions
 

 To include an additional user to your Entra ID sync:

  1. Type the email address of the user you want to include
  2. Click Add

Users added to your Entra ID sync via this method will be listed on this tab. They will also show up in the list under Users in the left-side menu with the source as Azure.

 

 

User Conflicts

The User Conflicts tab will show users that previously synced in the portal but are no longer in the directory server.

 

VIPRE Email Security Cloud - Entra ID Sync User Conflicts

 

Possible actions within this tab are: Delete, Ignore, Export, Deactivate

Example Use-Case

You notice there two users showing in User Conflicts. Let's say that when you were first setting up Entra ID sync, under the Connect tab, you set Delete Users After to 7 days. You're fine with one of the users being deleted because the employee no longer works for your company. The other user, however, is on maternity leave and will be coming back in 12 weeks.

 

  1. Click the checkbox next to the user and select your desired action.

In the example above, you could use Ignore so that the user will not be deleted after 7 days.

 

 

‍ 



Manual

When adding users manually,  you can either use a .csv file to create many users at once or adding users one at a time in the portal. Click on your chosen method below.

Import from .csv File

Importing users from a Comma-Separated Values (CSV) file allows you to create many users at once.

Sample CSV and XLS files

Located on the Import Users tab in the product, VIPRE provides sample files so that you may use the correct format for exporting your existing user list. If you are using an Excel file to export from, you must save it as a CSV file in order to import it into VIPRE.

To import users from a CSV file

  1. From the customer dashboard, expand the Users menu. Then, select Import Users
  2. Perform one of the following:
    • Use the file browser to select a CSV file, or...
    • Drag and drop a CSV file onto the Upload CSV file area, or...
    • In your CSV file editor (such as Excel), highlight user data and copy it, then paste it into the Paste CSV data section
  3. At the bottom of the screen, select Review Import
  4. When finished, select Save

Add via Online Portal

  1. In the navigation pane, expand the Users menu, then select Users.
  2. On the right side of the Users panel, select the green + plus sign.
  3. In the Add:User panel, fill out the information in all required fields.
  4. (Optional) You can add additional information (phone numbers, notes, etc.) by selecting the Additional checkbox.
  5. Once completed, select Save
  6. (Optional) You can edit Settings, Quarantine, Filtering, and Routing information on a per-user basis. 
  7. Confirm the user information is correct, then select Close

Repeat steps 2–5 to add additional users.