Configuration
Entra ID Setup
Create an App Registration in Microsoft Entra ID, generate a certificate for authentication, and grant the Graph API permissions that CYNC requires.
Prerequisites: You need Global Administrator or Application Administrator privileges in your Microsoft Entra ID tenant to create App Registrations and grant admin consent.
1. Create an App Registration
- Sign in to the Microsoft Entra admin center.
- Navigate to Identity → Applications → App registrations.
- Click New registration.
- Enter a name, for example CYNC Contact Sync.
- For Supported account types, select “Accounts in this organizational directory only (Single tenant)”.
- Leave the Redirect URI blank - CYNC does not use interactive (delegated) authentication.
- Click Register.
After registration, note the following values from the Overview page:
| Field | Where used |
|---|---|
| Application (client) ID | CYNC dashboard → Configuration → Client ID |
| Directory (tenant) ID | CYNC dashboard → Configuration → Tenant ID |
2. Generate a certificate
CYNC authenticates using ClientCertificateCredential from the Azure.Identity library. The private key is stored in the Windows Certificate Store on the machine running the CYNC service. No client secrets or passwords are stored.
Option A: Generate from the CYNC dashboard (recommended)
The CYNC admin dashboard can generate and install the certificate for you:
- Open the CYNC dashboard and navigate to the Configuration page.
- Click Generate/Renew Certificate.
- CYNC creates a self-signed certificate, installs the private key in the Local Machine certificate store, and exports the public key (.cer file) for you to upload to Entra ID.
- The certificate thumbprint is automatically populated in the Configuration page.
Tip: This is the fastest path. The dashboard handles key generation and store installation in one click. You only need to upload the exported .cer file to your App Registration (see below).
Option B: Generate manually (PowerShell)
If you prefer to generate the certificate yourself (e.g., using your internal PKI or on a Server Core machine without the dashboard):
```powershell
# Create a self-signed certificate valid for 2 years
$cert = New-SelfSignedCertificate `
    -Subject "CN=CYNC Contact Sync" `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeyExportPolicy Exportable `
    -KeySpec Signature `
    -KeyLength 2048 `
    -NotAfter (Get-Date).AddYears(2)

# Export the public key (.cer) for upload to Entra ID
Export-Certificate `
    -Cert $cert `
    -FilePath "C:\cync-cert.cer"

# Display the thumbprint - enter this in the CYNC dashboard
$cert.Thumbprint
```
Important: The certificate must be in Cert:\LocalMachine\My (Local Machine → Personal store), not the Current User store. The CYNC service runs as LocalSystem and needs access to the private key.
Upload the certificate to Entra ID
Regardless of which method you used to generate the certificate, upload the public key to your App Registration:
- In the Entra admin center, go to your CYNC App Registration.
- Navigate to Certificates & secrets → Certificates.
- Click Upload certificate and select the .cer file (exported by the dashboard or by the PowerShell script above).
- Add a description (e.g. “CYNC server cert”) and click Add.
3. Grant API permissions
CYNC requires three Application permissions (not Delegated) from the Microsoft Graph API:
| Permission | Type | Purpose |
|---|---|---|
| User.Read.All | Application | Read all user profiles from Entra ID (display name, email, department, job title, phone, etc.) |
| Group.Read.All | Application | Read group memberships (required when using source group filtering to sync specific groups) |
| Contacts.ReadWrite | Application | Create, update, and delete contacts in target users' Exchange Online mailboxes |
Steps
- In your App Registration, go to API permissions.
- Click Add a permission → Microsoft Graph → Application permissions.
- Search for and select User.Read.All. Click Add permissions.
- Repeat for Group.Read.All and Contacts.ReadWrite.
- Click Grant admin consent for [your tenant] and confirm.
Admin consent is required. Without admin consent, CYNC cannot read users or write contacts. The permission status should show a green checkmark next to each permission after granting consent.
Service restart required: After changing API permissions, restart the CYNC service to clear the cached access token. The service caches OAuth tokens for up to 75 minutes. Run Restart-Service CyncService on the server.
4. Configure CYNC
Enter the three values from the previous steps into the CYNC admin dashboard:
- Open the CYNC dashboard and navigate to the Configuration page.
- Enter your Tenant ID (Directory ID from the App Registration overview).
- Enter your Client ID (Application ID from the App Registration overview).
- Enter the Certificate Thumbprint (SHA-1 thumbprint of the certificate in the Local Machine store).
- Click Test Connection to verify that CYNC can authenticate with Entra ID.
Success: If the test passes, CYNC can authenticate with your Entra ID tenant and read user profiles. You're ready to define target users and run your first sync.
Troubleshooting
"Certificate not found" error
Verify the certificate is in Cert:\LocalMachine\My (not CurrentUser). The CYNC service runs as LocalSystem and needs access to the Local Machine store.
"Insufficient privileges" error
Ensure admin consent has been granted for all three permissions: User.Read.All, Group.Read.All, and Contacts.ReadWrite. Check the API permissions page in the Entra admin center for green checkmarks.
"Invalid tenant" error
Double-check the Tenant ID. It should be a GUID from the App Registration overview page, not the tenant name or domain.
Permissions changed but sync still fails / still works
The CYNC service caches OAuth access tokens for up to 75 minutes. Restart the service (Restart-Service CyncService) to clear the token cache after changing API permissions.
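The following pre-flight script is an added example, not part of the CYNC product or its documentation. It checks the three values from step 4 against the conditions the troubleshooting entries above describe (GUID-shaped Tenant and Client IDs; certificate present in Cert:\LocalMachine\My with a private key and not expired), then optionally authenticates app-only with the same certificate and reports which of the three application permissions were actually consented. The three parameter defaults are placeholders, and the optional Graph check assumes the Microsoft.Graph.Authentication module is installed.

```powershell
# Added example (not CYNC's own code). Run on the CYNC server in an elevated PowerShell session.
param(
    [string]$TenantId   = '00000000-0000-0000-0000-000000000000',               # placeholder
    [string]$ClientId   = '00000000-0000-0000-0000-000000000000',               # placeholder
    [string]$Thumbprint = '0000000000000000000000000000000000000000'            # placeholder
)

# "Invalid tenant": both IDs must be GUIDs from the App Registration Overview, not a tenant name/domain.
$guid = [guid]::Empty
foreach ($pair in @{ 'Tenant ID' = $TenantId; 'Client ID' = $ClientId }.GetEnumerator()) {
    if (-not [guid]::TryParse($pair.Value, [ref]$guid)) {
        throw "$($pair.Key) '$($pair.Value)' is not a GUID. Copy it from the App Registration Overview page."
    }
}

# "Certificate not found": the service runs as LocalSystem, so the cert must be in LocalMachine\My.
# Thumbprints copied from the Windows certificate UI often carry spaces or hidden characters; strip them.
$normalized = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $normalized }
if (-not $cert) {
    $inUser = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $normalized }
    if ($inUser) { throw "Certificate $normalized is in CurrentUser\My; CYNC needs it in LocalMachine\My." }
    throw "No certificate with thumbprint $normalized in Cert:\LocalMachine\My."
}
if (-not $cert.HasPrivateKey) { throw "Certificate found, but the private key is not in the store." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter). Renew it and upload the new .cer." }
Write-Host "Local store check passed: $($cert.Subject), expires $($cert.NotAfter.ToShortDateString())"

# "Insufficient privileges": sign in app-only with this certificate and compare the granted app roles
# against the three permissions CYNC needs. Assumes the Microsoft.Graph.Authentication module is installed.
if (Get-Module -ListAvailable -Name Microsoft.Graph.Authentication) {
    Connect-MgGraph -TenantId $TenantId -ClientId $ClientId -CertificateThumbprint $cert.Thumbprint
    $granted = (Get-MgContext).Scopes
    foreach ($required in 'User.Read.All', 'Group.Read.All', 'Contacts.ReadWrite') {
        $status = if ($granted -contains $required) { 'OK' } else { 'MISSING - grant admin consent, then restart CyncService' }
        Write-Host ("{0,-20} {1}" -f $required, $status)
    }
    Disconnect-MgGraph | Out-Null
} else {
    Write-Host "Microsoft.Graph.Authentication not installed; skipping the permission check."
}
```

Connect-MgGraph may also locate a certificate in the CurrentUser store, so the LocalMachine check earlier in the script is the one that mirrors what the CYNC service itself sees. A permission that was granted after the service last obtained a token will show as OK here while the service still fails until it is restarted, as the troubleshooting entry above explains.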