This document explains how to integrate Nightfall with identity providers (IdPs) such as Microsoft Entra ID and Google Workspace Directory Service. The integration simplifies policy management in Nightfall: you can include or exclude users and user groups in policies by leveraging the user information already maintained in your IdP, for easier administration across Nightfall and other SaaS products.
Simplified Policy Management: Nightfall automatically synchronises user and group information from your IdPs, eliminating the need to include or exclude users in policies manually. This continuous sync ensures your policies always reflect the latest directory information, streamlining management and reducing administrative overhead.
Tailored Policies with User Groups: Leverage existing user groups defined in your IdPs to easily create granular DLP policies within Nightfall. Assign specific access and permission levels to different user groups, ensuring data security and compliance across various SaaS applications like Microsoft Teams, OneDrive, and Google Drive.
Dynamic User Management: As users are added or removed from your IdP directory, Nightfall automatically reflects these changes, updating your DLP policies. This ensures your policies remain accurate and relevant, eliminating the need for manual updates.
The Directory Sync feature allows you to connect your user directories (Microsoft Entra ID and Google Workspace) with Nightfall. This sync is required for several capabilities of Nightfall's SaaS app integrations, such as Microsoft 365 Teams, OneDrive for Business, Google Drive, and other apps.
Microsoft Teams Direct Message Monitoring (Azure Entra ID): To monitor direct messages in Microsoft Teams for potential data leaks, Nightfall requires access to your Microsoft Entra ID account. Syncing your Entra ID account gives Nightfall a list of active users and groups, which it uses to monitor user communication and data flow.
OneDrive for Business: To monitor users' OneDrive accounts for potentially sensitive data leaks, Nightfall requires access to your Microsoft OneDrive for Business account. Syncing your Entra ID account gives Nightfall a list of active users and groups, which it uses to monitor users' OneDrive accounts.
Supported Identity Providers
Nightfall currently integrates with the following IdPs:
Microsoft Entra ID
Google Workspace
This document explains the process of adding your Google Workspace tenant to Nightfall to enable Directory Sync. To get an overview of the Directory Sync feature in Nightfall, you can read this article and then proceed with this document.
To install Google Directory:
Click the Settings button in Nightfall.
Click the Directory Sync tab.
Click Add directory.
Select Google Workspace as the identity provider.
Copy the Client ID and OAuth Scope ID and store them in a secure place; you need them in the following steps.
Log in to your Google Workspace with an admin account.
Click the menu icon.
Select Admin.
In the Admin console left pane, expand Security and then expand Access and data control.
Click API controls.
Click MANAGE DOMAIN WIDE DELEGATION under Domain wide delegation.
Click Add New.
Paste the Client ID copied from the Nightfall app, in the Client ID field.
Paste the OAuth Scope ID copied from the Nightfall app into the OAuth Scopes field. Separate multiple scope IDs with commas.
Click AUTHORIZE.
Return to the Nightfall app and click Continue.
Click Connect.
Once the setup is complete, Nightfall displays the list of active and inactive users in your Google Workspace. Nightfall syncs with your Identity and Access Provider every four hours. You can also trigger a manual sync once every hour: click the ellipsis menu and select Refresh.
Currently, once registered, an Identity and Access Provider cannot be unregistered from Nightfall. If you wish to unregister your Identity and Access Provider, please contact Nightfall support.
This document explains the process of adding your Microsoft Azure tenant to Nightfall to enable Directory Sync. To get an overview of the Directory Sync feature in Nightfall, you can read this article and then proceed with this document.
You must have a Microsoft Entra ID (formerly known as Microsoft Azure Active Directory) account.
A Microsoft Entra user account for Nightfall with one of the following roles:
Global Administrator or Privileged Role Administrator, for granting consent for apps requesting any permission, for any API.
Cloud Application Administrator or Application Administrator, for granting consent for apps requesting any permission for any API, except Microsoft Graph app roles (application permissions).
A custom directory role that includes the permission to grant permissions to applications, for the permissions required by the application.
For more information, refer to the Microsoft documentation here.
Click the Settings button in Nightfall.
Click the Directory Sync tab.
Click Add Directory.
Select Azure Entra as the identity provider.
Click Connect.
Enter the email address or phone number associated with your Microsoft Azure account.
Click Next.
Enter your password and click Sign In.
When you sign in as an Azure admin, you can consent to the installation of the Nightfall IdP app yourself. The consent screen lists the permissions being requested; review them, then click Accept.
Once you approve the request, the installation proceeds. When the installation is complete, the confirmation screen is displayed; click Setup Complete.
After the setup is complete, the first sync may take 15 to 30 min. While the first sync is in progress, the status shows "pending". Once the sync is complete, the status changes from "pending" to "synced", and you can view the number of active users, inactive users, and groups discovered.
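As an added post-consent check (this script is not part of Nightfall's documentation), the following PowerShell lists the application and delegated permissions the Nightfall enterprise application actually holds in your tenant, so an admin can confirm they match what was shown on the Accept screen. It assumes the Microsoft.Graph PowerShell module is installed and that the app's display name starts with "Nightfall" (the $AppNameFilter value is an assumption; adjust it to the name shown under Enterprise applications).

```powershell
# Added verification script, not Nightfall's own code. Lists what the consented
# enterprise application was granted. Requires the Microsoft.Graph module.
# ASSUMPTION: the app's display name starts with "Nightfall"; adjust if needed.
param([string]$AppNameFilter = 'Nightfall')

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

# Microsoft Graph's own service principal, used to translate app role GUIDs
# into readable permission names such as User.Read.All.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

$sps = Get-MgServicePrincipal -Filter "startswith(displayName,'$AppNameFilter')"
if (-not $sps) {
    Write-Warning "No service principal matching '$AppNameFilter' was found."
    return
}

foreach ($sp in $sps) {
    Write-Host "`n== $($sp.DisplayName)  (appId $($sp.AppId))"

    # Application permissions (app roles): the app can use these with no
    # signed-in user, so these deserve the closest review.
    $roles = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id
    foreach ($r in $roles) {
        $name = ($graphSp.AppRoles | Where-Object Id -eq $r.AppRoleId).Value
        if (-not $name) { $name = $r.AppRoleId }   # non-Graph resource: show raw id
        Write-Host ("  APPLICATION  {0,-40} on {1}" -f $name, $r.ResourceDisplayName)
    }

    # Delegated permissions: scopes consented on behalf of users.
    # ConsentType "AllPrincipals" means tenant-wide admin consent was granted.
    $grants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id
    foreach ($g in $grants) {
        Write-Host ("  DELEGATED    {0,-40} consent={1}" -f $g.Scope, $g.ConsentType)
    }
}
```

Run it from an account that can read applications and the directory; any permission it prints that was not on the consent screen is worth a follow-up before relying on the sync.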
Active users in Azure are the users who actively log in to Azure and perform various tasks.
Inactive users are dormant users who have not logged in to their Azure account for a while. You can refer to this Microsoft document to learn more about managing inactive users.
Nightfall syncs with your Identity and Access Provider every four hours. Also, you can manually sync once every hour. To sync data manually, click the ellipsis menu and select Refresh.
Currently, once registered, an Identity and Access Provider cannot be unregistered from Nightfall. If you wish to unregister your Identity and Access Provider, please contact Nightfall support.