Sync users from Microsoft Entra
Connect Hook to Microsoft Entra (Azure AD), pick groups to sync, preview members, and confirm — so your user list stays current.
Microsoft Entra (Azure AD) is the recommended way to keep your Hook user list current. Once connected, Hook pulls the groups you choose directly from Entra, so you stop chasing CSV exports every time someone joins or leaves. Connecting takes a few minutes with your IT or identity admin on standby for the consent step; picker → preview → confirm is a self-serve task you run as the org admin.
Before you start
You'll need:
- Org admin role in Hook, with the right organization selected in the sidebar org switcher if you manage more than one.
- An identity admin who can grant consent in Entra. Connecting Hook triggers a Microsoft consent screen for read access to your directory and groups. If you can't approve tenant-wide consent yourself, get IT on a quick call.
- A short list of the groups you want in Hook — those that map to how you'll target campaigns and training (departments, locations, roles).
Connect Hook to Entra
The Entra integration lives on the Integrations page in org settings, with a top rail of provider tiles and a Synced directories table below for connected ones.
Open Integrations
From the org portal, go to Settings → Integrations (/org/settings/integrations).
Start the connect
In Sync new directories, find the Microsoft Entra tile. The empty state reads Sync groups and members from Microsoft Entra (Azure AD) into Hook. Click Connect; the button switches to Starting… while Hook prepares the redirect.
Approve the Microsoft consent prompt
Your browser hands off to Microsoft's sign-in and consent flow. Sign in with an account that can grant consent for your tenant, review the permissions Hook requests (read access to your directory and groups), and approve. Microsoft redirects you back to Hook.
Confirm it landed
You return to Settings → Integrations. The Entra tile now shows a Connected badge with your tenant's display name, and a new row appears in Synced directories. Click the row to expand its workspace pane — counts start at zero until you pick groups.
If consent fails
If Microsoft rejects consent or the redirect comes back with an error, you'll see a toast on the Integrations page. The most common cause is clicking Connect with an account that can't grant tenant-wide consent. Pull in your identity admin and try again.
Pick the groups to sync
From the expanded workspace pane, click Manage groups in the Synced groups footer to land on the picker at /org/settings/integrations/microsoft-entra/groups. The header reads Select groups to sync.
Browse the loaded groups
The picker shows up to the first 1,000 groups from your tenant in a table with Name, Members, and Type columns. Type maps each group to Microsoft 365, Security, or Distribution. If your directory has more than 1,000 groups, a callout notes the result was truncated.
Select the groups you want
Check the box next to each group. The counter on the right (N selected) updates as you go. Use Select all (N) to flip every group on or off at once. If you push past 100 selections, Hook surfaces a heads-up that large selections may take longer to preview.
Continue to preview
When the selection looks right, click Continue to preview. The button switches to Loading preview… while Hook samples members for each selected group.
Unselecting a saved group
If you uncheck a group that was already part of your saved selection, Hook prompts you to confirm. Unsyncing a group removes its members from Hook unless they're also in another synced group.
Preview the sync
The preview at /org/settings/integrations/microsoft-entra/preview shows each selected group with a sampled member list (up to 10 names per group) and an N of M members counter.
Scan each group's members
For each group, read down the sample list and look for:
- Unexpected guests or service accounts. Entra often includes guest collaborators and shared mailboxes. If you see addresses that shouldn't receive sends, plan to clean up the group in Entra after saving.
- Users you expect but don't see. A common culprit is a recently-deactivated account or a user moved to a different group.
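Because the preview samples only up to 10 names per group, a full membership check is easier to run against your own Microsoft Graph export. The following is an added example, not Hook's code: it assumes you saved each group's `GET /groups/{id}/members` response with `$select=id,displayName,mail,userPrincipalName,userType,accountEnabled`, and the group names, IDs and addresses are constructed sample data.

```python
def _user(oid, mail, upn, user_type="Member", enabled=True):
    """Build one constructed Graph user record (sample data only)."""
    return {"@odata.type": "#microsoft.graph.user", "id": oid, "mail": mail,
            "userPrincipalName": upn, "userType": user_type, "accountEnabled": enabled}

# Constructed sample: group name -> the "value" array of its members response.
SAMPLE_GROUPS = {
    "Sales": [
        _user("u1", "ana@contoso.example", "ana@contoso.example"),
        _user("u2", "pat@partner.example",
              "pat_partner.example#EXT#@contoso.example", user_type="Guest"),
        _user("u3", None, "svc-crm@contoso.example"),  # no mailbox, likely a service account
    ],
    "Engineering": [
        _user("u1", "ana@contoso.example", "ana@contoso.example"),  # also in Sales
        _user("u4", "lee@contoso.example", "lee@contoso.example", enabled=False),
        {"@odata.type": "#microsoft.graph.group", "id": "g9", "displayName": "Contractors"},
    ],
}

def classify(member):
    """Return the reasons a member deserves review; an empty list means none."""
    otype = member.get("@odata.type", "#microsoft.graph.user")
    if otype != "#microsoft.graph.user":
        # Groups can contain nested groups, devices and service principals.
        return ["non-user object (%s)" % otype.rsplit(".", 1)[-1]]
    reasons = []
    upn = member.get("userPrincipalName") or ""
    if member.get("userType") == "Guest" or "#EXT#" in upn.upper():
        reasons.append("guest")
    if member.get("accountEnabled") is False:
        reasons.append("disabled")  # sign-in blocked; often true of shared mailboxes
    if not member.get("mail"):
        reasons.append("no mail address")  # heuristic for service accounts
    return reasons

def audit(groups):
    """Deduplicate by object id; return (flagged, clean_ids, clean_domains)."""
    flagged, clean_ids, domains = {}, set(), set()
    for group_name, members in groups.items():
        for m in members:
            reasons = classify(m)
            if reasons:
                entry = flagged.setdefault(m["id"], {"reasons": reasons, "groups": []})
                entry["groups"].append(group_name)
            else:
                clean_ids.add(m["id"])
                domains.add(m["mail"].rsplit("@", 1)[1].lower())
    return flagged, clean_ids, domains
```

Review the flagged entries in Entra before you save the selection; the domain set is a quick cross-check against what you expect to see in Authorized domains afterwards.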
Check the partial-preview banner
If you see Preview was partial — some groups could not be fetched within the time budget., Hook hit a fetch ceiling while sampling. You can still save; full membership syncs in the background. Per-group Could not load members errors retry on the first post-save sync.
Save or go back
Click Save selection to commit, or Back to return to the picker. A toast confirms Group selection saved. and you land back on Integrations.
Confirm and ongoing sync
After saving, the Synced directories row for your tenant shows non-zero counts for Synced groups and Users. The workspace pane lists each group under the Groups tab with its member count, type, and sample. The All users tab gives a deduplicated view, and the Authorized domains pane surfaces every email domain those users share.
From this point on, Hook refreshes group membership from Entra on a recurring basis — no need to re-run the wizard for routine add/remove churn. To change which groups are synced, reopen Manage groups from the workspace pane footer; previous selections are pre-checked.
When sync looks wrong
A few things to check before opening a support ticket:
- Group permissions in Entra. If a group was changed to hidden membership, Hook may not be able to read members. Loosening visibility in Entra usually fixes it on the next sync.
- Renamed groups. Hook follows the new name on the next sync, but the old name may linger in cached campaign or training audiences briefly.
- Deactivated users. Users blocked or deactivated in Entra continue to appear in Hook until the next sync reconciles them.
Related
- Getting Started — the 15-minute path from sign-in to your first phishing campaign and report
- Assign training to groups — put your freshly-synced groups to work in the enrollment wizard
- Run a phishing campaign — target a synced group with the campaign wizard end-to-end