About External Identities

Applies To: AuthPoint Multi-Factor Authentication, AuthPoint Total Identity Security

In AuthPoint, you can synchronize users from Active Directory, Azure Active Directory, or a Lightweight Directory Access Protocol (LDAP) database. This is a quick way to add users to AuthPoint that you already defined on your network.

To sync users from an external user database, you must add an external identity and create one or more queries. External identities connect to external user databases to get user account information and validate passwords.

There are two types of external identities:


Use the Lightweight Directory Access Protocol (LDAP) external identity type to sync users from Active Directory or an LDAP database.

You must add LDAP external identities to the configuration for a Gateway, and install the AuthPoint Gateway on your corporate network in a location that has Internet access and that can connect to your LDAP server. The Gateway enables communication between WatchGuard Cloud and your Active Directory or LDAP database.

Azure AD

Use the Azure AD external identity type to sync users from Azure AD. This type of external identity does not require the AuthPoint Gateway.

For each external identity, you must specify which users to sync. There are two ways to sync users:

  • Group Sync — Select the groups you want to sync users from and AuthPoint creates a query for you.
  • Advanced Queries — Create your own queries to specify which groups or users to sync.

After you add a group sync or an advanced query, AuthPoint syncs with your external user database at the next synchronization interval and creates an AuthPoint user account for each user that is found. If your query returns more users than you have available licenses, the sync only creates as many users as your license supports.

Users that do not have a first name, user name, or email address defined in the external user database are not included in the synchronization.

AuthPoint does not store passwords for synchronized users. When a synchronized user authenticates, AuthPoint sends the LDAP credentials to the domain controller for validation. After the domain controller validates the credentials, AuthPoint manages any other authentication options specified in the authentication policies.

When you create a query to find your users (manually or with group sync), you choose whether to have AuthPoint create a mobile token for the synced users and send an email to the synced users to activate their mobile token. AuthPoint does this by default. In most cases, we recommend that you assign a token to users and send them the Token Activation email. User accounts need a token to authenticate with AuthPoint. You might choose not to do this for users that use hardware tokens for authentication, or for service accounts that bypass MFA with basic authentication.

To assign a token and send the token activation email to a user that did not have a token created for them automatically, you must resend the Token Activation email. For more information, go to Resend Activation Email.

Quarantined Users

If you move or delete a user account in your LDAP database, the status of the linked AuthPoint user account changes to Quarantined. In the users list, Quarantined user accounts display a yellow icon next to the user name.

An AuthPoint user account can also be quarantined if the external identity was deleted or other domain information changed.

Quarantined user accounts cannot authenticate until you restore or move them back to their original location in the LDAP database. For more information, see Quarantined Users.

Related Topics

Sync Users from Active Directory or LDAP

Sync Users from Azure Active Directory

Test the Connection to an External Identity