10.18. Sync Microsoft Entra Tenants and Contacts for MSP Clients

Microsoft Entra sync helps MSPs keep client contacts current without manually recreating every user from Microsoft 365. After you connect your partner identity source, AlgaPSA can discover managed Entra tenants, match them to client records, and create or update contacts for those clients.

Throughout this guide, the client names are fictional MSP examples. Use this workflow when your MSP manages clients like GreenLeaf Dental Group, Northstar Accounting, or Pioneer Law Group through Microsoft partner access and wants cleaner contact records for tickets, billing contacts, approvals, and client communication.

Figure 1: The Microsoft Entra integration starts with a guided setup: connect, discover tenants, map tenants to clients, then run the initial sync.

What Entra sync does

Area	What AlgaPSA does	MSP benefit
Tenant discovery	Finds managed Microsoft Entra tenants visible to your partner connection.	Reduces manual setup when onboarding multiple Microsoft 365 clients.
Client mapping	Suggests matches between Entra tenants and AlgaPSA clients by domain or name.	Helps avoid syncing GreenLeaf users into the wrong client record.
Contact sync	Creates contacts or links existing contacts by email address.	Keeps service desk and billing contact records aligned with Microsoft 365 users.
Field updates	Optionally updates name, phone, job title, and related identity fields from Entra.	Lets your MSP choose which system is authoritative for contact details.
Reconciliation	Queues ambiguous matches for human review.	Prevents unsafe merges when more than one contact could match the same Entra user.

Entra sync is designed to be non-destructive. It creates, links, updates, or marks contacts inactive when an Entra account is disabled; it does not delete contacts.

Prerequisites

Before you start, confirm the following:

AlgaPSA access: You are an AlgaPSA administrator with permission to update system settings.
Edition and feature access: Microsoft Entra sync is an Enterprise/Premium identity integration. If you do not see Settings > Integrations > Identity, contact your AlgaPSA administrator or account owner.
Microsoft access: Your Microsoft partner tenant has access to the client tenants you want to sync.
Microsoft partner connection: Use Microsoft delegated partner access for managed tenants.
Client records: Create or review AlgaPSA clients before mapping. Add clear websites, billing email domains, or client names so matching works well.

Recommended setup scenario

For this guide, assume your MSP, Northwind MSP, supports these clients:

Entra tenant	AlgaPSA client	Example sync outcome
GreenLeaf Dental Group	GreenLeaf Dental Group	Creates and links dental office contacts for support tickets and billing questions.
Northstar Accounting	Northstar Accounting	Keeps Microsoft 365 user names and phone numbers current for tax-season support.
Pioneer Legal Services	Pioneer Law Group	Requires review because the Entra tenant name differs from the AlgaPSA client name.
Harbor Clinic	No matching client yet	Can be imported as a new client or skipped until onboarding is ready.

Step 1: Open the Entra integration

Go to Settings.
Select Integrations.
Open the Identity category.
Review the Microsoft Entra Integration card.

The setup mode shows four guided steps: Connect, Discover Tenants, Map Tenants to Clients, and Initial Sync. Complete them in order.

Step 2: Connect Microsoft Entra

In the Connection Options area, choose the direct Microsoft partner connection.

Click the direct Microsoft connection option.
Sign in with the appropriate Microsoft partner administrator account.
Review and approve the requested Microsoft permissions.
Return to AlgaPSA and confirm the connection health shows connected.

Operational check: Use a named integration owner, such as your service operations manager or identity lead, so token rotations and permission reviews have a clear owner.

Step 3: Discover managed tenants

After the connection is active, click Run Discovery.

AlgaPSA loads the managed Entra tenants visible to your connection and records the last discovery time. Discovery does not create contacts yet. It only prepares the tenant list for mapping.

Use Run Discovery Again later when you add a new Microsoft 365 client, complete GDAP setup, or change partner tenant access.

Step 4: Map Entra tenants to AlgaPSA clients

Open Review Mappings to confirm how discovered Entra tenants should connect to AlgaPSA client records.

Figure 2: Review auto-matched tenants, choose a client for unmatched tenants, import a new client, or skip tenants that are not ready for sync.

Mapping statuses you may see:

Status	Meaning	Recommended action
Auto-matched	AlgaPSA found a strong match, usually by domain.	Review it, then confirm if correct.
Needs review	AlgaPSA found a possible match but is not confident enough to choose automatically.	Select the correct client manually.
Unmatched	No likely client was found.	Select a client, import as a new client, or skip.
Skipped	You chose not to map this tenant right now.	Remap later when the client is ready.

For example, greenleafdental.example may match GreenLeaf Dental Group automatically. A tenant named Pioneer Legal Services may need manual review if the AlgaPSA client is named Pioneer Law Group.

After reviewing rows, click Confirm Selected Mappings.

Operational check: Do not confirm mappings solely by display name. Check the primary domain, client billing domain, and client website before syncing contacts.

Step 5: Choose field sync controls

Field sync controls decide which Entra values can overwrite fields on already-linked AlgaPSA contacts.

Common MSP choices:

Field	Typical setting	Why
Display Name	On	Useful when Microsoft 365 is the source of truth for staff names.
Email	Usually Off	Prevents accidental contact routing changes if aliases or UPNs differ.
Phone	On	Keeps help desk callback details current.
Role	On	Keeps job titles such as Office Manager or Controller current.
UPN	Usually Off	Enable only if your team uses UPN for identity troubleshooting.

Click Save Field Sync Controls after changing the switches.

Step 6: Run the initial sync

After at least one tenant is mapped, click Run Initial Sync.

During the sync, AlgaPSA processes each mapped tenant and handles users as follows:

Ignored: Disabled accounts, users without valid email identities, and common service account patterns are skipped.
Created: New people are created as contacts under the mapped AlgaPSA client.
Linked: Existing contacts are linked when there is one clear email match.
Updated: Enabled field sync controls may update linked contact fields.
Queued: Ambiguous matches are sent to the reconciliation queue for review.
Inactivated: Contacts linked to disabled Entra accounts may be marked inactive rather than deleted.

Step 7: Monitor sync runs and resolve ambiguous matches

After setup, the integration changes to ongoing operations mode. Use this area to run discovery again, start a full sync, review recent sync runs, and clear the ambiguous match queue.

Figure 3: After sync, review run results and resolve ambiguous contact matches before they affect service desk records.

Review sync history

The Recent Sync Runs panel shows:

Run type, such as initial or all-tenants.
Completion status.
Start and completion time.
Number of tenants processed.
Success and failure counts.

Click View details when you need per-client results, such as how many contacts were created, linked, updated, inactivated, or queued as ambiguous.

Resolve ambiguous matches

Ambiguous matches happen when AlgaPSA finds more than one possible contact for the same Entra user. For example, Jordan Lee at GreenLeaf Dental Group might match both an office manager contact and a billing contact.

For each queue item:

Review the Entra user name and email.
Review the candidate contacts.
Choose an existing contact when one is correct, then click Resolve to Existing.
Click Resolve to New if the Entra user should become a separate contact.

Operational check: Assign someone on the service desk or client success team to review ambiguous matches after each initial client onboarding sync.

Ongoing operations checklist

Use this checklist after the initial sync is complete:

Run discovery after adding a new Microsoft 365 client or changing Microsoft partner access.
Review unmapped and skipped tenants monthly.
Check recent sync runs for failed tenants.
Clear the ambiguous match queue before major client communication campaigns.
Review field sync controls before turning on email or UPN updates.
Confirm inactive contacts before removing them from client-facing workflows.

Troubleshooting

Problem	What to check
The Identity category is missing	Confirm Enterprise/Premium access and that the Entra integration is enabled for your tenant.
Discovery finds no tenants	Confirm Microsoft partner access and GDAP relationships.
A tenant matched the wrong client	Do not confirm it. Select the correct client manually or improve the client website/billing domain first.
A tenant is unmatched	Select a client manually, import it as a new client, or skip it until onboarding is ready.
Contacts are not updating	Check field sync controls; only enabled fields can overwrite linked contacts.
Service accounts appear in sync	Add exclusion patterns for naming conventions such as `svc-`, `automation`, or `noreply`.
A user matched multiple contacts	Resolve the item in the ambiguous match queue instead of creating duplicates.

Best practices for MSPs

Keep client domains accurate in AlgaPSA before running discovery.
Map tenants in batches and review each domain before confirming.
Leave email overwrite disabled unless your operations team has agreed that Entra should control contact email addresses.
Use the reconciliation queue as part of onboarding closeout for new managed clients.
Treat disabled Entra accounts as an offboarding signal, but review important billing or executive contacts before removing them from workflows.

Navigation