Active Directory Federation

VaultStream integrates with on-premises Active Directory through Microsoft Entra Connect and ADFS.

Supported Topologies

Configuration                    Description
Entra ID Connect (Cloud Sync)    AD → Entra ID → VaultStream (recommended)
ADFS 2019+                       Direct federation via SAML
Entra Domain Services            Managed domain with LDAP/Kerberos

Entra ID Connect Setup

  1. Deploy Entra Connect Cloud Sync agent on a domain-joined server
  2. Configure attribute flow: mail, displayName, userPrincipalName
  3. Set up group writeback for team-based access control
  4. Register VaultStream as an Enterprise Application in Entra ID
  5. Assign users and groups to the application

ADFS Setup

  1. Add VaultStream as a Relying Party Trust in ADFS
  2. Configure claim rules:
     • E-Mail Address → Name ID
     • Display Name → urn:oid:2.5.4.42
     • Token-Groups - Unqualified Names → group claims
  3. Import the CYFR SP metadata
  4. Enable the Relying Party Trust
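The ADFS steps above, scripted as an added example (not VaultStream's or CYFR's own tooling): it creates the Relying Party Trust from the imported SP metadata file, installs the three claim rules listed, and enables the trust. The trust name and the metadata file path are placeholders, and the script assumes an elevated session on an ADFS 2019+ server with the ADFS PowerShell module available.

```powershell
# Added example (not VaultStream's own documentation or tooling). Creates the ADFS
# Relying Party Trust described above and installs the three listed claim rules.
# Assumptions: $TrustName and $MetadataFile are placeholders; run elevated on an ADFS 2019+ server.
Import-Module ADFS

$TrustName    = 'VaultStream'
$MetadataFile = 'C:\path\to\vaultstream-sp-metadata.xml'   # placeholder: exported CYFR SP metadata

# Rule 1: read mail, displayName and Token-Groups - Unqualified Names (LDAP attribute
# "tokenGroups") from AD. The page maps Display Name to urn:oid:2.5.4.42; RFC 4519 registers
# that OID as givenName, so confirm the attribute name the SP expects before going live.
$LdapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "VaultStream - AD attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "urn:oid:2.5.4.42",
                   "http://schemas.xmlsoap.org/claims/Group"),
          query = ";mail,displayName,tokenGroups;{0}", param = c.Value);
'@

# Rule 2: emit the e-mail address as the SAML Name ID, tagged with the emailAddress format.
$NameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "VaultStream - E-Mail Address to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
            = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Issuance authorization: permit every authenticated user. Tighten this to a specific
# AD group claim if only a subset of the directory should reach VaultStream.
$AuthzRule = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 1, 3 and 4 from the list: create the trust from the SP metadata, attach the rules, enable it.
Add-AdfsRelyingPartyTrust -Name $TrustName -MetadataFile $MetadataFile `
    -IssuanceTransformRules ($LdapRule + $NameIdRule) `
    -IssuanceAuthorizationRules $AuthzRule
Enable-AdfsRelyingPartyTrust -TargetName $TrustName

# Verify what ADFS actually stored for the trust before testing a sign-in.
(Get-AdfsRelyingPartyTrust -Name $TrustName).IssuanceTransformRules
```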

Conditional Access

When federated through Entra ID, customers can apply Conditional Access policies:

  • Require MFA
  • Require hybrid-joined or compliant device
  • Block by location (geo-fencing)
  • Sign-in risk policies

Kerberos Constrained Delegation

For on-premises integrations, VaultStream supports Kerberos constrained delegation to allow the VaultStream agent to impersonate users when accessing internal file shares for content ingestion. See the Content Ingestion Guide for watch-folder configuration.