ScoutDNS supports policy enforcement by user groups synced from Entra ID (formerly Azure AD). This is useful when admins want policy decisions to follow the user regardless of the device or device profile in use. This guide explains how ScoutDNS syncs with Entra ID and how policy decisions are applied.
About Entra ID Policy Function
ScoutDNS Entra ID group-based policies rely on an Enterprise App connection between ScoutDNS and your Entra ID tenant. Once the connection is made and read-only permissions are granted, the ScoutDNS policy engine matches the users and tenants reported by roaming clients against the groups and users synced from Entra ID, applying policy as configured in the Persona. Users who cannot be matched to a group with a policy set in the Persona fall back to the Device Profile policy configured in the Device Profile settings.
Allow User Policies in Device Profiles
Since Entra ID policies apply to roaming clients, you must first configure Device Profiles and deploy roaming clients to the users whose policies you want to manage. If you have not yet deployed roaming clients, start here.
You will need to enable the User Policies switch, which allows ScoutDNS to collect user and tenant information and ensures that group-based policies override the Device Profile policy. Keep in mind that the Device Profile default policy will apply to any user who is a member of a group that does not yet have an assigned policy via the Persona.
Create Persona
Now that we have configured Device Profiles to allow user-based policies, we need to create a Persona, which defines how ScoutDNS applies group-based policies. Navigate to the Users tab and select the Configure sub-tab. On the far right, select New Persona. Name the persona in the Settings tab, then select the Entra ID sub-tab.
Add and Bind Tenant
Click on Add Tenant and accept the read-only permissions for the ScoutDNS Enterprise App. ScoutDNS needs a small set of read-only permissions through the Entra ID Graph API in order to discover users and groups. ScoutDNS does not gain access to emails, messages, or any information other than what is required to sync users and groups. These permissions can be removed at any time from within your Entra ID management console.
Once you have granted permission, you can then select the tenant and Bind this to the Persona. In a multi-tenant account, the default tenant will be the Primary Tenant.
Multi-Tenant Entra ID Accounts
For multi-tenant Entra ID accounts, such as those used by managed service providers, you can add additional tenants using the Add Tenant function. Once you have connected the primary account, simply input the Microsoft Tenant Domain (ending in onmicrosoft.com) of the tenant you wish to connect and select Add Tenant. This tenant domain will now appear in the drop-down selector for you to Bind. Select Bind to set it to the Persona.
A tenant can only be bound to one Persona at a time. If you wish to reuse the same tenant in another account or persona, you must UNBIND it first.
Define Group Policy and Priority
Once you have chosen the tenant to bind, you can view all groups discovered via the Entra ID sync process. For large group installs, it may take a few hours to complete the initial sync. ScoutDNS performs regular syncs in the background to capture new groups and users. Optionally, you can initiate a manual sync through the UI.
To assign a policy to a user group, choose the group from the Observed Groups column and move it to the Configured Groups column. Here you can assign the policy for this group and set the group/policy priority. The priority determines which policy applies when a user is a member of multiple configured groups with different policies; a priority of 1 is considered the highest. Save the Persona, and ScoutDNS will apply the policy accordingly.

Any security group can be selected for policy.
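The decision order described above (User Policies switch, configured-group priority, Device Profile fallback) can be modelled to check what a given user should receive before rolling a Persona out. The following is an added example, not ScoutDNS code; the group ids and policy names are constructed placeholders, and the tie handling is an assumption since the guide does not define a tie-break.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class ConfiguredGroup:
    """A group moved into the Persona's Configured Groups column."""
    group_id: str   # Entra ID group identifier (constructed values below)
    policy: str     # name of the ScoutDNS policy assigned to the group
    priority: int   # 1 is the highest priority


def resolve_policy(user_groups: Iterable[str],
                   configured: List[ConfiguredGroup],
                   device_profile_policy: str,
                   user_policies_enabled: bool = True) -> Tuple[str, str]:
    """Return (policy, reason) for one roaming-client user.

    1. If the Device Profile's User Policies switch is off, group policy is
       never consulted and the Device Profile policy applies.
    2. Among the user's groups that are Configured in the Persona, the
       lowest priority number wins (1 is highest).
    3. A user whose groups are only Observed (no policy assigned), or who
       matched no synced group at all, falls back to the Device Profile policy.
    Two matched groups at the same priority are flagged as a configuration
    error rather than silently resolved (assumption, not documented behaviour).
    """
    if not user_policies_enabled:
        return device_profile_policy, "device-profile (User Policies disabled)"
    by_id: Dict[str, ConfiguredGroup] = {g.group_id: g for g in configured}
    matches = [by_id[g] for g in user_groups if g in by_id]
    if not matches:
        return device_profile_policy, "device-profile (no configured group matched)"
    matches.sort(key=lambda g: g.priority)
    best = matches[0]
    if len(matches) > 1 and matches[1].priority == best.priority:
        raise ValueError(f"ambiguous priority {best.priority}: "
                         f"{best.group_id} vs {matches[1].group_id}")
    return best.policy, f"group {best.group_id} (priority {best.priority})"


# Constructed sample Persona; ids and policy names are placeholders.
PERSONA = [
    ConfiguredGroup("grp-finance", "Strict", 1),
    ConfiguredGroup("grp-all-staff", "Standard", 2),
]

if __name__ == "__main__":
    print(resolve_policy(["grp-finance", "grp-all-staff"], PERSONA, "Default"))
    print(resolve_policy(["grp-contractors"], PERSONA, "Default"))
```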
Link Persona to Organization
For accounts with the Organization Management tab, you should link the Persona to the appropriate organization to ensure that the User tab and associated reporting data align correctly. This functions similarly to linking a Site (for network-based deployments) and Profiles (for roaming clients). Like the other objects mentioned, you can automatically link a Persona to any organization by creating the Persona from within a selected Organization view.

Don't forget to link the Persona to the correct organization.