AD Connector – Network
The GrantFlow Agent securely connects your on-premises Active Directory to the GrantFlow SaaS.
It operates via an outbound-only connection, meaning your Domain Controller (DC) or Agent host never needs to expose inbound ports to the Internet.
For UI configuration, form fields, and testing the connection, see Creating an AD Connector.
Communication Overview
| Direction | Source | Destination | Protocol / Port | Purpose |
|---|---|---|---|---|
| Outbound | Domain Controller or Agent host | enrollment.grantflow.cloud | HTTPS (TCP/443) | Required for Agent Enrollment and Certificate Renewal |
| Outbound | Domain Controller or Agent host | agents.grantflow.cloud | HTTPS (TCP/443) | Secure API communication (GrantFlow ↔ AD Agent) |
| Inbound | – | – | None required | All communication is initiated outbound |
The Agent:
- Executes privileged actions (e.g., group membership updates, account enable/disable) via a service account.
- Sends status, logs, and audit events back to the GrantFlow cloud.
- Uses TLS 1.3 encryption and mutual authentication (mTLS) for all sessions.
Agent to Domain Controller Communication
When the AD Agent is installed on a separate host (not on the DC itself), it needs to communicate with your Domain Controllers to perform AD operations.
| Direction | Source | Destination | Protocol / Port | Purpose |
|---|---|---|---|---|
| Outbound | AD Agent host | Domain Controller(s) | LDAP (TCP/389) | Standard LDAP queries and updates |
| Outbound | AD Agent host | Domain Controller(s) | LDAPS (TCP/636) | Secure LDAP over TLS (recommended) |
Notes:
- LDAPS (port 636) is strongly recommended for secure communication. Ensure your DCs have valid certificates configured.
- The agent must be able to resolve DC hostnames via DNS.
- Ensure time synchronization (NTP) between the agent host and Domain Controllers; significant clock skew can break mTLS.
If the agent is installed directly on the Domain Controller(s), operations are handled locally on that host. If the agent runs on a separate host, keep LDAPS enabled and do not skip TLS certificate verification, so that all operations are handled securely.
Active Directory enforces TLS for password change operations. If you use Account Password Rollover, ensure your Domain Controllers present valid TLS certificates and upload the root/intermediate CA certificates to the AD Connector configuration. See Use TLS (LDAPS) for connector-side settings.
Firewall Rules Summary
Allow outbound HTTPS (TCP/443) from:
- The Domain Controller or the system hosting the connector
To:
- agents.grantflow.cloud
- enrollment.grantflow.cloud
No inbound ports are required.
Using a Web Proxy
The AD Agent/Connector does not support HTTP(S) proxies for control‑plane traffic. Route traffic directly to GrantFlow endpoints and bypass any proxy for these hosts.
Configure your network to bypass proxies (PAC/no_proxy) for at least:
- agents.grantflow.cloud
- enrollment.grantflow.cloud (enrollment and certificate renewal)
SSL/TLS inspection must be disabled — connections use end‑to‑end mTLS and cannot be intercepted.
If your organization mandates a proxy for all outbound traffic, create explicit exceptions for the hosts above and allow direct egress on HTTPS (TCP/443).
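The following pre-flight check covers the requirements from the two sections above (LDAPS, DNS and clock skew towards the Domain Controllers; direct, uninspected TLS/443 egress to the GrantFlow endpoints). It is an added example, not GrantFlow's own tooling; it assumes Windows PowerShell 5.1 or later on the Agent host, and the DC hostname is a placeholder you replace with your own.

```powershell
# Added pre-flight check for a GrantFlow AD Agent host (example, not GrantFlow's own tooling).
# Assumed: Windows PowerShell 5.1+ on the Agent host; replace the DC placeholder with your own DCs.
$CloudHosts        = @('agents.grantflow.cloud', 'enrollment.grantflow.cloud')
$DomainControllers = @('dc01.corp.example')   # placeholder, not a real host

function Test-TlsEndpoint {
    # TCP connect, TLS handshake, then report negotiated protocol and the leaf certificate.
    # Chain/name errors are recorded instead of thrown, so one call yields reachability AND trust.
    param([string]$HostName, [int]$Port)
    $r = [ordered]@{ Endpoint = "${HostName}:$Port"; Reachable = $false; Protocol = $null
                     Issuer = $null; NotAfter = $null; CertErrors = $null }
    $script:policyErrors = $null
    $callback = { param($s, $cert, $chain, $errors) $script:policyErrors = $errors; $true }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port); $r.Reachable = $true
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        $r.Protocol = $ssl.SslProtocol; $r.Issuer = $leaf.Issuer; $r.NotAfter = $leaf.NotAfter
        $r.CertErrors = $script:policyErrors   # 'None' means the chain validated on this host
    } catch { $r.CertErrors = $_.Exception.Message } finally { $tcp.Close() }
    [pscustomobject]$r
}

function Test-ProxyBypass {
    # $true when the system (WinINET) proxy settings send this host direct. Caveat: this reads the
    # settings of the user running the script, not necessarily those of the agent's service account.
    param([string]$HostName)
    [System.Net.WebRequest]::GetSystemWebProxy().IsBypassed([Uri]"https://$HostName/")
}

function Get-ClockOffsetSeconds {
    # One w32tm sample against a DC; returns the offset in seconds, or $null if w32tm gave no sample.
    param([string]$Dc)
    $line = (w32tm /stripchart /computer:$Dc /samples:1 /dataonly 2>&1) |
            Select-String -Pattern '([+-]\d+\.\d+)s' | Select-Object -Last 1
    if ($line) { [double]$line.Matches[0].Groups[1].Value } else { $null }
}

foreach ($h in $CloudHosts) {
    # A corporate CA as Issuer, or CertErrors other than None, usually means TLS inspection or a
    # proxy is in the path; the agent's end-to-end mTLS session will fail in that case.
    (Test-TlsEndpoint -HostName $h -Port 443 | Format-List | Out-String).Trim()
    "Proxy bypassed for ${h}: $(Test-ProxyBypass $h)"
}
foreach ($dc in $DomainControllers) {
    $ips = try { [System.Net.Dns]::GetHostAddresses($dc).IPAddressToString -join ',' } catch { 'DNS FAILED' }
    "DNS ${dc}: $ips"
    (Test-TlsEndpoint -HostName $dc -Port 636 | Format-List | Out-String).Trim()  # LDAPS cert check
    "Clock offset vs ${dc}: $(Get-ClockOffsetSeconds $dc) s"
}
```

Run it as the account that will operate the agent, so the proxy and certificate-store checks reflect that account's settings rather than an administrator's interactive profile.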
Service Account Permissions
Use a dedicated, least‑privilege service account for the connector. For a complete breakdown of required rights by use case (read, group membership, enable/disable, password operations) and delegation steps, see AD Connector – Service Account Permissions.
Data Residency
All communication terminates in EU‑based Azure regions; no data leaves the EU.
GrantFlow is developed and maintained in Vienna, Austria, ensuring full compliance with GDPR and EU data protection laws.
If you require hosting in a different region, contact our support team to discuss options and timelines.
Entra Connect Agent (Delta Sync)
When GrantFlow modifies AD objects that affect cloud privileges (e.g., elevating or revoking Azure administrators via AD groups), the changes must be synchronized to Microsoft Entra ID.
Install the lightweight GrantFlow agent on your Microsoft Entra Connect server (formerly Azure AD Connect). The agent triggers an on‑demand delta synchronization immediately after GrantFlow completes relevant AD updates.
- Supported sync engines: Microsoft Entra Connect (classic). If you use Microsoft Entra Cloud Sync, contact support to enable the on‑demand provisioning trigger.
- Required permissions on the Entra Connect server: membership in the local ADSyncOperators group (or equivalent) to invoke sync cycles.
- The agent does not require Domain Admin rights.
Example (executed by the agent):
# Trigger Entra Connect delta sync after an AD change
Start-ADSyncSyncCycle -PolicyType Delta
Firewall for the Entra Connect Agent
Allow outbound HTTPS (TCP/443) from the Entra Connect server to:
- *.grantflow.cloud
- login.microsoftonline.com
- graph.microsoft.com
- *.azure.com
No inbound ports are required; the agent only initiates outbound connections.