CiraSync gives the ability to perform certain sync operations between Exchange, Active Directory and user Outlook clients and corporate mobile devices. This tool provices certain capabilities that are lacking natively within Microsoft. The initial proposition is enticing if it can work as advertised. Review collected by and hosted on G2.com.
As part of our current evaluation we are looking at an Enterprise implementation starting with a pilot. During the initial discovery our admins working with the CiraSync engineers had a certain design in place that we believed was a standard Enterprise implementation. The basis of how this tool works, is by impersonating the user profile to complete the sync operations required. The initial understanding is that this would be possible without domain admin rights on the entire domain - we were led to believe that we should set up a service accounts with elevated rights, short of domain admin and we could restrict the service account to have these rights only on a specific OU. However it appears that CiraSync was not quite accurate with this and it has been trial-and-error to get this tool functional to the point where they believe that the only way to do this is by giving their (3rd party) account full domain admin rights on our entire domain! This does not pass our Cyber Security requirements. We are still working with CiraSync as they believe they can offer another solution that would entail setting up an on-prem server, but we are not hopeful that this will take away the need for the service account for the tool requiring full global admin rights on our domain just to perform the impersonation function needed for this to work. Review collected by and hosted on G2.com.
Hi Anish, thank you for taking the time to share your detailed feedback.
We appreciate every opportunity to improve our service and support. I'm sorry to hear about the challenges you experienced around access consent. Please note that CiraSync does not require admin access to customer tenants at any point in time. The issue was around token creation. When you want to connect a third-party application to your tenant, Microsoft asks you to consent and it creates a temporary access token. Per Microsoft's default settings, only a Global Admin can consent to third-party applications and this is why the service account requires the Global Admin role during the sign-in process only. The other issue was that the verbatim permissions listed in the initial consent window did not match the technical requirements to perform a sync (wording discrepancy).
However, since we last spoke we have made some changes, and new sign-ups default to Graph API. Again, we thank you for your feedback as they are valid concerns and it has helped us make the necessary changes to improve our service. If you are still interested, please reach out to us so we can determine whether the recent changes will meet your requirements.
See how CiraSync improved
