Note: These instructions are for the NEW Azure portal. If you are using the classic Azure portal, please use these instructions. If you're unsure which portal you are using, check the URL: if it begins with "https://manage.windowsazure.com/..." you are using the CLASSIC portal; if it begins with "https://portal.azure.com/..." you are using the NEW portal.
Overview:
The Azure AD Integration allows system administrators to synchronize users from your Azure Active Directory into the archive system. This feature is mainly designed to minimize the administration of users across multiple systems. Once the integration is established, users from your Azure Active Directory will be synchronized with the archive system on a schedule.
Note: This is only a synchronization of user details. Setting up single sign-on is a separate process.
To set up or manage an existing integration, navigate to the main settings page by selecting the cog in the top navigation bar, then select "Manage" in the Azure AD Sync panel.
Initial Sync:
- Add the archive application to your Azure Active Directory admin center
  - From your Azure management portal, navigate to the App registrations section (Azure Active Directory > [Directory] > App registrations). Select 'New Application Registration'.
  - Give the application a name that will identify it within your Azure management portal and select 'Web app / API' as the application type.
  - Enter the Sign-on URL and App ID URI provided in step 1 of setting up a new directory sync from within the archive system.
- Set the permissions for the newly registered application
  - Once you have added the archiving application to your Azure management portal, navigate to the application you just created in the 'App registrations' section. Click 'Required permissions' and select the 'Windows Azure Active Directory...' API.
  - Ensure that ONLY 'Read directory data' is selected under BOTH the 'Application permissions' and 'Delegated permissions' sections.
  - Save these permissions and select 'Grant permissions'.
  - NOTE: The permissions need to be both saved AND granted.
- Add your Azure credentials to the archive application
  - Once you have added the archiving application to your Azure management portal and set the appropriate permissions, you'll need to add the credentials for your directory application to the archiving application so the sync can authenticate. Navigate to the application you just created in the 'App registrations' section if you're not already there, then click 'Keys' under 'All settings'.
  - Provide a description for the key.
  - Select a duration for the key.
  - Click the 'SAVE' icon.
  - The key has now been generated in the Key field. Copy and store the key value.
  - NOTE: You won't be able to retrieve this key after you leave this page.
  - You will need this generated key and the Application ID of the application.
  - Next, you'll need your Directory ID.
  - Your Directory ID can be found in the properties of your Azure Active Directory.
  - Enter the Application ID, generated key, and Directory ID into the specified fields in the archive application:
    - Enter the Application ID into the 'Client ID' field.
    - Enter the generated key into the 'Key' field.
    - Enter the Directory ID into the 'Tenant ID' field.
  - NOTE: It can take up to 60 minutes for the Microsoft systems to fully propagate the application/key pair before authentication to your Azure Active Directory succeeds.
- Map the attributes
  - Once you've successfully established a connection between Azure and the archive application, you'll be able to map your attributes to the relevant fields.
  - Primary email address (this should be the address that users authenticate with), username (which can be the email address if you wish), and name should be mapped to the appropriate fields in your directory. Any additional aliases for the user will be automatically synchronized and associated with the user in the archiving application.
- Review and Finish
  - Lastly, the system will summarize your mapping and confirm the sync frequency. Currently this is a nightly sync; as the application evolves you'll be able to customize this frequency.
  - Finishing the setup will start an initial sync.
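The permissions and key steps above are the two places where this integration can drift from least privilege over time: someone adds a permission to the app registration, or the key quietly approaches its expiry date and the nightly sync starts failing. The script below is an added example (not the archive product's code and not a Microsoft tool) that audits an exported app registration manifest for exactly those two conditions. It assumes the manifest layout the new portal exports (`requiredResourceAccess` with `Scope`/`Role` entries and `passwordCredentials` with `endDate`); the permission ids and the sample manifest are constructed placeholders, so replace them with the ids from your own export.

```python
import json
from datetime import datetime, timedelta, timezone

# resourceAppId of the 'Windows Azure Active Directory' API as it appears in
# exported manifests. The two permission ids below are PLACEHOLDERS constructed
# for this example; take the real ones from your own manifest.
DIRECTORY_API_APP_ID = "00000002-0000-0000-c000-000000000000"
READ_DIRECTORY_DATA_ID = "11111111-1111-1111-1111-111111111111"   # placeholder
EXTRA_PERMISSION_ID = "22222222-2222-2222-2222-222222222222"      # placeholder

# The rule from the setup steps: ONLY 'Read directory data', as both a delegated
# permission ("Scope") and an application permission ("Role").
EXPECTED_ACCESS = {
    (DIRECTORY_API_APP_ID, READ_DIRECTORY_DATA_ID, "Scope"),
    (DIRECTORY_API_APP_ID, READ_DIRECTORY_DATA_ID, "Role"),
}

# Constructed sample: one permission too many, one key about to expire.
SAMPLE_MANIFEST = {
    "appId": "00000000-0000-0000-0000-00000000abcd",   # placeholder Application ID
    "requiredResourceAccess": [{
        "resourceAppId": DIRECTORY_API_APP_ID,
        "resourceAccess": [
            {"id": READ_DIRECTORY_DATA_ID, "type": "Scope"},
            {"id": READ_DIRECTORY_DATA_ID, "type": "Role"},
            {"id": EXTRA_PERMISSION_ID, "type": "Role"},   # permission creep
        ],
    }],
    "passwordCredentials": [
        {"keyId": "key-a", "startDate": "2018-01-01T00:00:00Z",
         "endDate": "2018-02-10T00:00:00Z", "value": None},
        {"keyId": "key-b", "startDate": "2018-01-01T00:00:00Z",
         "endDate": "2020-01-01T00:00:00.0000000Z", "value": None},
    ],
}
SAMPLE_NOW = datetime(2018, 1, 20, tzinfo=timezone.utc)   # constructed "today"


def _parse_utc(stamp):
    """Parse a manifest timestamp such as 2018-02-10T00:00:00Z (fractional seconds allowed)."""
    base = stamp.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def requested_access(manifest):
    """Flatten requiredResourceAccess into (resourceAppId, permissionId, type) tuples."""
    found = set()
    for resource in manifest.get("requiredResourceAccess", []):
        for access in resource.get("resourceAccess", []):
            found.add((resource["resourceAppId"], access["id"], access["type"]))
    return found


def keys_expiring(manifest, now, within_days=30):
    """keyIds of password credentials that expire within `within_days` of `now`."""
    horizon = now + timedelta(days=within_days)
    return [cred["keyId"] for cred in manifest.get("passwordCredentials", [])
            if _parse_utc(cred["endDate"]) <= horizon]


def audit(manifest, now=SAMPLE_NOW, expected=EXPECTED_ACCESS):
    """Compare the registration against the allow-list and flag keys nearing expiry."""
    found = requested_access(manifest)
    return {
        "unexpected": found - expected,      # anything beyond 'Read directory data'
        "missing": expected - found,         # sync will fail without these
        "expiring_keys": keys_expiring(manifest, now),
    }


if __name__ == "__main__":
    # Real use: json.load(open("manifest.json")) after exporting it from the portal.
    print(json.dumps({k: sorted(map(str, v)) for k, v in audit(SAMPLE_MANIFEST).items()}, indent=2))
```

Run it against the manifest you export from the app registration's 'Manifest' blade; any entry under "unexpected" means the registration has grown beyond what the sync needs, and anything under "expiring_keys" means a new key should be generated and entered into the 'Key' field before the old one lapses.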
Status and Management:
Once integrated, the status of your Active Directory integration can be monitored from within the settings page. Details on the status, the last sync, and any conflicts can be reviewed and managed from this page, as can any necessary updates to credentials or attribute mappings, by selecting 'Manage' within the relevant section.
Users in your Azure Active Directory will be automatically created in the archive system. These users will initially be 'disabled' (see the KB article on enabling users for more information). Additionally, synchronized users will not be assigned any role in the system; when enabling them, a role will also need to be assigned (see the KB article on assigning user roles, which can be done individually or in bulk).
Similarly, users that are deleted from your Azure Active Directory after having been added to the archive system will be disabled on the next sync to ensure their access is restricted.
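The provisioning rules in this section (new accounts arrive disabled and without a role, aliases are attached automatically, accounts removed from the directory are disabled on the next run, and conflicts are surfaced rather than silently resolved) are what make a directory sync safe to run unattended. The following is an added example of one nightly run written from those rules; it is not the archive product's own sync code. It assumes the attribute names of an Azure AD Graph user object (`objectId`, `mail`, `userPrincipalName`, `displayName`, `proxyAddresses` in the `smtp:` form) and uses a constructed archive state and directory listing.

```python
import copy

# Attribute mapping as described in the setup: archive field -> directory attribute.
# Directory attribute names are assumed from the Azure AD Graph user object.
DEFAULT_MAPPING = {"email": "mail", "username": "userPrincipalName", "name": "displayName"}

# Constructed archive state keyed by directory objectId: alice is active with a
# role, bob is active but has since been deleted from the directory.
SAMPLE_ARCHIVE = {
    "a1": {"email": "alice@example.com", "username": "alice@example.com", "name": "Alice",
           "aliases": [], "enabled": True, "role": "reviewer"},
    "b1": {"email": "bob@example.com", "username": "bob@example.com", "name": "Bob",
           "aliases": [], "enabled": True, "role": None},
}

# Constructed directory listing: alice renamed, carol new with an alias, dave's
# username collides with alice's.
SAMPLE_DIRECTORY = [
    {"objectId": "a1", "mail": "alice@example.com", "userPrincipalName": "alice@example.com",
     "displayName": "Alice Example", "proxyAddresses": ["SMTP:alice@example.com"]},
    {"objectId": "c1", "mail": "carol@example.com", "userPrincipalName": "carol@example.com",
     "displayName": "Carol Example",
     "proxyAddresses": ["SMTP:carol@example.com", "smtp:carol.alt@example.com"]},
    {"objectId": "d1", "mail": "dave@example.com", "userPrincipalName": "alice@example.com",
     "displayName": "Dave Example"},
]


def aliases_from_proxy_addresses(user, primary_email):
    """Collect smtp: proxy addresses other than the primary address (assumed 'smtp:addr' form)."""
    aliases = set()
    for addr in user.get("proxyAddresses", []):
        if addr.lower().startswith("smtp:"):
            value = addr[5:].lower()
            if value != primary_email.lower():
                aliases.add(value)
    return sorted(aliases)


def map_user(user, mapping):
    """Apply the attribute mapping and attach aliases."""
    record = {field: user.get(attr) for field, attr in mapping.items()}
    record["aliases"] = aliases_from_proxy_addresses(user, record["email"] or "")
    return record


def reconcile(archive, directory_users, mapping=DEFAULT_MAPPING):
    """One sync run. Returns (new_state, actions, conflicts); the input is not modified."""
    state = copy.deepcopy(archive)
    actions, conflicts, seen = [], [], set()
    usernames = {rec["username"]: oid for oid, rec in state.items()}

    for user in directory_users:
        oid = user["objectId"]
        seen.add(oid)
        mapped = map_user(user, mapping)
        if not mapped["email"] or not mapped["username"]:
            conflicts.append((oid, "missing mapped email or username"))
            continue
        owner = usernames.get(mapped["username"])
        if owner is not None and owner != oid:
            # Surface the collision for an administrator instead of guessing
            conflicts.append((oid, f"username {mapped['username']} already used by {owner}"))
            continue
        if oid in state:
            state[oid].update(mapped)          # refresh attributes, keep enabled/role as set
            actions.append(("update", oid))
        else:
            state[oid] = {**mapped, "enabled": False, "role": None}   # disabled, no role
            actions.append(("create", oid))
        usernames[mapped["username"]] = oid

    # Anyone no longer present in the directory loses access on this run
    for oid, rec in state.items():
        if oid not in seen and rec["enabled"]:
            rec["enabled"] = False
            actions.append(("disable", oid))
    return state, actions, conflicts


if __name__ == "__main__":
    new_state, actions, conflicts = reconcile(SAMPLE_ARCHIVE, SAMPLE_DIRECTORY)
    for action in actions:
        print(*action)
    for conflict in conflicts:
        print("conflict:", *conflict)
```

Note that an existing account's `enabled` and `role` values are never touched by an update, which is what lets an administrator enable users and assign roles between runs without the next sync undoing that work; only removal from the directory changes `enabled`, and only in the restrictive direction.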
Carlos Rios