ALVAO 11.2 / Admin guide / User management / User authentication in applications / Microsoft Entra ID authentication

Microsoft Entra ID authentication

Only users from a single Microsoft Entra ID (ME-ID) tenant, including that tenant's external users (guests), can log in to Alvao. Once ME-ID authentication is enabled in Alvao, no account outside that tenant can log in.

Caution:
If you are switching from Active Directory (AD) authentication to ME-ID authentication, note that the options for limiting the set of imported users and groups differ between ME-ID and AD (see Scope below). Before setting up user import from ME-ID, disable the existing user import from AD (ImportAD).

Import users from ME-ID (user provisioning)

Create the Alvao app by following Tutorial: Configure ALVAO for automatic user provisioning.

Caution:
Always connect one ME-ID application to one specific AlvaoRestApi (database). Once user provisioning is set up, never change the database to which AlvaoRestApi is connected; doing so can irreversibly damage the user data in the database.

Setting up ME-ID authentication

  1. In the Microsoft Azure portal, navigate to Microsoft Entra ID - App registrations and select the previously created Alvao app.
  2. Go to the Authentication tab, click on Add platform and select Web.
  3. In the Configure Web form, set Redirect URIs to the URL from Administration - Settings - WebApp - WebApp (URL) with /Account/LoginMicrosoftEndpoint appended, and check Access tokens (used for implicit flows) and ID tokens (used for implicit flows).
  4. On the API permissions page:
    1. Click Add a permission, go to the APIs my organization uses tab and select the ALVAO app created first (the provisioning app).
    2. Check the user_impersonation permission and click Add permissions.
    3. Grant admin consent for the permission you just added.
    4. Click Add a permission, select Microsoft Graph, select Delegated permissions, check Presence.Read.All and click Add permissions. This permission is required to enable the Show users presence option.
  5. On the Properties page of the Enterprise application, set the Assignment required switch to No.
  6. Make a note of the values from the application registration that you will need later:
    1. Client ID
    2. Directory (tenant) ID
    3. Client credentials - Client secrets - New client secret - Client Secret
  7. In the following SQL script, insert the Directory (tenant) ID and Client ID values noted in step 6 and run the script on your Alvao database.
    -- Replace both placeholders with the values noted in step 6 before running.
    INSERT INTO AzureAdTenant (AzureTenantId) VALUES (N'<Directory (tenant) ID>');
    EXEC spUpdateInsertProperty N'AzureApplicationId', N'<Client ID>';
  8. On the server in IIS Manager:
    1. In Alvao (WebApp), change the authentication method to anonymous and forms. In the forms login details, specify the ~/Account/LoginMicrosoft address.
    2. In AssetWebService (AM WS), set the authentication method to anonymous.
    3. In AlvaoRestApi, set the authentication method to anonymous.
    4. In AlvaoCustomAppsWebService (CA WS), set the authentication method to anonymous.
  9. In the following configuration files, set the AAD_ClientSecret setting to the Client Secret value noted in step 6:
    1. WebApp – web.config file
    2. AssetWebService – web.config
    3. AlvaoService – appsettings.json
    4. AlvaoRestApi – web.config
    5. AlvaoCustomAppsWebService – web.config

For more information on registering apps in ME-ID, see Register your app with the Azure AD v2.0 endpoint - Microsoft Graph | Microsoft Docs.
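The tenant ID and client ID stored in step 7 are, at sign-in time, constraints on the ID token that comes back to /Account/LoginMicrosoftEndpoint: the token's tid (and issuer) must name an enabled tenant and its aud must be this app registration, which is what makes the single-tenant restriction described at the top of this page hold. The following Python is an added illustration of those checks, not Alvao's code or its actual validation logic; the tenant and application IDs, the sample token payloads and the FIXED_NOW timestamp are constructed, and JWT signature verification is assumed to have already been done before the claims are inspected.

```python
"""Added illustration (not Alvao's code): the claim checks that confine
Microsoft Entra ID sign-in to the tenant and app registration configured in
step 7.  Works on an already-decoded ID token payload; verifying the JWT
signature against the tenant's signing keys is assumed to have happened first.
All identifiers below are constructed placeholders."""

import time

# What the admin inserted in step 7 (constructed values).
ALLOWED_TENANT_IDS = {"11111111-2222-3333-4444-555555555555"}  # AzureAdTenant rows
APPLICATION_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"         # AzureApplicationId


def expected_issuers(tenant_id):
    """Issuer strings Entra uses for a tenant: the v2.0 endpoint and the older v1.0 one."""
    return {
        f"https://login.microsoftonline.com/{tenant_id}/v2.0",
        f"https://sts.windows.net/{tenant_id}/",
    }


def check_id_token_claims(claims, allowed_tenants=ALLOWED_TENANT_IDS,
                          client_id=APPLICATION_ID, now=None):
    """Return (accepted, reason) for a decoded ID token payload.

    The tenant check comes first so that a token minted by any other tenant is
    rejected before anything else in it is trusted.  Guests of the tenant sign
    in through it and receive its tid, so they pass; accounts signing in through
    another tenant carry that tenant's tid and fail.
    """
    now = time.time() if now is None else now
    tid = claims.get("tid")
    if tid not in allowed_tenants:
        return False, f"tenant {tid!r} is not an enabled tenant"
    iss = claims.get("iss")
    if iss not in expected_issuers(tid):
        # issuer and tid must name the same tenant, otherwise the token is inconsistent
        return False, f"issuer {iss!r} does not belong to tenant {tid}"
    aud = claims.get("aud")
    if aud != client_id:
        return False, f"audience {aud!r} is not this application"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "token is expired or has no exp"
    return True, "ok"


# Constructed sample payloads (real ones arrive as signed JWTs).
FIXED_NOW = 1_700_000_000
SAMPLE_OK = {
    "iss": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0",
    "tid": "11111111-2222-3333-4444-555555555555",
    "aud": APPLICATION_ID,
    "exp": FIXED_NOW + 3600,
    "preferred_username": "alice@contoso.example",
}
SAMPLE_OTHER_TENANT = {  # minted by a different tenant: must be refused
    **SAMPLE_OK,
    "iss": "https://login.microsoftonline.com/99999999-0000-0000-0000-000000000000/v2.0",
    "tid": "99999999-0000-0000-0000-000000000000",
}
SAMPLE_OTHER_APP = {**SAMPLE_OK, "aud": "ffffffff-0000-0000-0000-000000000000"}
SAMPLE_MISMATCHED_ISSUER = {  # right tid, but the issuer names another tenant
    **SAMPLE_OK,
    "iss": "https://login.microsoftonline.com/99999999-0000-0000-0000-000000000000/v2.0",
}


def run_samples(now=FIXED_NOW):
    """Evaluate every constructed sample; returns {name: accepted}."""
    samples = {
        "ok": SAMPLE_OK,
        "other_tenant": SAMPLE_OTHER_TENANT,
        "other_app": SAMPLE_OTHER_APP,
        "mismatched_issuer": SAMPLE_MISMATCHED_ISSUER,
    }
    return {name: check_id_token_claims(c, now=now)[0] for name, c in samples.items()}


if __name__ == "__main__":
    for name, accepted in run_samples().items():
        print(f"{name:18} -> {'accepted' if accepted else 'rejected'}")
```

Only the first sample is accepted; a token from another tenant, for another application, or whose issuer disagrees with its tid is refused, as is the valid token once its exp has passed.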

Import users into object tree

If ALVAO Asset Management is activated, users are also automatically imported into the object tree, into the Loaded Objects from Active Directory folder, from where you move them to the correct location in the tree. The same set of users is imported into the object tree as into Administration - Users.

When a user is removed from ME-ID, the user is automatically blocked in the object tree (see the Account is blocked property) but not removed. We recommend periodically checking the tree for blocked users and removing them if appropriate.

If you activate Asset Management after users have already been imported into Administration, the existing users are not created in the tree automatically. You can create them with a prepared SQL script that creates every user from Administration that does not yet exist in the object tree; property values are set according to the default attribute mapping, and existing users remain unchanged.

Note:
You can also manually create a small number of users in the object tree and set their property values according to the information in Administration (especially the User Name property, which is the key).

Note:
You can disable the import of users into the object tree in Administration - Asset Management - Settings - General - Import User objects from Microsoft Entra ID.

After changing the setting, we recommend recycling the Alvao application pool in IIS Manager so that the import stops immediately.

SCIM

Importing (provisioning) users from ME-ID into Alvao uses the SCIM interface, through which Alvao automatically:

  • Creates, updates and deletes users in Administration - Users
  • Creates, updates, and deletes groups in Administration - Groups
  • Updates user and group memberships in groups
  • Creates and updates users in the object tree in ALVAO Asset Management

ME-ID pushes changes to Alvao via the SCIM interface on an ongoing basis. Most changes are reflected in Alvao within 40 minutes; some, such as a user being locked out, even sooner. This interval is controlled entirely by ME-ID and cannot be changed in Alvao.

The SCIM interface is part of the Alvao REST API, which must therefore be installed on a server reachable from the Internet (specifically, from Azure).
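As an added illustration of what "ME-ID pushes changes via the SCIM interface" means on the wire, the following Python applies SCIM 2.0 PatchOp messages (RFC 7644, section 3.5.2) to a user resource, including the lock-out case: the provisioning client sets active to false rather than deleting the user. This is example code, not Alvao's SCIM implementation; the user record, both requests and the identifiers in them are constructed, and only simple top-level attribute paths are handled.

```python
"""Added illustration (not Alvao's code): how SCIM 2.0 PatchOp messages of the
kind a provisioning client such as Microsoft Entra ID sends (RFC 7644, 3.5.2)
change a user resource.  Only simple top-level attribute paths are handled;
the user record and both requests are constructed."""

import copy

PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def _as_bool(value):
    """SCIM booleans are JSON booleans, but some clients send "True"/"False" strings."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise ValueError(f"not a boolean: {value!r}")


def apply_patch(user, patch):
    """Apply a PatchOp to a user dict and return the updated copy (input untouched)."""
    if PATCH_OP_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    user = copy.deepcopy(user)
    for op in patch["Operations"]:
        kind = op["op"].lower()           # RFC uses lowercase; some clients send "Replace"
        path = op.get("path")
        if kind in ("add", "replace"):
            if path is None:              # no path: value is an object of attributes
                for attr, val in op["value"].items():
                    user[attr] = _as_bool(val) if attr == "active" else val
            else:
                user[path] = _as_bool(op["value"]) if path == "active" else op["value"]
        elif kind == "remove":
            if path is None:
                raise ValueError("remove requires a path")
            user.pop(path, None)
        else:
            raise ValueError(f"unsupported op {op['op']!r}")
    return user


# Constructed user resource as stored after an initial POST /Users.
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "id": "2819c223-7f76-453a-919d-413861904646",
    "userName": "alice@contoso.example",
    "displayName": "Alice Example",
    "title": "Analyst",
    "active": True,
}

# Constructed request: what a lock-out looks like on the wire.  The user is
# deactivated, not deleted (a deletion would be a separate DELETE /Users/{id}).
DEACTIVATE_PATCH = {
    "schemas": [PATCH_OP_SCHEMA],
    "Operations": [{"op": "Replace", "path": "active", "value": "False"}],
}

# Constructed request: a routine attribute update combined with a removal.
RENAME_PATCH = {
    "schemas": [PATCH_OP_SCHEMA],
    "Operations": [
        {"op": "replace", "path": "displayName", "value": "Alice Example-Smith"},
        {"op": "remove", "path": "title"},
    ],
}


def demo():
    """Return the deactivated and the renamed user for inspection."""
    return apply_patch(SAMPLE_USER, DEACTIVATE_PATCH), apply_patch(SAMPLE_USER, RENAME_PATCH)


if __name__ == "__main__":
    locked, renamed = demo()
    print("after lock-out :", locked["active"])
    print("after rename   :", renamed["displayName"], "| title present:", "title" in renamed)
```

The deactivation request leaves the record in place with active set to false, which is why a removed ME-ID user shows up in Alvao as blocked rather than gone; the rename request shows the same mechanism carrying ordinary attribute changes and removals.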
