Microsoft Entra ID authentication
Microsoft Entra ID (ME-ID) authentication can't be combined with other authentication methods, i.e., if you enable ME-ID authentication in Alvao, no other users outside of ME-ID will be able to log in to Alvao.
By default, only users and guest users registered in a single ME-ID tenant can log in to Alvao. To provision users from multiple ME-ID tenants, use the ALVAO AM/SD Microsoft Multidomain Authentication modules.
If you are switching from Active Directory (AD) authentication to ME-ID authentication, please note that there are restrictions on the set of users and groups imported from ME-ID that differ from AD. See Define who is in scope for provisioning. Before setting up user import from ME-ID, first disable the existing user import from AD.
Import users from ME-ID (user provisioning)
Create Alvao app with Tutorial: Configure Alvao for automatic user provisioning.
Always connect one MS Entra application to a specific AlvaoRestApi instance (i.e., specific Alvao database). Never alter the database to which AlvaoRestApi is connected if user provisioning is set, as this could lead to irreversible damage to the user data in the database.
Video guide:
Setting up ME-ID authentication
-
In the Microsoft Azure portal, navigate to Microsoft Entra ID - App registrations and select the previously created Alvao app.
-
Go to the Authentication tab, click on Add platform and select Web.
-
In the Configure Web panel, enter the login page url into the Redirect URIs field, e.g.
https://contoso.alvao.com/Alvao/Account/LoginMicrosoftEndpoint. You will find the url of your Alvao in Administration - Settings - WebApp - WebApp (URL). Also enable the Access tokens (used for implicit flows) and ID tokens (used for implicit flows and hybrid flows) options.
Redirect URIs are case-sensitive and must match the case of the WA URI / IIS app folder name.
-
On the API permissions page:
- Click Add a permission, go to APIs my organization uses tab and select the first created Alvao app.
- Check user_impersonation permission and click Add permissions.
- Grant admin consent for previously added permission
- Click Add a permission, select Microsoft Graph, select Application permissions, check Presence.Read.All and click Add permissions. Then do the same with Delegated permissions - check User.Read This allows to enable Users presence option. Also add permissions for another Alvao components you plan to use.
-
On the Properties page, switch the Assignment required switcher to No.
-
Make a note of the values from the Overview page of the application registration that you will need later:
- Application (client) ID
- Directory (tenant) ID
-
Go to the Certificates & secrets page - Client secrets tab. Use the New client secret command to create the secret. Immediately copy the secret string from the Value column and save it for later use in this procedure.
-
In Alvao WebApp go to Administration - Settings - Microsoft Entra ID page. Add new tenant and use the Directory (tenant) ID value obtained in the previous step.
-
In the following SQL script, insert the Application (client) ID value obtained above and run the script on your Alvao database using SSMS.
EXEC spUpdateInsertProperty N'AzureApplicationId', N'<Application (client) ID>'
-
Open the appsettings.json file located in the Alvao WebApp folder in a text editor.
-
Make sure that the LoginUrl attribute is set to
/Account/LoginMicrosoft. -
In IIS Manager on the server, change the authentication method to anonymous for the following applications:
- Alvao (WebApp)
- AlvaoCustomAppsWebService (CA WS)
-
Enter the secret string obtained above into the AAD_ClientSecret item in appsettings.json files of the following applications:
- WebApp
- AlvaoService
- AlvaoRestApi
For more information on registering apps in ME-ID, see Register your app with the Azure AD v2.0 endpoint - Microsoft Graph | Microsoft Docs.
Import users into object tree
If ALVAO Asset Management is activated, users are also automatically imported into the object tree in the Imported from Microsoft Entra ID folder, from where they are moved to the correct location in the tree. The same set of users is imported into the object tree as in Administration - Users.
When removing a user from the ME-ID, the user is automatically blocked in the object tree (see the Account is blocked property) but not removed. Once in a while, we recommend checking the tree for blocked users and removing them if necessary.
If you activate Asset Management after importing users into Administration, the existing users are not automatically created in the tree. You can additionally create them with a prepared SQL script am-import-users.sql that creates all users from Administration that do not already exist in the object tree. The property values are set according to the default attribute mapping. Existing users will remain unchanged.
You can also manually create a small number of users in the object tree and set their property values according to the information in the Administration (especially the UserName property, which is key).
You can disable the import of users into the object tree in Administration - Asset Management - Settings - General - Import User objects from Microsoft Entra ID.
After adjusting the setting, we recommend recycling the Alvao application pool on the IIS server so that the import shutdown takes effect immediately.
SCIM
Importing (provisioning) users from ME-ID to Alvao uses the SCIM interface, through which Alvao automatically:
- Creates, updates and deletes users in Administration - Users
- Creates, updates, and deletes groups in Administration - Groups
- Updates user and group memberships in groups
- Pairs info of imported users with existing external users.
- Creates and updates users in the object tree in ALVAO Asset Management
ME-ID sends information about changes to Alvao via the SCIM interface on an ongoing basis. Most changes are reflected in Alvao within 40 minutes, some, such as locking out a user, even sooner. This interval is entirely under the control of ME-ID and cannot be changed.
The SCIM interface is part of the Alvao REST API, which must be installed on a server accessible from the Internet (or Azure). Only TLS 1.2 is supported.