
Microsoft Entra ID authentication

By default, only users and guests registered in a single Microsoft Entra ID (ME-ID) tenant can log in to Alvao. To provision users from multiple ME-ID tenants, use the ALVAO Microsoft Multidomain Authentication module.

ME-ID authentication can't be combined with other authentication methods: once you enable ME-ID authentication in Alvao, no users outside ME-ID will be able to log in to Alvao.

Warning: If you are switching from Active Directory (AD) authentication to ME-ID authentication, note that the options for limiting the set of users and groups imported from ME-ID differ from those for AD (see Scope below). Before setting up user import from ME-ID, first disable the existing user import from AD (ImportAD).

Import users from ME-ID (user provisioning)

Create the Alvao app by following Tutorial: Configure Alvao for automatic user provisioning.

Warning: Always connect one MS Entra application to a specific AlvaoRestApi (database). Never change the database to which AlvaoRestApi is connected once user provisioning is set up, as this could lead to irreversible damage to the user data in the database.

Setting up ME-ID authentication

  1. In the Microsoft Azure portal, navigate to Microsoft Entra ID - App registrations and select the previously created Alvao app.

  2. Go to the Authentication tab, click on Add platform and select Web.

  3. In the Configure Web form, set Redirect URIs to the URL from Administration - Settings - WebApp - WebApp (URL) with /Account/LoginMicrosoftEndpoint appended, and check Access tokens (used for implicit flows) and ID tokens (used for implicit flows).

  4. On the API permissions page:

    • Click Add a permission, go to the APIs my organization uses tab and select the Alvao app created earlier.
    • Check the user_impersonation permission and click Add permissions.
    • Grant admin consent for the permission you just added.
    • Click Add a permission, select Microsoft Graph, select Application permissions, check Presence.Read.All and click Add permissions. This permission is needed for the Show users presence option.
  5. On the Properties page of the Enterprise application, set the Assignment required switch to No.

  6. Make a note of the values from the application registration that you will need later:

    • Client ID
    • Directory (tenant) ID
    • Client credentials - Client secrets - New client secret - Client Secret
  7. In Alvao WebApp, go to the Administration - Settings - Microsoft Entra ID page. Add a new tenant and enter the Directory (tenant) ID obtained in the previous step as the Entra Tenant ID.

  8. In the following SQL script, replace <Client ID> with the Client ID value obtained above and run the script on your Alvao database (the value must contain no surrounding whitespace):

EXEC spUpdateInsertProperty N'AzureApplicationId', N'<Client ID>'

  9. Open the appsettings.json file located in the Alvao WebApp folder in a text editor.

  10. Make sure that the LoginUrl attribute is set to /Account/LoginIntegrated.

  11. On the server in IIS Manager:

    • In Alvao (WebApp), change the authentication method to anonymous.
    • In AlvaoCustomAppsWebService (CA WS), set the authentication method to anonymous.
  12. In the following configuration files, set the AAD_ClientSecret setting to the Client Secret value obtained above:

    • WebApp - appsettings.json
    • AlvaoService - appsettings.json
    • AlvaoRestApi - appsettings.json
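As an added example (not part of the Alvao documentation or product), a small Python check of the local side of the steps above: it derives the Redirect URI that step 3 expects from the WebApp (URL), verifies that the Client ID is a bare GUID before it goes into the spUpdateInsertProperty call, and checks that LoginUrl and AAD_ClientSecret are set in the three appsettings.json files. The page does not say at which nesting level Alvao stores these keys, so the check searches each JSON tree recursively; the sample files are constructed.

```python
import json
import re
from urllib.parse import urlsplit, urlunsplit

# Client ID is a GUID; a stray space inside the N'...' literal in the SQL step would store a wrong value.
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)

def find_key(node, key):
    """First value stored under `key` anywhere in a JSON tree, or None (nesting level is an assumption)."""
    if isinstance(node, dict):
        if key in node:
            return node[key]
        children = node.values()
    elif isinstance(node, list):
        children = node
    else:
        return None
    for child in children:
        found = find_key(child, key)
        if found is not None:
            return found
    return None

def expected_redirect_uri(webapp_url):
    """Redirect URI the app registration must list: WebApp (URL) + /Account/LoginMicrosoftEndpoint."""
    p = urlsplit(webapp_url.strip())
    return urlunsplit((p.scheme, p.netloc, p.path.rstrip("/") + "/Account/LoginMicrosoftEndpoint", "", ""))

def check_config(configs, client_id):
    """configs maps component name -> appsettings.json text. Returns findings; [] means all checks pass."""
    findings = []
    if client_id != client_id.strip() or not GUID_RE.match(client_id):
        findings.append("Client ID is not a bare GUID (check for surrounding whitespace)")
    for name, text in configs.items():
        data = json.loads(text)
        secret = find_key(data, "AAD_ClientSecret")
        if not isinstance(secret, str) or not secret.strip():
            findings.append(f"{name}: AAD_ClientSecret is empty")
        if name == "WebApp" and find_key(data, "LoginUrl") != "/Account/LoginIntegrated":
            findings.append("WebApp: LoginUrl must be /Account/LoginIntegrated")
    return findings

# Constructed sample files: WebApp still has the wrong LoginUrl, AlvaoRestApi has no secret yet.
SAMPLE = {
    "WebApp": '{"LoginUrl": "/Account/Login", "AAD_ClientSecret": "example-secret"}',
    "AlvaoService": '{"Settings": {"AAD_ClientSecret": "example-secret"}}',
    "AlvaoRestApi": '{"AAD_ClientSecret": ""}',
}
```

Run check_config(SAMPLE, "<Client ID>") after filling in the real values; an empty list means the local configuration matches steps 8 to 12.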

For more information on registering apps in ME-ID, see Register your app with the Azure AD v2.0 endpoint - Microsoft Graph | Microsoft Docs.

Import users into object tree

If ALVAO Asset Management is activated, users are also automatically imported into the object tree in the Loaded Objects from Active Directory folder, from where they are moved to the correct location in the tree. The same set of users is imported into the object tree as in Administration - Users.

When a user is removed from ME-ID, the user is automatically blocked in the object tree (see the Account is blocked property) but not removed. We recommend periodically checking the tree for blocked users and removing them if necessary.

If you activate Asset Management after importing users into Administration, the existing users are not automatically created in the tree. You can create them afterwards with the prepared SQL script am-import-users.sql, which creates all users from Administration that do not already exist in the object tree. The property values are set according to the default attribute mapping. Existing users remain unchanged.

Note: You can also manually create a small number of users in the object tree and set their property values according to the information in Administration (especially the UserName property, which is the key).

Note: You can disable the import of users into the object tree in Administration - Asset Management - Settings - General - Import User objects from Microsoft Entra ID.

After adjusting the setting, we recommend recycling the Alvao application pool on the IIS server so that the import shutdown takes effect immediately.

SCIM

Importing (provisioning) users from ME-ID to Alvao uses the SCIM interface, through which Alvao automatically:

  • Creates, updates and deletes users in Administration - Users
  • Creates, updates, and deletes groups in Administration - Groups
  • Updates user and group memberships in groups
  • Creates and updates users in the object tree in ALVAO Asset Management

ME-ID sends information about changes to Alvao via the SCIM interface on an ongoing basis. Most changes are reflected in Alvao within 40 minutes; some, such as locking out a user, even sooner. This interval is entirely under the control of ME-ID and cannot be changed.

The SCIM interface is part of the Alvao REST API, which must be installed on a server accessible from the Internet (or Azure).