Goal

The goal here is to document what was done in Azure during the Unit Portal deployment.

  • Azure AD sign-in is required to edit data; the system token (API) is enough to read data.

  • Ensure that email is set on the user's properties in AD.

How security is set up:

  • As users log into UP they will appear in the User list with default (read-only) permissions.

  • If the user is in a group mapped at the location level (for example the “Tampa” group), the user can only edit that location and the units below it.

  • Admins need to be in a group mapped to the top level. As long as a user is in a group that is mapped to THQ, that user has access to everything in that division.

  • If a user is mapped to several groups, they have edit access to all of those units and anything below them.
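The group-to-hierarchy model above, as an added example that is not part of these deployment notes: a small authorization check that reads the groups and email claims from an ID token and computes what the user may edit. The hierarchy names, group SIDs and token payloads are constructed placeholders, not the real UP data.

```python
from typing import Dict, List, Set

# Constructed division hierarchy (placeholder names, not the real UP data):
# THQ is the top level, locations sit under it, units sit under locations.
HIERARCHY: Dict[str, List[str]] = {
    "THQ": ["Tampa", "Orlando"],
    "Tampa": ["Unit-T1", "Unit-T2"],
    "Orlando": ["Unit-O1"],
}

# Constructed mapping from the on-premises group SID emitted in the groups
# claim to the hierarchy node that group is mapped to.
GROUP_TO_NODE: Dict[str, str] = {
    "S-1-5-21-1000-2000-3000-5001": "THQ",    # placeholder admin group
    "S-1-5-21-1000-2000-3000-5002": "Tampa",  # placeholder location group
}

def nodes_below(node: str) -> Set[str]:
    """Return the node itself plus every location/unit below it."""
    found = {node}
    for child in HIERARCHY.get(node, []):
        found |= nodes_below(child)
    return found

def editable_nodes(claims: dict) -> Set[str]:
    """Nodes the token holder may edit. An empty set means default read-only.
    Rejects tokens without an email claim, since the notes require email to
    be populated on the AD user before the claim can be issued."""
    if not claims.get("email"):
        raise ValueError("token lacks the email claim; set email on the AD user")
    allowed: Set[str] = set()
    for sid in claims.get("groups", []):
        node = GROUP_TO_NODE.get(sid)
        if node is not None:            # unmapped groups grant nothing
            allowed |= nodes_below(node)
    return allowed

def can_edit(claims: dict, node: str) -> bool:
    return node in editable_nodes(claims)

# Constructed token payloads (only the claims relevant to authorization).
THQ_ADMIN = {"email": "admin@example.com", "groups": ["S-1-5-21-1000-2000-3000-5001"]}
TAMPA_EDITOR = {"email": "tampa@example.com", "groups": ["S-1-5-21-1000-2000-3000-5002"]}
READ_ONLY = {"email": "viewer@example.com", "groups": ["S-1-5-21-1000-2000-3000-9999"]}
```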

Setup Application API in Azure AD

  • New app registration

    • Name: UnitPortalAPI

    • Who can use or access this API: “Single-tenant”

    • Redirect URI: platform “Web”, https://unitportalapi.sauss.net/

      • Need DNS entry for URL.

    • Send Devnext the resulting “Application (client) ID”

  • Click Authentication

    • Select the “ID Tokens” checkbox.

  • Click Certificates & Secrets

    • Create new client secret

    • Description: UnitPortalWebAPI; expires in 24 months. Reminder to renew?

    • Send Devnext the “Secret ID”.

  • Click Token Configuration

    • Add optional claim

      • Token type: “ID”

      • Set the following claims: email, family_name, given_name, preferred_username, upn.

        • Choose the option to turn on Microsoft Graph.

    • Add groups claim

      • Check the “Security groups” checkbox.

        • ID: On-premises group security identifier

        • Access: On-premises group security identifier

        • SAML: On-premises group security identifier

  • Click API Permissions

    • There should already be three values under Microsoft Graph (email, profile, User.Read).

    • Add a Permission

      • Choose Microsoft Graph

      • Set as “Delegated Permissions”

        • Expand “OpenId permissions” and check email, openid, and profile.

        • Add permissions.

  • Click Expose an API

    • Add a scope

      • Apply the default Application ID URI.

      • Save & Continue.

      • Scope name “access_as_user”.

      • Who can consent? “Admins Only”.

      • Admin consent display name “User_Read”.

      • Admin consent description “Allows user to read data”.

      • Add Scope.

    • Add a client application.

      • Enter the client ID provided by Devnext.

      • Check the “Authorized scopes” checkbox.

      • Add application.

  • Return to the Azure App Registrations screen and open “UnitPortal”.

    • Click Authentication.

    • Uncheck “Access tokens” and “ID Tokens”.

Now David installed items behind the scenes.

System group testing and issues…not really sure what to write about the troubleshooting they did.

...


    • Disable implicit grants.

    • Save