USS Unit Portal AD Deployment

The goal here is to document what was done in Azure during the Unit Portal deployment.

  • Azure AD sign-in is required to edit data; the system token (API) is sufficient to read data.

  • Need to ensure that email is set on user properties in AD.

How security is setup:

  • As users log into UP they will appear in the User list with default (read-only) permissions.

  • If set to “Tampa” group, at the location level, the user can only edit that location and the units below.

  • Admins need to be in a group mapped to the top level. As long as a user is in a group that is mapped to THQ, that user has access to everything in that division.

  • If a user is mapped to several groups, they have edit access to those units and anything below.
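The group mapping rules above, as an added worked example (not code from the portal or from this deployment): given the claims of an ID token that carries on-premises group SIDs, it computes which units the token holder may edit. The unit tree, the SID-to-level mapping and the token claims are constructed placeholders.

```python
# Added worked example, not part of the deployment notes: the group-to-level mapping
# above applied to ID token claims. Tree, SIDs and claims are constructed placeholders.

# Constructed hierarchy: THQ (top level) -> divisions -> locations -> units.
TREE = {
    "THQ": ["DivisionA", "DivisionB"],
    "DivisionA": ["Tampa", "Orlando"],
    "DivisionB": ["Atlanta"],
    "Tampa": ["Tampa-Unit1", "Tampa-Unit2"],
    "Orlando": ["Orlando-Unit1"],
    "Atlanta": ["Atlanta-Unit1"],
}
# On-premises group SID (what the "groups" claim carries with the "On Premises Group
# Security Identifier" setting) -> node the group is mapped to. Placeholder SIDs.
GROUP_TO_NODE = {
    "S-1-5-21-0-0-0-1001": "THQ",    # admin group mapped to the top level
    "S-1-5-21-0-0-0-2001": "Tampa",  # "Tampa" group mapped at the location level
}

def descendants(node: str) -> set[str]:
    """The node itself plus every node below it."""
    out = {node}
    for child in TREE.get(node, []):
        out |= descendants(child)
    return out

def groups_from_token(claims: dict) -> list[str]:
    """Azure AD drops the groups claim and emits an overage marker (_claim_names or
    hasgroups) when the user is in too many groups; never treat that as 'no groups',
    the caller must resolve membership through Microsoft Graph instead."""
    if "_claim_names" in claims or claims.get("hasgroups"):
        raise ValueError("groups overage: resolve groups via Microsoft Graph")
    return claims.get("groups", [])

def editable_units(claims: dict) -> set[str]:
    """Union of everything at or below each mapped group. No mapped group means the
    default read-only user (nothing editable). Email is required because the portal
    depends on the email claim being populated on the AD user."""
    if not claims.get("email"):
        raise ValueError("token has no email claim; set mail on the AD user")
    allowed: set[str] = set()
    for sid in groups_from_token(claims):
        node = GROUP_TO_NODE.get(sid)
        if node is not None:
            allowed |= descendants(node)
    return allowed

def can_edit(claims: dict, unit: str) -> bool:
    return unit in editable_units(claims)
```

A group SID that is not in the mapping contributes nothing, so an unmapped group never grants edit rights by accident.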


Setup Application API in Azure AD

  • New app registrations

    • Named: “UnitPortalAPI”

    • Who can use or access this API: “Single-tenant”

    • Redirect URI: platform “Web”, URL https://unitportalapi.sauss.net/

      • Need DNS entry for URL.

    • Send Devnext the resulting “Application (client) ID”

  • Click Authentication

    • Select the “ID Tokens” checkbox.

  • Click Certificates & Secrets

    • Create new client secret

    • Description: UnitPortalWebAPI, expires 24 months.

    • Send Devnext the “Secret ID”.

  • Click Token Configuration

    • Add optional claim

      • “ID”

      • Set the following claims: email, family_name, given_name, preferred_username, upn.

        • Choose the option to turn on Microsoft Graph.

    • Add groups claim

      • Security groups checkbox.

        • ID - On Premises Group Security Identifier.

        • Access - On Premises Group Security Identifier.

        • SAML - On Premises Group Security Identifier.

  • Click API Permissions

    • There should already be three values under Microsoft Graph (email, profile, User.Read).

    • Add a Permission

      • Choose Microsoft Graph

      • Set as “Delegated Permissions”

        • Expand “OpenId permissions” and check email, openid, and profile.

        • Add permissions.

  • Click Expose an API

    • Add a scope

      • Apply the default Application ID URI.

      • Save & Continue.

      • Scope name “access_as_user”.

      • Who can consent? “Admins Only”.

      • Admin consent “User_Read”.

      • Admin consent desc “Allows user to read data”.

      • Add Scope.

    • Add a client application.

      • Enter the client ID provided by Devnext.

      • Check the “Authorized scopes” checkbox.

      • Add application.

  • Return to the Azure App Registrations screen and open “UnitPortal”.

    • Click Authentication.

    • Uncheck “Access tokens” and “ID Tokens”.

    • Disable implicit grants.

    • Save