Active Directory settings - Microsoft Entra ID (Azure AD)

The steps below show how we have registered Perfion in Microsoft Entra ID for single sign-on. Treat them as a working example: your tenant may need different redirect URIs or a different permission set depending on which integration option you use.

Microsoft Entra ID (Azure AD)

Register application

To register the application, open the Azure portal, go to Microsoft Entra ID, select App registrations and then New registration.

Provide a name such as Perfion Authentication.

Under Supported account types, select Accounts in this organizational directory only (your tenant name only - Single tenant). Perfion only needs to authenticate users from your own directory, so do not open the registration to other tenants or personal accounts.

Add a redirect URI for the Single-page application (SPA) platform. This is required for the Perfion Web Client; the URI is the address of your live Perfion site and will be of the form https://your-subdomain.perfioncloud.com

Your application is now created. The remaining settings below are needed before it will work with Perfion.

Generate client secret

Go to Certificates & secrets and create a new client secret. Copy the secret value as soon as it is created: the portal shows it only once, and it cannot be retrieved later (you would have to create a new secret). Store it in a password manager or secret store rather than in e-mail or a ticket, and note the expiry date you chose, because single sign-on will stop working when the secret expires and it must then be rotated in both Entra ID and Perfion.

Add redirect URI for Test system (If applicable) 

Go to Authentication, click Add a redirect URI, choose Single-page application and enter the URI of your test site (typically https://your-subdomain-test.perfioncloud.com).

Your Authentication section should now have two SPA entries, one each for the live and test Perfion Web URIs.

Create Windows Client Platform 

Go to Authentication and add a platform for the Windows client by clicking Add a redirect URI and choosing Mobile and desktop applications.

Select https://login.microsoftonline.com/common/oauth2/nativeclient as the redirect URI.

Your Authentication section should now list three redirect URIs: the live SPA URI, the test SPA URI (if you added one) and the nativeclient URI under Mobile and desktop applications.

Configure permissions 

Go to API permissions to add the permissions Perfion requires. Click Add a permission and select Microsoft Graph.

Under Delegated permissions add the following (the exact Graph names are shown; email and profile are listed under OpenId permissions):

  • email
  • Group.Read.All
  • GroupMember.Read.All
  • profile
  • User.Read

 
Under Application permissions add the following:

  • Group.Create
  • Group.Read.All
  • User.Read.All
  • Group.ReadWrite.All (only required for the non-simple integration, where Perfion user groups are managed in Entra ID rather than in Perfion)

Application permissions apply tenant-wide without a signed-in user, and Group.ReadWrite.All allows the application to modify or delete any group in the directory. Leave it out unless you are using the non-simple integration, and keep the client secret correspondingly well protected.

Your API permissions should look similar to the below:

Grant admin consent

After adding all permissions, an administrator must grant tenant-wide consent by clicking Grant admin consent for <your tenant> on the API permissions page. This requires a Global Administrator or another role permitted to grant admin consent; until it is done, the Status column shows the permissions as not granted and sign-in will fail.
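The same registration, done from PowerShell instead of the portal, as an added example that is not part of the original article and is not Perfion's or Microsoft's own script. It uses the Microsoft Graph PowerShell SDK and performs every step above in one run: single-tenant registration, the two SPA redirect URIs and the nativeclient URI, the client secret, the Graph permissions and admin consent. It assumes the Microsoft.Graph module is installed, that you sign in as an administrator who may grant tenant-wide consent, and that the two perfioncloud.com hostnames are placeholders for your own live and test subdomains. Permission IDs are looked up from the Microsoft Graph service principal by name rather than hard-coded, so the permission lists in the script are the single source of truth and a typo fails loudly instead of silently granting nothing.

```powershell
# Added example: registers the "Perfion Authentication" app described above
# with the Microsoft Graph PowerShell SDK. Placeholders to replace:
$liveUri = 'https://your-subdomain.perfioncloud.com'        # assumed live site
$testUri = 'https://your-subdomain-test.perfioncloud.com'   # assumed test site
$graphAppId = '00000003-0000-0000-c000-000000000000'        # Microsoft Graph (well-known app ID)

# Permissions the script itself needs; the signed-in admin must be able to consent to them.
Connect-MgGraph -Scopes 'Application.ReadWrite.All',
                        'AppRoleAssignment.ReadWrite.All',
                        'DelegatedPermissionGrant.ReadWrite.All'

# Resolve permission IDs from the Graph service principal instead of hard-coding GUIDs.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"

$delegated   = 'email', 'profile', 'User.Read', 'Group.Read.All', 'GroupMember.Read.All'
$application = 'Group.Create', 'Group.Read.All', 'User.Read.All'
# Only for the non-simple integration (Perfion groups managed in Entra ID):
# $application += 'Group.ReadWrite.All'

$resourceAccess = @()
foreach ($name in $delegated) {
    $scope = $graphSp.Oauth2PermissionScopes | Where-Object { $_.Value -eq $name }
    if (-not $scope) { throw "Unknown delegated permission: $name" }
    $resourceAccess += @{ Id = $scope.Id; Type = 'Scope' }
}
foreach ($name in $application) {
    $role = $graphSp.AppRoles | Where-Object { $_.Value -eq $name }
    if (-not $role) { throw "Unknown application permission: $name" }
    $resourceAccess += @{ Id = $role.Id; Type = 'Role' }
}

# Register the app: single tenant, SPA platform with live and test URIs,
# and the MSAL nativeclient URI for the Windows client.
$app = New-MgApplication -DisplayName 'Perfion Authentication' `
    -SignInAudience 'AzureADMyOrg' `
    -Spa @{ RedirectUris = @($liveUri, $testUri) } `
    -PublicClient @{ RedirectUris = @('https://login.microsoftonline.com/common/oauth2/nativeclient') } `
    -RequiredResourceAccess @(@{ ResourceAppId = $graphAppId; ResourceAccess = $resourceAccess })

# Client secret with an explicit expiry. SecretText is returned once and cannot be read back.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id `
    -PasswordCredential @{ DisplayName = 'Perfion'; EndDateTime = (Get-Date).AddMonths(12) }

# Consent and role assignments attach to the service principal, not the app object.
$sp = New-MgServicePrincipal -AppId $app.AppId

# Admin consent, part 1: delegated scopes granted for all users in the tenant.
New-MgOauth2PermissionGrant -ClientId $sp.Id -ConsentType 'AllPrincipals' `
    -ResourceId $graphSp.Id -Scope ($delegated -join ' ') | Out-Null

# Admin consent, part 2: one app role assignment per application permission.
foreach ($entry in ($resourceAccess | Where-Object { $_.Type -eq 'Role' })) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
        -PrincipalId $sp.Id -ResourceId $graphSp.Id -AppRoleId $entry.Id | Out-Null
}

# Values Perfion needs. Put the secret straight into your secret store.
"Application (client) ID : $($app.AppId)"
"Directory (tenant) ID   : $((Get-MgContext).TenantId)"
"Client secret           : $($secret.SecretText)"
```

Run it once per tenant; running it again creates a second registration with the same display name rather than updating the first. After it completes, the API permissions page of the new registration should show every permission with a green "Granted for" status, which is the same end state the portal steps above produce.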

Login Process

The next stage is to verify that a user can log in with SSO. Any user in the Entra ID tenant that holds this application registration can now access Perfion by choosing the Log in with single sign-on option.

The first successful login syncs that user to Perfion and creates a Perfion user account for the profile.

With the simple integration option, group membership is managed in Perfion, so the new account belongs to no Perfion user groups yet and has no access to the sections and data that those groups control.

As a result, the user is unlikely to have any option in Perfion other than to log out. Have the user log out, then have a Perfion Administrator assign the newly created user(s) to the required groups. Once this is done, ask the user to log in again; they should now have access to the application.
