Azure AD SSO Integration

1/2023 - rev 4

Overview

Oort's platform can authenticate your users against your Azure AD. To enable SSO, you will need to configure an app registration inside Azure AD; this allows Oort to use your Azure AD to authenticate users. This document walks you through setting up the App Registration inside Azure AD.

Goal

The goal of this document is to serve as a guide to set up authentication with your Azure AD directory.  

Audience

This document is meant for the CISO to share with their teams to set up the integration with Azure AD that Oort will use to authenticate users.

Next Steps

Once the app registration is complete, you will share the client ID from your directory with Oort.

Azure AD SSO Integration

To enable SSO, you will need to configure an app registration inside Azure AD. This allows Oort to use your Azure AD to authenticate users.

Permission requirements for setting up Azure AD integration

To add the necessary configuration in Azure AD, you need to have admin access to the following:

The main thing that you will need to configure in Azure AD:

  • Add an App inside your Azure AD tenant that defines the keys and permissions needed by Oort

Setup Steps

There are three steps to set up the Azure AD app and its API secret and then connect them to Oort.

  1. Enable Azure AD resource provider (if needed)
  2. Setup App and API secret in Azure AD
  3. Provide client id and secret to Oort

Enable Azure AD resource provider

Register the Azure AD resource provider in your subscription.

  1. Go to Home...Subscriptions...Resource Providers
  2. Search for Microsoft.AzureActiveDirectory and select it.
  3. If the Status says NotRegistered, click the Register button to register the Microsoft.AzureActiveDirectory resource provider.

[Screenshot: Resource Providers page of the Azure subscription]

  4. If the Status says Registered, you can move on to the next step.

Setup App and API secret in Azure AD

Next, we will create the app in your Azure AD tenant, assign the correct permissions, and add an API secret. 

Add an app in your Azure AD tenant

  1. Go to Azure Active Directory...App registrations
  2. Click on New registration
  3. Fill in the details for the new app

[Screenshot: Register an application page]

  4. Click on Register
  5. Save the following information, as it will be entered into the Oort dashboard:
    • Application ID (this is the client ID you will provide to Oort)

[Screenshot: App registration overview showing the Application ID]

Add API Permissions

  1. Go to API Permissions under your newly created Oort Integration app

[Screenshot: API permissions page of the Oort Integration app]

  2. Click on Add a permission
  3. Click on Microsoft Graph

[Screenshot: Request API permissions dialog]

  4. Click on Application Permissions
  5. Search for "Directory.Read.All"
  6. Check the box next to Directory.Read.All
  7. Repeat steps 5 and 6 to add the following permission as well:
    • User.Read.All
  8. Once both permissions are in the list, click Add Permissions
  9. Click on Grant admin consent
  10. Click Yes to accept admin consent. When finished, the API permissions should look as shown below.

[Screenshot: API permissions list showing Directory.Read.All and User.Read.All with admin consent granted]

Create API secret

  1. Go to Certificates & Secrets under your Oort Integration app
  2. Click on New client secret

[Screenshot: Certificates & secrets page of the Oort Integration app]

  3. Fill in the details for the secret and click Add

[Screenshot: Add a client secret dialog]

  4. Save the Secret Value, as it will be used later in the Oort dashboard
    • Click the copy icon to copy it and save it somewhere safe
    • Important: Once you leave this page you WILL NOT be able to view the secret value again and will have to delete it and create a new one.

[Screenshot: Client secrets list showing the new secret value]
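The portal steps in this section (register the app, add the two Microsoft Graph application permissions, grant admin consent, create a client secret) can also be done from the Microsoft Graph PowerShell SDK, which makes the result repeatable and easy to review. The script below is an added example and is not part of the Oort guide. It assumes the Microsoft.Graph module is installed and that you sign in with a role allowed to create app registrations and grant admin consent; the display name "Oort Integration", the secret label "Oort SSO" and the six-month secret lifetime are illustrative choices. Microsoft Graph's application ID 00000003-0000-0000-c000-000000000000 is its well-known value; the two permission names are the ones listed in the steps above.

```powershell
# Added example (not from the Oort guide): the portal steps in this section done
# with the Microsoft Graph PowerShell SDK, so the result can be repeated and reviewed.
# Assumptions: the Microsoft.Graph module is installed and you sign in with a role
# that can create app registrations and grant admin consent. "Oort Integration"
# and the six-month secret lifetime are illustrative choices, not values from the guide.

Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All", "Directory.Read.All"

$graphAppId  = "00000003-0000-0000-c000-000000000000"    # Microsoft Graph's well-known application ID
$neededRoles = @("Directory.Read.All", "User.Read.All")  # the two application permissions from the guide

# "Add an app in your Azure AD tenant": a single-tenant registration, as New registration does in the portal.
# New-MgServicePrincipal creates the matching Enterprise App that the portal creates implicitly.
$app = New-MgApplication -DisplayName "Oort Integration" -SignInAudience "AzureADMyOrg"
$sp  = New-MgServicePrincipal -AppId $app.AppId

# "Add API Permissions": resolve the Graph app role IDs by name rather than hard-coding GUIDs,
# and insist on the Application (not Delegated) variant of each permission.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
$roles = @($graphSp.AppRoles | Where-Object {
    $_.Value -in $neededRoles -and $_.AllowedMemberTypes -contains "Application"
})
if ($roles.Count -ne $neededRoles.Count) { throw "Could not resolve every requested Graph application permission" }

$resourceAccess = @($roles | ForEach-Object { @{ Id = $_.Id; Type = "Role" } })
Update-MgApplication -ApplicationId $app.Id -RequiredResourceAccess @(
    @{ ResourceAppId = $graphAppId; ResourceAccess = $resourceAccess }
)

# "Grant admin consent": for application permissions, consent is an app role assignment
# from the new service principal to Microsoft Graph's service principal.
foreach ($role in $roles) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
        -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
}

# "Create API secret": the value is returned exactly once, so keep it in a variable and
# hand it over through the channel the Oort team agrees with you; do not paste it into a ticket.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = "Oort SSO"
    EndDateTime = (Get-Date).AddMonths(6)
}

# Check: the roles actually consented to must be exactly the two the guide lists.
$granted = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id | ForEach-Object {
    $assignedId = $_.AppRoleId
    ($graphSp.AppRoles | Where-Object Id -eq $assignedId).Value
})
if (Compare-Object $granted $neededRoles) { throw "Granted permissions differ from the expected set: $granted" }

# The values the guide asks you to provide (the secret itself stays in $secret.SecretText).
$primaryDomain = ((Get-MgOrganization).VerifiedDomains | Where-Object IsDefault).Name
[pscustomobject]@{
    ClientId      = $app.AppId
    SecretExpires = $secret.EndDateTime
    TenantDomain  = $primaryDomain
}
```

The final check is the part worth keeping even if you configure the app in the portal: it reads back the app role assignments and fails if anything other than Directory.Read.All and User.Read.All has been consented to. The script never writes the secret to the console; the expiry date it prints is the reminder to schedule rotation before the secret lapses.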

Provide Client ID and Client Secret to Oort Success & Support Team

As part of this process, the Oort Customer Success or Support team will guide you in securely transmitting the App Registration data below so that the configuration can be finished on the Oort authentication platform.

  • Client ID
  • Client secret
  • Azure tenant external FQDN or primary domain (e.g. company.com or company.onmicrosoft.com)

Make the Azure App Visible to End Users

Oort strongly recommends you make the Azure SSO app visible to your Oort users, so that they have quick access to the Oort console from their Azure apps page.

Navigate to the Enterprise App associated with the App Registration that you created above.

Under the Properties section, ensure the two settings below are both set to Yes.

[Screenshot: Properties section of the Enterprise application]