
If your organization has one or more Azure tenants managed by EmpowerID, you can configure EmpowerID to allow users with accounts in those tenants to authenticate to EmpowerID with their Azure AD credentials. This feature uses the OAuth Password Grant type flow, which requires registering an application in Azure AD with a client secret and at least one exposed scope.

Steps

To set up EmpowerID for Azure AD authentication, you will perform the following tasks:

  1. Register an application in Azure AD

  2. Create a client secret for the Azure application

  3. Add an API permission to the Azure application

  4. Update the EmpowerID account store connected to the Azure tenant for Azure AD auth

  5. Update the EmpowerID resource system for the Azure tenant with Azure Auth configuration parameters

Before you begin

To configure EmpowerID for Azure AD authentication, you first need to connect EmpowerID to each Azure tenant for which you want to enable this feature. See Azure AD SCIM Deployment and Configuration (https://dotnetworkflow.jira.com/wiki/spaces/EAGV22/pages/2809048927/Azure+AD+SCIM+Deployment+and+Configuration) for the details.

Step 1 – Register the application in Azure AD

  1. In Azure, navigate to your Azure Active Directory.

  2. On the Azure Active Directory navbar, click App registrations.

  3. On the App registrations page, click New registration.

  4. Once the application is registered, copy the Application (client) ID from the Overview page. You need this to configure EmpowerID for Azure AD auth.

Step 2 – Create a client secret for the application

  1. Navigate to the Certificates & secrets blade for the application, select the Client Secrets tab and click New Client Secret.

  2. Create the secret and then copy the Value. You need this to configure EmpowerID for Azure AD auth.

Step 3 – Add an API permission to the application

In this step, we add openid as the API permission to self-document the purpose of the application; however, you can select any permission.

  1. Navigate to the API permissions blade for the application and click Add a permission.

  2. Select Microsoft Graph as the API and then select Delegated permissions.

  3. Under OpenId permissions, select openid and then click Add permissions.


Step 4 – Configure the EmpowerID account store for Azure AD auth

  1. In EmpowerID, navigate to the Find Account Store page by expanding Admin > Applications and Directories and clicking Account Stores and Systems.

  2. Select the Account Stores tab and search for your Azure AD tenant.

  3. Click the Account Store link.



    This directs you to the Account Stores and Resource Systems page for the tenant.


  4. Click the Edit button (blue star) to put the account store in edit mode.


  5. Under Authentication and Password Settings, select Use for Authentication and Allow Search for User Name in Authentication.


  6. Click Save.

  7. After EmpowerID saves your changes, you should be directed back to the Account Store and Resource System page. Expand Authentication Settings and verify your changes.


Step 5 – Configure resource system parameters for Azure AD auth

For this step, you add the following new Configuration Parameters to the Azure AD resource system with the relevant values for your system:

  • AzureOAuthPwdGrantTypeClientSecret

  • AzureOAuthPwdGrantTypeClientID

  • AzureOAuthPwdGrantTypeScope

  1. On the Account Store and Resource System page, click the Resource System tab and then expand the Configuration Parameters accordion.

  2. Click the Add New (blue star) button.


  3. In the General dialog that opens, do the following:

    1. Enter AzureOAuthPwdGrantTypeClientSecret in the Name field.

    2. Enter the client secret for the Azure app you created earlier in the Value field.

    3. Select Encrypt Data and then click Save.


  4. Click the Add New (blue star) button again and add AzureOAuthPwdGrantTypeClientID as a Configuration Parameter. Be sure to enter the Application (client) ID of the Azure app in the Value field.


  5. Click the Add New (blue star) button again and add AzureOAuthPwdGrantTypeScope as a Configuration Parameter. Be sure to enter the API permission you set for the Azure app (openid in this example) in the Value field.

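The three parameters configured in Step 5 end up as the client_id, client_secret and scope fields of an OAuth 2.0 password-grant request to Azure AD. The following is an added example, not EmpowerID's own code, showing how such a request is built and its response parsed; it assumes the Microsoft identity platform v2.0 token endpoint and uses placeholder tenant, client ID and secret values.

```python
"""Added example (not EmpowerID code): the Azure AD OAuth 2.0 password grant
(ROPC) exchange that the three EmpowerID configuration parameters feed."""
import json
from urllib.parse import urlencode

# Constructed sample of the three parameters; values are placeholders.
SAMPLE_PARAMS = {
    "AzureOAuthPwdGrantTypeClientID": "00000000-0000-0000-0000-000000000000",
    "AzureOAuthPwdGrantTypeClientSecret": "PLACEHOLDER-CLIENT-SECRET",
    "AzureOAuthPwdGrantTypeScope": "openid",
}
# Microsoft identity platform v2.0 token endpoint; the tenant is substituted in.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

def build_ropc_request(params, tenant_id, username, password):
    """Return (url, form_body). Refuses to run with any parameter missing
    rather than send a half-formed request Azure AD would reject anyway."""
    missing = [k for k in SAMPLE_PARAMS if not params.get(k)]
    if missing:
        raise ValueError(f"missing configuration parameters: {missing}")
    form = {
        "grant_type": "password",
        "client_id": params["AzureOAuthPwdGrantTypeClientID"],
        "client_secret": params["AzureOAuthPwdGrantTypeClientSecret"],
        "scope": params["AzureOAuthPwdGrantTypeScope"],
        "username": username,
        "password": password,
    }
    return TOKEN_ENDPOINT.format(tenant=tenant_id), urlencode(form)

def parse_token_response(body):
    """Parse the endpoint's JSON: bearer token on success, or the AADSTS
    error pair on failure (e.g. invalid_grant for a wrong password)."""
    data = json.loads(body)
    if "error" in data:
        return {"ok": False, "error": data["error"],
                "description": data.get("error_description", "")}
    if data.get("token_type", "").lower() != "bearer" or "access_token" not in data:
        raise ValueError("unexpected token response shape")
    return {"ok": True, "access_token": data["access_token"],
            "expires_in": int(data["expires_in"])}

def redact_for_log(form_body):
    """Mask the client secret and user password before a request body is logged."""
    parts = []
    for kv in form_body.split("&"):
        key = kv.split("=", 1)[0]
        parts.append(f"{key}=***" if key in ("client_secret", "password") else kv)
    return "&".join(parts)
```

Because the password grant carries the user's password and the client secret in the same form body, treat both as secrets in logging and storage, which is why the page has you select Encrypt Data for the secret parameter.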
