Azure AD Authentication

If your organization has one or more Azure tenants managed by EmpowerID, you can configure EmpowerID to allow users with accounts in those tenants to authenticate to EmpowerID with their Azure AD credentials. This feature uses the OAuth Password Grant type flow, which requires registering an application with a client secret and at least one exposed scope.

Steps

To set up EmpowerID for Azure AD authentication, you will perform the following tasks:

  1. Register an application in Azure AD

  2. Create a client secret for the Azure application

  3. Add an API permission to the Azure application

  4. Update the EmpowerID account store connected to the Azure tenant for Azure AD auth

  5. Update the EmpowerID resource system for the Azure tenant with Azure Auth configuration parameters

Step 1 – Register the application in Azure AD

  1. In Azure, navigate to your Azure Active Directory.

  2. On the Azure Active Directory navbar, click App registrations.

  3. On the App registrations page, click New registration.

  4. Once the application is registered, copy the Application (client) ID from the Overview page. You need this to configure EmpowerID for Azure AD auth.

Step 2 – Create a client secret for the application

  1. Navigate to the Certificates & secrets blade for the application, select the Client Secrets tab and click New Client Secret.

  2. Create the secret and then copy the Value. You need this to configure EmpowerID for Azure AD auth.

Step 3 – Add an API permission to the application

In this step, we add openid as the API permission to self-document the purpose of the application; however, you can select any permission.

  1. Navigate to the API permissions blade for the application and click Add a permission.

  2. Select Microsoft Graph as the API and then select Delegated permissions.

  3. Under OpenId permissions, select openid and then click Add permissions.
Step 4 – Configure the EmpowerID account store for Azure AD auth

  1. In EmpowerID, navigate to the Find Account Store page by expanding Admin > Applications and Directories and clicking Account Stores and Systems.

  2. Select the Account Stores tab and search for your Azure AD tenant.

  3. Click the Account Store link. This directs you to the Account Store and Resource System page for the tenant.


  4. Click the Edit button to put the account store in edit mode.

  5. Under Authentication and Password Settings, select Use for Authentication and Allow Search for User Name in Authentication.

  6. Click Save.

  7. After EmpowerID saves your changes, you should be directed back to the Account Store and Resource System page. Expand Authentication Settings and verify your changes.

Step 5 – Configure resource system parameters for Azure AD auth

For this step, you add the following new Configuration Parameters to the Azure AD resource system with the relevant values for your system:

  • AzureOAuthPwdGrantTypeClientSecret

  • AzureOAuthPwdGrantTypeClientID

  • AzureOAuthPwdGrantTypeScope

  1. On the Account Store and Resource System page, click the Resource System tab and then expand the Configuration Parameters accordion.

  2. Click the Add New button.

  3. In the General dialog that opens, do the following:

    1. Enter AzureOAuthPwdGrantTypeClientSecret in the Name field.

    2. Enter the client secret for the Azure app you created earlier in the Value field.

    3. Select Encrypt Data and then click Save.

  4. Click the Add New button again and add AzureOAuthPwdGrantTypeClientID as a Configuration Parameter. Be sure to enter the Application (client) ID of the Azure app in the Value field.

  5. Click the Add New button again and add AzureOAuthPwdGrantTypeScope as a Configuration Parameter. Be sure to enter the API permission you set for the Azure app (openid, if you followed Step 3) in the Value field.
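The three Configuration Parameters above are the inputs EmpowerID needs for the password grant request it sends to Azure AD. The following added example (not EmpowerID's own code, and not from this page) shows how those parameters map onto the Azure AD v2.0 token endpoint's password-grant form body, validates them before use, and turns the endpoint's JSON reply into a short outcome label for troubleshooting; the mapping, the sample values and the hypothetical tenant name are assumptions, and the well-known AADSTS error codes are used only to label replies. It makes no network calls.

```python
"""Added example: validate EmpowerID's Azure AD auth parameters and build/read the
Azure AD v2.0 password-grant exchange. Sample values below are constructed."""
import json
import re
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Well-known AADSTS codes that point at a specific parameter or account problem.
KNOWN_CODES = {
    50126: "wrong username or password",
    50076: "MFA required; the password grant cannot complete an MFA challenge",
    7000215: "client secret rejected; check AzureOAuthPwdGrantTypeClientSecret",
    700016: "application not found; check AzureOAuthPwdGrantTypeClientID",
}

def validate_parameters(params: dict) -> list:
    """Return a list of problems with the three EmpowerID Configuration Parameters."""
    problems = []
    if not GUID_RE.match(params.get("AzureOAuthPwdGrantTypeClientID", "").strip()):
        problems.append("AzureOAuthPwdGrantTypeClientID must be the Application (client) ID (a GUID)")
    if not params.get("AzureOAuthPwdGrantTypeClientSecret"):
        problems.append("AzureOAuthPwdGrantTypeClientSecret is empty; copy the secret Value, not its ID")
    if not params.get("AzureOAuthPwdGrantTypeScope", "").strip():
        problems.append("AzureOAuthPwdGrantTypeScope must name the API permission, e.g. openid")
    return problems

def build_password_grant(params: dict, tenant: str, username: str, password: str):
    """Return (token URL, form-encoded body) for the password grant, or raise ValueError."""
    problems = validate_parameters(params)
    if problems:
        raise ValueError("; ".join(problems))
    body = {
        "grant_type": "password",
        "client_id": params["AzureOAuthPwdGrantTypeClientID"].strip(),
        "client_secret": params["AzureOAuthPwdGrantTypeClientSecret"],
        "scope": params["AzureOAuthPwdGrantTypeScope"].strip(),
        "username": username,
        "password": password,
    }
    return TOKEN_ENDPOINT.format(tenant=tenant), urlencode(body)

def classify_token_response(status: int, text: str) -> str:
    """Map the token endpoint's JSON reply to a short label suitable for a log line."""
    data = json.loads(text)
    if status == 200 and "access_token" in data:
        return "authenticated"
    err = data.get("error", "unknown_error")
    for code in data.get("error_codes", []):  # AAD returns integer AADSTS codes here
        if code in KNOWN_CODES:
            return f"{err}: {KNOWN_CODES[code]}"
    return f"{err}: see error_description"
```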