Azure Active Directory Connection Setup
Register CxAlloy as an enterprise application on Azure AD
Prerequisites
- An Azure account that has an active subscription. Create an account for free.
- The Azure account must have permission to manage applications in Azure Active Directory (Azure AD). Any of the following Azure AD roles include the required permissions:
- Completion of the Set up a tenant quickstart.
Register CxAlloy as a new app registration
Important:
Steps in this article may vary slightly based on the portal you start from.
Once created, the application object cannot be moved between different tenants.
Follow these steps to create the app registration:
- Sign in to the Azure portal.
If you have access to multiple tenants, use the Directories + subscriptions filter in the top menu to switch to the tenant in which you want to register the application. - Search for and select Azure Active Directory.
- Under Manage, select App registrations > New registration.
- Enter a display Name for your application. Users of your application might see the display name when they use the app, for example during sign-in. You can change the display name at any time and multiple app registrations can share the same name. The app registration's automatically generated Application (client) ID, not its display name, uniquely identifies your app within the identity platform.
** Please record the value for Application (client) ID as you will need to use this to setup the CxAlloy SSO connection in the next steps.
- Specify who can use the application, sometimes called its sign-in audience.
Supported account types Description Accounts in this organizational directory only Select this option if you're building an application for use only by users (or guests) in your tenant.
Often called a line-of-business (LOB) application, this app is a single-tenant application in the Microsoft identity platform.Accounts in any organizational directory Select this option if you want users in any Azure Active Directory (Azure AD) tenant to be able to use your application. This option is appropriate if, for example, you're building a software-as-a-service (SaaS) application that you intend to provide to multiple organizations.
This type of app is known as a multitenant application in the Microsoft identity platform.Accounts in any organizational directory and personal Microsoft accounts Select this option to target the widest set of customers.
By selecting this option, you're registering a multitenant application that can also support users who have personal Microsoft accounts. Personal Microsoft accounts include Skype, Xbox, Live, and Hotmail accounts.Personal Microsoft accounts Select this option if you're building an application only for users who have personal Microsoft accounts. Personal Microsoft accounts include Skype, Xbox, Live, and Hotmail accounts. - Enter https://cxalloy-production.us.auth0.com/login/callback for Redirect URI and make sure Web is selected for the type.
- Select Register to complete the initial app registration.
If you have more than one Azure AD directory, make sure you are in the correct directory when you register the app you want to use with CxAlloy.
During registration, configure the following settings:
| Option | Setting |
|---|---|
| Supported account types | To allow users from external organizations (like other Azure AD directories) choose the appropriate multitenant option. Multitenant options include the following: Accounts in any organizational directory (Any Azure AD directory - Multitenant). |
| Redirect URI | Select a Redirect URI type of Web, and enter your callback URL: https://auth.cxalloy.com/login/callback. |
Record your client ID (Application ID)
During this process, Microsoft generates an Application (client) ID for your application; you can find this on the app's Overview screen. Make note of this value.
Add a client secret
Sometimes called an application password, a client secret is a string value your app can use in place of a certificate to identity itself.
- In the Azure portal, in App registrations, select your application.
- Select Certificates & secrets > Client secrets > New client secret.
- Add a description for your client secret.
- Select an expiration for the secret or specify a custom lifetime.
- Client secret lifetime is limited to two years (24 months) or less. You can't specify a custom lifetime longer than 24 months.
- Microsoft recommends that you set an expiration value of less than 12 months.
- Select Add.
- Record the secret's value for use in your client application code. This secret value is never displayed again after you leave this page.
For application security recommendations, see Microsoft identity platform best practices and recommendations.
Once generated, make note of this value:
If you configure an expiring secret, make sure to record the expiration date! You will need to renew the key before that day to avoid a service interruption.
Add permissions
To add permissions, see Microsoft's Quickstart: Configure a client application to access web APIs - Add permissions to access web APIs.
While configuring permissions, you will need to configure the following permissions for the CxAlloy SSO connection to work properly:
| Delegated Permissions | Description |
|---|---|
| Users > User.Read | So your app can sign in users and read the signed-in users' profiles. |
| Directory > Directory.Read.All | So your app can read directory data on the signed-in user's behalf. |
Get the Azure Publisher Domain
To get the domain go to "branding & properties"
At this point you have enough information to add a new SSO Azure Active Directory connection in CxAlloy.
You have the:
- AD Publisher domain
- client ID
- client secret
- Your company email address domain (the domain from your work email address)
Go back to the CxAlloy "Add SSO Connection" screen and enter these values into the form provided to create the connection.
- To get back to the "SSO connections" configuration in CxAlloy. Go to your account and then click on settings tab at the top.
- Then select the "SSO Connections" link in the navigation menu on the left to go to that section.
- From there click "Add SSO Connection" which brings up this modal where you will choose "AZURE" as the connection type.
- Enter the information gathered earlier in each form field and click "next step".
- Review the data that is displayed and if it matches the values you intended to enter then click "save Connection" to create the connection. This will save your new connection.
NOTE: I had to use gmail.com as an example work email domain only to make this tutorial for demo purposes only.
Yours will be your companies domain that is present in your work email address!
NOTE: I had to use gmail.com as an example work email domain only to make this tutorial for demo purposes only.
Please note:
This connection will need to be enabled and tested before it will be available to your users
This can be done by clicking the "enable connection" button and following the prompts.
When a connection is correctly set up, tested and enabled it will have a green checkmark for tested and enabled columns.
If both fields have a green checkmark then your connection should be active able to login your users.
If you need additional help setting up an SSO connection please reach out to CxAlloy Support for help getting this feature setup.