Azure AD Authentication
A guide on how to setup Microsoft/Azure authentication
Register an application
Registering your application establishes a trust relationship between your app and the Microsoft identity platform. The trust is unidirectional: your app trusts the Microsoft identity platform, and not the other way around.
Follow these steps to create the app registration:
- Sign in to the Azure portal.
- If you have access to multiple tenants, use the Directories + subscriptions filter in the top menu to switch to the tenant in which you want to register the application.
- Search for and select Azure Active Directory.
- Under Manage, select App registrations > New registration.
- Enter a display Name for your application. Users of your application might see the display name when they use the app, for example during sign-in. You can change the display name at any time and multiple app registrations can share the same name. The app registration's automatically generated Application (client) ID, not its display name, uniquely identifies your app within the identity platform.
Add a redirect URI
A redirect URI is the location where the Microsoft identity platform redirects a user's client and sends security tokens after authentication.
For Veva this is in the format: https://default-host-header/signin-oidc
Grant Group.Read.All permissions
- Use the Add a permission button
- Select Microsoft Graph
- Click Delegated permissions
- Enter group in the filter field
- Select Group.Read.All
- Press Add permission
Add groups token claim
Under the Token configuration tab
- Click the Add groups claim,
- Select All groups
- Under Id, Access and SAML select sAMAccountName
- Click Add
Create a client secret
Under the Certificates & secrets tab, click New client secret, enter a description and select an expiry period. Click Add.
Now copy the new Value and Secret ID and store them somewhere safe; once you navigate away from this page the value cannot be retrieved again.
Install the Lisa.Modules.Authentication.Microsoft NuGet package
To enable Microsoft authentication, the Lisa.Modules.Authentication.Microsoft package must be installed.
The package contains the required services and handlers to communicate with Azure AD and create users in Veva.
Configure Veva to use Microsoft Authentication
Open the global settings dialog. There, under Microsoft Authentication, the Client ID, Client Secret and Tenant ID must be populated with the values from the Azure app registration.
Automatic enrolling
By default, when a user authenticates through an external authentication provider, a local User is created but is not enrolled in any authorization roles. This can be done manually after the user has authenticated for the first time, but it can also be done automatically through User Role mapping.
Under User role settings there is a list of rules.
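The following is an added example of how the registration above (redirect URI /signin-oidc, Group.Read.All, groups claim as sAMAccountName, client secret) fits together in an ASP.NET Core OpenID Connect setup, with the automatic enrolling step expressed as a group-to-role mapping. It is not the code of the Lisa.Modules.Authentication.Microsoft package; the configuration section name "MicrosoftAuthentication", the group names and the role names are assumptions, and the project is assumed to use implicit usings.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
var builder = WebApplication.CreateBuilder(args);
// Registration values come from configuration (section name assumed), never from source.
var azure = builder.Configuration.GetSection("MicrosoftAuthentication");
// Assumed enrolment rules: group sAMAccountName -> application role.
var groupToRole = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
{
    ["VEVA-Admins"] = "Administrator",
    ["VEVA-Users"] = "User",
};
builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(options =>
{
    // Single-tenant authority built from the registration's Tenant ID.
    options.Authority = $"https://login.microsoftonline.com/{azure["TenantId"]}/v2.0";
    options.ClientId = azure["ClientId"];
    options.ClientSecret = azure["ClientSecret"];
    // Must match the redirect URI registered in the portal: https://<host>/signin-oidc
    options.CallbackPath = "/signin-oidc";
    // Authorization code flow: tokens are redeemed with the client secret, not sent via the browser.
    options.ResponseType = OpenIdConnectResponseType.Code;
    options.Scope.Add("Group.Read.All");
    options.Events = new OpenIdConnectEvents
    {
        OnTokenValidated = ctx =>
        {
            var identity = (ClaimsIdentity)ctx.Principal!.Identity!;
            // With the "All groups" claim emitted as sAMAccountName, each group is one "groups" claim.
            foreach (var group in identity.FindAll("groups"))
                if (groupToRole.TryGetValue(group.Value, out var role))
                    identity.AddClaim(new Claim(ClaimTypes.Role, role));
            // Overage: users in more groups than a token can carry get "_claim_names"/"_claim_sources"
            // instead of "groups"; the list must then be read from Graph using the delegated Group.Read.All.
            return Task.CompletedTask;
        }
    };
});
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.Run();
```

Groups that match no rule add no role, so a user in an unmapped group still gets a local account without authorization, exactly as the default behaviour described above.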