Azure Active Directory (Microsoft Entra ID) Integration

OVERVIEW

SnapComms offers different methods of Azure Active Directory (Microsoft Entra ID) integration to import your groups from Azure into your SnapComms Content Manager for targeting.

 

Note that the SnapComms Windows App has built-in capabilities to import groups are attributes from on-premise Active Directory, please review the disabled groups from your SnapComms Content Manager > Users & Groups > Groups section (remove the status filter), as groups from Azure AD may already be synced if your organization has a hybrid environment.

 

AZURE AD INTEGRATION VIA SCIM

For simple Azure AD integration that meets the requirements below, the configuration can be done within your SnapComms Content Manager utilizing the SCIM endpoints. 

  • The group-based assignment only supports Security Groups
  • There are no nested groups - nested group membership and Office 365 groups are not currently supported by Azure AD
  • Extension attributes won't be needed for targeting. SCIM currently does not support the mapping of extended attributes.
  • The User Principal Name (UPN) is available in the Content Manager for all users.
    Note: The Azure AD authentication for SnapComms Apps can be enabled to allow the SnapComms App to collect the UPN from Azure AD, especially for Azure-only environments and non-corporate domain/network-bound users.

PREREQUISITES

A prerequisite for this integration is that user accounts must have a User Principal Name (UPN) associated. The UPN is an attribute from Active Directory that the SnapComms Windows App reads and imports as one of the default user attributes. The system will use that UPN to match the username from Azure AD and merge it with an existing user in your Content Manager.

If the UPN format from Azure and in SnapComms is different, our recommendation is to implement the Azure AD Integration via Graph API.

When the Azure AD user and the user inside the Content Manager are successfully matched, user attributes will also be imported to SnapComms.
 

STEPS TO INTEGRATE SNAPCOMMS AND AZURE AD (via SCIM)

Prepare the SnapComms Content Manager for Azure AD Integration

  1. Inside the Content Manager, navigate to Management >> Integrations, then click on Azure Active Directory

  2. Enter a Display Name

  3. Take note of the Tenant URL and Secret Token values - these will be copied to Azure later

Set up an Azure Enterprise Application (Non-Gallery)

  1. Create an Enterprise Application from the Azure Portal. Navigate to Azure Active Directory >> Enterprise applications >> New application >> Non-gallery application. Designate a Name (e.g. SCIM-SnapComms) and click Add.

  2. Inside the Enterprise Application, assign 'User and Groups'. Select the groups that you want to sync from Azure AD to the Content Manager. 

For testing purposes, select one group first which includes a few users that have members with the SnapComms Windows App already installed. If everything works well, you can go back to this section and add all the groups you want to sync for targeting via SnapComms.

 
  1. Go to Provisioning >> Manage Provisioning >> Update Credentials, and set the Provisioning Mode to 'Automatic'. Click Save.

The values for Admin Credentials can be found inside the Content Manager >> Management >> Integrations >> Azure Active Directory. Double click on the Secret Token to reveal the actual values, then copy and paste them accordingly. 

  1. Paste the value of the Tenant URL copied from the Content Manager

  2. Paste the value of the Secret Token copied from the Content Manager

  3. Click the 'Test Connection' button to confirm connectivity

  4. Click 'Save' to save the credentials

 
  1. Still inside the Provisioning tab, click on Mappings and go to 'Synchronize Azure Active Directory Users to customappsso'. Uncheck 'Create' and ensure that only 'Update' and 'Delete' are selected. Click Save. (Note that unchecking 'Create' is an important step and necessary to avoid user duplication).

  1. Under the 'Settings' of the Provisioning page, change the Scope to 'Sync only assigned users and groups'. 

Steps 4 and 5 ensure that only the user attributes and group membership of users that exist in SnapComms will be synced and no new user records will be created if the user only exists in Azure AD.

  1. To start the synchronization, check 'Clear current state and restart synchronization' then click Save. The status will change to 100% complete once the sync is finished. The sync will automatically be triggered every 40 minutes.

 

 

VERIFY SUCCESSFUL IMPORT

To check if groups have been successfully imported to SnapComms, inside the Content Manager go to Users & Groups >> Groups. It may take a while for the groups to show up.

The server-side integration also imports User Attributes from Azure AD. To check attributes imported, go to Users & Groups >> Attributes and click the 'Add Attribute' button. Select the Azure AD Display Name created earlier from the Data Source drop-down list. The attributes imported will be listed in the 'Data Source Attribute' drop-down list. To use these for Attribute Targeting, assign a name for the attribute, toggle 'Enable Attribute' and click Save.

 

 

AZURE AD INTEGRATION VIA GRAPH API

If the requirements for the server-side integration using SCIM cannot be met, another option is to integrate with Azure AD using Graph API. To utilize this method, email the information below to the SnapComms Technical Consulting team. Review how to manage the groups imported from Azure AD via Graph API.

REQUIREMENTS

To ensure the Azure AD integration method is appropriate for your environment, please email tech.consulting@everbridge.com with the following details:

  • Type of Azure AD implementation (e.g. if users and groups  are solely managed in Azure AD, or if it's a hybrid that is syncing with an on-premise AD)
  • Type of Azure AD groups (e.g. static security groups, dynamic distribution groups)
  • Group filter (if not importing all groups in Azure AD, e.g. displayName starts with 'string')
  • Type and number of devices you'll deploy the SnapComms Apps to (Windows, MAC, Mobile)
  • Matching criteria, whether the username in the SnapComms Content Manager matches the Azure AD username prefix; otherwise, what is the common user attribute between SnapComms and Azure
  • The SnapComms Technical Consulting Team will schedule a daily automation for this Azure AD integration to run, receiving email notifications is optional for customers.

The Azure AD Graph API integration requires the following:

  • these features are enabled in your license - CSV Import, API Access, and AD Synchronization Support

  • a dedicated administrator and Import Category created by SnapComms' technical consulting team

  • a new App Registration created in Azure

 

STEPS TO CREATE THE APP REGISTRATION FOR GRAPH API

  1. Select Graph API and Application permission.

  2. Grant the following permissions: Group.Read.All, GroupMember.Read.All, User.Export.All, User.Read.All

  3. Grant Admin consent

  4. Once the App Registration is created, SnapComms will require the following:

    • Application (client ID)

    • Tenant ID

    • Client Secret Value (Note: the actual value is needed, not the ID. This also needs to be created with the longest expiry if possible)

Managing Groups imported from Azure AD (via Graph API)

From the 'Users & Groups' > Groups page, the groups imported from Azure AD will initially be under the disabled status. The groups that will be used for targeting need to be activated and the members will be processed on the next integration run (scheduled to run daily) once the groups are active.

Remove the 'Status: Active' filter (as highlighted in red)

 

Under the Domain Name, type in Azure AD (as highlighted in yellow) and search for groups (as highlighted in green)

Once the groups are selected, select 'Activate'

Note that the SnapComms App needs to be installed and deployed to users first as the user creation is still based on the App installation. The users will also only appear in the groups imported from Azure AD if their user account exists, so the number of members will start to increase as Apps are deployed to users. Inactive users (e.g., if their user's app hasn't been connected for 30 days) will be hidden from the group count from Azure AD.

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Article is closed for comments.