Configuration in Azure

  1. Log in to the Microsoft Azure portal and go to App registrations.

    (Screenshot: MS Azure - App registrations)
  2. Select your Azure AD application from the list.

  3. In the application overview page, save the Application (client) ID and the Directory (tenant) ID, as they are needed for the MyQ configuration.

  4. Click on Client credentials (Certificates & secrets), create a new client secret and save its Value immediately; the portal shows the value only once, right after the secret is created. The Secret ID displayed next to it is only an identifier of the secret and cannot be used to authenticate. Client secrets expire, so note the expiry date and plan to renew the secret in both Azure and MyQ before it runs out.

  5. On the left-hand menu, click API permissions and add the following Microsoft Graph permissions, which are all read-only:
     • Microsoft Graph \ Group.Read.All
     • Microsoft Graph \ User.Read
     • Microsoft Graph \ User.Read.All

    The Status of each permission should be "Granted for <your tenant>" (shown as "Granted for Default Directory" when the tenant keeps its default display name) and marked green. All needed permissions can be added and configured with the buttons at the top of the list of permissions. Use "Add a permission" to add a new permission. Use "Grant admin consent for <your tenant>" to set the status of the permission to granted; this button is only available to an administrator entitled to grant tenant-wide consent, and until consent is granted MyQ will be refused access even though the permissions are listed.

Configuration in MyQ

Go to MyQ, Settings, Connections to connect MyQ to Azure. Click Add and select Azure from the list. In the pop-up window, fill in the required information:

(Screenshot: Azure connection properties)
  • Title: Add a title for the connection.

  • Tenant ID: Add the Directory (tenant) ID you saved from MS Azure.

  • Client ID: Add the Application (client) ID you saved from MS Azure.

  • Security key: Add the client secret Value you saved from MS Azure (not the Secret ID). Treat it as a password: it grants the listed Graph permissions to anyone who holds it.

Click Save and your Azure connection is now complete.
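The three values entered above are exactly the inputs of an OAuth 2.0 client-credentials request to Microsoft Graph, so they can be checked before they are saved in MyQ. The following Python script is an added example, not code from MyQ or from the original page: it builds that token request, and inspects the returned token's claims to confirm that the tenant and client IDs match what was typed into MyQ and that admin consent was actually granted for the required application permissions (User.Read is a delegated-only permission and never appears in an app-only token, so it is not part of the check). The GUIDs and the environment variable names AZ_TENANT_ID, AZ_CLIENT_ID and AZ_CLIENT_SECRET are assumptions; without a secret the script runs against a constructed, unsigned demonstration token.

```python
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

# Endpoints of the Microsoft identity platform client-credentials flow.
TOKEN_URL = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"

# Application (app-only) permissions the page requires for the MyQ registration.
# User.Read is delegated-only and cannot appear in an app-only token.
APP_PERMISSIONS = {"Group.Read.All", "User.Read.All"}


def token_request(tenant_id, client_id, client_secret):
    """Build the POST that MyQ's Tenant ID / Client ID / Security key map onto."""
    url = TOKEN_URL.format(tenant_id=tenant_id)
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,  # the secret VALUE, not the Secret ID
        "scope": GRAPH_SCOPE,
        "grant_type": "client_credentials",
    }).encode()
    return url, body


def fetch_token(tenant_id, client_id, client_secret):
    """Request an access token from Azure (needs network and a valid secret)."""
    url, body = token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def token_claims(token):
    """Decode the JWT payload for inspection only. The signature is NOT
    verified, so never use this to make an authorization decision."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def granted_permissions(claims):
    """Union of application permissions ("roles") and delegated scopes ("scp")."""
    return set(claims.get("roles", [])) | set(claims.get("scp", "").split())


def check_token(claims, tenant_id, client_id, required=APP_PERMISSIONS):
    """Return a list of problems; empty means the token was issued for the
    tenant and client entered in MyQ and carries every required permission."""
    problems = []
    if claims.get("tid") != tenant_id:
        problems.append("tenant mismatch: token tid=%s" % claims.get("tid"))
    app_id = claims.get("appid") or claims.get("azp")  # v1.0 vs v2.0 claim name
    if app_id != client_id:
        problems.append("client mismatch: token appid=%s" % app_id)
    for perm in sorted(required - granted_permissions(claims)):
        problems.append("missing permission: " + perm)
    return problems


def make_demo_token(claims):
    """Constructed, unsigned token for offline demonstration only (assumption)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return "%s.%s.%s" % (header, payload, "demo-signature")


if __name__ == "__main__":
    tenant = os.environ.get("AZ_TENANT_ID", "11111111-2222-3333-4444-555555555555")
    client = os.environ.get("AZ_CLIENT_ID", "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
    secret = os.environ.get("AZ_CLIENT_SECRET")
    if secret:
        token = fetch_token(tenant, client, secret)  # live check against Azure
    else:
        # Offline demo: admin consent was granted for User.Read.All only.
        token = make_demo_token({"tid": tenant, "appid": client,
                                 "roles": ["User.Read.All"]})
    problems = check_token(token_claims(token), tenant, client)
    print("\n".join(problems) or "OK: token matches the MyQ connection settings")
    sys.exit(1 if problems else 0)
```

A "missing permission" result after a live run almost always means the permission was added but "Grant admin consent" was not clicked; an HTTP 401 from the token endpoint usually means the Secret ID was pasted instead of the secret Value, or the secret has expired.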

Once the connection exists, synchronization and authentication through an Azure Active Directory with Microsoft Graph are set up in two further steps:

  1. Adding an Azure authentication server in MyQ, Settings, Authentication Servers.

  2. Adding an Azure synchronization source in MyQ, Settings, User Synchronization.


Microsoft single sign-on

To use Microsoft single sign-on:

  1. Make Azure the authentication server for the users who should be able to use it, either by enabling the Use as an authentication server setting in your Azure synchronization source before synchronizing users, or manually for selected users in their properties on the Users main tab.

  2. In the Azure authentication server settings, enable the Sign in with Microsoft option.

What happens when a user tries to sign in with Microsoft in the MyQ Web UI:

  • The user clicks the single sign-on button.

    • If the user is not signed in to Microsoft in the browser, they are forwarded to the Microsoft login page to sign in, and then logged into MyQ with the provided account.

    • If the user is signed in to Microsoft with one account only, they are automatically logged into MyQ with this account and are not offered an account picker (see Limitations below).

    • If the user is signed into two Microsoft accounts, they are forwarded to the Microsoft login page and are given a choice to select the account to continue with.

      • Only accounts currently signed in to the browser that belong to the configured Azure Active Directory domain are displayed.

  • Logout in the MyQ Web UI signs the user out of MyQ only, not of Microsoft. On a shared computer the user should also sign out of their Microsoft account in the browser; otherwise the next person to click the single sign-on button is logged into MyQ as them.


Limitations

  • When Microsoft single sign-on is enabled, the Sign in with Microsoft button is always displayed on the MyQ Web UI login page, but only users who use Azure as their authentication server can use it to log in.

    • Any attempt to use Microsoft single sign-on for a user who does not have Azure as their authentication server fails and is recorded as an error in the MyQ Log.

  • Only one instance of an Azure authentication server and Azure synchronization source can be created in MyQ.

  • Central-Site Configuration: If the configuration (authentication server, connection) is removed on Central, it is currently not removed from Sites during the following synchronization to Sites where it had been previously synchronized; it has to be removed manually on Sites.

  • If a user uses the Sign in with Microsoft button and they are currently signed into one Microsoft account in the browser, they are automatically logged into MyQ with this account. There is no option to switch to another account. To use another account, the user has to sign out on any Microsoft service first, and upon the next use of the single-sign-on button they will be asked for a new login.