
Microsoft Entra ID with Microsoft Graph setup

Microsoft has renamed Azure Active Directory (Azure AD) to Microsoft Entra ID for the following reasons: (1) to communicate the multicloud, multiplatform functionality of the products, (2) to alleviate confusion with Windows Server Active Directory, and (3) to unify the Microsoft Entra product family.

https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/new-name

Microsoft Entra ID Application Configuration

Entra ID (Azure) Multi-Tenant Synchronization and Authentication

You can now use multiple Entra ID tenants in MyQ environments to synchronize and authenticate users. This is particularly useful in shared print infrastructure settings, such as those found in the public sector, where multiple organizations manage printers from a single location, while each uses its own Entra ID.

Follow the process described below, repeating it once for each tenant. Give each tenant a clear, unique name so that users can identify which one applies to them.

  1. Log in to the Microsoft Azure portal and go to App registrations.

    MS Azure - App registrations
  2. Click New registration to create a new application or select an existing application.

  3. If you are creating a new application, set the Name and, in Supported account types, select the Accounts in this organizational directory only ({Tenant name} only - Single tenant) option if all your users are members of your tenant. A multitenant application can also be used if required, depending on the application's target audience.

  4. You can skip the Redirect URI settings for now (described in step 7). Click Register to create the application.

  5. From the application’s Overview screen, go to API Permissions and select Microsoft Graph API and the required type of permission (Delegated or Application) as illustrated below. The required permissions are:
    Microsoft Graph \ Group.Read.All, Microsoft Graph \ User.Read, Microsoft Graph \ User.Read.All

  6. The status "Granted for Default Directory" must be set on all permissions that require admin consent. All needed permissions can be added and configured with the buttons at the top of the list of permissions.

    Granting admin consent

    Use "Add a permission" to add new permission.
    Use "Grant admin consent for Default Directory" to set the status of the permission as "Granted for Default Directory".

  7. Go to the Authentication settings, and under Platform configurations, click Add a platform. Then select Web, and list all redirect URLs for your MS Entra ID application. For the actual URLs, use the hostname (and port) of your server in the following format: https://{hostname:port}/auth and click Configure.

    Setting up redirect URLs
  8. In the application’s overview page, save the Application (client) ID and the Directory (tenant) ID, as they are needed for the MyQ configuration.

  9. Click Add a certificate or secret next to Client credentials and complete the following steps:

    Client secret options
    1. Click New client secret.

    2. Add a Description.

    3. Set the expiration for the key.

    4. Click Add.

    5. Save the client secret key Value, because you need it for the configuration in MyQ and you cannot retrieve it later.

Configuration in MyQ

Go to MyQ, Settings, Connections to connect MyQ to Microsoft Entra ID. Click Add and select Microsoft Entra ID from the list. In the pop-up window, fill in the required information:

MS Entra connection properties

  • Title: Add a title for the connection.

  • Tenant ID: Add the Directory (tenant) ID you saved from Microsoft Entra.

  • Client ID: Add the Application (client) ID you saved from Microsoft Entra.

  • Security key: Add the (secret) Value you saved from Microsoft Entra.

Click Save and your Microsoft Entra ID connection is now complete.

Microsoft single sign-on

To use Microsoft single sign-on:

  1. Enable "Use as an authentication server" on the Users tab of the Microsoft Entra ID synchronization source before synchronizing users, or enable Microsoft Entra ID as the authentication server manually for selected users in their details on the Users main page.

  2. In the Microsoft Entra ID authentication server settings, enable displaying the 'Sign in with Microsoft' login method.

When Microsoft single sign-on is enabled, the Sign in with Microsoft button is always displayed on the MyQ Web UI login page, but only users who use Microsoft Entra ID as their authentication server can use it to log in. Any attempt to use Microsoft single sign-on by a user who does not use the Microsoft Entra ID authentication system will end with an error.

What happens when a user tries to sign in with Microsoft in the MyQ Web UI:

  • The user clicks the single sign-on button.

    • If the user is not signed in to Microsoft in the browser, they are forwarded to the Microsoft login page to sign in, and then logged into MyQ with the provided account.

    • If the user is signed into two Microsoft accounts, they are forwarded to the Microsoft login page and are given a choice to select the account to continue with.

  • Logout in MyQ Web UI signs out the user only locally, not from Microsoft. 

  • In cases where multiple Entra ID authentication servers are configured, the login page will display multiple "Continue with Microsoft" buttons.

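The app registration steps above (redirect URI of the form https://{hostname:port}/auth, delegated User.Read for sign-in, admin-consented Group.Read.All and User.Read.All for synchronization) and the Sign in with Microsoft flow just described can be checked against the actual OAuth 2.0 requests they produce. The following is an added example, not MyQ's or Microsoft's code: it builds the Entra ID v2.0 authorization request a web login would redirect to, validates that the redirect URI matches the registered format exactly, and builds the client-credentials token request a synchronization job would send. The tenant ID, client ID, secret, hostname and PKCE verifier are placeholder values.

```python
import hashlib
import base64
from urllib.parse import urlencode, urlparse

# Entra ID v2.0 endpoints; tenant_id is the Directory (tenant) ID from the app's Overview page.
AUTHORITY = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0"
# Delegated scopes for the sign-in path (User.Read is the delegated permission the page lists).
SIGN_IN_SCOPES = ["openid", "profile", "User.Read"]


def redirect_uri(host_port: str) -> str:
    """Build the redirect URI in the exact form the registration requires: https://{hostname:port}/auth.
    Entra matches redirect URIs exactly, so scheme, host, port and path must all agree with what was
    registered; anything else (http, an extra path segment) is rejected here before it reaches Entra."""
    uri = f"https://{host_port}/auth"
    parsed = urlparse(uri)
    if parsed.scheme != "https" or not parsed.netloc or parsed.path != "/auth":
        raise ValueError(f"invalid redirect URI: {uri}")
    return uri


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge (RFC 7636): BASE64URL(SHA-256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorize_url(tenant_id: str, client_id: str, host_port: str, state: str, verifier: str) -> str:
    """Authorization request for the 'Sign in with Microsoft' step. state and the PKCE verifier are
    caller-supplied so the result is deterministic; a real login generates both per request
    (e.g. secrets.token_urlsafe(32)) and checks state on the /auth callback."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri(host_port),
        "response_mode": "query",
        "scope": " ".join(SIGN_IN_SCOPES),
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORITY.format(tenant_id=tenant_id) + "/authorize?" + urlencode(params)


def client_credentials_request(tenant_id: str, client_id: str, client_secret: str):
    """Token request the synchronization path POSTs. Application permissions (Group.Read.All,
    User.Read.All) are granted by admin consent and requested through the Graph .default scope."""
    body = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": "https://graph.microsoft.com/.default"}
    return AUTHORITY.format(tenant_id=tenant_id) + "/token", body
```

The PKCE verifier/challenge pair used in the check is the RFC 7636 test vector; the client secret is the Value saved in step 9 and should be stored only in MyQ's Security key field, never in source.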

Limitations 

  • Users using Microsoft Entra ID authentication server cannot sign in on the MyQ Web User Interface with a PIN. However, they can use their PIN on the MyQ Embedded terminals and MyQ Desktop Client up to version 10.0.

Synchronization and authentication through Microsoft Entra ID with Microsoft Graph can now be used via the following steps:

  1. Adding a Microsoft Entra ID authentication server in MyQ, Settings, Authentication Servers.

  2. Adding a Microsoft Entra ID synchronization source in MyQ, Settings, User Synchronization.
