
Azure AD with Microsoft Graph setup

Azure Application Configuration

  1. Log in to the Microsoft Azure portal and go to App registrations.

    MS Azure - App registrations
  2. Click New registration to create a new application or select an existing application.

  3. If you are creating a new application, set the Name and, under Supported account types, select the Accounts in this organizational directory only ({Tenant name} only - Single tenant) option if all your users are members of your tenant. A multitenant application can also be used if required, depending on the target audience of the application.

  4. You can skip the Redirect URI settings for now (described in step 7). Click Register to create the application.

  5. From the application's Overview screen, go to API Permissions and select Microsoft Graph API and the required type of permission (Delegated or Application) as illustrated below. The required permissions are:

    • Microsoft Graph \ Group.Read.All
    • Microsoft Graph \ User.Read
    • Microsoft Graph \ User.Read.All

  6. The status "Granted for Default Directory" needs to be set on all permissions that require it. All needed permissions can be added and configured with the buttons at the top of the list of permissions.

    Granting admin consent

    Use "Add a permission" to add a new permission.
    Use "Grant admin consent for Default Directory" to set the status of the permission as "Granted for Default Directory".

  7. Go to the Authentication settings, and under Platform configurations, click Add a platform. Then select Web, and list all redirect URLs for your Azure application. For the actual URLs, use the hostname (and port) of your server in the following format: https://{hostname:port}/auth and click Configure.

    Setting up redirect URLs

  8. In the application’s overview page, save the Application (client) ID and the Directory (tenant) ID, as they are needed for the MyQ configuration.

  9. Click Add a certificate or secret next to Client credentials and complete the following steps:

    Client secret options
    1. Click New client secret.

    2. Add a Description.

    3. Set the expiration for the key.

    4. Click Add.

    5. Save the client secret key Value, because you need it for the configuration in MyQ and you cannot retrieve it later.

Configuration in MyQ

Go to MyQ, Settings, Connections to connect MyQ to Azure AD. Click Add and select Azure AD from the list. In the pop-up window, fill in the required information:

Azure AD connection properties

  • Title: Add a title for the connection.

  • Tenant ID: Add the Directory (tenant) ID you saved from Azure.

  • Client ID: Add the Application (client) ID you saved from Azure.

  • Security key: Add the (secret) Value you saved from Azure.

Click Save and your Azure AD connection is now complete.

Microsoft single sign-on

To use Microsoft single sign-on:

  1. Enable "Use as an authentication server" on the Users tab of the Azure AD synchronization source before synchronizing users, or enable Azure as the authentication server manually for selected users in their details on the Users main page.

  2. In the Azure authentication server settings, enable displaying the 'Sign in with Microsoft' login method.

When Microsoft single sign-on is enabled, the Sign in with Microsoft button is always displayed on the MyQ Web UI login page, but only users who use Azure AD as their authentication server can use it to log in. Any attempt to use Microsoft single sign-on by a user who does not use the Azure AD authentication system will end with an error.

What happens when a user tries to sign in with Microsoft in the MyQ Web UI:

  • The user clicks the single sign-on button.

    • If the user is not signed in to Microsoft in the browser, they are forwarded to the Microsoft login page to sign in, and then logged into MyQ with the provided account.

    • If the user is signed in to Microsoft with one account only, they are automatically logged into MyQ with this account (see Limitations below).

    • If the user is signed into two Microsoft accounts, they are forwarded to the Microsoft login page and are given a choice to select the account to continue with.

  • Logging out of the MyQ Web UI signs the user out only locally, not from Microsoft.
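The sign-in exchange described above, as an added example built with the Python standard library only (it is not MyQ's code and not a Microsoft SDK). It covers the three pieces a MyQ-style server needs: validating that the redirect URL matches the https://{hostname:port}/auth form registered in step 7, building the authorization URL the "Sign in with Microsoft" button sends the browser to, and checking the callback that comes back to /auth before the code is exchanged for tokens on the back channel. The endpoints are the public Microsoft identity platform v2.0 endpoints; the tenant ID, client ID, hostname and secret are placeholders, and the PKCE code challenge is an addition on top of the client secret the page configures.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Public Microsoft identity platform v2.0 endpoints (not MyQ-specific).
AUTHORITY = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0"


def validate_redirect_uri(uri: str) -> bool:
    """Step 7 of the Azure configuration: the redirect URL registered on the
    Web platform has the form https://{hostname:port}/auth, so anything that
    is not https or not exactly the /auth path is rejected here."""
    parts = urlsplit(uri)
    return (
        parts.scheme == "https"
        and bool(parts.hostname)
        and parts.path == "/auth"
        and not parts.query
        and not parts.fragment
    )


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_pkce_pair() -> tuple[str, str]:
    """Returns (code_verifier, code_challenge) for the S256 PKCE method."""
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_login_url(tenant_id, client_id, redirect_uri, state, code_challenge):
    """The URL the 'Sign in with Microsoft' button sends the browser to.
    No 'prompt' parameter is sent, which matches the behaviour described
    above: a single account already signed in is used automatically."""
    if not validate_redirect_uri(redirect_uri):
        raise ValueError("redirect URI must have the form https://{hostname:port}/auth")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": "openid profile User.Read",
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORITY.format(tenant=tenant_id) + "/authorize?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Checks what Microsoft sent back to /auth before the code is used.
    A mismatched state means the response was not produced by a login this
    server started (login CSRF); error responses are never treated as success."""
    q = parse_qs(urlsplit(callback_url).query)
    if "error" in q:
        raise PermissionError(f"{q['error'][0]}: {q.get('error_description', [''])[0]}")
    got_state = q.get("state", [""])[0]
    if not secrets.compare_digest(got_state, expected_state):
        raise PermissionError("state mismatch: callback does not belong to this login attempt")
    if "code" not in q:
        raise PermissionError("callback carries neither a code nor an error")
    return q["code"][0]


def build_token_request(tenant_id, client_id, client_secret, redirect_uri, code, code_verifier):
    """Back-channel POST that exchanges the code for tokens. The client secret
    (the 'Security key' entered in MyQ) is only ever sent here, server to
    server, never to the browser. Returns (url, form_body)."""
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }
    return AUTHORITY.format(tenant=tenant_id) + "/token", body


if __name__ == "__main__":
    # Placeholder values; replace with the IDs saved from the Azure portal.
    tenant, client = "TENANT_ID_PLACEHOLDER", "CLIENT_ID_PLACEHOLDER"
    redirect = "https://myq.example.com:8090/auth"
    state = secrets.token_urlsafe(16)
    verifier, challenge = new_pkce_pair()
    print(build_login_url(tenant, client, redirect, state, challenge))
    # Constructed callback, as the browser would deliver it to /auth:
    code = parse_callback(f"{redirect}?code=AUTHCODE&state={state}", state)
    print(build_token_request(tenant, client, "SECRET_PLACEHOLDER", redirect, code, verifier))
```

The state value must be stored server-side per login attempt (for example in the session) and compared on the callback; a callback whose state does not match is discarded, which is what stops an attacker from logging a victim's browser into the attacker's Microsoft account. The token exchange is the only place the secret appears, and it must be made from the server, which is why the portal lists the application as a Web platform with a server-side redirect rather than a public client.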

Limitations

  • If a user uses the Sign in with Microsoft button and they are currently signed into one Microsoft account in the browser, they are automatically logged into MyQ with this account. There is no option to switch to another account. To use another account, the user has to sign out of any Microsoft services first, and upon the next use of the single sign-on button, they will be asked for a new login.

  • Users using the Azure AD authentication server cannot sign in to the MyQ Web User Interface with a PIN. However, they can use their PIN on the MyQ Embedded terminals or in MyQ Desktop Client.

Synchronization and authentication through Azure AD with Microsoft Graph can now be set up via the following steps:

  1. Adding an Azure AD authentication server in MyQ, Settings, Authentication Servers.

  2. Adding an Azure AD synchronization source in MyQ, Settings, User Synchronization.
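The synchronization side uses the application permissions granted in step 5 (User.Read.All and Group.Read.All) rather than a signed-in user. The following added example, written in the Python standard library and not taken from MyQ or a Microsoft SDK, shows the client-credentials token request that those permissions back, and a paged read of users and group memberships from Microsoft Graph. The Graph paths and the /.default scope are the public v1.0 API; the sample responses are constructed stand-ins for a real tenant, and the environment variable names in the live helper are assumptions.

```python
import json
import os
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH = "https://graph.microsoft.com/v1.0"


def build_client_credentials_request(tenant_id, client_id, client_secret):
    """Application-permission token request (no user involved): the
    /.default scope asks for the Graph application permissions that were
    granted admin consent for this app (User.Read.All, Group.Read.All)."""
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": "https://graph.microsoft.com/.default",
    }
    return TOKEN_URL.format(tenant=tenant_id), body


def http_json(url, token=None, form=None):
    """Minimal live HTTP helper; the offline demo below does not call it."""
    data = urllib.parse.urlencode(form).encode() if form else None
    req = urllib.request.Request(url, data=data)
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def list_all(fetch_json, url):
    """Follows Graph's @odata.nextLink until the collection is exhausted,
    so a tenant larger than one page is never silently truncated."""
    items = []
    while url:
        page = fetch_json(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def sync_snapshot(fetch_json):
    """Users plus the membership of every group, which is the data that
    User.Read.All and Group.Read.All expose. Only the attributes a directory
    sync needs are selected, so nothing beyond them leaves the tenant."""
    users = list_all(fetch_json, f"{GRAPH}/users?$select=id,displayName,userPrincipalName,mail")
    groups = list_all(fetch_json, f"{GRAPH}/groups?$select=id,displayName")
    membership = {}
    for g in groups:
        members = list_all(fetch_json, f"{GRAPH}/groups/{g['id']}/members?$select=id")
        membership[g["displayName"]] = sorted(m["id"] for m in members)
    return {"users": users, "groups": membership}


# Constructed sample responses standing in for Graph (not real tenant data).
SAMPLE_PAGES = {
    f"{GRAPH}/users?$select=id,displayName,userPrincipalName,mail": {
        "value": [{"id": "u1", "displayName": "Alice Example",
                   "userPrincipalName": "alice@example.com", "mail": "alice@example.com"}],
        "@odata.nextLink": f"{GRAPH}/users?$skiptoken=page2",
    },
    f"{GRAPH}/users?$skiptoken=page2": {
        "value": [{"id": "u2", "displayName": "Bob Example",
                   "userPrincipalName": "bob@example.com", "mail": None}],
    },
    f"{GRAPH}/groups?$select=id,displayName": {
        "value": [{"id": "g1", "displayName": "Printers-Users"}],
    },
    f"{GRAPH}/groups/g1/members?$select=id": {"value": [{"id": "u2"}, {"id": "u1"}]},
}


def demo_snapshot():
    """Offline run over the constructed pages above."""
    return sync_snapshot(lambda url: SAMPLE_PAGES[url])


def live_snapshot():
    """Live run: the secret comes from the environment (assumed variable
    names), never from source control or a config file checked in."""
    token_url, form = build_client_credentials_request(
        os.environ["AZ_TENANT_ID"], os.environ["AZ_CLIENT_ID"], os.environ["AZ_CLIENT_SECRET"])
    token = http_json(token_url, form=form)["access_token"]
    return sync_snapshot(lambda url: http_json(url, token=token))


if __name__ == "__main__":
    print(json.dumps(demo_snapshot(), indent=2))
```

Two things worth checking when this runs against a real tenant: the token response carries an expires_in value, so a long sync must request a fresh token rather than reuse one past its lifetime, and the client secret set in step 9 has its own expiry in the portal, so the date chosen there should be tracked, because the sync stops silently once it passes.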
