Configuring Azure Active Directory

You can configure your Microsoft Azure Active Directory (Azure AD) as a directory in Crowd. All changes to your users, groups, and memberships will be synced between Azure AD and Crowd periodically, or whenever you request it. You'll be able to view information about your users directly in Crowd by using the User Browser and Group Browser.

Before you begin

Before you configure your Azure AD, you should know about the following restrictions:

  • In Azure AD, you can have multiple groups with the same name (displayName), but it's not supported in Crowd and results in a failing synchronization. Make sure you change your Azure AD group names to unique ones.
  • Crowd doesn't support multi-factor authentication. You'll need to disable it for your users in Azure AD, or they will not be able to log in to Crowd or any integrated applications. 
  • If you need to make any changes to your users, make them directly in Azure AD. You can't edit your Azure AD users in Crowd.

Configuring Azure Active Directory

To configure Azure AD, you’ll need to create two applications in your Azure Portal, and then use them to add Azure AD to Crowd.

1. In Azure web application. 

Tell me more...

1. Create a web application to allow Crowd to communicate with Azure AD:
  1. Log in to your Azure Portal.
  2. Go to Azure Active Directory > App registrations.
  3. Create a new application registration with the following details:
    • Application type: Web (Option is available under Redirect URI sub-section)
    • Sign-on URL: <Crowd's base URL>

      Where can I find my Crowd's base URL?
      In Crowd, go to  > General, and check the value of Base URL.

After the application is created, note down the Application (client) ID assigned to it. You will need it later on to configure the integration in Crowd.


2. Configure permissions for the web application to allow Crowd to read data from Azure AD:
  1. In your web application, click API permissions.
  2. In the API permissions section, click Add a permission.
  3. Under Microsoft APIs select Microsoft Graph, and select Application permissions for the type of permissions required for this application
  4. Add the following permission from:
    • Directory.Read.All
  5. Click Add Permissions and then, under Grant consent section, click Grant admin consent button.
  6. Click Yes and confirm.


3. Create a key for the web application. Crowd will use this key to authenticate to Azure AD:
  1. Click your web application.
  2. In the Certificates & secrets section, click New client secret.
  3. Choose a description and an expiry date for your key then save it. 

    Keep in mind that when the key expires and you don't replace it, Crowd will not be able to communicate with Azure AD.
  4. Copy and store the key value.

    You will not be able to view it after navigating away from the key settings.

2. In Azure native application

Tell me more...
4. Create a native application that will be used by Crowd to validate user credentials:
  1. Go to App registrations, and create a new application registration with the following details:
    • Type: Native (Option is available under Redirect URI sub-section)
    • Redirect URL: <Crowd's base URL>

Note down the Application ID assigned to it. You will need it later on to configure the integration in Crowd.

5. Configure permissions for the native application to allow Crowd to validate user credentials:
  1. Click your native application.
  2. Click API Permissions
  3. Under Grant consent section, click Grant admin consent button.
  4. Click Yes and confirm.
6. Configure manifest for the native application to allow Crowd to validate user credentials:
  1. Click your native application.
  2. Click Manifest
  3. In the manifest editor, set the allowPublicClient property to true
  4. In the bar above the manifest editor, click Save 
7. Get the Tenant ID to configure the integration in Crowd:
  1. Go to the main Azure Active Directory blade.
  2. Click Properties
    Note down the Directory ID - this is the Tenant ID you will need later on to configure the integration in Crowd.

3. Steps in Crowd

Tell me more...
 8. Add Azure AD to Crowd.
  1. Log in to the Crowd Administration Console.
  2. In the top navigation bar, click Directories
  3. Click Add Directory, and then select Azure Active Directory as type.
  4. Fill out the required fields.
    You will need to specify the Tenant ID, Web application ID, Web application key and Native application ID that you received when you configured Azure Active directory.
  5. If you are integrating with an Azure Active DIrectory region that uses alternative API URLs (for example Azure Germany), you can pick the region from the Region drop-down.
    If your region is not listed, you can pick Custom, and enter the appropriate API URLs manually.
  6. (optional) DATA CENTER ONLYIn the Group filtering section, instead of adding the whole user directory to Crowd, you can choose specific groups from Azure AD. Only members of these groups will be added to Crowd. 
  7. (optional) Modify the default synchronization settings to match your needs.

    DATA CENTER ONLY If you check Enable group filtering and Enable nested groups checkboxes, the Synchronize group memberships when logging setting is automatically set to Never and can't be changed.

  8. (optionalClick Test Connection to verify if data you entered is correct.

You've added your Azure AD to Crowd. You should now see a brief summary of your directory, and details about the synchronization.

In some cases, the synchronization might be failing at first because the new permission wasn't yet propagated in Azure AD. Just wait a few minutes, the problem will fix itself.

Crowd will automatically pull data from Azure AD. If that doesn't happen, you can click Synchronise nowOnce the synchronization is complete, you can check your users and groups from Azure AD by going to Users/Groups in the top navigation bar.

Field mapping

The following tables show how fields in Azure AD are mapped to those in Crowd. We're comparing Azure AD's API fields with Crowd's UI fields.

Users

Azure ADCrowd
userPrincipalNameUsername
displayNameDisplay name
givenNameFirst name
familyNameLast name
accountEnabledActive
idExternal ID
MailE-mail address

Groups

Azure AD fieldCrowd field
displayNameName
descriptionDescription
idExternal ID
Last modified on Jun 17, 2020

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.