Prime 16 Online User's Manual - User contributions [en]

Web:Kemp's SharePoint Document Storage

2026-05-08T18:40:08Z

Jspenceratty: Created page with "=Prime SharePoint Document Storage Setup= __FORCETOC__ {| class="wikitable" |- ! '''Purpose''' This document walks an administrator through setting up SharePoint storage for Prime documents from the very beginning. It uses Microsoft Graph PowerShell device authentication for the administrative setup and site-permission grant because that approach avoids the browser-login problems that can occur on some servers and administrative workstations. |} {| class="wikitable" |..."

=Prime SharePoint Document Storage Setup=
__FORCETOC__

{| class="wikitable"
|-
! '''Purpose'''

This document walks an administrator through setting up SharePoint storage for Prime documents from the very beginning. It uses Microsoft Graph PowerShell device authentication for the administrative setup and site-permission grant because that approach avoids the browser-login problems that can occur on some servers and administrative workstations.
|}

{| class="wikitable"
|-
! '''Document item'''
! '''Value'''
|-
| Prepared for
| Prime Web Application / Prime16
|-
| Prepared on
| May 6, 2026
|-
| Authentication method used for setup
| Microsoft Graph PowerShell device code authentication
|-
| Recommended permission model
| Sites.Selected application permission + site-level write grant
|}


== 1. What this setup does ==

Prime can be configured to store uploaded documents in a SharePoint document library instead of keeping the document bytes only inside SQL Server. The setup has two separate parts:

* '''Prime runtime access:''' Prime uses an app registration in Microsoft Entra ID to get an app-only token and read/write documents in the selected SharePoint site.
* '''Administrator setup access:''' An administrator signs in with Microsoft Graph PowerShell using device authentication to find the SharePoint identifiers and grant the Prime app permission to the specific site.

{| class="wikitable"
|-
! '''Important distinction'''

Device authentication is used only while setting up and granting access. Prime itself normally uses the Tenant ID, Client ID, and Client Secret or certificate stored in the Prime configuration table to run without an interactive user login.
|}


=== Recommended security model ===

* Create a dedicated SharePoint site for Prime document storage.
* Give the Prime app the Microsoft Graph Sites. Selected application permission, not broad all-sites access.
* Use the device-authenticated admin session to grant the app write access only to the selected SharePoint site.
* Store the client secret value securely in Prime and rotate it before it expires.
* Use a certificate instead of a client secret when the Prime code/configuration is ready for certificate-based authentication.



== 2. Before you begin ==


=== Accounts and roles ===

* A Microsoft 365 tenant with SharePoint Online.
* An account that can create or manage the SharePoint site. A SharePoint Administrator or Global Administrator is ideal.
* An account that can create Microsoft Entra app registrations, or an administrator who can create the app registration for you.
* Administrative approval to grant Microsoft Graph application permissions.


=== Workstation requirements ===

* Windows PowerShell 5.1 or PowerShell 7 installed on an administrative workstation.
* Internet access to Microsoft 365, Microsoft Graph, and the PowerShell Gallery.
* Ability to open a browser on any device for device-code sign-in. The browser does not have to be on the same computer running PowerShell.


=== Prime information you should know ===

* Which Prime organization/customer is being configured.
* Whether SharePoint should be enabled immediately or tested first.
* Where the Prime SharePoint configuration page is located in your installation, usually in an administrative setup area.
* Whether existing SQL-stored documents should be moved to SharePoint after the setup passes testing.


== 3. Decide where documents will live in SharePoint ==

Use a dedicated site rather than mixing Prime documents with a general staff document library. That makes permissions, backups, retention, troubleshooting, and future migration much cleaner.

{| class="wikitable"
|-
! '''Decision'''
! '''Recommended value'''
! '''Why it matters'''
|-
| Site type
| Private Team site or other private dedicated SharePoint site
| Keeps Prime documents isolated from unrelated files.
|-
| Site name
| Prime Documents or Prime Case Documents
| Makes the purpose clear to Microsoft 365 administrators.
|-
| Document library
| Documents, Shared Documents, or a new library such as PrimeDocuments
| Prime needs the drive ID for the library it will use.
|-
| Root folder
| Prime or PrimeDocuments
| Keeps Prime-created folders/files separated from other library content.
|-
| Permissions
| Limit human access; let Prime app access the site through Graph
| Reduces accidental file changes and privacy exposure.
|}


== 4. Create the SharePoint site and document library ==

# Sign in to the Microsoft 365 admin center or SharePoint admin center with an administrator account.
# Open the SharePoint admin center.
# Go to Active sites and choose Create.
# Choose a Team site (use Standard team template) in your tenant. If Microsoft requires a group, create the group and keep membership limited.
# Name the site Prime Documents. The admin user may be made the Group owner.
# Set privacy to Private if the option is shown.
# Finish site creation.
# Open the new site in SharePoint.
# In the new site, create a new document library for Prime. Go to New and choose Document library. Choose a Blank library. Name the library Prime Library.
# Create a top-level folder. Go to Create or upload and choose Folder. Name this folder Client Documents. This folder name will be entered in Prime as the root folder.

{| class="wikitable"
|-
! '''Record this URL'''

After the site is created, copy the site URL. Example: https://contoso.sharepoint.com/sites/PrimeDocuments. From this URL, the host name is contoso.sharepoint.com and the site path is /sites/PrimeDocuments. Also record the site name, document library name, and top-level folder name. These will all be entered in Prime.
|}


== 5. Register the Prime application in Microsoft Entra ID ==

<ol start="1" style="list-style-type: decimal;">
<li>Open the Microsoft Entra admin center.</li>
<li>Go to App registrations.</li>
<li>Select New registration.</li>
<li>Name the application Prime SharePoint Document Storage.</li>
<li>For supported account types, choose Single tenant only.</li>
<li>Leave Redirect URI blank. Prime document storage is an app-only/background integration and does not need a browser redirect for normal file storage.</li>
<li>Select Register.</li>
<li>On the app Overview page, copy the Application (client) ID and Directory (tenant) ID. You will enter both in Prime later.</li></ol>

{| class="wikitable"
|-
! '''Do not confuse IDs'''

The Application (client) ID identifies the Prime app registration. The Directory (tenant) ID identifies the Microsoft 365 tenant. Prime needs both.
|}



== 6. Add the Microsoft Graph API permission ==

<ol start="1" style="list-style-type: decimal;">
<li>In the app registration, open API permissions.</li>
<li>Choose Add a permission.</li>
<li>Choose Microsoft Graph.</li>
<li>Choose Application permissions, not Delegated permissions.</li>
<li>Search for Sites.Selected.</li>
<li>Select Sites.Selected, then choose Add permissions.</li>
<li>Choose Grant admin consent for the tenant, then confirm.</li>
<li>Verify the permission status shows granted for the tenant.</li></ol>

{| class="wikitable"
|-
! '''Why Sites.Selected'''

Sites.Selected allows the app to access only site collections that are separately granted to it. The site-specific grant is performed later with device-authenticated Microsoft Graph PowerShell.
|}

{| class="wikitable"
|-
! '''Avoid broad permissions'''

Do not grant Sites.ReadWrite.All, Sites.FullControl.All, Files.ReadWrite.All, or other broad application permissions to the Prime app unless you intentionally want Prime to access much more than the single selected site. Sites.Selected plus the site grant is the safer pattern.
|}



== 7. Create the app credential used by Prime ==

<ol start="1" style="list-style-type: decimal;">
<li>In the same app registration, open Certificates & secrets.</li>
<li>For a first setup, choose Client secrets > New client secret.</li>
<li>Enter the description as Prime SharePoint Production Secret.</li>
<li>Choose an expiration period and record the expiration date in your maintenance calendar.</li>
<li>Select Add.</li>
<li>Immediately copy the secret '''Value'''. This is the only time Microsoft shows the value.</li>
<li>Store the value securely and enter it into Prime only through the Prime configuration page or other approved secure setup process.</li></ol>

{| class="wikitable"
|-
! '''Production security note'''

Microsoft recommends certificates over client secrets for production confidential-client applications. If Prime is later updated to support certificate authentication for this integration, prefer a certificate and store/manage it securely.
|}



== 8. Connect the API to the SharePoint Site ==

On a Windows machine, open Windows PowerShell ISE. Make sure you can see the Script Pane (View🡪Show Script Pane is checked). In the script pane—typically on the top with a blank line numbered one—copy and paste the following script and save this as a ps1 file:
<div class="mw-collapsible mw-collapsed">
'''Show PowerShell script'''
<pre>
# ============================================================
# Prime SharePoint setup - clean Graph/device-auth version
# ============================================================

# Tenant/app/site values
$tenantId = "PASTE-DIRECTORY-TENANT-ID-HERE"
$appClientId = "PASTE-APPLICATION-CLIENT-ID-HERE"
$appClientSecret = "PASTE-CLIENT-SECRET-VALUE-HERE"

# SharePoint host and path
# IMPORTANT: no https:// in the host name
$sharePointHostName = "PASTE-SHAREPOINT-HOSTNAME-HERE" #Example: "contoso0.sharepoint.com"
$sitePath = "/sites/PrimeDocuments"

# Friendly display name for the app permission grant
$appDisplayName = "Prime SharePoint Documents"

Read-Host "Press Enter to start"

# ------------------------------------------------------------
# 1. Load Graph modules
# ------------------------------------------------------------

Write-Host "Installing and importing modules. Please be patient."
Install-Module Microsoft.Graph -Scope CurrentUser -Force -AllowClobber

Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Sites

Write-Host “”
Write-Host “Finished installation and importing of modules.”
Write-Host “”
Write-Host “”

Read-Host "Press Enter to continue"

# ------------------------------------------------------------
# 2. Fresh device-code admin login
# ------------------------------------------------------------

Write-Host "Starting administrative login. Use an account with administrative rights to Microsoft systems."

Disconnect-MgGraph -ErrorAction SilentlyContinue

Connect-MgGraph `
-TenantId $tenantId `
-Scopes "User.Read","Sites.Read.All","Sites.FullControl.All" `
-UseDeviceCode `
-ContextScope Process `
-NoWelcome

Write-Host ""
Write-Host "Graph context:"
Get-MgContext | Format-List

# Test delegated login
Write-Host ""
Write-Host "Testing delegated Graph login..."
Invoke-MgGraphRequest `
-Method GET `
-Uri "https://graph.microsoft.com/v1.0/me" | Out-Host

Read-Host "Press Enter to continue"

# ------------------------------------------------------------
# 3. Get SharePoint site
# ------------------------------------------------------------
$siteUri = "https://graph.microsoft.com/v1.0/sites/{0}:{1}" -f $sharePointHostName, $sitePath

Write-Host ""
Write-Host "Looking up site:"
Write-Host $siteUri

$site = Invoke-MgGraphRequest `
-Method GET `
-Uri $siteUri

$siteId = $site["id"]

Write-Host ""
Write-Host "Site:"
[PSCustomObject]@{
 Id = $site["id"]
 DisplayName = $site["displayName"]
 WebUrl = $site["webUrl"]
} | Format-List

Write-Host "Admin login section complete."

Read-Host "Press Enter to continue"

# ------------------------------------------------------------
# 4. Get document library / drive
# ------------------------------------------------------------
Write-Host ""
Write-Host "Getting document libraries..."

$drives = Invoke-MgGraphRequest `
-Method GET `
-Uri "https://graph.microsoft.com/v1.0/sites/$siteId/drives"

$drives["value"] | ForEach-Object {
 [PSCustomObject]@{
 Name = $_["name"]
 Id = $_["id"]
 WebUrl = $_["webUrl"]
 }
} | Format-Table -AutoSize

$drive = $drives["value"] | Where-Object { $_["name"] -eq "Documents" } | Select-Object -First 1

if ($null -eq $drive) {
 throw "Could not find a document library named 'Documents'. Review the library list above and select the correct one manually."
}

$driveId = $drive["id"]

Write-Host ""
Write-Host "Selected drive:"
[PSCustomObject]@{
 Name = $drive["name"]
 Id = $drive["id"]
 WebUrl = $drive["webUrl"]
} | Format-List

Read-Host "Press Enter to continue"

# ------------------------------------------------------------
# 5. Grant Prime app write access to this site
# ------------------------------------------------------------
Write-Host ""
Write-Host "Granting app access to selected SharePoint site..."

$permissionBody = @{
 roles = @(
 "write"
 )
 grantedToIdentities = @(
 @{
 application = @{
 id = $appClientId
 displayName = $appDisplayName
 }
 }
 )
}

$permission = Invoke-MgGraphRequest `
-Method POST `
-Uri "https://graph.microsoft.com/v1.0/sites/$siteId/permissions" `
-Body ($permissionBody | ConvertTo-Json -Depth 10) `
-ContentType "application/json"

Write-Host ""
Write-Host "Created permission:"
$permission | Out-Host

Read-Host "Press Enter to continue"

# ------------------------------------------------------------
# 6. Verify permission grant
# ------------------------------------------------------------
Write-Host ""
Write-Host "Current site permission grants:"

$sitePermissions = Invoke-MgGraphRequest `
-Method GET `
-Uri "https://graph.microsoft.com/v1.0/sites/$siteId/permissions"

$sitePermissions["value"] | ForEach-Object {
 $app = $null

 if ($_["grantedToIdentitiesV2"]) {
 $app = $_["grantedToIdentitiesV2"][0]["application"]
 } elseif ($_["grantedToIdentities"]) {
 $app = $_["grantedToIdentities"][0]["application"]
 }

 [PSCustomObject]@{
 PermissionId = $_["id"]
 Roles = ($_[ "roles" ] -join ", ")
 AppId = if ($app) { $app["id"] } else { "" }
 AppName = if ($app) { $app["displayName"] } else { "" }
 }
} | Format-Table -AutoSize

Read-Host "Press Enter to continue"

# ------------------------------------------------------------
# 7. Test app-only access with client secret
# ------------------------------------------------------------
Write-Host ""
Write-Host "Testing app-only access..."

$tokenResponse = Invoke-RestMethod `
-Method POST `
-Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
-ContentType "application/x-www-form-urlencoded" `
-Body @{
 client_id = $appClientId
 scope = "https://graph.microsoft.com/.default"
 client_secret = $appClientSecret
 grant_type = "client_credentials"
}

$appToken = $tokenResponse.access_token

$appDriveRoot = Invoke-RestMethod `
-Method GET `
-Uri "https://graph.microsoft.com/v1.0/drives/$driveId/root" `
-Headers @{
 Authorization = "Bearer $appToken"
}

Write-Host ""
Write-Host "App-only drive root test succeeded:"
$appDriveRoot | Format-List

Read-Host "Press Enter to continue"

# ------------------------------------------------------------
# 8. Output values for Prime
# ------------------------------------------------------------
Write-Host ""
Write-Host "============================================================"
Write-Host "VALUES FOR PRIME"
Write-Host "============================================================"
Write-Host "Tenant ID:"
Write-Host $tenantId
Write-Host ""
Write-Host "Client ID:"
Write-Host $appClientId
Write-Host ""
Write-Host "SharePoint Host Name:"
Write-Host $sharePointHostName
Write-Host ""
Write-Host "Site Path:"
Write-Host $sitePath
Write-Host ""
Write-Host "Site ID:"
Write-Host $siteId
Write-Host ""
Write-Host "Drive ID:"
Write-Host $driveId
Write-Host "============================================================"

# Copy the two longest values to clipboard in a useful block
@"
Tenant ID: $tenantId
Client ID: $appClientId
SharePoint Host Name: $sharePointHostName
Site Path: $sitePath
Site ID: $siteId
Drive ID: $driveId
"@ | Set-Clipboard

Write-Host ""
Write-Host "Prime values copied to clipboard."
</pre>
</div>

Replace the four values at the top, including $tenantId, $appClientId, $appClientSecret, and $sharePointHostName. The $tenantId and $appClientId entries come from the API registration. The $appClientSecret comes from the API client secret gathered before. The $sharePointHostName comes from the beginning of the URL to your new SharePoint site.



== 9. Enter the values into Prime ==

After the Microsoft 365 side is ready, open Prime and go to the SharePoint configuration/setup page for the organization. The exact menu label may vary by installation, but it should be in the administrator/system setup area.

{| class="wikitable"
|-
! '''Prime setup field'''
! '''Enter this value'''
! '''Where to get it'''
|-
| Enable SharePoint / Use SharePoint
| Checked / True
| Prime setup page
|-
| Tenant ID / Directory ID
| Directory (tenant) ID
| Microsoft Entra app Overview page
|-
| Client ID / Application ID
| Application (client) ID
| Microsoft Entra app Overview page
|-
| Client Secret
| Secret Value
| Certificates & secrets page immediately after creating the secret
|-
| SharePoint Host Name
| Example: contoso.sharepoint.com
| From the SharePoint site URL or PowerShell output
|-
| Site Path
| Example: /sites/PrimeDocuments
| From the SharePoint site URL or PowerShell output
|-
| Site ID
| Long ID containing host and GUIDs
| PowerShell output from the site lookup
|-
| Drive ID
| Long document-library drive ID
| PowerShell output from the drive list
|-
| Document Library Name
| Documents or your chosen library
| PowerShell drive list
|-
| Root Folder
| Prime, PrimeDocuments, or blank if not used
| Your SharePoint design decision
|}

{| class="wikitable"
|-
! '''Secret handling'''

Paste the client secret Value, not the Secret ID. The Secret ID is only an identifier for the credential. The Value is the password-like string Prime uses to authenticate.
|}


== 10. Test the setup ==


=== Recommended Prime test sequence ===

Save the SharePoint settings in Prime but leave broad rollout disabled if your setup page has a test mode.

<ol start="1" style="list-style-type: decimal;">
<li>Use the Prime test button, if available. A complete test should confirm token acquisition, site access, drive access, upload, download/read, and cleanup of a test file.</li>
<li>Upload a small harmless test PDF or text file to a test case in Prime.</li>
<li>Open the SharePoint library in a browser and confirm the file appeared in the expected folder.</li>
<li>Open or download the file from Prime and confirm it loads correctly.</li>
<li>Edit the document notes/category/metadata in Prime if those fields are part of your system and verify the file remains accessible.</li>
<li>Only after the test succeeds should you enable SharePoint for live staff use.</li></ol>



=== Manual Graph smoke test ===

If Prime says SharePoint is unavailable, use this PowerShell test to confirm the app can reach the site. This checks the administrative grant path; Prime may also have its own application-token test.

{| class="wikitable"
|-
<pre>! # Confirm the permission exists on the target site.
Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/sites/$siteId/permissions" |
ConvertTo-Json -Depth 10

# Confirm the drive is visible to the admin session.
Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/drives/$driveId" |
Select-Object id, name, webUrl
</pre>
|}



== 11. Move existing SQL-stored documents to SharePoint ==

After SharePoint is working, Prime may show tools for moving documents that are still stored in SQL over to SharePoint. The exact button names may differ by page, but the safe migration approach is the same.


===Move one test file first ===

Open a test case with at least one SQL-stored document.

<ol start="1" style="list-style-type: decimal;">
<li>Select one non-critical document.</li>
<li>Use the button that moves that file from SQL to SharePoint.</li>
<li>Confirm the file appears in SharePoint.</li>
<li>Confirm the file opens/downloads correctly from Prime.</li>
<li>Confirm the file review/details area now shows SharePoint storage instead of SQL storage.</li></ol>



=== Then use Move All for the case ===

<ol start="1" style="list-style-type: decimal;">
<li>Use Move All SQL Files to SharePoint only after the one-file test succeeds.</li>
<li>Run it on one case first, not the whole database.</li>
<li>Review the result list or error messages.</li>
<li>Open several moved files from Prime and directly in SharePoint.</li>
<li>After confidence is established, repeat case by case or according to your planned migration process.</li></ol>

{| class="wikitable"
|-
! '''Expected button visibility'''

Migration buttons should appear only when SharePoint is enabled and available for the organization. If SharePoint is not configured or the test fails, staff should not be offered a move-to-SharePoint action.
|}



== 12. Ongoing maintenance ==

{| class="wikitable"
|-
! '''Maintenance item'''
! '''Recommended practice'''
|-
| Client secret expiration
| Track the expiration date. Create a replacement secret before the old one expires, update Prime, test, then remove the old secret.
|-
| App permissions
| Periodically confirm the app has Sites.Selected and only the needed site-level grant.
|-
| SharePoint site membership
| Keep human site membership limited to administrators and approved staff.
|-
| Backups/retention
| Ensure SharePoint retention, backup, and legal hold practices match your organization’s document requirements.
|-
| Prime testing
| After Prime updates, run the SharePoint test and upload/download a small file before broad use.
|-
| Audit
| Review SharePoint and Entra audit logs according to your organization’s security policy.
|}


== 13. Troubleshooting ==

{| class="wikitable"
|-
! '''Problem'''
! '''Likely cause'''
! '''What to do'''
|-
| Connect-MgGraph appears to do nothing
| Existing cached session, hidden prompt, embedded console, or suppressed welcome text
| Run Get-MgContext. If no context exists, remove -NoWelcome, add -Verbose, use -UseDeviceAuthentication, and run from a normal PowerShell window.
|-
| Device code appears but sign-in fails
| Wrong tenant or account lacks admin rights
| Confirm the Directory tenant ID and sign in with a SharePoint Administrator or Global Administrator.
|-
| New-MgSitePermission returns access denied
| Admin session lacks Sites.FullControl.All or user lacks required admin role
| Reconnect with -Scopes Sites.FullControl.All and sign in as SharePoint Administrator or higher.
|-
| Prime test says invalid client secret
| Secret ID was entered instead of secret Value, or the secret expired
| Create a new client secret and paste the Value into Prime.
|-
| Prime test says unauthorized or access denied
| Sites.Selected was not granted admin consent or site permission was not granted
| Confirm API permission admin consent and rerun New-MgSitePermission for the correct site ID.
|-
| Wrong SharePoint site is used
| Host/path copied incorrectly
| Recheck the URL. Host is only the domain; site path starts with /sites/ or /teams/.
|-
| Wrong library is used
| Drive ID from a different document library
| Rerun the drive list command and copy the drive ID for the correct library.
|-
| Migration button does not work
| SharePoint config unavailable, JavaScript/postback issue, or server-side error
| First confirm the Prime SharePoint test succeeds; then check server logs and browser developer tools for the click/postback error.
|-
| Files upload but do not open
| Path encoding, filename, or permission issue
| Test with a simple filename first, then check special characters, folder path, and Graph response/error logs.
|}


== Appendix A. Values worksheet ==

{| class="wikitable"
|-
! '''Done'''
! '''Task'''
! '''Notes / value'''
|-
| ☐
| Create dedicated SharePoint site
| Site name: ______________________________
|-
| ☐
| Create/select document library
| Library name: ___________________________
|-
| ☐
| Record SharePoint URL
| URL: ____________________________________
|-
| ☐
| Record host name
| Host: ___________________________________
|-
| ☐
| Record site path
| Path: ___________________________________
|-
| ☐
| Create Entra app registration
| App name: _______________________________
|-
| ☐
| Record tenant ID
| Tenant ID: ______________________________
|-
| ☐
| Record client ID
| Client ID: ______________________________
|-
| ☐
| Add Sites.Selected application permission
| Granted admin consent: Yes / No
|-
| ☐
| Create client secret
| Expiration date: _________________________
|-
| ☐
| Record site ID from PowerShell
| Site ID: ________________________________
|-
| ☐
| Record drive ID from PowerShell
| Drive ID: _______________________________
|-
| ☐
| Grant site permission with device auth
| Role: read / write / other: _____________
|-
| ☐
| Enter settings in Prime
| Completed by: ___________________________
|-
| ☐
| Run Prime SharePoint test
| Result/date: ____________________________
|-
| ☐
| Move one SQL-stored test file
| Result/date: ____________________________
|}


== Appendix B. Source references ==

These references were used to align the setup steps with current Microsoft documentation:

* Microsoft Learn: Register an application in Microsoft Entra ID — https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app
* Microsoft Learn: Add and manage application credentials in Microsoft Entra ID — https://learn.microsoft.com/en-us/entra/identity-platform/how-to-add-credentials
* Microsoft Learn: Connect-MgGraph — https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.authentication/connect-mggraph
* Microsoft Learn: Get a SharePoint site resource by path — https://learn.microsoft.com/en-us/graph/api/site-getbypath
* Microsoft Learn: List drives — https://learn.microsoft.com/en-us/graph/api/drive-list
* Microsoft Learn: Create permission on a site — https://learn.microsoft.com/en-us/graph/api/site-post-permissions
* Microsoft Learn: Microsoft Graph permissions reference — https://learn.microsoft.com/en-us/graph/permissions-reference

Web:Advanced Features

2026-05-08T18:39:39Z

Jspenceratty:

[[Web:Smart Duplication]]

[[Web:Master Case Use]]

[[Web:Special Programs]]

[[Web:Funding Code Analyzer]]

[[Web:Interview System]]

[[Web:Project Management]]

[[Web:Document Tracking/Management]]

[[Web:Finance]]

[[Web:Email]]

[[Calculated Fields]]

[[Automatic Backup of Deleted Records]]

[[Web:Online Application System]]

[[Texting Using Prime 16]]

[[Web Based Optional Programs]]

[[Web:Office 365 Calendar Sync]]

[[Web:Payroll Leave Use | Payroll Leave Use <5/4/2021>]]

[[Web:USPS Validate Address | USPS Validate Address <5/7/2021>, <6/1/2022>, <2/22/2024>]]

[[Web:Geocodio - Political Districts| Geocodio - Political Districts <5/21/2021>, <3/6/2024>]]

[[Web:Search All Addresses | Search All Addresses <6/1/2021>]]

[[Web:Email HTML | Email HTML Format <6/2/2021>]]

[[Web:Address Mapping | Address Mapping <6/3/2021>]]

[[Web:Comprehensive Reports | Comprehensive Reports <6/4/2021>]]

[[Web:All Fields Search | All Fields Search <6/16/2021> <updated 11/8/2021>]]

[[Web:Organization Email | Organization Email <10/27/2021>]]

[[Web:Default Document Folders | Default Document Folders <11/3/2021>]]

[[Web:Multi-Factor Authentication Expansion | Multi-Factor Authentication Expansion <3/7/2022>]]

[[Web:Google Authenticator Multi-Factor Authentication Expansion | Google Authenticator Multi-Factor Authentication Expansion <3/12/2022>]]

[[Web:Other Service Time Keeping | Other Service Time Keeping <3/24/2022>]]

[[Web:DocuSign | DocuSign <7/15/2022>]]

[[Web:Automated Difficult Person and Conflict Check of Applicant | Automated Difficult Person and Conflict Check of Applicant <3/21/2023>]]

[[Web:Password Change and Compliance Settings | Password Change and Compliance Settings <3/22/2023>]]

[[Web:LSC §1611 Extended Eligibility Documentation | LSC §1611 Extended Eligibility Documentation <1/4/2024>]]

[[Web:USPS API 3.0 | USPS Address Validator using API 3.0 <3/12/2025>]]

[[Web:Kemp's API | Kemp's API <4/6/2025>]]

[[Web:Kemp's Microsoft Entra Logon | Kemp's Microsoft Entra Logon <4/23/2026>]]

[[Web:Kemp's SharePoint Document Storage | Kemp's SharePoint Document Storage <5/8/2026>]]

Web:Kemp's Microsoft Entra Logon

2026-04-23T18:42:48Z

Jspenceratty: /* Configuring Entra Sign-In */

=Microsoft Entra Sign-In Feature=

==Overview==

The Microsoft Entra Sign-In feature allows staff members to authenticate using their Microsoft Entra (Azure Active Directory) accounts, providing an alternative to traditional username/password login. This feature integrates with your organization's Entra tenant, enabling single sign-on (SSO) for users who have linked their Entra accounts to their staff profiles. It supports multi-factor authentication (MFA) as configured in Entra, logs all login attempts for security auditing, and ensures compliance with your existing authentication policies.

==Key Benefits==
• Secure Authentication: Leverages Entra's built-in security, including MFA, conditional access, and password policies.
• Convenience: Users can sign in with their Entra credentials without remembering separate passwords.
• Audit Trail: All successful and failed login attempts are logged for monitoring.
• Admin Control: Administrators can configure settings, manage account links, and disable the feature if needed.
• Integration: Works alongside existing login methods, such as ConvergeOne LDAP if enabled.
==User Guide==
===Prerequisites===
* Your administrator must enable and configure the Entra sign-in feature.
* You must have a valid Entra account in the allowed tenant.
* Your staff account must be active and current.

===Linking Your Entra Account===
To use Entra sign-in, you must first link your Entra account to your staff profile:

# Log in to the application using your staff number and password.
# Navigate to Account > Manage Microsoft Link (or the equivalent link in your user menu).
# Click Link Microsoft Account.
# Sign in with your Microsoft Entra credentials when prompted.
# Upon successful linking, your Entra account will be associated with your staff number.

===Signing In with Entra===
Once linked:
# Go to the login page.
# If ConvergeOne authentication is enabled, complete that step first (e.g., enter your ConvergeOne username).
# Click Sign in with Microsoft.
# Sign in with your Entra credentials.
# You will be redirected to the application dashboard.

===Unlinking Your Account===
To stop using Entra sign-in:
# Log in normally.
# Go to Account > Manage Microsoft Link.
# Click Unlink Microsoft Account.
# Confirm the action. Your Entra account will no longer be linked.

===Troubleshooting===
* Link Fails: Ensure your Entra account is in the allowed tenant and not already linked to another staff account.
* Sign-In Fails: Verify your Entra credentials and that the feature is enabled. If issues persist, contact your administrator.
* Not Seeing the Button: The Microsoft sign-in option may appear after completing ConvergeOne authentication if that is enabled.

==Administrator Guide==
===Setup Requirements===
* Access to your organization's Microsoft Entra admin center.
* Permissions to create app registrations in Entra.
* Database access to configure settings.

===Configuring Entra Sign-In===
# Create an App Registration:
#* Go to the Microsoft Entra admin center.
#* Navigate to Applications > App registrations > New registration.
#* Set the name (e.g., "Prime16 Staff Sign-In").
#* Choose supported account types (typically "Accounts in this organizational directory only").
#* Set the redirect URI to: <nowiki>https://your-domain/Account/MicrosoftLinkCallback.aspx</nowiki> (replace with your actual domain). Remember you may have more than one for Prime 16. For example, you may have a normal site, and the new kemps.app site. Contact us for assistance with these.
# Obtain Credentials:
#* From the app registration, note the Application (client) ID and Directory (tenant) ID.
#* Go to Certificates & secrets and create a new client secret. Copy the Value (not the ID) immediately, as it will not be shown again. Set an expiration (e.g., 12 months) and plan to rotate it before expiry.
# Configure in the Application:
#* Log in as an administrator.
#* Go to Admin > Staff - SMember Entra Setup.
#* Enable the feature.
#* Enter the Tenant ID, Client ID, Client Secret, and optional Client Secret Expiration Date.
#* Set the Redirect URI (must match the Entra app registration).
#* Optionally set an Allowed Domain (e.g., yourdomain.com) to restrict sign-ins.
#* Save the settings.
# Grant Permissions:
#* In the Entra app registration, go to API permissions.
#* Add delegated permissions for Microsoft Graph: openid, profile, email.
#* Grant admin consent.

===Managing User Links===
* Go to Admin > Staff - SMember Entra Links.
* Search for staff members by SNUM, name, or linked Entra account.
* View details of linked accounts, including Entra user name, email, tenant ID, and link timestamps.
* To remove a link: Select the staff member, click Remove Link, and confirm.

===Monitoring and Logs===
* All login attempts (successful and failed) are logged in the system's audit trail.
* Check logs for issues like tenant mismatches, unmapped accounts, or expired secrets.
* If the client secret expires, update it in the admin setup and test sign-in.

===Security Considerations===
* Client secrets should be rotated regularly (e.g., annually).
* Use Entra's conditional access policies for additional security.
* Disable the feature in the admin setup if not needed.
* Ensure the web server has appropriate permissions if using certificate-based auth (not recommended for this setup).

===Troubleshooting===
* Users Can't Sign In: Verify Entra settings, tenant matching, and secret validity.
* Link Errors: Check for duplicate links or invalid Entra accounts.
* Logs Show Failures: Review error messages (e.g., "Tenant Mismatch" or "Unmapped Account") and adjust settings accordingly.
For further assistance, contact your system administrator or refer to Microsoft Entra documentation.

Web:Kemp's Microsoft Entra Logon

2026-04-23T18:42:10Z

Jspenceratty: /* Configuring Entra Sign-In */

=Microsoft Entra Sign-In Feature=

==Overview==

The Microsoft Entra Sign-In feature allows staff members to authenticate using their Microsoft Entra (Azure Active Directory) accounts, providing an alternative to traditional username/password login. This feature integrates with your organization's Entra tenant, enabling single sign-on (SSO) for users who have linked their Entra accounts to their staff profiles. It supports multi-factor authentication (MFA) as configured in Entra, logs all login attempts for security auditing, and ensures compliance with your existing authentication policies.

==Key Benefits==
• Secure Authentication: Leverages Entra's built-in security, including MFA, conditional access, and password policies.
• Convenience: Users can sign in with their Entra credentials without remembering separate passwords.
• Audit Trail: All successful and failed login attempts are logged for monitoring.
• Admin Control: Administrators can configure settings, manage account links, and disable the feature if needed.
• Integration: Works alongside existing login methods, such as ConvergeOne LDAP if enabled.
==User Guide==
===Prerequisites===
* Your administrator must enable and configure the Entra sign-in feature.
* You must have a valid Entra account in the allowed tenant.
* Your staff account must be active and current.

===Linking Your Entra Account===
To use Entra sign-in, you must first link your Entra account to your staff profile:

# Log in to the application using your staff number and password.
# Navigate to Account > Manage Microsoft Link (or the equivalent link in your user menu).
# Click Link Microsoft Account.
# Sign in with your Microsoft Entra credentials when prompted.
# Upon successful linking, your Entra account will be associated with your staff number.

===Signing In with Entra===
Once linked:
# Go to the login page.
# If ConvergeOne authentication is enabled, complete that step first (e.g., enter your ConvergeOne username).
# Click Sign in with Microsoft.
# Sign in with your Entra credentials.
# You will be redirected to the application dashboard.

===Unlinking Your Account===
To stop using Entra sign-in:
# Log in normally.
# Go to Account > Manage Microsoft Link.
# Click Unlink Microsoft Account.
# Confirm the action. Your Entra account will no longer be linked.

===Troubleshooting===
* Link Fails: Ensure your Entra account is in the allowed tenant and not already linked to another staff account.
* Sign-In Fails: Verify your Entra credentials and that the feature is enabled. If issues persist, contact your administrator.
* Not Seeing the Button: The Microsoft sign-in option may appear after completing ConvergeOne authentication if that is enabled.

==Administrator Guide==
===Setup Requirements===
* Access to your organization's Microsoft Entra admin center.
* Permissions to create app registrations in Entra.
* Database access to configure settings.

===Configuring Entra Sign-In===
# Create an App Registration:
#* Go to the Microsoft Entra admin center.
#* Navigate to Applications > App registrations > New registration.
#* Set the name (e.g., "Prime16 Staff Sign-In").
#* Choose supported account types (typically "Accounts in this organizational directory only").
#* Set the redirect URI to: <nowiki>https://your-domain/Account/MicrosoftLinkCallback.aspx</nowiki> (replace with your actual domain). Remember you may have more than one for Prime 16. For example, you may have a normal site, and the new kemps.app site. Contact us for assistance with these.
# Obtain Credentials:
#* From the app registration, note the Application (client) ID and Directory (tenant) ID.
#* Go to Certificates & secrets and create a new client secret. Copy the Value (not the ID) immediately, as it will not be shown again. Set an expiration (e.g., 12 months) and plan to rotate it before expiry.
# Configure in the Application:
#* Log in as an administrator.
#* Go to Admin > Staff - SMember Entra Setup.
#* Enable the feature.
#* Enter the Tenant ID, Client ID, Client Secret, and optional Client Secret Expiration Date.
#* Set the Redirect URI (must match the Entra app registration).
#* Optionally set an Allowed Domain (e.g., yourdomain.com) to restrict sign-ins.
#* Save the settings.
# Grant Permissions:
#* In the Entra app registration, go to API permissions.
#* Add delegated permissions for Microsoft Graph: openid, profile, email.
#* Grant admin consent if required.

===Managing User Links===
* Go to Admin > Staff - SMember Entra Links.
* Search for staff members by SNUM, name, or linked Entra account.
* View details of linked accounts, including Entra user name, email, tenant ID, and link timestamps.
* To remove a link: Select the staff member, click Remove Link, and confirm.

===Monitoring and Logs===
* All login attempts (successful and failed) are logged in the system's audit trail.
* Check logs for issues like tenant mismatches, unmapped accounts, or expired secrets.
* If the client secret expires, update it in the admin setup and test sign-in.

===Security Considerations===
* Client secrets should be rotated regularly (e.g., annually).
* Use Entra's conditional access policies for additional security.
* Disable the feature in the admin setup if not needed.
* Ensure the web server has appropriate permissions if using certificate-based auth (not recommended for this setup).

===Troubleshooting===
* Users Can't Sign In: Verify Entra settings, tenant matching, and secret validity.
* Link Errors: Check for duplicate links or invalid Entra accounts.
* Logs Show Failures: Review error messages (e.g., "Tenant Mismatch" or "Unmapped Account") and adjust settings accordingly.
For further assistance, contact your system administrator or refer to Microsoft Entra documentation.

Web:Kemp's Microsoft Entra Logon

2026-04-23T18:41:08Z

Jspenceratty: /* Configuring Entra Sign-In */

=Microsoft Entra Sign-In Feature=

==Overview==

The Microsoft Entra Sign-In feature allows staff members to authenticate using their Microsoft Entra (Azure Active Directory) accounts, providing an alternative to traditional username/password login. This feature integrates with your organization's Entra tenant, enabling single sign-on (SSO) for users who have linked their Entra accounts to their staff profiles. It supports multi-factor authentication (MFA) as configured in Entra, logs all login attempts for security auditing, and ensures compliance with your existing authentication policies.

==Key Benefits==
• Secure Authentication: Leverages Entra's built-in security, including MFA, conditional access, and password policies.
• Convenience: Users can sign in with their Entra credentials without remembering separate passwords.
• Audit Trail: All successful and failed login attempts are logged for monitoring.
• Admin Control: Administrators can configure settings, manage account links, and disable the feature if needed.
• Integration: Works alongside existing login methods, such as ConvergeOne LDAP if enabled.
==User Guide==
===Prerequisites===
* Your administrator must enable and configure the Entra sign-in feature.
* You must have a valid Entra account in the allowed tenant.
* Your staff account must be active and current.

===Linking Your Entra Account===
To use Entra sign-in, you must first link your Entra account to your staff profile:

# Log in to the application using your staff number and password.
# Navigate to Account > Manage Microsoft Link (or the equivalent link in your user menu).
# Click Link Microsoft Account.
# Sign in with your Microsoft Entra credentials when prompted.
# Upon successful linking, your Entra account will be associated with your staff number.

===Signing In with Entra===
Once linked:
# Go to the login page.
# If ConvergeOne authentication is enabled, complete that step first (e.g., enter your ConvergeOne username).
# Click Sign in with Microsoft.
# Sign in with your Entra credentials.
# You will be redirected to the application dashboard.

===Unlinking Your Account===
To stop using Entra sign-in:
# Log in normally.
# Go to Account > Manage Microsoft Link.
# Click Unlink Microsoft Account.
# Confirm the action. Your Entra account will no longer be linked.

===Troubleshooting===
* Link Fails: Ensure your Entra account is in the allowed tenant and not already linked to another staff account.
* Sign-In Fails: Verify your Entra credentials and that the feature is enabled. If issues persist, contact your administrator.
* Not Seeing the Button: The Microsoft sign-in option may appear after completing ConvergeOne authentication if that is enabled.

==Administrator Guide==
===Setup Requirements===
* Access to your organization's Microsoft Entra admin center.
* Permissions to create app registrations in Entra.
* Database access to configure settings.

===Configuring Entra Sign-In===
# Create an App Registration:
#* Go to the Microsoft Entra admin center.
#* Navigate to Applications > App registrations > New registration.
#* Set the name (e.g., "Prime16 Staff Sign-In").
#* Choose supported account types (typically "Accounts in this organizational directory only").
#* Set the redirect URI to: <nowiki>https://your-domain/Account/MicrosoftLinkCallback.aspx</nowiki> (replace with your actual domain). Remember you may have more than one for Prime 16. For example, you may have a test site, normal site, and the new kemps.app site. Contact us for assistance with these.
# Obtain Credentials:
#* From the app registration, note the Application (client) ID and Directory (tenant) ID.
#* Go to Certificates & secrets and create a new client secret. Copy the Value (not the ID) immediately, as it will not be shown again. Set an expiration (e.g., 12 months) and plan to rotate it before expiry.
# Configure in the Application:
#* Log in as an administrator.
#* Go to Admin > Staff > SMember Entra Setup.
#* Enable the feature.
#* Enter the Tenant ID, Client ID, Client Secret, and optional Client Secret Expiration Date.
#* Set the Redirect URI (must match the Entra app registration).
#* Optionally set an Allowed Domain (e.g., yourdomain.com) to restrict sign-ins.
#* Save the settings.
# Grant Permissions:
#* In the Entra app registration, go to API permissions.
#* Add delegated permissions for Microsoft Graph: openid, profile, email.
#* Grant admin consent if required.

===Managing User Links===
* Go to Admin > Staff - SMember Entra Links.
* Search for staff members by SNUM, name, or linked Entra account.
* View details of linked accounts, including Entra user name, email, tenant ID, and link timestamps.
* To remove a link: Select the staff member, click Remove Link, and confirm.

===Monitoring and Logs===
* All login attempts (successful and failed) are logged in the system's audit trail.
* Check logs for issues like tenant mismatches, unmapped accounts, or expired secrets.
* If the client secret expires, update it in the admin setup and test sign-in.

===Security Considerations===
* Client secrets should be rotated regularly (e.g., annually).
* Use Entra's conditional access policies for additional security.
* Disable the feature in the admin setup if not needed.
* Ensure the web server has appropriate permissions if using certificate-based auth (not recommended for this setup).

===Troubleshooting===
* Users Can't Sign In: Verify Entra settings, tenant matching, and secret validity.
* Link Errors: Check for duplicate links or invalid Entra accounts.
* Logs Show Failures: Review error messages (e.g., "Tenant Mismatch" or "Unmapped Account") and adjust settings accordingly.
For further assistance, contact your system administrator or refer to Microsoft Entra documentation.

Web:Kemp's Microsoft Entra Logon

2026-04-23T18:39:01Z

Jspenceratty: /* Troubleshooting */

=Microsoft Entra Sign-In Feature=

==Overview==

The Microsoft Entra Sign-In feature allows staff members to authenticate using their Microsoft Entra (Azure Active Directory) accounts, providing an alternative to traditional username/password login. This feature integrates with your organization's Entra tenant, enabling single sign-on (SSO) for users who have linked their Entra accounts to their staff profiles. It supports multi-factor authentication (MFA) as configured in Entra, logs all login attempts for security auditing, and ensures compliance with your existing authentication policies.

==Key Benefits==
• Secure Authentication: Leverages Entra's built-in security, including MFA, conditional access, and password policies.
• Convenience: Users can sign in with their Entra credentials without remembering separate passwords.
• Audit Trail: All successful and failed login attempts are logged for monitoring.
• Admin Control: Administrators can configure settings, manage account links, and disable the feature if needed.
• Integration: Works alongside existing login methods, such as ConvergeOne LDAP if enabled.
==User Guide==
===Prerequisites===
* Your administrator must enable and configure the Entra sign-in feature.
* You must have a valid Entra account in the allowed tenant.
* Your staff account must be active and current.

===Linking Your Entra Account===
To use Entra sign-in, you must first link your Entra account to your staff profile:

# Log in to the application using your staff number and password.
# Navigate to Account > Manage Microsoft Link (or the equivalent link in your user menu).
# Click Link Microsoft Account.
# Sign in with your Microsoft Entra credentials when prompted.
# Upon successful linking, your Entra account will be associated with your staff number.

===Signing In with Entra===
Once linked:
# Go to the login page.
# If ConvergeOne authentication is enabled, complete that step first (e.g., enter your ConvergeOne username).
# Click Sign in with Microsoft.
# Sign in with your Entra credentials.
# You will be redirected to the application dashboard.

===Unlinking Your Account===
To stop using Entra sign-in:
# Log in normally.
# Go to Account > Manage Microsoft Link.
# Click Unlink Microsoft Account.
# Confirm the action. Your Entra account will no longer be linked.

===Troubleshooting===
* Link Fails: Ensure your Entra account is in the allowed tenant and not already linked to another staff account.
* Sign-In Fails: Verify your Entra credentials and that the feature is enabled. If issues persist, contact your administrator.
* Not Seeing the Button: The Microsoft sign-in option may appear after completing ConvergeOne authentication if that is enabled.

==Administrator Guide==
===Setup Requirements===
* Access to your organization's Microsoft Entra admin center.
* Permissions to create app registrations in Entra.
* Database access to configure settings.

===Configuring Entra Sign-In===
# Create an App Registration:
#* Go to the Microsoft Entra admin center.
#* Navigate to Applications > App registrations > New registration.
#* Set the name (e.g., "Prime16 Staff Sign-In").
#* Choose supported account types (typically "Accounts in this organizational directory only").
#* Set the redirect URI to: https://your-domain/Account/MicrosoftLinkCallback.aspx (replace with your actual domain).
# Obtain Credentials:
#* From the app registration, note the Application (client) ID and Directory (tenant) ID.
#* Go to Certificates & secrets and create a new client secret. Copy the Value (not the ID) immediately, as it will not be shown again. Set an expiration (e.g., 12 months) and plan to rotate it before expiry.
# Configure in the Application:
#* Log in as an administrator.
#* Go to Admin > Staff > SMember Entra Setup.
#* Enable the feature.
#* Enter the Tenant ID, Client ID, Client Secret, and optional Client Secret Expiration Date.
#* Set the Redirect URI (must match the Entra app registration).
#* Optionally set an Allowed Domain (e.g., yourdomain.com) to restrict sign-ins.
#* Save the settings.
# Grant Permissions:
#* In the Entra app registration, go to API permissions.
#* Add delegated permissions for Microsoft Graph: openid, profile, email.
#* Grant admin consent if required.

===Managing User Links===
* Go to Admin > Staff - SMember Entra Links.
* Search for staff members by SNUM, name, or linked Entra account.
* View details of linked accounts, including Entra user name, email, tenant ID, and link timestamps.
* To remove a link: Select the staff member, click Remove Link, and confirm.

===Monitoring and Logs===
* All login attempts (successful and failed) are logged in the system's audit trail.
* Check logs for issues like tenant mismatches, unmapped accounts, or expired secrets.
* If the client secret expires, update it in the admin setup and test sign-in.

===Security Considerations===
* Client secrets should be rotated regularly (e.g., annually).
* Use Entra's conditional access policies for additional security.
* Disable the feature in the admin setup if not needed.
* Ensure the web server has appropriate permissions if using certificate-based auth (not recommended for this setup).

===Troubleshooting===
* Users Can't Sign In: Verify Entra settings, tenant matching, and secret validity.
* Link Errors: Check for duplicate links or invalid Entra accounts.
* Logs Show Failures: Review error messages (e.g., "Tenant Mismatch" or "Unmapped Account") and adjust settings accordingly.
For further assistance, contact your system administrator or refer to Microsoft Entra documentation.

Web:Kemp's Microsoft Entra Logon

2026-04-23T18:38:40Z

Jspenceratty: /* Security Considerations */

=Microsoft Entra Sign-In Feature=

==Overview==

The Microsoft Entra Sign-In feature allows staff members to authenticate using their Microsoft Entra (Azure Active Directory) accounts, providing an alternative to traditional username/password login. This feature integrates with your organization's Entra tenant, enabling single sign-on (SSO) for users who have linked their Entra accounts to their staff profiles. It supports multi-factor authentication (MFA) as configured in Entra, logs all login attempts for security auditing, and ensures compliance with your existing authentication policies.

==Key Benefits==
• Secure Authentication: Leverages Entra's built-in security, including MFA, conditional access, and password policies.
• Convenience: Users can sign in with their Entra credentials without remembering separate passwords.
• Audit Trail: All successful and failed login attempts are logged for monitoring.
• Admin Control: Administrators can configure settings, manage account links, and disable the feature if needed.
• Integration: Works alongside existing login methods, such as ConvergeOne LDAP if enabled.
==User Guide==
===Prerequisites===
* Your administrator must enable and configure the Entra sign-in feature.
* You must have a valid Entra account in the allowed tenant.
* Your staff account must be active and current.

===Linking Your Entra Account===
To use Entra sign-in, you must first link your Entra account to your staff profile:

# Log in to the application using your staff number and password.
# Navigate to Account > Manage Microsoft Link (or the equivalent link in your user menu).
# Click Link Microsoft Account.
# Sign in with your Microsoft Entra credentials when prompted.
# Upon successful linking, your Entra account will be associated with your staff number.

===Signing In with Entra===
Once linked:
# Go to the login page.
# If ConvergeOne authentication is enabled, complete that step first (e.g., enter your ConvergeOne username).
# Click Sign in with Microsoft.
# Sign in with your Entra credentials.
# You will be redirected to the application dashboard.

===Unlinking Your Account===
To stop using Entra sign-in:
# Log in normally.
# Go to Account > Manage Microsoft Link.
# Click Unlink Microsoft Account.
# Confirm the action. Your Entra account will no longer be linked.

===Troubleshooting===
* Link Fails: Ensure your Entra account is in the allowed tenant and not already linked to another staff account.
* Sign-In Fails: Verify your Entra credentials and that the feature is enabled. If issues persist, contact your administrator.
* Not Seeing the Button: The Microsoft sign-in option may appear after completing ConvergeOne authentication if that is enabled.

==Administrator Guide==
===Setup Requirements===
* Access to your organization's Microsoft Entra admin center.
* Permissions to create app registrations in Entra.
* Database access to configure settings.

===Configuring Entra Sign-In===
# Create an App Registration:
#* Go to the Microsoft Entra admin center.
#* Navigate to Applications > App registrations > New registration.
#* Set the name (e.g., "Prime16 Staff Sign-In").
#* Choose supported account types (typically "Accounts in this organizational directory only").
#* Set the redirect URI to: https://your-domain/Account/MicrosoftLinkCallback.aspx (replace with your actual domain).
# Obtain Credentials:
#* From the app registration, note the Application (client) ID and Directory (tenant) ID.
#* Go to Certificates & secrets and create a new client secret. Copy the Value (not the ID) immediately, as it will not be shown again. Set an expiration (e.g., 12 months) and plan to rotate it before expiry.
# Configure in the Application:
#* Log in as an administrator.
#* Go to Admin > Staff > SMember Entra Setup.
#* Enable the feature.
#* Enter the Tenant ID, Client ID, Client Secret, and optional Client Secret Expiration Date.
#* Set the Redirect URI (must match the Entra app registration).
#* Optionally set an Allowed Domain (e.g., yourdomain.com) to restrict sign-ins.
#* Save the settings.
# Grant Permissions:
#* In the Entra app registration, go to API permissions.
#* Add delegated permissions for Microsoft Graph: openid, profile, email.
#* Grant admin consent if required.

===Managing User Links===
* Go to Admin > Staff - SMember Entra Links.
* Search for staff members by SNUM, name, or linked Entra account.
* View details of linked accounts, including Entra user name, email, tenant ID, and link timestamps.
* To remove a link: Select the staff member, click Remove Link, and confirm.

===Monitoring and Logs===
* All login attempts (successful and failed) are logged in the system's audit trail.
* Check logs for issues like tenant mismatches, unmapped accounts, or expired secrets.
* If the client secret expires, update it in the admin setup and test sign-in.

===Security Considerations===
* Client secrets should be rotated regularly (e.g., annually).
* Use Entra's conditional access policies for additional security.
* Disable the feature in the admin setup if not needed.
* Ensure the web server has appropriate permissions if using certificate-based auth (not recommended for this setup).

===Troubleshooting===
• Users Can't Sign In: Verify Entra settings, tenant matching, and secret validity.
• Link Errors: Check for duplicate links or invalid Entra accounts.
• Logs Show Failures: Review error messages (e.g., "Tenant Mismatch" or "Unmapped Account") and adjust settings accordingly.
For further assistance, contact your system administrator or refer to Microsoft Entra documentation.

Web:Kemp's Microsoft Entra Logon

2026-04-23T18:38:25Z

Jspenceratty: /* Monitoring and Logs */

=Microsoft Entra Sign-In Feature=

==Overview==

The Microsoft Entra Sign-In feature allows staff members to authenticate using their Microsoft Entra (Azure Active Directory) accounts, providing an alternative to traditional username/password login. This feature integrates with your organization's Entra tenant, enabling single sign-on (SSO) for users who have linked their Entra accounts to their staff profiles. It supports multi-factor authentication (MFA) as configured in Entra, logs all login attempts for security auditing, and ensures compliance with your existing authentication policies.

==Key Benefits==
• Secure Authentication: Leverages Entra's built-in security, including MFA, conditional access, and password policies.
• Convenience: Users can sign in with their Entra credentials without remembering separate passwords.
• Audit Trail: All successful and failed login attempts are logged for monitoring.
• Admin Control: Administrators can configure settings, manage account links, and disable the feature if needed.
• Integration: Works alongside existing login methods, such as ConvergeOne LDAP if enabled.
==User Guide==
===Prerequisites===
* Your administrator must enable and configure the Entra sign-in feature.
* You must have a valid Entra account in the allowed tenant.
* Your staff account must be active and current.

===Linking Your Entra Account===
To use Entra sign-in, you must first link your Entra account to your staff profile:

# Log in to the application using your staff number and password.
# Navigate to Account > Manage Microsoft Link (or the equivalent link in your user menu).
# Click Link Microsoft Account.
# Sign in with your Microsoft Entra credentials when prompted.
# Upon successful linking, your Entra account will be associated with your staff number.

===Signing In with Entra===
Once linked:
# Go to the login page.
# If ConvergeOne authentication is enabled, complete that step first (e.g., enter your ConvergeOne username).
# Click Sign in with Microsoft.
# Sign in with your Entra credentials.
# You will be redirected to the application dashboard.

===Unlinking Your Account===
To stop using Entra sign-in:
# Log in normally.
# Go to Account > Manage Microsoft Link.
# Click Unlink Microsoft Account.
# Confirm the action. Your Entra account will no longer be linked.

===Troubleshooting===
* Link Fails: Ensure your Entra account is in the allowed tenant and not already linked to another staff account.
* Sign-In Fails: Verify your Entra credentials and that the feature is enabled. If issues persist, contact your administrator.
* Not Seeing the Button: The Microsoft sign-in option may appear after completing ConvergeOne authentication if that is enabled.

==Administrator Guide==
===Setup Requirements===
* Access to your organization's Microsoft Entra admin center.
* Permissions to create app registrations in Entra.
* Database access to configure settings.

===Configuring Entra Sign-In===
# Create an App Registration:
#* Go to the Microsoft Entra admin center.
#* Navigate to Applications > App registrations > New registration.
#* Set the name (e.g., "Prime16 Staff Sign-In").
#* Choose supported account types (typically "Accounts in this organizational directory only").
#* Set the redirect URI to: https://your-domain/Account/MicrosoftLinkCallback.aspx (replace with your actual domain).
# Obtain Credentials:
#* From the app registration, note the Application (client) ID and Directory (tenant) ID.
#* Go to Certificates & secrets and create a new client secret. Copy the Value (not the ID) immediately, as it will not be shown again. Set an expiration (e.g., 12 months) and plan to rotate it before expiry.
# Configure in the Application:
#* Log in as an administrator.
#* Go to Admin > Staff > SMember Entra Setup.
#* Enable the feature.
#* Enter the Tenant ID, Client ID, Client Secret, and optional Client Secret Expiration Date.
#* Set the Redirect URI (must match the Entra app registration).
#* Optionally set an Allowed Domain (e.g., yourdomain.com) to restrict sign-ins.
#* Save the settings.
# Grant Permissions:
#* In the Entra app registration, go to API permissions.
#* Add delegated permissions for Microsoft Graph: openid, profile, email.
#* Grant admin consent if required.

===Managing User Links===
* Go to Admin > Staff - SMember Entra Links.
* Search for staff members by SNUM, name, or linked Entra account.
* View details of linked accounts, including Entra user name, email, tenant ID, and link timestamps.
* To remove a link: Select the staff member, click Remove Link, and confirm.

===Monitoring and Logs===
* All login attempts (successful and failed) are logged in the system's audit trail.
* Check logs for issues like tenant mismatches, unmapped accounts, or expired secrets.
* If the client secret expires, update it in the admin setup and test sign-in.

===Security Considerations===
• Client secrets should be rotated regularly (e.g., annually).
• Use Entra's conditional access policies for additional security.
• Disable the feature in the admin setup if not needed.
• Ensure the web server has appropriate permissions if using certificate-based auth (not recommended for this setup).
===Troubleshooting===
• Users Can't Sign In: Verify Entra settings, tenant matching, and secret validity.
• Link Errors: Check for duplicate links or invalid Entra accounts.
• Logs Show Failures: Review error messages (e.g., "Tenant Mismatch" or "Unmapped Account") and adjust settings accordingly.
For further assistance, contact your system administrator or refer to Microsoft Entra documentation.

Web:Kemp's Microsoft Entra Logon

2026-04-23T18:38:10Z

Jspenceratty: /* Managing User Links */

=Microsoft Entra Sign-In Feature=

==Overview==

The Microsoft Entra Sign-In feature allows staff members to authenticate using their Microsoft Entra (Azure Active Directory) accounts, providing an alternative to traditional username/password login. This feature integrates with your organization's Entra tenant, enabling single sign-on (SSO) for users who have linked their Entra accounts to their staff profiles. It supports multi-factor authentication (MFA) as configured in Entra, logs all login attempts for security auditing, and ensures compliance with your existing authentication policies.

==Key Benefits==
• Secure Authentication: Leverages Entra's built-in security, including MFA, conditional access, and password policies.
• Convenience: Users can sign in with their Entra credentials without remembering separate passwords.
• Audit Trail: All successful and failed login attempts are logged for monitoring.
• Admin Control: Administrators can configure settings, manage account links, and disable the feature if needed.
• Integration: Works alongside existing login methods, such as ConvergeOne LDAP if enabled.
==User Guide==
===Prerequisites===
* Your administrator must enable and configure the Entra sign-in feature.
* You must have a valid Entra account in the allowed tenant.
* Your staff account must be active and current.

===Linking Your Entra Account===
To use Entra sign-in, you must first link your Entra account to your staff profile:

# Log in to the application using your staff number and password.
# Navigate to Account > Manage Microsoft Link (or the equivalent link in your user menu).
# Click Link Microsoft Account.
# Sign in with your Microsoft Entra credentials when prompted.
# Upon successful linking, your Entra account will be associated with your staff number.

===Signing In with Entra===
Once linked:
# Go to the login page.
# If ConvergeOne authentication is enabled, complete that step first (e.g., enter your ConvergeOne username).
# Click Sign in with Microsoft.
# Sign in with your Entra credentials.
# You will be redirected to the application dashboard.

===Unlinking Your Account===
To stop using Entra sign-in:
# Log in normally.
# Go to Account > Manage Microsoft Link.
# Click Unlink Microsoft Account.
# Confirm the action. Your Entra account will no longer be linked.

===Troubleshooting===
* Link Fails: Ensure your Entra account is in the allowed tenant and not already linked to another staff account.
* Sign-In Fails: Verify your Entra credentials and that the feature is enabled. If issues persist, contact your administrator.
* Not Seeing the Button: The Microsoft sign-in option may appear after completing ConvergeOne authentication if that is enabled.

==Administrator Guide==
===Setup Requirements===
* Access to your organization's Microsoft Entra admin center.
* Permissions to create app registrations in Entra.
* Database access to configure settings.

===Configuring Entra Sign-In===
# Create an App Registration:
#* Go to the Microsoft Entra admin center.
#* Navigate to Applications > App registrations > New registration.
#* Set the name (e.g., "Prime16 Staff Sign-In").
#* Choose supported account types (typically "Accounts in this organizational directory only").
#* Set the redirect URI to: https://your-domain/Account/MicrosoftLinkCallback.aspx (replace with your actual domain).
# Obtain Credentials:
#* From the app registration, note the Application (client) ID and Directory (tenant) ID.
#* Go to Certificates & secrets and create a new client secret. Copy the Value (not the ID) immediately, as it will not be shown again. Set an expiration (e.g., 12 months) and plan to rotate it before expiry.
# Configure in the Application:
#* Log in as an administrator.
#* Go to Admin > Staff > SMember Entra Setup.
#* Enable the feature.
#* Enter the Tenant ID, Client ID, Client Secret, and optional Client Secret Expiration Date.
#* Set the Redirect URI (must match the Entra app registration).
#* Optionally set an Allowed Domain (e.g., yourdomain.com) to restrict sign-ins.
#* Save the settings.
# Grant Permissions:
#* In the Entra app registration, go to API permissions.
#* Add delegated permissions for Microsoft Graph: openid, profile, email.
#* Grant admin consent if required.

===Managing User Links===
* Go to Admin > Staff - SMember Entra Links.
* Search for staff members by SNUM, name, or linked Entra account.
* View details of linked accounts, including Entra user name, email, tenant ID, and link timestamps.
* To remove a link: Select the staff member, click Remove Link, and confirm.

===Monitoring and Logs===
• All login attempts (successful and failed) are logged in the system's audit trail.
• Check logs for issues like tenant mismatches, unmapped accounts, or expired secrets.
• If the client secret expires, update it in the admin setup and test sign-in.
===Security Considerations===
• Client secrets should be rotated regularly (e.g., annually).
• Use Entra's conditional access policies for additional security.
• Disable the feature in the admin setup if not needed.
• Ensure the web server has appropriate permissions if using certificate-based auth (not recommended for this setup).
===Troubleshooting===
• Users Can't Sign In: Verify Entra settings, tenant matching, and secret validity.
• Link Errors: Check for duplicate links or invalid Entra accounts.
• Logs Show Failures: Review error messages (e.g., "Tenant Mismatch" or "Unmapped Account") and adjust settings accordingly.
For further assistance, contact your system administrator or refer to Microsoft Entra documentation.

Web:Kemp's Microsoft Entra Logon

2026-04-23T18:37:00Z

Jspenceratty: /* Configuring Entra Sign-In */

=Microsoft Entra Sign-In Feature=

==Overview==

The Microsoft Entra Sign-In feature allows staff members to authenticate using their Microsoft Entra (Azure Active Directory) accounts, providing an alternative to traditional username/password login. This feature integrates with your organization's Entra tenant, enabling single sign-on (SSO) for users who have linked their Entra accounts to their staff profiles. It supports multi-factor authentication (MFA) as configured in Entra, logs all login attempts for security auditing, and ensures compliance with your existing authentication policies.

==Key Benefits==
• Secure Authentication: Leverages Entra's built-in security, including MFA, conditional access, and password policies.
• Convenience: Users can sign in with their Entra credentials without remembering separate passwords.
• Audit Trail: All successful and failed login attempts are logged for monitoring.
• Admin Control: Administrators can configure settings, manage account links, and disable the feature if needed.
• Integration: Works alongside existing login methods, such as ConvergeOne LDAP if enabled.
==User Guide==
===Prerequisites===
* Your administrator must enable and configure the Entra sign-in feature.
* You must have a valid Entra account in the allowed tenant.
* Your staff account must be active and current.

===Linking Your Entra Account===
To use Entra sign-in, you must first link your Entra account to your staff profile:

# Log in to the application using your staff number and password.
# Navigate to Account > Manage Microsoft Link (or the equivalent link in your user menu).
# Click Link Microsoft Account.
# Sign in with your Microsoft Entra credentials when prompted.
# Upon successful linking, your Entra account will be associated with your staff number.

===Signing In with Entra===
Once linked:
# Go to the login page.
# If ConvergeOne authentication is enabled, complete that step first (e.g., enter your ConvergeOne username).
# Click Sign in with Microsoft.
# Sign in with your Entra credentials.
# You will be redirected to the application dashboard.

===Unlinking Your Account===
To stop using Entra sign-in:
# Log in normally.
# Go to Account > Manage Microsoft Link.
# Click Unlink Microsoft Account.
# Confirm the action. Your Entra account will no longer be linked.

===Troubleshooting===
* Link Fails: Ensure your Entra account is in the allowed tenant and not already linked to another staff account.
* Sign-In Fails: Verify your Entra credentials and that the feature is enabled. If issues persist, contact your administrator.
* Not Seeing the Button: The Microsoft sign-in option may appear after completing ConvergeOne authentication if that is enabled.

==Administrator Guide==
===Setup Requirements===
* Access to your organization's Microsoft Entra admin center.
* Permissions to create app registrations in Entra.
* Database access to configure settings.

===Configuring Entra Sign-In===
# Create an App Registration:
#* Go to the Microsoft Entra admin center.
#* Navigate to Applications > App registrations > New registration.
#* Set the name (e.g., "Prime16 Staff Sign-In").
#* Choose supported account types (typically "Accounts in this organizational directory only").
#* Set the redirect URI to: https://your-domain/Account/MicrosoftLinkCallback.aspx (replace with your actual domain).
# Obtain Credentials:
#* From the app registration, note the Application (client) ID and Directory (tenant) ID.
#* Go to Certificates & secrets and create a new client secret. Copy the Value (not the ID) immediately, as it will not be shown again. Set an expiration (e.g., 12 months) and plan to rotate it before expiry.
# Configure in the Application:
#* Log in as an administrator.
#* Go to Admin > Staff > SMember Entra Setup.
#* Enable the feature.
#* Enter the Tenant ID, Client ID, Client Secret, and optional Client Secret Expiration Date.
#* Set the Redirect URI (must match the Entra app registration).
#* Optionally set an Allowed Domain (e.g., yourdomain.com) to restrict sign-ins.
#* Save the settings.
# Grant Permissions:
#* In the Entra app registration, go to API permissions.
#* Add delegated permissions for Microsoft Graph: openid, profile, email.
#* Grant admin consent if required.

===Managing User Links===
• Go to Admin > Staff > SMember Entra Links.
• Search for staff members by SNUM, name, or linked Entra account.
• View details of linked accounts, including Entra user name, email, tenant ID, and link timestamps.
• To remove a link: Select the staff member, click Remove Link, and confirm.
===Monitoring and Logs===
• All login attempts (successful and failed) are logged in the system's audit trail.
• Check logs for issues like tenant mismatches, unmapped accounts, or expired secrets.
• If the client secret expires, update it in the admin setup and test sign-in.
===Security Considerations===
• Client secrets should be rotated regularly (e.g., annually).
• Use Entra's conditional access policies for additional security.
• Disable the feature in the admin setup if not needed.
• Ensure the web server has appropriate permissions if using certificate-based auth (not recommended for this setup).
===Troubleshooting===
• Users Can't Sign In: Verify Entra settings, tenant matching, and secret validity.
• Link Errors: Check for duplicate links or invalid Entra accounts.
• Logs Show Failures: Review error messages (e.g., "Tenant Mismatch" or "Unmapped Account") and adjust settings accordingly.
For further assistance, contact your system administrator or refer to Microsoft Entra documentation.

Web:Kemp's Microsoft Entra Logon

2026-04-23T18:34:20Z

Jspenceratty: /* Setup Requirements */

=Microsoft Entra Sign-In Feature=

==Overview==

The Microsoft Entra Sign-In feature allows staff members to authenticate using their Microsoft Entra (Azure Active Directory) accounts, providing an alternative to traditional username/password login. This feature integrates with your organization's Entra tenant, enabling single sign-on (SSO) for users who have linked their Entra accounts to their staff profiles. It supports multi-factor authentication (MFA) as configured in Entra, logs all login attempts for security auditing, and ensures compliance with your existing authentication policies.

==Key Benefits==
• Secure Authentication: Leverages Entra's built-in security, including MFA, conditional access, and password policies.
• Convenience: Users can sign in with their Entra credentials without remembering separate passwords.
• Audit Trail: All successful and failed login attempts are logged for monitoring.
• Admin Control: Administrators can configure settings, manage account links, and disable the feature if needed.
• Integration: Works alongside existing login methods, such as ConvergeOne LDAP if enabled.
==User Guide==
===Prerequisites===
* Your administrator must enable and configure the Entra sign-in feature.
* You must have a valid Entra account in the allowed tenant.
* Your staff account must be active and current.

===Linking Your Entra Account===
To use Entra sign-in, you must first link your Entra account to your staff profile:

# Log in to the application using your staff number and password.
# Navigate to Account > Manage Microsoft Link (or the equivalent link in your user menu).
# Click Link Microsoft Account.
# Sign in with your Microsoft Entra credentials when prompted.
# Upon successful linking, your Entra account will be associated with your staff number.

===Signing In with Entra===
Once linked:
# Go to the login page.
# If ConvergeOne authentication is enabled, complete that step first (e.g., enter your ConvergeOne username).
# Click Sign in with Microsoft.
# Sign in with your Entra credentials.
# You will be redirected to the application dashboard.

===Unlinking Your Account===
To stop using Entra sign-in:
# Log in normally.
# Go to Account > Manage Microsoft Link.
# Click Unlink Microsoft Account.
# Confirm the action. Your Entra account will no longer be linked.

===Troubleshooting===
* Link Fails: Ensure your Entra account is in the allowed tenant and not already linked to another staff account.
* Sign-In Fails: Verify your Entra credentials and that the feature is enabled. If issues persist, contact your administrator.
* Not Seeing the Button: The Microsoft sign-in option may appear after completing ConvergeOne authentication if that is enabled.

==Administrator Guide==
===Setup Requirements===
* Access to your organization's Microsoft Entra admin center.
* Permissions to create app registrations in Entra.
* Database access to configure settings.

===Configuring Entra Sign-In===
1. Create an App Registration:
• Go to the Microsoft Entra admin center.
• Navigate to Applications > App registrations > New registration.
• Set the name (e.g., "Prime16 Staff Sign-In").
• Choose supported account types (typically "Accounts in this organizational directory only").
• Set the redirect URI to: https://your-domain/Account/MicrosoftLinkCallback.aspx (replace with your actual domain).
2. Obtain Credentials:
• From the app registration, note the Application (client) ID and Directory (tenant) ID.
• Go to Certificates & secrets and create a new client secret. Copy the Value (not the ID) immediately, as it will not be shown again. Set an expiration (e.g., 12 months) and plan to rotate it before expiry.
3. Configure in the Application:
• Log in as an administrator.
• Go to Admin > Staff > SMember Entra Setup.
• Enable the feature.
• Enter the Tenant ID, Client ID, Client Secret, and optional Client Secret Expiration Date.
• Set the Redirect URI (must match the Entra app registration).
• Optionally set an Allowed Domain (e.g., yourdomain.com) to restrict sign-ins.
• Save the settings.
4. Grant Permissions:
• In the Entra app registration, go to API permissions.
• Add delegated permissions for Microsoft Graph: openid, profile, email.
• Grant admin consent if required.
===Managing User Links===
• Go to Admin > Staff > SMember Entra Links.
• Search for staff members by SNUM, name, or linked Entra account.
• View details of linked accounts, including Entra user name, email, tenant ID, and link timestamps.
• To remove a link: Select the staff member, click Remove Link, and confirm.
===Monitoring and Logs===
• All login attempts (successful and failed) are logged in the system's audit trail.
• Check logs for issues like tenant mismatches, unmapped accounts, or expired secrets.
• If the client secret expires, update it in the admin setup and test sign-in.
===Security Considerations===
• Client secrets should be rotated regularly (e.g., annually).
• Use Entra's conditional access policies for additional security.
• Disable the feature in the admin setup if not needed.
• Ensure the web server has appropriate permissions if using certificate-based auth (not recommended for this setup).
===Troubleshooting===
• Users Can't Sign In: Verify Entra settings, tenant matching, and secret validity.
• Link Errors: Check for duplicate links or invalid Entra accounts.
• Logs Show Failures: Review error messages (e.g., "Tenant Mismatch" or "Unmapped Account") and adjust settings accordingly.
For further assistance, contact your system administrator or refer to Microsoft Entra documentation.

Web:Kemp's Microsoft Entra Logon

2026-04-23T18:34:08Z

Jspenceratty: /* Troubleshooting */

=Microsoft Entra Sign-In Feature=

==Overview==

The Microsoft Entra Sign-In feature allows staff members to authenticate using their Microsoft Entra (Azure Active Directory) accounts, providing an alternative to traditional username/password login. This feature integrates with your organization's Entra tenant, enabling single sign-on (SSO) for users who have linked their Entra accounts to their staff profiles. It supports multi-factor authentication (MFA) as configured in Entra, logs all login attempts for security auditing, and ensures compliance with your existing authentication policies.

==Key Benefits==
• Secure Authentication: Leverages Entra's built-in security, including MFA, conditional access, and password policies.
• Convenience: Users can sign in with their Entra credentials without remembering separate passwords.
• Audit Trail: All successful and failed login attempts are logged for monitoring.
• Admin Control: Administrators can configure settings, manage account links, and disable the feature if needed.
• Integration: Works alongside existing login methods, such as ConvergeOne LDAP if enabled.
==User Guide==
===Prerequisites===
* Your administrator must enable and configure the Entra sign-in feature.
* You must have a valid Entra account in the allowed tenant.
* Your staff account must be active and current.

===Linking Your Entra Account===
To use Entra sign-in, you must first link your Entra account to your staff profile:

# Log in to the application using your staff number and password.
# Navigate to Account > Manage Microsoft Link (or the equivalent link in your user menu).
# Click Link Microsoft Account.
# Sign in with your Microsoft Entra credentials when prompted.
# Upon successful linking, your Entra account will be associated with your staff number.

===Signing In with Entra===
Once linked:
# Go to the login page.
# If ConvergeOne authentication is enabled, complete that step first (e.g., enter your ConvergeOne username).
# Click Sign in with Microsoft.
# Sign in with your Entra credentials.
# You will be redirected to the application dashboard.

===Unlinking Your Account===
To stop using Entra sign-in:
# Log in normally.
# Go to Account > Manage Microsoft Link.
# Click Unlink Microsoft Account.
# Confirm the action. Your Entra account will no longer be linked.

===Troubleshooting===
* Link Fails: Ensure your Entra account is in the allowed tenant and not already linked to another staff account.
* Sign-In Fails: Verify your Entra credentials and that the feature is enabled. If issues persist, contact your administrator.
* Not Seeing the Button: The Microsoft sign-in option may appear after completing ConvergeOne authentication if that is enabled.

==Administrator Guide==
===Setup Requirements===
• Access to your organization's Microsoft Entra admin center.
• Permissions to create app registrations in Entra.
• Database access to configure settings.
===Configuring Entra Sign-In===
1. Create an App Registration:
• Go to the Microsoft Entra admin center.
• Navigate to Applications > App registrations > New registration.
• Set the name (e.g., "Prime16 Staff Sign-In").
• Choose supported account types (typically "Accounts in this organizational directory only").
• Set the redirect URI to: https://your-domain/Account/MicrosoftLinkCallback.aspx (replace with your actual domain).
2. Obtain Credentials:
• From the app registration, note the Application (client) ID and Directory (tenant) ID.
• Go to Certificates & secrets and create a new client secret. Copy the Value (not the ID) immediately, as it will not be shown again. Set an expiration (e.g., 12 months) and plan to rotate it before expiry.
3. Configure in the Application:
• Log in as an administrator.
• Go to Admin > Staff > SMember Entra Setup.
• Enable the feature.
• Enter the Tenant ID, Client ID, Client Secret, and optional Client Secret Expiration Date.
• Set the Redirect URI (must match the Entra app registration).
• Optionally set an Allowed Domain (e.g., yourdomain.com) to restrict sign-ins.
• Save the settings.
4. Grant Permissions:
• In the Entra app registration, go to API permissions.
• Add delegated permissions for Microsoft Graph: openid, profile, email.
• Grant admin consent if required.
===Managing User Links===
• Go to Admin > Staff > SMember Entra Links.
• Search for staff members by SNUM, name, or linked Entra account.
• View details of linked accounts, including Entra user name, email, tenant ID, and link timestamps.
• To remove a link: Select the staff member, click Remove Link, and confirm.
===Monitoring and Logs===
• All login attempts (successful and failed) are logged in the system's audit trail.
• Check logs for issues like tenant mismatches, unmapped accounts, or expired secrets.
• If the client secret expires, update it in the admin setup and test sign-in.
===Security Considerations===
• Client secrets should be rotated regularly (e.g., annually).
• Use Entra's conditional access policies for additional security.
• Disable the feature in the admin setup if not needed.
• Ensure the web server has appropriate permissions if using certificate-based auth (not recommended for this setup).
===Troubleshooting===
• Users Can't Sign In: Verify Entra settings, tenant matching, and secret validity.
• Link Errors: Check for duplicate links or invalid Entra accounts.
• Logs Show Failures: Review error messages (e.g., "Tenant Mismatch" or "Unmapped Account") and adjust settings accordingly.
For further assistance, contact your system administrator or refer to Microsoft Entra documentation.

Web:Kemp's Microsoft Entra Logon

2026-04-23T18:33:49Z

Jspenceratty: /* Unlinking Your Account */

=Microsoft Entra Sign-In Feature=

==Overview==

The Microsoft Entra Sign-In feature allows staff members to authenticate using their Microsoft Entra (Azure Active Directory) accounts, providing an alternative to traditional username/password login. This feature integrates with your organization's Entra tenant, enabling single sign-on (SSO) for users who have linked their Entra accounts to their staff profiles. It supports multi-factor authentication (MFA) as configured in Entra, logs all login attempts for security auditing, and ensures compliance with your existing authentication policies.

==Key Benefits==
• Secure Authentication: Leverages Entra's built-in security, including MFA, conditional access, and password policies.
• Convenience: Users can sign in with their Entra credentials without remembering separate passwords.
• Audit Trail: All successful and failed login attempts are logged for monitoring.
• Admin Control: Administrators can configure settings, manage account links, and disable the feature if needed.
• Integration: Works alongside existing login methods, such as ConvergeOne LDAP if enabled.
==User Guide==
===Prerequisites===
* Your administrator must enable and configure the Entra sign-in feature.
* You must have a valid Entra account in the allowed tenant.
* Your staff account must be active and current.

===Linking Your Entra Account===
To use Entra sign-in, you must first link your Entra account to your staff profile:

# Log in to the application using your staff number and password.
# Navigate to Account > Manage Microsoft Link (or the equivalent link in your user menu).
# Click Link Microsoft Account.
# Sign in with your Microsoft Entra credentials when prompted.
# Upon successful linking, your Entra account will be associated with your staff number.

===Signing In with Entra===
Once linked:
# Go to the login page.
# If ConvergeOne authentication is enabled, complete that step first (e.g., enter your ConvergeOne username).
# Click Sign in with Microsoft.
# Sign in with your Entra credentials.
# You will be redirected to the application dashboard.

===Unlinking Your Account===
To stop using Entra sign-in:
# Log in normally.
# Go to Account > Manage Microsoft Link.
# Click Unlink Microsoft Account.
# Confirm the action. Your Entra account will no longer be linked.

===Troubleshooting===
• Link Fails: Ensure your Entra account is in the allowed tenant and not already linked to another staff account.
• Sign-In Fails: Verify your Entra credentials and that the feature is enabled. If issues persist, contact your administrator.
• Not Seeing the Button: The Microsoft sign-in option may appear after completing ConvergeOne authentication if that is enabled.
==Administrator Guide==
===Setup Requirements===
• Access to your organization's Microsoft Entra admin center.
• Permissions to create app registrations in Entra.
• Database access to configure settings.
===Configuring Entra Sign-In===
1. Create an App Registration:
• Go to the Microsoft Entra admin center.
• Navigate to Applications > App registrations > New registration.
• Set the name (e.g., "Prime16 Staff Sign-In").
• Choose supported account types (typically "Accounts in this organizational directory only").
• Set the redirect URI to: https://your-domain/Account/MicrosoftLinkCallback.aspx (replace with your actual domain).
2. Obtain Credentials:
• From the app registration, note the Application (client) ID and Directory (tenant) ID.
• Go to Certificates & secrets and create a new client secret. Copy the Value (not the ID) immediately, as it will not be shown again. Set an expiration (e.g., 12 months) and plan to rotate it before expiry.
3. Configure in the Application:
• Log in as an administrator.
• Go to Admin > Staff > SMember Entra Setup.
• Enable the feature.
• Enter the Tenant ID, Client ID, Client Secret, and optional Client Secret Expiration Date.
• Set the Redirect URI (must match the Entra app registration).
• Optionally set an Allowed Domain (e.g., yourdomain.com) to restrict sign-ins.
• Save the settings.
4. Grant Permissions:
• In the Entra app registration, go to API permissions.
• Add delegated permissions for Microsoft Graph: openid, profile, email.
• Grant admin consent if required.
===Managing User Links===
• Go to Admin > Staff > SMember Entra Links.
• Search for staff members by SNUM, name, or linked Entra account.
• View details of linked accounts, including Entra user name, email, tenant ID, and link timestamps.
• To remove a link: Select the staff member, click Remove Link, and confirm.
===Monitoring and Logs===
• All login attempts (successful and failed) are logged in the system's audit trail.
• Check logs for issues like tenant mismatches, unmapped accounts, or expired secrets.
• If the client secret expires, update it in the admin setup and test sign-in.
===Security Considerations===
• Client secrets should be rotated regularly (e.g., annually).
• Use Entra's conditional access policies for additional security.
• Disable the feature in the admin setup if not needed.
• Ensure the web server has appropriate permissions if using certificate-based auth (not recommended for this setup).
===Troubleshooting===
• Users Can't Sign In: Verify Entra settings, tenant matching, and secret validity.
• Link Errors: Check for duplicate links or invalid Entra accounts.
• Logs Show Failures: Review error messages (e.g., "Tenant Mismatch" or "Unmapped Account") and adjust settings accordingly.
For further assistance, contact your system administrator or refer to Microsoft Entra documentation.

Web:Kemp's Microsoft Entra Logon

2026-04-23T18:33:36Z

Jspenceratty: /* Signing In with Entra */

=Microsoft Entra Sign-In Feature=

==Overview==

The Microsoft Entra Sign-In feature allows staff members to authenticate using their Microsoft Entra (Azure Active Directory) accounts, providing an alternative to traditional username/password login. This feature integrates with your organization's Entra tenant, enabling single sign-on (SSO) for users who have linked their Entra accounts to their staff profiles. It supports multi-factor authentication (MFA) as configured in Entra, logs all login attempts for security auditing, and ensures compliance with your existing authentication policies.

==Key Benefits==
• Secure Authentication: Leverages Entra's built-in security, including MFA, conditional access, and password policies.
• Convenience: Users can sign in with their Entra credentials without remembering separate passwords.
• Audit Trail: All successful and failed login attempts are logged for monitoring.
• Admin Control: Administrators can configure settings, manage account links, and disable the feature if needed.
• Integration: Works alongside existing login methods, such as ConvergeOne LDAP if enabled.
==User Guide==
===Prerequisites===
* Your administrator must enable and configure the Entra sign-in feature.
* You must have a valid Entra account in the allowed tenant.
* Your staff account must be active and current.

===Linking Your Entra Account===
To use Entra sign-in, you must first link your Entra account to your staff profile:

# Log in to the application using your staff number and password.
# Navigate to Account > Manage Microsoft Link (or the equivalent link in your user menu).
# Click Link Microsoft Account.
# Sign in with your Microsoft Entra credentials when prompted.
# Upon successful linking, your Entra account will be associated with your staff number.

===Signing In with Entra===
Once linked:
# Go to the login page.
# If ConvergeOne authentication is enabled, complete that step first (e.g., enter your ConvergeOne username).
# Click Sign in with Microsoft.
# Sign in with your Entra credentials.
# You will be redirected to the application dashboard.

===Unlinking Your Account===
To stop using Entra sign-in:
1. Log in normally.
2. Go to Account > Manage Microsoft Link.
3. Click Unlink Microsoft Account.
4. Confirm the action. Your Entra account will no longer be linked.
===Troubleshooting===
• Link Fails: Ensure your Entra account is in the allowed tenant and not already linked to another staff account.
• Sign-In Fails: Verify your Entra credentials and that the feature is enabled. If issues persist, contact your administrator.
• Not Seeing the Button: The Microsoft sign-in option may appear after completing ConvergeOne authentication if that is enabled.
==Administrator Guide==
===Setup Requirements===
• Access to your organization's Microsoft Entra admin center.
• Permissions to create app registrations in Entra.
• Database access to configure settings.
===Configuring Entra Sign-In===
1. Create an App Registration:
• Go to the Microsoft Entra admin center.
• Navigate to Applications > App registrations > New registration.
• Set the name (e.g., "Prime16 Staff Sign-In").
• Choose supported account types (typically "Accounts in this organizational directory only").
• Set the redirect URI to: https://your-domain/Account/MicrosoftLinkCallback.aspx (replace with your actual domain).
2. Obtain Credentials:
• From the app registration, note the Application (client) ID and Directory (tenant) ID.
• Go to Certificates & secrets and create a new client secret. Copy the Value (not the ID) immediately, as it will not be shown again. Set an expiration (e.g., 12 months) and plan to rotate it before expiry.
3. Configure in the Application:
• Log in as an administrator.
• Go to Admin > Staff > SMember Entra Setup.
• Enable the feature.
• Enter the Tenant ID, Client ID, Client Secret, and optional Client Secret Expiration Date.
• Set the Redirect URI (must match the Entra app registration).
• Optionally set an Allowed Domain (e.g., yourdomain.com) to restrict sign-ins.
• Save the settings.
4. Grant Permissions:
• In the Entra app registration, go to API permissions.
• Add delegated permissions for Microsoft Graph: openid, profile, email.
• Grant admin consent if required.
===Managing User Links===
• Go to Admin > Staff > SMember Entra Links.
• Search for staff members by SNUM, name, or linked Entra account.
• View details of linked accounts, including Entra user name, email, tenant ID, and link timestamps.
• To remove a link: Select the staff member, click Remove Link, and confirm.
===Monitoring and Logs===
• All login attempts (successful and failed) are logged in the system's audit trail.
• Check logs for issues like tenant mismatches, unmapped accounts, or expired secrets.
• If the client secret expires, update it in the admin setup and test sign-in.
===Security Considerations===
• Client secrets should be rotated regularly (e.g., annually).
• Use Entra's conditional access policies for additional security.
• Disable the feature in the admin setup if not needed.
• Ensure the web server has appropriate permissions if using certificate-based auth (not recommended for this setup).
===Troubleshooting===
• Users Can't Sign In: Verify Entra settings, tenant matching, and secret validity.
• Link Errors: Check for duplicate links or invalid Entra accounts.
• Logs Show Failures: Review error messages (e.g., "Tenant Mismatch" or "Unmapped Account") and adjust settings accordingly.
For further assistance, contact your system administrator or refer to Microsoft Entra documentation.

Web:Kemp's Microsoft Entra Logon

2026-04-23T18:33:14Z

Jspenceratty: /* Linking Your Entra Account */

=Microsoft Entra Sign-In Feature=

==Overview==

The Microsoft Entra Sign-In feature allows staff members to authenticate using their Microsoft Entra (Azure Active Directory) accounts, providing an alternative to traditional username/password login. This feature integrates with your organization's Entra tenant, enabling single sign-on (SSO) for users who have linked their Entra accounts to their staff profiles. It supports multi-factor authentication (MFA) as configured in Entra, logs all login attempts for security auditing, and ensures compliance with your existing authentication policies.

==Key Benefits==
• Secure Authentication: Leverages Entra's built-in security, including MFA, conditional access, and password policies.
• Convenience: Users can sign in with their Entra credentials without remembering separate passwords.
• Audit Trail: All successful and failed login attempts are logged for monitoring.
• Admin Control: Administrators can configure settings, manage account links, and disable the feature if needed.
• Integration: Works alongside existing login methods, such as ConvergeOne LDAP if enabled.
==User Guide==
===Prerequisites===
* Your administrator must enable and configure the Entra sign-in feature.
* You must have a valid Entra account in the allowed tenant.
* Your staff account must be active and current.

===Linking Your Entra Account===
To use Entra sign-in, you must first link your Entra account to your staff profile:

# Log in to the application using your staff number and password.
# Navigate to Account > Manage Microsoft Link (or the equivalent link in your user menu).
# Click Link Microsoft Account.
# Sign in with your Microsoft Entra credentials when prompted.
# Upon successful linking, your Entra account will be associated with your staff number.

===Signing In with Entra===
Once linked:
1. Go to the login page.
2. If ConvergeOne authentication is enabled, complete that step first (e.g., enter your ConvergeOne username).
3. Click Sign in with Microsoft.
4. Sign in with your Entra credentials.
5. You will be redirected to the application dashboard.
===Unlinking Your Account===
To stop using Entra sign-in:
1. Log in normally.
2. Go to Account > Manage Microsoft Link.
3. Click Unlink Microsoft Account.
4. Confirm the action. Your Entra account will no longer be linked.
===Troubleshooting===
• Link Fails: Ensure your Entra account is in the allowed tenant and not already linked to another staff account.
• Sign-In Fails: Verify your Entra credentials and that the feature is enabled. If issues persist, contact your administrator.
• Not Seeing the Button: The Microsoft sign-in option may appear after completing ConvergeOne authentication if that is enabled.
==Administrator Guide==
===Setup Requirements===
• Access to your organization's Microsoft Entra admin center.
• Permissions to create app registrations in Entra.
• Database access to configure settings.
===Configuring Entra Sign-In===
1. Create an App Registration:
• Go to the Microsoft Entra admin center.
• Navigate to Applications > App registrations > New registration.
• Set the name (e.g., "Prime16 Staff Sign-In").
• Choose supported account types (typically "Accounts in this organizational directory only").
• Set the redirect URI to: https://your-domain/Account/MicrosoftLinkCallback.aspx (replace with your actual domain).
2. Obtain Credentials:
• From the app registration, note the Application (client) ID and Directory (tenant) ID.
• Go to Certificates & secrets and create a new client secret. Copy the Value (not the ID) immediately, as it will not be shown again. Set an expiration (e.g., 12 months) and plan to rotate it before expiry.
3. Configure in the Application:
• Log in as an administrator.
• Go to Admin > Staff > SMember Entra Setup.
• Enable the feature.
• Enter the Tenant ID, Client ID, Client Secret, and optional Client Secret Expiration Date.
• Set the Redirect URI (must match the Entra app registration).
• Optionally set an Allowed Domain (e.g., yourdomain.com) to restrict sign-ins.
• Save the settings.
4. Grant Permissions:
• In the Entra app registration, go to API permissions.
• Add delegated permissions for Microsoft Graph: openid, profile, email.
• Grant admin consent if required.
===Managing User Links===
• Go to Admin > Staff > SMember Entra Links.
• Search for staff members by SNUM, name, or linked Entra account.
• View details of linked accounts, including Entra user name, email, tenant ID, and link timestamps.
• To remove a link: Select the staff member, click Remove Link, and confirm.
===Monitoring and Logs===
• All login attempts (successful and failed) are logged in the system's audit trail.
• Check logs for issues like tenant mismatches, unmapped accounts, or expired secrets.
• If the client secret expires, update it in the admin setup and test sign-in.
===Security Considerations===
• Client secrets should be rotated regularly (e.g., annually).
• Use Entra's conditional access policies for additional security.
• Disable the feature in the admin setup if not needed.
• Ensure the web server has appropriate permissions if using certificate-based auth (not recommended for this setup).
===Troubleshooting===
• Users Can't Sign In: Verify Entra settings, tenant matching, and secret validity.
• Link Errors: Check for duplicate links or invalid Entra accounts.
• Logs Show Failures: Review error messages (e.g., "Tenant Mismatch" or "Unmapped Account") and adjust settings accordingly.
For further assistance, contact your system administrator or refer to Microsoft Entra documentation.

Web:Kemp's Microsoft Entra Logon

2026-04-23T18:32:36Z

Jspenceratty: /* Prerequisites */

=Microsoft Entra Sign-In Feature=

==Overview==

The Microsoft Entra Sign-In feature allows staff members to authenticate using their Microsoft Entra (Azure Active Directory) accounts, providing an alternative to traditional username/password login. This feature integrates with your organization's Entra tenant, enabling single sign-on (SSO) for users who have linked their Entra accounts to their staff profiles. It supports multi-factor authentication (MFA) as configured in Entra, logs all login attempts for security auditing, and ensures compliance with your existing authentication policies.

==Key Benefits==
• Secure Authentication: Leverages Entra's built-in security, including MFA, conditional access, and password policies.
• Convenience: Users can sign in with their Entra credentials without remembering separate passwords.
• Audit Trail: All successful and failed login attempts are logged for monitoring.
• Admin Control: Administrators can configure settings, manage account links, and disable the feature if needed.
• Integration: Works alongside existing login methods, such as ConvergeOne LDAP if enabled.
==User Guide==
===Prerequisites===
* Your administrator must enable and configure the Entra sign-in feature.
* You must have a valid Entra account in the allowed tenant.
* Your staff account must be active and current.

===Linking Your Entra Account===
To use Entra sign-in, you must first link your Entra account to your staff profile:
1. Log in to the application using your staff number and password.
2. Navigate to Account > Manage Microsoft Link (or the equivalent link in your user menu).
3. Click Link Microsoft Account.
4. Sign in with your Microsoft Entra credentials when prompted.
5. Upon successful linking, your Entra account will be associated with your staff number.
===Signing In with Entra===
Once linked:
1. Go to the login page.
2. If ConvergeOne authentication is enabled, complete that step first (e.g., enter your ConvergeOne username).
3. Click Sign in with Microsoft.
4. Sign in with your Entra credentials.
5. You will be redirected to the application dashboard.
===Unlinking Your Account===
To stop using Entra sign-in:
1. Log in normally.
2. Go to Account > Manage Microsoft Link.
3. Click Unlink Microsoft Account.
4. Confirm the action. Your Entra account will no longer be linked.
===Troubleshooting===
• Link Fails: Ensure your Entra account is in the allowed tenant and not already linked to another staff account.
• Sign-In Fails: Verify your Entra credentials and that the feature is enabled. If issues persist, contact your administrator.
• Not Seeing the Button: The Microsoft sign-in option may appear after completing ConvergeOne authentication if that is enabled.
==Administrator Guide==
===Setup Requirements===
• Access to your organization's Microsoft Entra admin center.
• Permissions to create app registrations in Entra.
• Database access to configure settings.
===Configuring Entra Sign-In===
1. Create an App Registration:
• Go to the Microsoft Entra admin center.
• Navigate to Applications > App registrations > New registration.
• Set the name (e.g., "Prime16 Staff Sign-In").
• Choose supported account types (typically "Accounts in this organizational directory only").
• Set the redirect URI to: https://your-domain/Account/MicrosoftLinkCallback.aspx (replace with your actual domain).
2. Obtain Credentials:
• From the app registration, note the Application (client) ID and Directory (tenant) ID.
• Go to Certificates & secrets and create a new client secret. Copy the Value (not the ID) immediately, as it will not be shown again. Set an expiration (e.g., 12 months) and plan to rotate it before expiry.
3. Configure in the Application:
• Log in as an administrator.
• Go to Admin > Staff > SMember Entra Setup.
• Enable the feature.
• Enter the Tenant ID, Client ID, Client Secret, and optional Client Secret Expiration Date.
• Set the Redirect URI (must match the Entra app registration).
• Optionally set an Allowed Domain (e.g., yourdomain.com) to restrict sign-ins.
• Save the settings.
4. Grant Permissions:
• In the Entra app registration, go to API permissions.
• Add delegated permissions for Microsoft Graph: openid, profile, email.
• Grant admin consent if required.
===Managing User Links===
• Go to Admin > Staff > SMember Entra Links.
• Search for staff members by SNUM, name, or linked Entra account.
• View details of linked accounts, including Entra user name, email, tenant ID, and link timestamps.
• To remove a link: Select the staff member, click Remove Link, and confirm.
===Monitoring and Logs===
• All login attempts (successful and failed) are logged in the system's audit trail.
• Check logs for issues like tenant mismatches, unmapped accounts, or expired secrets.
• If the client secret expires, update it in the admin setup and test sign-in.
===Security Considerations===
• Client secrets should be rotated regularly (e.g., annually).
• Use Entra's conditional access policies for additional security.
• Disable the feature in the admin setup if not needed.
• Ensure the web server has appropriate permissions if using certificate-based auth (not recommended for this setup).
===Troubleshooting===
• Users Can't Sign In: Verify Entra settings, tenant matching, and secret validity.
• Link Errors: Check for duplicate links or invalid Entra accounts.
• Logs Show Failures: Review error messages (e.g., "Tenant Mismatch" or "Unmapped Account") and adjust settings accordingly.
For further assistance, contact your system administrator or refer to Microsoft Entra documentation.

Web:Kemp's Microsoft Entra Logon

2026-04-23T18:31:06Z

Jspenceratty: /* Kemp's Case Works Prime 16 Web Microsoft Entra Logon */

=Microsoft Entra Sign-In Feature=

==Overview==

The Microsoft Entra Sign-In feature allows staff members to authenticate using their Microsoft Entra (Azure Active Directory) accounts, providing an alternative to traditional username/password login. This feature integrates with your organization's Entra tenant, enabling single sign-on (SSO) for users who have linked their Entra accounts to their staff profiles. It supports multi-factor authentication (MFA) as configured in Entra, logs all login attempts for security auditing, and ensures compliance with your existing authentication policies.

==Key Benefits==
• Secure Authentication: Leverages Entra's built-in security, including MFA, conditional access, and password policies.
• Convenience: Users can sign in with their Entra credentials without remembering separate passwords.
• Audit Trail: All successful and failed login attempts are logged for monitoring.
• Admin Control: Administrators can configure settings, manage account links, and disable the feature if needed.
• Integration: Works alongside existing login methods, such as ConvergeOne LDAP if enabled.
==User Guide==
===Prerequisites===
• Your administrator must enable and configure the Entra sign-in feature.
• You must have a valid Entra account in the allowed tenant.
• Your staff account must be active and current.
===Linking Your Entra Account===
To use Entra sign-in, you must first link your Entra account to your staff profile:
1. Log in to the application using your staff number and password.
2. Navigate to Account > Manage Microsoft Link (or the equivalent link in your user menu).
3. Click Link Microsoft Account.
4. Sign in with your Microsoft Entra credentials when prompted.
5. Upon successful linking, your Entra account will be associated with your staff number.
===Signing In with Entra===
Once linked:
1. Go to the login page.
2. If ConvergeOne authentication is enabled, complete that step first (e.g., enter your ConvergeOne username).
3. Click Sign in with Microsoft.
4. Sign in with your Entra credentials.
5. You will be redirected to the application dashboard.
===Unlinking Your Account===
To stop using Entra sign-in:
1. Log in normally.
2. Go to Account > Manage Microsoft Link.
3. Click Unlink Microsoft Account.
4. Confirm the action. Your Entra account will no longer be linked.
===Troubleshooting===
• Link Fails: Ensure your Entra account is in the allowed tenant and not already linked to another staff account.
• Sign-In Fails: Verify your Entra credentials and that the feature is enabled. If issues persist, contact your administrator.
• Not Seeing the Button: The Microsoft sign-in option may appear after completing ConvergeOne authentication if that is enabled.
==Administrator Guide==
===Setup Requirements===
• Access to your organization's Microsoft Entra admin center.
• Permissions to create app registrations in Entra.
• Database access to configure settings.
===Configuring Entra Sign-In===
1. Create an App Registration:
• Go to the Microsoft Entra admin center.
• Navigate to Applications > App registrations > New registration.
• Set the name (e.g., "Prime16 Staff Sign-In").
• Choose supported account types (typically "Accounts in this organizational directory only").
• Set the redirect URI to: https://your-domain/Account/MicrosoftLinkCallback.aspx (replace with your actual domain).
2. Obtain Credentials:
• From the app registration, note the Application (client) ID and Directory (tenant) ID.
• Go to Certificates & secrets and create a new client secret. Copy the Value (not the ID) immediately, as it will not be shown again. Set an expiration (e.g., 12 months) and plan to rotate it before expiry.
3. Configure in the Application:
• Log in as an administrator.
• Go to Admin > Staff > SMember Entra Setup.
• Enable the feature.
• Enter the Tenant ID, Client ID, Client Secret, and optional Client Secret Expiration Date.
• Set the Redirect URI (must match the Entra app registration).
• Optionally set an Allowed Domain (e.g., yourdomain.com) to restrict sign-ins.
• Save the settings.
4. Grant Permissions:
• In the Entra app registration, go to API permissions.
• Add delegated permissions for Microsoft Graph: openid, profile, email.
• Grant admin consent if required.
===Managing User Links===
• Go to Admin > Staff > SMember Entra Links.
• Search for staff members by SNUM, name, or linked Entra account.
• View details of linked accounts, including Entra user name, email, tenant ID, and link timestamps.
• To remove a link: Select the staff member, click Remove Link, and confirm.
===Monitoring and Logs===
• All login attempts (successful and failed) are logged in the system's audit trail.
• Check logs for issues like tenant mismatches, unmapped accounts, or expired secrets.
• If the client secret expires, update it in the admin setup and test sign-in.
===Security Considerations===
• Client secrets should be rotated regularly (e.g., annually).
• Use Entra's conditional access policies for additional security.
• Disable the feature in the admin setup if not needed.
• Ensure the web server has appropriate permissions if using certificate-based auth (not recommended for this setup).
===Troubleshooting===
• Users Can't Sign In: Verify Entra settings, tenant matching, and secret validity.
• Link Errors: Check for duplicate links or invalid Entra accounts.
• Logs Show Failures: Review error messages (e.g., "Tenant Mismatch" or "Unmapped Account") and adjust settings accordingly.
For further assistance, contact your system administrator or refer to Microsoft Entra documentation.

Web:Advanced Features

2026-04-23T18:24:13Z

Jspenceratty:

Web:Kemp's Microsoft Entry Logon

2026-04-23T18:23:50Z

Jspenceratty: Jspenceratty moved page Web:Kemp's Microsoft Entry Logon to Web:Kemp's Microsoft Entra Logon

#REDIRECT [[Web:Kemp's Microsoft Entra Logon]]

Web:Kemp's Microsoft Entra Logon

2026-04-23T18:23:50Z

Jspenceratty: Jspenceratty moved page Web:Kemp's Microsoft Entry Logon to Web:Kemp's Microsoft Entra Logon

=Kemp's Case Works Prime 16 Web Microsoft Entra Logon=

Web:Kemp's Microsoft Entra Logon

2026-04-23T18:23:27Z

Jspenceratty: Created page with "=Kemp's Case Works Prime 16 Web Microsoft Entra Logon="

=Kemp's Case Works Prime 16 Web Microsoft Entra Logon=

Web:Advanced Features

2026-04-23T18:17:02Z

Jspenceratty:

[[Web:Smart Duplication]]

[[Web:Master Case Use]]

[[Web:Special Programs]]

[[Web:Funding Code Analyzer]]

[[Web:Interview System]]

[[Web:Project Management]]

[[Web:Document Tracking/Management]]

[[Web:Finance]]

[[Web:Email]]

[[Calculated Fields]]

[[Automatic Backup of Deleted Records]]

[[Web:Online Application System]]

[[Texting Using Prime 16]]

[[Web Based Optional Programs]]

[[Web:Office 365 Calendar Sync]]

[[Web:Payroll Leave Use | Payroll Leave Use <5/4/2021>]]

[[Web:USPS Validate Address | USPS Validate Address <5/7/2021>, <6/1/2022>, <2/22/2024>]]

[[Web:Geocodio - Political Districts| Geocodio - Political Districts <5/21/2021>, <3/6/2024>]]

[[Web:Search All Addresses | Search All Addresses <6/1/2021>]]

[[Web:Email HTML | Email HTML Format <6/2/2021>]]

[[Web:Address Mapping | Address Mapping <6/3/2021>]]

[[Web:Comprehensive Reports | Comprehensive Reports <6/4/2021>]]

[[Web:All Fields Search | All Fields Search <6/16/2021> <updated 11/8/2021>]]

[[Web:Organization Email | Organization Email <10/27/2021>]]

[[Web:Default Document Folders | Default Document Folders <11/3/2021>]]

[[Web:Multi-Factor Authentication Expansion | Multi-Factor Authentication Expansion <3/7/2022>]]

[[Web:Google Authenticator Multi-Factor Authentication Expansion | Google Authenticator Multi-Factor Authentication Expansion <3/12/2022>]]

[[Web:Other Service Time Keeping | Other Service Time Keeping <3/24/2022>]]

[[Web:DocuSign | DocuSign <7/15/2022>]]

[[Web:Automated Difficult Person and Conflict Check of Applicant | Automated Difficult Person and Conflict Check of Applicant <3/21/2023>]]

[[Web:Password Change and Compliance Settings | Password Change and Compliance Settings <3/22/2023>]]

[[Web:LSC §1611 Extended Eligibility Documentation | LSC §1611 Extended Eligibility Documentation <1/4/2024>]]

[[Web:USPS API 3.0 | USPS Address Validator using API 3.0 <3/12/2025>]]

[[Web:Kemp's API | Kemp's API <4/6/2025>]]

[[Web:Kemp's Microsoft Entry Logon | Kemp's Microsoft Entry Logon <4/23/2026>]]

File:Accidental 6 hour nap.jpg

2025-12-01T22:42:47Z

Jspenceratty: File uploaded with MsUpload

File uploaded with MsUpload

User talk:Roylee.Brown

2025-10-14T19:49:07Z

Jspenceratty: Welcome!

'''Welcome to ''Prime 16 Online User's Manual''!'''
We hope you will contribute much and well.
You will probably want to read the [https://www.mediawiki.org/wiki/Special:MyLanguage/Help:Contents help pages].
Again, welcome and have fun! [[User:Jspenceratty|Jspenceratty]] ([[User talk:Jspenceratty|talk]]) 13:49, 14 October 2025 (MDT)

User talk:Ktunis

2025-08-21T13:20:36Z

Jspenceratty: Welcome!

2025-05-09T19:31:53Z

Jspenceratty:

Web:Kemp's API

2025-05-09T19:31:07Z

Jspenceratty: /* Administration */

Web:Kemp's API

2025-05-09T19:30:53Z

Jspenceratty: /* Kemp's API Administration */

== Kemp's API Setup ==

Note: The Kemp's API system allows access to your Kemp's Prime database using an API interface. You may set the nature of the user's access to your system.

=== Administration ===

To administer the Kemp's API System, go to Administration → Administration Menu and search for API. Choose Kemp's API Administration.

==== Kemp's API Administration ====<div class="mw-collapsible mw-collapsed">
===== API Settings Tab =====

At installation, the API Registration URL and Validation String should both have been entered for you. The "Days to Keep Log Entries" may have been entered as well. The only item you should change is the "Days to Keep Log Entries". This tells the system how long to keep log entries. Valid entries are between 1 and 365. If you wish to keep logs longer than that, you can always download the logs and save those files.

[[File:Screenshot 2025-05-09 at 1.17.06 PM.png|400px]]

===== Add New User Tab =====

Add a new user by entering the username and password and clicking "Add new user".

[[File:Screenshot 2025-05-09 at 2.12.18 PM.png|400px]]

===== Existing Users Tab =====

See a list of existing users. You can change the password for existing users by entering a new password and clicking "Update". You can delete a user by clicking "Delete". Please note that tokens assigned to users will continue to be honored until they expire (typically 2 hours).

[[File:Screenshot 2025-05-09 at 2.12.25 PM.png|400px]]

===== Assign Roles Tab =====

Choose a user in the dropdown to assign roles to the user. Users must have roles assigned to use version 1 of the Kemp's API System. Available Roles are shown on the left. Assigned Roles are shown on the right. To assign a role, select it by clicking on it, then click "Assign". The role will move from the left, Available Roles, to the right, Assigned Roles. To remove a role, select it by click on it, then click "Remove". The role will move from the right to the left. As with deleting a user, tokens assigned with particular roles will continue to be honored until they expire.

- Note: Generally, users should not be assigned the 'Admin' role. This role has carte blanche to the entire API system.

[[File:Screenshot 2025-05-09 at 2.12.31 PM.png|400px]]

===== Assign Tables/Permissions Tab =====

Version 2 of the Kemp's API System utilizes these permissions. You may choose (almost) any table in the system, and then set permissions for the user on that (those) tables.

[[File:Screenshot 2025-05-09 at 2.12.38 PM.png|400px]]

Choose a user in the dropdown to assign tables and permissions to the user. Available tables are shown on the left. Assigned tables are shown on the right. To assign a table, select it by clicking on it, then click "Assign". The table will move from the left, Available Tables, to the right, Assigned Tables. To remove a table, select it by click on it, then click "Remove". The table will move from the right to the left. As with deleting a user, tokens assigned with particular tables and permissions will continue to be honored until they expire.

Permissions must also be granted to every assigned table. To assign permissions, click on the table in the Assigned Tables box. Once selected, a list of permissions appears to the right. Choose the permissions you wish to grant this user and click "Save Changes". Generally, the following are rights granted by each permission:

# Can View Schema - can see the list of fields, descriptions, etc.
# Can Lookup - can use the primary key to lookup a specific entry.
# Can Insert - can add a new item to the table.
# Can Update - can modify an existing item in the table.
# Can Delete - can delete an item from the table.

===== Review Logs Tab =====

You can review or download the log entries using the "Download Logs" button.

[[File:Screenshot 2025-05-09 at 2.12.46 PM.png|400px]]

</div>

2025-05-09T19:11:41Z

Jspenceratty: File uploaded with MsUpload

File uploaded with MsUpload

Web:Kemp's API

2025-05-09T18:31:41Z

Jspenceratty: Created page with "== Kemp's API Setup == Note: The Kemp's API system allows access to your Kemp's Prime database using an API interface. You may set the nature of the user's access to your system. === Administration === To administer the Kemp's API System, go to Administration → Administration Menu and search for API. Choose Kemp's API Administration. ==== Kemp's API Administration ==== 1) API Settings Tab At installation, the API Registration URL and Validation String should bot..."

Web:Advanced Features

2025-05-09T18:01:20Z

Jspenceratty:

User talk:Lila.sol

2025-04-15T15:54:40Z

Jspenceratty: Welcome!

USPS API Address Checker

2025-03-24T16:12:59Z

Jspenceratty: Created page with "== USPS Setup == 1. Log In/Create USPS Business Account Use the USPS Customer Onboarding Portal (COP) (https://cop.usps.com/cop-navigator?wf=API&showCC=false), sign into your USPS Business Account, or create a new USPS Business Account. The COP will ensure that your USPS Business Account is configured for the USPS APIs. 2. Log In Log in to the USPS Developer Portal (https://developers.usps.com/saml_login) using your USPS Business Account credentials from Step 1. 3...."

== USPS Setup ==

1. Log In/Create USPS Business Account

Use the USPS Customer Onboarding Portal (COP) (https://cop.usps.com/cop-navigator?wf=API&showCC=false), sign into your USPS Business Account, or create a new USPS Business Account. The COP will ensure that your USPS Business Account is configured for the USPS APIs.

2. Log In

Log in to the USPS Developer Portal (https://developers.usps.com/saml_login) using your USPS Business Account credentials from Step 1.

3. Create an App

After logging into the Developer Portal, click the Apps button from the Menu Bar and complete the following steps to create an App:

A.Click "Add App"
B.Enter your App Name (required) (e.g., KempsPrime)
C.Enter your Callback URL (optional)
D.Check the box to accept Terms and Conditions and Privacy Policy (this may not appear)
E.Enter Description (optional)
F.Select API Product (required)
G.Click "Add App"

4. Retrieve your Consumer Key and Secret

Select your App and retrieve your Consumer Key and Consumer Secret from the Credentials section. These credentials are required for Prime Setup (below) and for generating the OAuth Token.

5. Authorize App to Access Protected Information Resources

Enter your Consumer Key here to authorize your App to access your payment accounts, permits, CRIDs, MIDs, and subscriptions, which will be required by several USPS APIs.

== Prime Setup ==

1. Access the "USPS Address Validator - Account Settings" page. This may commonly be found in Admin--> Custom Admin page.

2. Enter the USPS API Key and Secret provided above. If no information is entered in the Username and Password fields, you can enter a simple string, like "Prime16" to make sure those fields have an entry.

3. Use the "Test USPS API Settings" button to test your API Key and Secret, ensuring your system can communicate with and connect to the USPS API system. You should see a "Settings appear to work properly" message if everything worked.

4. You can also test using a case to ensure the settings are being used.

Advanced Features

2025-03-24T16:10:06Z

Jspenceratty:

[[Smart Duplication]]

[[Master Case Use]]

[[Special Programs]]

[[Funding Code Analyzer]]

[[Interview System]]

[[Project Management]]

[[Document Tracking/Management]]

[[Auto Archive to Document Tracking]] <Version 16.4.02 Update>

[[Finance]]

[[Email]]

[[Calculated Fields]]

[[Automatic Backup of Deleted Records]]

[[Online Application System]]

[[Texting Using Prime 16]]

[[Web Based Optional Programs]]

[[Office 365 Calendar Sync]]

[[Office 365 Email Staff Use | Office 365 Email Staff Use <12/9/2022> <5/13/2024>]]

[[USPS API Address Checker | USPS API Address Checker <3/24/2025>]]

Web:Advanced Features

2025-03-18T16:46:58Z

Jspenceratty: