Web:Kemp's Microsoft Entra Logon: Difference between revisions
Jspenceratty (talk | contribs): created page with "=Kemp's Case Works Prime 16 Web Microsoft Entra Logon="
(15 intermediate revisions by the same user not shown)
=Microsoft Entra Sign-In Feature=
==Overview==
The Microsoft Entra Sign-In feature allows staff members to authenticate using their Microsoft Entra ID (formerly Azure Active Directory) accounts, providing an alternative to the traditional username/password login. It integrates with your organization's Entra tenant, enabling single sign-on (SSO) for users who have linked their Entra accounts to their staff profiles. Multi-factor authentication (MFA) applies as configured in Entra, every login attempt is logged for security auditing, and your existing Entra authentication policies continue to apply.
==Key Benefits==
* Secure Authentication: Leverages Entra's built-in security, including MFA, conditional access, and password policies.
* Convenience: Users sign in with their Entra credentials without remembering a separate password.
* Audit Trail: All successful and failed login attempts are logged for monitoring.
* Admin Control: Administrators can configure settings, manage account links, and disable the feature if needed.
* Integration: Works alongside existing login methods, such as ConvergeOne LDAP if enabled.
==User Guide==
===Prerequisites===
* Your administrator must enable and configure the Entra sign-in feature.
* You must have a valid Entra account in the allowed tenant.
* Your staff account must be active and current.
===Linking Your Entra Account===
To use Entra sign-in, you must first link your Entra account to your staff profile:
# Log in to the application using your staff number and password.
# Navigate to Account > Manage Microsoft Link (or the equivalent link in your user menu).
# Click Link Microsoft Account.
# Sign in with your Microsoft Entra credentials when prompted.
# Upon successful linking, your Entra account is associated with your staff number.
===Signing In with Entra===
Once linked:
# Go to the login page.
# If ConvergeOne authentication is enabled, complete that step first (e.g., enter your ConvergeOne username).
# Click Sign in with Microsoft.
# Sign in with your Entra credentials.
# You will be redirected to the application dashboard.
===Unlinking Your Account===
To stop using Entra sign-in:
# Log in normally.
# Go to Account > Manage Microsoft Link.
# Click Unlink Microsoft Account.
# Confirm the action. Your Entra account will no longer be linked.
===Troubleshooting===
* Link Fails: Ensure your Entra account is in the allowed tenant and is not already linked to another staff account.
* Sign-In Fails: Verify your Entra credentials and that the feature is enabled. If issues persist, contact your administrator.
* Not Seeing the Button: If ConvergeOne authentication is enabled, the Microsoft sign-in option appears only after you complete that step.
==Administrator Guide==
===Setup Requirements===
* Access to your organization's Microsoft Entra admin center.
* Permissions to create app registrations in Entra.
* Database access to configure settings.
===Configuring Entra Sign-In===
# Create an App Registration:
#* Go to the Microsoft Entra admin center.
#* Navigate to Applications > App registrations > New registration.
#* Set the name (e.g., "Prime16 Staff Sign-In").
#* Choose supported account types (typically "Accounts in this organizational directory only").
#* Set the redirect URI to: <nowiki>https://your-domain/Account/MicrosoftLinkCallback.aspx</nowiki> (replace with your actual domain). You may need more than one redirect URI for Prime 16, for example one for your normal site and one for the new kemps.app site. Contact us for assistance with these.
# Obtain Credentials:
#* From the app registration, note the Application (client) ID and Directory (tenant) ID.
#* Go to Certificates & secrets and create a new client secret. Copy the Value (not the ID) immediately, as it will not be shown again. Set an expiration (e.g., 12 months) and plan to rotate it before expiry.
# Configure in the Application:
#* Log in as an administrator.
#* Go to Admin > Staff - SMember Entra Setup.
#* Enable the feature.
#* Enter the Tenant ID, Client ID, Client Secret, and optional Client Secret Expiration Date.
#* Set the Redirect URI (it must match the Entra app registration exactly).
#* Optionally set an Allowed Domain (e.g., yourdomain.com) to restrict sign-ins to accounts in that domain.
#* Save the settings.
# Grant Permissions:
#* In the Entra app registration, go to API permissions.
#* Add delegated permissions for Microsoft Graph: openid, profile, email.
#* Grant admin consent.
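The settings above (tenant ID, client ID, redirect URI, allowed domain, secret expiration) and the link table together decide whether a sign-in is accepted. The following is an added illustration of that decision logic in Python; it is not Prime 16's own code. It assumes the ID token has already been signature-verified by the OIDC library, that links are keyed on the token's `oid` claim (an assumption, the page only says the link stores user name, email and tenant ID), and it reuses the page's own failure names "Tenant Mismatch" and "Unmapped Account" while the other reason strings are constructed for the example.

```python
"""Illustrative accept/reject logic for an Entra (OIDC) staff sign-in.

Added example, not the product's code. Token signature verification is assumed
to have happened before these checks; this models only the policy checks the
documentation describes (tenant match, allowed domain, link lookup, secret
expiry) and the duplicate-link rule for account linking.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class EntraSettings:
    enabled: bool
    tenant_id: str            # Directory (tenant) ID from the app registration
    client_id: str            # Application (client) ID
    redirect_uri: str         # must match the app registration exactly
    allowed_domain: Optional[str] = None
    secret_expires: Optional[date] = None   # optional Client Secret Expiration Date


@dataclass
class LinkTable:
    # Hypothetical store: Entra object id (oid claim) -> staff number (SNUM)
    by_oid: dict = field(default_factory=dict)


def secret_status(settings, today, warn_days=30):
    """'ok', 'expiring' (within warn_days), 'expired', or 'unknown' if no date is set."""
    if settings.secret_expires is None:
        return "unknown"
    if today > settings.secret_expires:
        return "expired"
    if today + timedelta(days=warn_days) >= settings.secret_expires:
        return "expiring"
    return "ok"


def email_domain(claims):
    """Domain part of the email (falling back to preferred_username), lower-cased."""
    addr = claims.get("email") or claims.get("preferred_username") or ""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def evaluate_sign_in(claims, settings, links, today):
    """Return (outcome, staff number); staff number is None on any failure."""
    if not settings.enabled:
        return ("Feature Disabled", None)
    if secret_status(settings, today) == "expired":
        return ("Expired Secret", None)      # token exchange would have failed; logged for triage
    if claims.get("aud") != settings.client_id:
        return ("Audience Mismatch", None)   # token issued for a different app registration
    if claims.get("tid") != settings.tenant_id:
        return ("Tenant Mismatch", None)     # account is outside the configured tenant
    if settings.allowed_domain and email_domain(claims) != settings.allowed_domain.lower():
        return ("Domain Not Allowed", None)
    snum = links.by_oid.get(claims.get("oid"))
    if snum is None:
        return ("Unmapped Account", None)    # user has not linked this Entra account yet
    return ("Success", snum)


def link_account(claims, settings, links, snum):
    """Associate an Entra account with a staff number, refusing duplicates either way."""
    if claims.get("tid") != settings.tenant_id:
        return "Tenant Mismatch"
    oid = claims.get("oid")
    if oid in links.by_oid and links.by_oid[oid] != snum:
        return "Already Linked"              # this Entra account belongs to another staff member
    for existing_oid, existing_snum in links.by_oid.items():
        if existing_snum == snum and existing_oid != oid:
            return "Staff Already Linked"    # this staff number already has a different account
    links.by_oid[oid] = snum
    return "Linked"


if __name__ == "__main__":
    # Constructed sample values, not real tenant or client identifiers.
    cfg = EntraSettings(True, "tenant-A", "client-1",
                        "https://example.test/Account/MicrosoftLinkCallback.aspx",
                        allowed_domain="example.test", secret_expires=date(2026, 12, 31))
    table = LinkTable()
    alice = {"aud": "client-1", "tid": "tenant-A", "oid": "oid-1", "email": "alice@example.test"}
    print(link_account(alice, cfg, table, "S1001"))
    print(evaluate_sign_in(alice, cfg, table, date(2026, 4, 23)))
```

The order of checks matters for what the audit trail records: a foreign-tenant token is rejected as "Tenant Mismatch" before the link table is consulted, so an "Unmapped Account" entry always refers to an account that is already inside the allowed tenant and domain.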
===Managing User Links===
* Go to Admin > Staff - SMember Entra Links.
* Search for staff members by SNUM, name, or linked Entra account.
* View details of linked accounts, including Entra user name, email, tenant ID, and link timestamps.
* To remove a link: Select the staff member, click Remove Link, and confirm.
===Monitoring and Logs===
* All login attempts (successful and failed) are logged in the system's audit trail.
* Check logs for issues like tenant mismatches, unmapped accounts, or expired secrets.
* If the client secret expires, update it in the admin setup and test sign-in.
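Reviewing the audit trail for the three failure classes named above is easier when it is summarised rather than read line by line. The script below is an added example, not a Prime 16 tool; the page does not define the product's log format, so the line layout in `SAMPLE_LOG` and the regular expression that parses it are constructed assumptions that would need adapting to the real audit trail. It counts failures by reason and turns the patterns the page mentions into follow-up actions: an "Expired Secret" failure means the secret must be rotated, a "Tenant Mismatch" reports which tenant the rejected token came from, and an "Unmapped Account" lists the user who still needs to link.

```python
"""Triage of Entra sign-in audit-log lines.

Added example. The log format below is constructed for this example; the real
audit trail will differ, so LINE_RE is an assumption to adapt, not a spec.
"""
import re
from collections import Counter

# Constructed sample audit lines (not real users or tenants).
SAMPLE_LOG = """\
2026-04-23 08:01:12 ENTRA LOGIN SUCCESS snum=S1001 upn=alice@example.test tid=tenant-A
2026-04-23 08:03:40 ENTRA LOGIN FAILURE reason="Tenant Mismatch" upn=eve@other.example tid=tenant-B
2026-04-23 08:05:02 ENTRA LOGIN FAILURE reason="Unmapped Account" upn=bob@example.test tid=tenant-A
2026-04-23 08:05:55 ENTRA LINK FAILURE reason="Already Linked" snum=S1002 upn=bob@example.test tid=tenant-A
2026-04-23 09:10:00 ENTRA LOGIN FAILURE reason="Expired Secret" upn=carol@example.test tid=tenant-A
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ENTRA (?P<op>LOGIN|LINK) '
    r'(?P<result>SUCCESS|FAILURE)(?: reason="(?P<reason>[^"]*)")?(?P<kv>(?: \w+=\S+)*)$'
)


def parse_line(line):
    """Parse one audit line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "op": m["op"], "result": m["result"], "reason": m["reason"]}
    rec.update(dict(re.findall(r'(\w+)=(\S+)', m["kv"])))   # snum=, upn=, tid= fields
    return rec


def triage(lines, expected_tenant):
    """Summarise failures by reason and derive the admin actions the page describes."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    failures = [r for r in records if r["result"] == "FAILURE"]
    by_reason = Counter(r["reason"] for r in failures)
    actions = []
    if by_reason["Expired Secret"]:
        actions.append("ROTATE_SECRET")      # update the secret in the admin setup, then test sign-in
    for tid in sorted({r["tid"] for r in failures
                       if r["reason"] == "Tenant Mismatch" and "tid" in r}):
        if tid == expected_tenant:
            actions.append("CHECK_TENANT_SETTING")   # rejected tenant is the one we expect: config typo
        else:
            actions.append(f"REVIEW_TENANT:{tid}")   # token from a tenant we do not serve
    for upn in sorted({r["upn"] for r in failures
                       if r["reason"] == "Unmapped Account" and "upn" in r}):
        actions.append(f"LINK_NEEDED:{upn}")         # user must link via Account > Manage Microsoft Link
    return {
        "total": len(records),
        "success": sum(r["result"] == "SUCCESS" for r in records),
        "failures_by_reason": dict(by_reason),
        "actions": actions,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines(), "tenant-A")
    for reason, n in sorted(report["failures_by_reason"].items()):
        print(f"{n:3d}  {reason}")
    print("actions:", *report["actions"], sep="\n  ")
```

A "Tenant Mismatch" whose `tid` equals the tenant you configured is worth a separate action because it points at the application's Tenant ID setting rather than at the user: the token came from the right directory, so the stored value (or the app registration it belongs to) is the thing to re-check.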
===Security Considerations===
* Rotate client secrets regularly (e.g., annually) and before the expiration date you set when creating them.
* Use Entra's conditional access policies for additional security.
* Disable the feature in the admin setup if it is not needed.
* Ensure the web server has appropriate permissions if using certificate-based auth (not recommended for this setup).
===Troubleshooting===
* Users Can't Sign In: Verify the Entra settings, that the tenant IDs match, and that the client secret is still valid.
* Link Errors: Check for duplicate links or invalid Entra accounts.
* Logs Show Failures: Review the error messages (e.g., "Tenant Mismatch" or "Unmapped Account") and adjust the settings accordingly.
For further assistance, contact your system administrator or refer to the Microsoft Entra documentation.
Latest revision as of 18:42, 23 April 2026