Web:Kemp's Microsoft Entra Logon: Difference between revisions
Revision as of 18:38, 23 April 2026
Microsoft Entra Sign-In Feature
Overview
The Microsoft Entra Sign-In feature allows staff members to authenticate with their Microsoft Entra ID (formerly Azure Active Directory) accounts as an alternative to the traditional staff number and password login. It integrates with your organization's Entra tenant and provides single sign-on (SSO) for users who have linked their Entra accounts to their staff profiles. Because Entra performs the authentication, multi-factor authentication (MFA) and conditional access apply exactly as configured in the tenant, so your existing authentication policies carry over; the application records every successful and failed login attempt for security auditing.
Key Benefits
- Secure Authentication: Leverages Entra's built-in security, including MFA, conditional access, and password policies.
- Convenience: Users can sign in with their Entra credentials without remembering separate passwords.
- Audit Trail: All successful and failed login attempts are logged for monitoring.
- Admin Control: Administrators can configure settings, manage account links, and disable the feature if needed.
- Integration: Works alongside existing login methods, such as ConvergeOne LDAP if enabled.
User Guide
Prerequisites
- Your administrator must enable and configure the Entra sign-in feature.
- You must have a valid Entra account in the allowed tenant.
- Your staff account must be active and current.
Linking Your Entra Account
To use Entra sign-in, you must first link your Entra account to your staff profile:
- Log in to the application using your staff number and password.
- Navigate to Account > Manage Microsoft Link (or the equivalent link in your user menu).
- Click Link Microsoft Account.
- Sign in with your Microsoft Entra credentials when prompted.
- Upon successful linking, your Entra account will be associated with your staff number.
Signing In with Entra
Once linked:
- Go to the login page.
- If ConvergeOne authentication is enabled, complete that step first (e.g., enter your ConvergeOne username).
- Click Sign in with Microsoft.
- Sign in with your Entra credentials.
- You will be redirected to the application dashboard.
Unlinking Your Account
To stop using Entra sign-in:
- Log in normally.
- Go to Account > Manage Microsoft Link.
- Click Unlink Microsoft Account.
- Confirm the action. Your Entra account will no longer be linked.
Troubleshooting
- Link Fails: Ensure your Entra account is in the allowed tenant and not already linked to another staff account.
- Sign-In Fails: Verify your Entra credentials and that the feature is enabled. If issues persist, contact your administrator.
- Not Seeing the Button: If ConvergeOne authentication is enabled, the Microsoft sign-in option does not appear until you have completed that step.
Administrator Guide
Setup Requirements
- Access to your organization's Microsoft Entra admin center.
- Permissions to create app registrations in Entra.
- Database access to configure settings.
Configuring Entra Sign-In
- Create an App Registration:
  - Go to the Microsoft Entra admin center.
  - Navigate to Applications > App registrations > New registration.
  - Set the name (e.g., "Prime16 Staff Sign-In").
  - Choose supported account types (typically "Accounts in this organizational directory only"). With a single-tenant registration Entra itself refuses sign-ins from other tenants; with a multi-tenant type, the application's own tenant check is the only control.
  - Set the redirect URI to https://your-domain/Account/MicrosoftLinkCallback.aspx (replace with your actual domain). Entra compares this value character for character with the one sent at sign-in, so scheme, host, and path must match exactly.
- Obtain Credentials:
  - From the app registration, note the Application (client) ID and Directory (tenant) ID.
  - Go to Certificates & secrets and create a new client secret. Copy the Value (not the Secret ID) immediately, as it will not be shown again. Set an expiration (e.g., 12 months) and plan to rotate it before expiry.
- Configure in the Application:
  - Log in as an administrator.
  - Go to Admin > Staff > SMember Entra Setup.
  - Enable the feature.
  - Enter the Tenant ID, Client ID, Client Secret, and optionally the Client Secret Expiration Date (recording it lets you rotate the secret before sign-in breaks).
  - Set the Redirect URI (must match the Entra app registration exactly).
  - Optionally set an Allowed Domain (e.g., yourdomain.com) to restrict sign-ins to accounts in that domain.
  - Save the settings.
- Grant Permissions:
  - In the Entra app registration, go to API permissions.
  - Add the delegated permissions openid, profile, and email (listed under Microsoft Graph).
  - Grant admin consent if required, for example when your tenant does not allow users to consent to permissions themselves.
Managing User Links
- Go to Admin > Staff > SMember Entra Links.
- Search for staff members by SNUM, name, or linked Entra account.
- View details of linked accounts, including Entra user name, email, tenant ID, and link timestamps.
- To remove a link: Select the staff member, click Remove Link, and confirm.
Monitoring and Logs
- All login attempts (successful and failed) are logged in the system's audit trail.
- Check logs for issues like tenant mismatches, unmapped accounts, or expired secrets.
- If the client secret expires, the token exchange with Entra fails and every Entra sign-in is rejected until a new secret is created in the app registration and entered in the admin setup; test a sign-in after updating it.
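The checks behind these log messages, written out as an added example in Python; this is not the application's own code or part of Kemp's page. It builds the "Sign in with Microsoft" redirect with a state and nonce, then evaluates a decoded ID token against the setup fields (tenant, client ID, allowed domain, the link table, and the recorded secret expiry) and returns the outcome label the audit trail would record. The settings class and its field names, the shape of the link table, every failure label other than "Tenant Mismatch" and "Unmapped Account", and the GUIDs, domain and claims in the sample data are assumptions constructed for illustration. Verifying the token's RS256 signature against the tenant's published keys is left to the OIDC library and is not shown; the example starts after that step.

```python
import secrets
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Optional
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"

@dataclass
class EntraSettings:
    """Hypothetical mirror of the SMember Entra Setup fields (names assumed)."""
    enabled: bool
    tenant_id: str
    client_id: str
    redirect_uri: str
    client_secret_expires: Optional[date] = None
    allowed_domain: Optional[str] = None

def build_authorize_url(cfg):
    """Return (url, state, nonce) for the 'Sign in with Microsoft' redirect; keep state
    and nonce in the session: state is checked on the callback, nonce inside the token."""
    state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    params = {
        "client_id": cfg.client_id,
        "response_type": "code",
        "redirect_uri": cfg.redirect_uri,  # must equal the registered URI exactly
        "response_mode": "query",
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
    }
    return f"{AUTHORITY}/{cfg.tenant_id}/oauth2/v2.0/authorize?{urlencode(params)}", state, nonce

def validate_callback(cfg, claims, expected_nonce, links, now=None):
    """Decide a sign-in outcome from the ID token's decoded claims. `claims` is the
    payload AFTER the OIDC library verified the RS256 signature against the tenant's
    keys; `links` maps (tenant id, object id) -> staff number. Returns (outcome,
    detail); every outcome other than "ok" is the label written to the audit log."""
    now = now or datetime.now(timezone.utc)
    if not cfg.enabled:
        return "Feature Disabled", None
    if claims.get("tid") != cfg.tenant_id:
        return "Tenant Mismatch", claims.get("tid")
    if claims.get("iss") != f"{AUTHORITY}/{cfg.tenant_id}/v2.0":
        return "Issuer Mismatch", claims.get("iss")
    if claims.get("aud") != cfg.client_id:
        return "Audience Mismatch", claims.get("aud")
    exp = datetime.fromtimestamp(int(claims.get("exp", 0)), timezone.utc)
    if exp < now - timedelta(minutes=5):  # small clock-skew allowance
        return "Token Expired", claims.get("exp")
    if not expected_nonce or claims.get("nonce") != expected_nonce:
        return "Nonce Mismatch", None
    upn = (claims.get("preferred_username") or claims.get("email") or "").lower()
    if cfg.allowed_domain and not upn.endswith("@" + cfg.allowed_domain.lower()):
        return "Domain Not Allowed", upn
    snum = links.get((claims["tid"], claims.get("oid")))  # keyed on immutable oid, not email
    if snum is None:
        return "Unmapped Account", upn
    return "ok", snum

def link_account(links, tenant_id, oid, snum):
    """Create a link, refusing duplicates in either direction (the user guide's failure)."""
    key = (tenant_id, oid)
    if links.get(key, snum) != snum:
        raise ValueError("Entra account already linked to another staff account")
    if snum in links.values() and links.get(key) != snum:
        raise ValueError("Staff account already linked to a different Entra account")
    links[key] = snum

def secret_status(cfg, today=None, warn_days=30):
    """'ok', 'expiring', 'expired' or 'unknown'; `today` may be a date or ISO string."""
    today = date.fromisoformat(today) if isinstance(today, str) else (today or date.today())
    if cfg.client_secret_expires is None:
        return "unknown"
    if cfg.client_secret_expires < today:
        return "expired"
    if cfg.client_secret_expires - today <= timedelta(days=warn_days):
        return "expiring"
    return "ok"

# Constructed sample data: placeholder GUIDs and domain, not a real tenant or app.
TENANT = "3b1c0a2e-0000-4000-8000-00000000aaaa"
CLIENT = "9f8e7d6c-0000-4000-8000-00000000bbbb"
OID = "a1b2c3d4-0000-4000-8000-00000000cccc"
NOW = datetime(2026, 4, 23, 18, 38, tzinfo=timezone.utc)
SETTINGS = EntraSettings(True, TENANT, CLIENT, "https://staff.example.com/Account/MicrosoftLinkCallback.aspx",
                         client_secret_expires=date(2026, 10, 1), allowed_domain="example.com")
LINKS = {(TENANT, OID): "S12345"}

def sample_claims(**overrides):
    """Decoded v2.0 ID token payload in the shape Entra issues (constructed)."""
    claims = {"iss": f"{AUTHORITY}/{TENANT}/v2.0", "aud": CLIENT, "nonce": "n-1",
              "exp": int((NOW + timedelta(hours=1)).timestamp()),
              "tid": TENANT, "oid": OID, "preferred_username": "jane.doe@example.com"}
    claims.update(overrides)
    return claims
```

Two design choices in the example are worth carrying into a real implementation: the link table is keyed on the token's `tid` and `oid` (the tenant and the immutable object ID) rather than on the e-mail or user name, because Entra does not guarantee that the `email` claim is verified or stable, and the tenant check runs before the domain check, so an account from a foreign tenant that happens to use a matching address is logged as "Tenant Mismatch" rather than admitted. Calling `secret_status(SETTINGS, "2026-09-15")` with the sample data returns "expiring", which is the kind of check worth running on a schedule so the secret is rotated before sign-in fails.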
Security Considerations
- Client secrets should be rotated regularly (e.g., annually) and always before the expiration set in Entra. The secret is a bearer credential for the app registration, so keep it only in the protected admin settings and never in logs, tickets, or source control.
- Use Entra's conditional access policies for additional security.
- Disable the feature in the admin setup if not needed.
- If certificate-based credentials are used instead of a client secret, the web server's service account needs read access to the certificate's private key (not recommended for this setup).
Troubleshooting
- Users Can't Sign In: Verify Entra settings, tenant matching, and secret validity.
- Link Errors: Check for duplicate links or invalid Entra accounts.
- Logs Show Failures: Review error messages (e.g., "Tenant Mismatch" or "Unmapped Account") and adjust settings accordingly.
For further assistance, contact your system administrator or refer to Microsoft Entra documentation.