Knowledge: Setting up OAuth Authentication from Office365 / AzureAD to Sysero
    Title: Setting up OAuth Authentication from Office365 / AzureAD to Sysero
    Manual: Administration
    Manual Level Two: Integrations
    Manual Level Three: OAuth
    Created: 07/12/2018
    Detail

    Important! This article covers setting up user authentication to Sysero via Office365. Access to the AzureAD/Office365 API (Microsoft Graph) and Key Vaults is covered in a separate article.

    Pre-requisite: you will need to be an administrator of your Office365/Azure environment, or you will need to pass these details on to an administrator.

    Office365 (Azure Active Directory) Settings

    1. Go to Azure Portal > Azure Active Directory.
    2. Click on App Registrations.
    3. Click on New Application Registration.
    4. Enter a name, e.g. Sysero (User Delegated).
    5. Leave Supported Account Types as Single Tenant.
    6. Set the Redirect URL (type Web) to http://www.example.com/login2.aspx (the whole URL is case sensitive).
    7. Copy the Application (client) ID.
    8. Under the App Registration's Authentication settings, ID Token must be checked.
    9. In API Permissions check that the following is set:
      1. Microsoft Graph, User.Read, User Delegated permission. Leave this in place and Grant Admin Consent.

    Sysero

    The following describes how to set this up for system users of Sysero; see the Multi tenant Office365/AzureAD section below for external client access to client portals.

    1. Go to the Sysero > Admin > System page.
    2. Go to OAuth Settings.
    3. Set OAuth Mode Office365. This can be one of two modes:
      1. Enabled Hidden : Allows &OAuth=Office365 on query strings but does not show a button on the logon page.
      2. Enabled Visible : A button appears on the logon page.
    4. Take the Application (client) ID from the App Registration and put it in OAuth ClientID Office365 (User Delegated).
    5. OAuth DirectoryID Office365 and OAuth Secret Office365 (User Delegated) are covered in another article and are not required for authentication.
    6. Save the settings.
    7. Go to user accounts (Admin > Users), edit the ones you want enabled for Office365 and tick the Office365 box.

    Log out and go to the login page. You should find a Microsoft icon; click on it and follow the instructions.
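    As an added illustration of what the Azure and Sysero steps above configure (this is example code, not Sysero's own implementation), the following Python builds the OpenID Connect authorize request used for an ID-token sign-in and checks the claims of the returned ID token against the Application (client) ID, the nonce and the expiry. The endpoint, response mode, scope and claim names follow Azure AD's v2.0 endpoint and are assumed rather than taken from this article; the client ID, redirect URI and token are constructed placeholders; and signature verification against the tenant's published signing keys is required before any claim is trusted but is not shown.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Constructed placeholder values (not a real app registration).
CLIENT_ID = "00000000-0000-0000-0000-000000000000"   # Application (client) ID
REDIRECT_URI = "http://www.example.com/login2.aspx"   # must match the registration, case sensitive
TENANT = "common"                                     # or the directory (tenant) ID for single tenant


def build_authorize_url(tenant, client_id, redirect_uri, nonce, state):
    """Build the authorize request for an OpenID Connect sign-in that returns an ID token.

    Assumed to follow the Azure AD v2.0 endpoint. The redirect_uri is sent exactly as
    configured because Azure AD compares it case sensitively with the registered URL.
    """
    params = {
        "client_id": client_id,
        "response_type": "id_token",   # corresponds to "ID Token" being checked under Authentication
        "redirect_uri": redirect_uri,
        "response_mode": "form_post",
        "scope": "openid profile email",
        "nonce": nonce,                # echoed back inside the ID token; ties the token to this request
        "state": state,                # echoed back with the response; ties the response to the session
    }
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?" + urlencode(params)


def _b64url_decode(segment):
    """Decode an unpadded base64url segment as used in JWTs."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token):
    """Return the claims (payload) of a compact JWT. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def validate_id_token_claims(token, client_id, expected_nonce, now=None):
    """Check the claims a relying party must verify before accepting the sign-in.

    Signature verification against the tenant's JWKS must happen before this step
    and is omitted here. Returns (ok, claims) on success or (False, reason) on failure.
    """
    now = time.time() if now is None else now
    claims = decode_jwt_claims(token)
    if claims.get("aud") != client_id:
        return False, "aud does not match the Application (client) ID"
    iss = claims.get("iss", "")
    if not (iss.startswith("https://login.microsoftonline.com/") and iss.endswith("/v2.0")):
        return False, "unexpected issuer"
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch: token was not issued for this request"
    if now >= claims.get("exp", 0):
        return False, "token expired"
    if now < claims.get("nbf", 0):
        return False, "token not yet valid"
    return True, claims


def signin_email(claims):
    """Address used for account matching (assumed: the email claim, else preferred_username)."""
    return claims.get("email") or claims.get("preferred_username")


def make_constructed_id_token(claims):
    """Build a sample token for demonstration only; the signature segment is a dummy."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.constructed-signature"


if __name__ == "__main__":
    nonce, state = "nonce-123", "state-456"
    print(build_authorize_url(TENANT, CLIENT_ID, REDIRECT_URI, nonce, state))
    # Constructed claims: placeholder tenant ID in the issuer, times chosen to be valid at `now`.
    token = make_constructed_id_token({
        "aud": CLIENT_ID,
        "iss": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
        "nonce": nonce, "nbf": 1_600_000_000, "exp": 1_600_003_600,
        "email": "alice@example.com",
    })
    ok, result = validate_id_token_claims(token, CLIENT_ID, nonce, now=1_600_001_000)
    print(ok, signin_email(result) if ok else result)
```

    The audience check is what ties the token to the Application (client) ID entered in OAuth ClientID Office365, and the nonce check is why the token only counts for the sign-in that requested it; a token that passes these checks but whose signature has not been verified proves nothing, which is why the server needs a route to Microsoft's endpoints.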

    Multi tenant Office365/AzureAD

    This is required when an external client needs access to a client/site portal using their Office365/AzureAD account. Follow these steps to set it up:

    1. In Sysero > Admin > Client/Site go to User & Site Logon.
    2. Set OAuth ClientID Office365 to the Application (client) ID.
    3. Sysero selects this OAuth tenant via either:
      1. OAuth Logon AuthSite QueryString Match being set to something unique like ClientA, and AuthSite=ClientA being added to the login2.aspx query string.
      2. Setting up a different domain alias for the client, e.g. if the main site was sysero.example.com you could have clienta.example.com as a secondary DNS alias. On the Settings page of the Client/Site, set Domain Alias to clienta.example.com; the site will then automatically know which OAuth tenant to use.
    You have three additional option settings:
    1. Login Options : Which methods of logon can be used for this site/client.
    2. Valid Days for Auth Cookie when using OAuth : Recommend setting 1. For example, if set to 14 and the account is disabled in Office365, it will still work for 14 more days.
    3. Auto Enable Office365 OAuth from simple user management : If anyone is added via the Simple User Management interface in Sysero, tick this box to enable Office365 for them on creation.

    Account Auto Creation and Validation

    Both system level OAuth and site/client level OAuth have an option to auto create accounts, or to validate that the domain is still acceptable for this method of logon.

    Settings are found either in Sysero > Admin > Client/Site > User & Site Logon, or in Sysero > Admin > System > OAuth Settings.

    The options for adding an entry are:

    • Provider : Should be Office365 for this article.
    • Match Value : Should be in the format @example.com, matching the e-mail domain of users returned from the OAuth token.
    • Role : The role the user should be set to on creation.
    • Mode : Whether this entry creates the user, or just validates. For validation, if no match is found the logon will be rejected (but only if there are entries in this table; otherwise all are allowed).
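    The rule table above can be read as a small decision function. The following Python is an added example (not Sysero's code) of how a Provider / Match Value / Role / Mode table would be evaluated for the e-mail address returned in the OAuth token, including the "empty table allows everyone" case. The rule and decision classes, the mode names "create" and "validate", and the exact precedence between rules are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AutoCreateRule:
    provider: str       # e.g. "Office365"
    match_value: str    # e.g. "@example.com"; compared against the end of the e-mail address
    role: str           # role given to a user created by this rule
    mode: str           # assumed names: "create" or "validate"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    create_with_role: Optional[str]   # set when a new account should be created
    reason: str


def email_matches(email, match_value):
    """Case-insensitive suffix match.

    Keeping the leading '@' in the match value is what makes it a domain match:
    '@example.com' does not match 'user@notexample.com', whereas 'example.com' would.
    """
    return email.strip().lower().endswith(match_value.strip().lower())


def evaluate_logon(email, provider, rules, account_exists):
    """Decide whether an OAuth sign-in for `email` may proceed and whether to create an account.

    - Empty table: everything is allowed (the article's "otherwise all are allowed").
    - Matching "create" rule and no account yet: allow and create with the rule's role.
    - Matching rule otherwise ("validate" mode, or the account already exists): allow, create nothing.
    - No rule matches the provider and e-mail domain: reject.
    Whether a validated user actually has an account is handled elsewhere and not modelled here.
    """
    if not rules:
        return Decision(True, None, "no rules configured: all domains allowed")
    for rule in rules:
        if rule.provider != provider or not email_matches(email, rule.match_value):
            continue
        if rule.mode == "create" and not account_exists:
            return Decision(True, rule.role, f"matched {rule.match_value}: create account as {rule.role}")
        return Decision(True, None, f"matched {rule.match_value}: domain validated")
    return Decision(False, None, "no rule matched the provider and e-mail domain: logon rejected")


if __name__ == "__main__":
    # Constructed rule table and sample addresses; the domains are placeholders.
    rules = [
        AutoCreateRule("Office365", "@example.com", "Standard User", "create"),
        AutoCreateRule("Office365", "@partner.example", "Portal User", "validate"),
    ]
    for addr, exists in [("Alice@Example.com", False), ("bob@partner.example", True),
                         ("eve@notexample.com", False)]:
        print(addr, evaluate_logon(addr, "Office365", rules, account_exists=exists))
    print("empty table:", evaluate_logon("anyone@anywhere.example", "Office365", [], False))
```

    The practical point is the one the Mode bullet makes: as soon as a single validation row exists, every domain not listed is refused, so a site that adds one client's domain has also locked out everyone else's, and a row whose Match Value omits the "@" matches more than its author intended.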

    Troubleshooting

    • Please note that when already logged in it may say it cannot find the ApplicationID.
    • The Sysero server must have internet access to the Microsoft Office365 OAuth servers, because it talks to them directly to validate the token.