Overview
When this guide is completed, app roles from your Azure AD application will be mapped to Haystack roles when new users sign in.
Prerequisites
In order to follow this guide you need to have SSO provided by Azure successfully configured.
Create new user
In order to follow the steps in this guide, your organization needs a member user that was created (not invited) in the organization. This user will be used to make changes to roles. If you don't have one, this is how to create it (after finishing the guide you can delete this user):
Go to the Azure portal (log in with Global Admin privileges for your organization): Microsoft Azure
Select the Users icon
Select the New user button (not New guest user)
Enter the data for the user you are creating (remember the username and the password, you will need them to log in in step two of the guide). The selected role has to be Global administrator. After entering the data, click the Create button.
Create admin role for application
Copy the application id
Go to the Azure portal (we are still signed in with the same user, not the newly created one): Microsoft Azure
In the left pane, select Azure Active Directory icon
Select Enterprise applications
In the list of applications select the application where you configured SSO with Haystack
On the left side select the Properties button and copy the Object ID of the application:
The copied Object ID will be used in the next chapter
Create admin role
Go to Microsoft Graph Explorer: Graph Explorer - Microsoft Graph
Select the Sign in to Graph Explorer button on the left side of the page; it will open a new tab where you should sign in with the account created in the first part of the guide.
When signed in, click the three dots next to your account name and click the Select permissions option:
Click on the Directory option from the Permissions list and check Directory.AccessAsUser.All, Directory.Read.All and Directory.ReadWrite.All, then click Consent (this will sign you in again):
Change the version to beta and fetch the application's service principal using the following address (objectID is the Object ID of the application that we copied in the previous chapter):
https://graph.microsoft.com/beta/servicePrincipals/<objectID>
If you are using multiple directories, use this pattern (add the domain of the user that we created, placed before servicePrincipals): https://graph.microsoft.com/beta/ogiorg.onmicrosoft.com/servicePrincipals/<objectID>
Find “appRoles” in the API response; you can see two default roles, User and msiam_access:
Take the “appRoles” data from the response and copy it to the Request body, modifying it so it looks similar to the example below. The Admin role should be added after the msiam_access application role. The API address stays the same but the method is changed from
GET to PATCH. To generate the GUID value for the ID of the new role you can use this application (check Hyphens): https://www.guidgenerator.com/
The following JSON is an example of the appRoles object. Create a similar object to add the Admin role to your application:
{
  "appRoles": [
    {
      "allowedMemberTypes": [ "User" ],
      "description": "User",
      "displayName": "User",
      "id": "18d14569-c3bd-439b-9a66-3a2aee01d14f",
      "isEnabled": true,
      "origin": "Application",
      "value": null
    },
    {
      "allowedMemberTypes": [ "User" ],
      "description": "msiam_access",
      "displayName": "msiam_access",
      "id": "b9632174-c057-4f7e-951b-be3adc52bfe6",
      "isEnabled": true,
      "origin": "Application",
      "value": null
    },
    {
      "allowedMemberTypes": [ "User" ],
      "description": "Administrators Only",
      "displayName": "Admin",
      "id": "5c48908d-bdee-4bf4-b005-48a39b9bce75",
      "isEnabled": true,
      "origin": "ServicePrincipal",
      "value": "Administrator"
    }
  ]
}
In the end it should look similar to this. When everything is entered, click Run query. If the API call is successful the response should be status code 204 No Content. After that, if you run a GET call with the same address, the “appRoles” data should contain the new Admin role.
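As an added example (not part of the original guide), the same PATCH built in Python instead of Graph Explorer: build_app_roles_patch appends the Admin role to the roles returned by the GET while carrying the default roles over, and patch_service_principal sends the request. The existing role list is constructed from the guide's sample response; the bearer token and Object ID are assumed to be supplied by the caller.

```python
import json
import uuid
import urllib.request

# Constructed sample input: the two default roles the GET response shows in the guide.
EXISTING_APP_ROLES = [
    {"allowedMemberTypes": ["User"], "description": "User", "displayName": "User",
     "id": "18d14569-c3bd-439b-9a66-3a2aee01d14f", "isEnabled": True,
     "origin": "Application", "value": None},
    {"allowedMemberTypes": ["User"], "description": "msiam_access",
     "displayName": "msiam_access", "id": "b9632174-c057-4f7e-951b-be3adc52bfe6",
     "isEnabled": True, "origin": "Application", "value": None},
]


def build_app_roles_patch(existing_roles, display_name, value, description):
    """Build the PATCH body that appends one role to the existing appRoles.

    PATCH replaces the whole collection, so every existing role is carried over;
    leaving one out would silently remove it (and its assignments) from the app.
    """
    for role in existing_roles:
        if role["displayName"] == display_name or role.get("value") == value:
            raise ValueError(f"a role named {display_name!r}/{value!r} already exists")
    new_role = {
        "allowedMemberTypes": ["User"], "description": description,
        "displayName": display_name, "id": str(uuid.uuid4()),  # fresh hyphenated GUID
        "isEnabled": True, "origin": "ServicePrincipal", "value": value,
    }
    return {"appRoles": [dict(r) for r in existing_roles] + [new_role]}


def patch_service_principal(object_id, body, token, tenant_domain=None):
    """PATCH the service principal on Graph beta; returns the HTTP status (204 on success).

    token is a bearer token carrying Directory.ReadWrite.All (assumed to be obtained by
    the caller); tenant_domain matches the multi-directory URL form used in the guide.
    """
    base = "https://graph.microsoft.com/beta/" + (tenant_domain + "/" if tenant_domain else "")
    req = urllib.request.Request(
        base + "servicePrincipals/" + object_id, method="PATCH",
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status
```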
Add the user with the new role to the application
Go to Azure portal: Microsoft Azure
In the left pane, select Azure Active Directory icon
Select Enterprise applications
In the list of applications select the application where you configured SSO with Haystack
Select Users and Groups tab and then select Add user/group button
Click the None Selected button shown in the picture below
Select the user from your organization that you want to add (select a random invited user in your organization, not the user that we created earlier in this guide) and click the Select button
Click the None Selected button shown in the picture below
On the right side there should be options for selecting the role. After selecting the role, click the Select button in the bottom right corner and then click Assign in the bottom left corner.
Select the Single sign-on option on the left side of the page and afterwards click on the Edit button in the Attributes & Claims section
Click on the Add new claim button
Enter the data as in the picture below (leave the Namespace field empty) and click Save:
Congrats! After completing these steps, users who sign up on Haystack via SSO will get the roles from the Azure AD application.