Versions Compared

Version Old Version 1 New Version Current
Changes made by

Alex Xie

Duncan McIntyre

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Follow the these instructions to register OneList: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app.

Parameter

Value

Example

Name

OneList <Environment>

OneList

DEV

TST, OneList Prod

Supported account types

The “Accounts in this organizational directory only – single tenant” option is recommended

Redirect URI

https://

<OneList hostname>/rolemananger

xella-tst.onelistapprovals.com/rolemanager/signin-azure

https://

iqx

xella-tst.onelistapprovals.com/

rolemananger

rolemanager/signin-azure

Create client secret

...

Follow these instructions to configure the API permissions: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis#add-permissions-to-access-web-apis.

...

Microsoft API

Permission type

Permissions

Microsoft Graph

Delegated

Application permissions

  • openid

  • profile

  • Mail.

Read

  • ReadWrite (scroll down and expand the Mail section to select this permission)

  • User.Read (scroll down and expand the User section to select this permission)

Add the “onpremisessamaccountname” claim mapping

This step is only require when the on-premises AD user log in is used for enabling automatic user mapping for source systems, e.g. SAP with SNC. Please refer to https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping and https://devblogs.microsoft.com/premier-developer/adding-user-optional-and-mapped-claims-in-the-azure-ad-authentication-token/ for more detail.

...

Description

...

Instruction

...

Modified the App Registration Manifest JSON

...

"acceptMappedClaims": true,

...

Execute the Command Shell command to create the policy

...

New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema":[{"Source":"user","ID":"onpremisessamaccountname","JwtClaimType":"onpremisessamaccountname"}]}}') -DisplayName "ExtraClaimsSAMAccountName" -Type "ClaimsMappingPolicy"

...

Execute the Command Shell command to get the service principal for the registered OneList Application

...

Get-AzureADServicePrincipal -Filter "servicePrincipalNames/any(n: n eq <the OneList App Id>)"

...

Execute the Command Shell command to assigne the policy to the service principal

...

Add-AzureADServicePrincipalPolicy -Id <ObjectId of the ServicePrincipal> -RefObjectId <ObjectId of the Policy>

...