# Azure AD users

#### Contents
* [How does it work?](https://trustelem-doc.wallix.com/books/trustelem-administration/page/active-directory-synchronization#bkmrk-how-does-it-work%3F)  
* [Prerequisites](https://trustelem-doc.wallix.com/books/trustelem-administration/page/active-directory-synchronization#bkmrk-how-does-it-work%3F)  
* [Setup](https://trustelem-doc.wallix.com/books/trustelem-administration/page/active-directory-synchronization#bkmrk-how-does-it-work%3F)  

#### How does it work?
The goal is to use **Azure Active Directory** as an identity provider for Trustelem.  
It requires the creation of an "app" in Azure AD admin console for authorizing Trustelem to request Azure AD data using API.  
**For the synchronization**, Trustelem uses the Microsoft API to list the groups and their members.  
**For the authentication**, Trustelem sends an authentication request using Microsoft API and if it is validated, authenticates the user on Trustelem.

#### Prerequisites
No prerequisite, every steps of the setup are listed in the following chapter.  
**Note:** it is not possible to authenticate users with their AzureAD password if Azure delegates the authentication to an external Identity Provider such as Trustelem.

#### Setup

* Create a directory Azure Active Directory on Trustelem

  * Go on the tab **Directories**  
  *`https://admin-mydomain.trustelem.com/app#/directories`*
  * Click on **Create** and select **Azure Active Directory**.
<br/><br/>
* Define the target Azure subscription
  * In the field **Tenant ID** enter here the tenant ID of your Azure subscription, e.g. contoso.onmicrosoft.com
<br/><br/>
* Authorize Trustelem to connect to Azure
  * Connect to <https://portal.azure.com> with an admin account
  * Go to **Azure Active Directory** then **App registration**
  * Click on button **+Add**
    * Enter a name
    * Select **Accounts in this organizational directory only**
    * Select a platform **Web** in **Redirect URI** and enter the URL: https://mydomain.trustelem.com
  * Click on **Register**
  * In section **Expose an API**, add a permission and choose **Microsoft Graph**
    * Click on **Application permissions**
    * Select permission **Directory.Read.All - Read directory data** in section **Directory**
    * Click on button **Add permission** for applying the selected API.
  * Apply these permissions by clicking on **Grant admin consent for [Your Company]**
  * Go to **Overview**, copy the value given in Application (client) ID and paste it in the field **Client ID** on Trustelem
  * Go to **Certificates and secrets**, click on **New client secret**, give it a name and click on **Add**
  * Then copy the field **Value** and paste it in the field **Client Secret** on Trustelem
  * If needed, in section **Owner**, add an administrator for this app
<br/><br/>
* Use Azure passwords for authenticating users on Trustelem (optional)
  * On the Azure admin page of the app previously created, go to **Authentication**
  * In **Advanced Settings**, in the field **Allow public flows**, check **yes** for the option **Enable the following mobile and desktop flows**
 * On Trustelem, enter the Client ID value again in the field **Client ID** (needed for compatibility with older Azure versions)

**Notes:**

* If you have the application Office 365 in Trustelem, that means you have federated an Azure domain.
* For a federated domain, Azure AD disable user passwords.

* If the passwords are disabled, Trustelem can't get them using API and therefore, can't use Azure passwords for authenticating users on Trustelem.