Azure AD
  • 21 Jul 2023

The Azure AD identity source allows you to register an application with Azure Active Directory as a means to authenticate against Liquit Workspace. This way you leverage your Azure Active Directory as the single point of entry. See SSO with Azure Active Directory for how to register an app in your Azure Portal.

Overview screen

Here you can configure a few basic options for the identity source.

Name - The name of the identity source. In the case of Active Directory, we recommend you use the same value as the NetBIOS name of the Active Directory.
Type - The type of identity source.
Hidden - When an identity source is hidden, it will not appear on the login screen.

Note that the Name and Type cannot be changed once the identity source is created.

Settings screen

You must create an Azure app registration before you can configure the settings for your Azure AD identity source. Below you find a list of the settings configurable for the Azure AD identity source.

Application section
Application ID - The Application ID corresponding to your Azure AD app registration.
Client secret - The Azure AD app registration secret.
Use application ID as resource - When selected, the application ID will be used to request access to the Azure directory. Otherwise, the default Azure Active Directory Graph ID will be used.
Use redirect URI - The site to which the authorization server directs the user when the app has been successfully approved and an authorization code or access token has been issued. The redirection URL needs to be encoded to work properly.

OAuth 2 url section
Fetch OAuth 2 url - If you click this button, the system will prefill the authorization, token and logout URI based on an Azure AD tenant ID.
Authorization URI - The authorization URI provided by the Azure AD app registration. For example: https://login.microsoftonline.com/[Tenant ID]/oauth2/authorize
Token URI - The token URI provided by the Azure AD app registration. For example: https://login.microsoftonline.com/[Tenant ID]/oauth2/token
Logout URI - The logout URI provided by the Azure AD app registration. For example: https://login.microsoftonline.com/[Tenant ID]/oauth2/logout?post_logout_redirect_uri=< redirection URL >
Domain hint - You can provide Azure AD login page with a hint to which domain you want to authenticate. If the user has multiple active Azure AD sessions, and one session is matching the domain hint, then Azure AD will use that account and will not ask the user to select an account anymore. For example: liquit.com

Synchronization section
Photos - Select whether photos need to be synchronized. This option requires setting additional permissions in Azure AD. See SSO with Azure Active Directory for more information.
Use delta synchronization - When selected, delta synchronization of the Azure AD will be enabled. This causes an initial full synchronization to be performed, after which only changes are incrementally synchronized per Liquit Workspace server. This reduces the time it takes to fetch all users and groups from Azure AD after the initial synchronization is completed.
Include groups that are not security enabled - Enable support for groups that are not security enabled within Azure AD, such as Microsoft 365 groups. This feature requires the Access Manager license.
Modifications - What kind of modifications are allowed for Azure AD. Additional permissions are needed for modifying group membership. See SSO with Azure Active Directory for more information.

Authentication screen

Here you can configure the methods available to authenticate.

Token exchange - Allow the token exchange to be used by third party integrators. For more information, see How to setup your exchange token.
Federated - Allow authentication via federation (for example, AD FS).
Form Authentication - Allow the user to log in via the Liquit Workspace login page (http/https).
Basic Authentication - Allow basic authentication.

Contacts screen

Enable contacts - If enabled, contacts from this identity source will be used.
Require Email - If enabled, all objects without an email address will be hidden.
Group - Only show members of a certain group.

Show attributes

Choose which attributes to be synchronized to Liquit Workspace.

Authenticator screen

Assign an authenticator to the identity source.

Authenticator - You can select one of the existing authenticators defined in Liquit Workspace.
Prefix - Insert a string to add before the username to form the base distinguished name (DN).
Suffix - Insert a string to add after the username to form the base distinguished name (DN).
