Work in Progress Q1 2022: Azure Active Directory Connector v2 development
- Add support for new "Microsoft Graph" to replace the deprecated "MS Azure AD GRAPH API Endpoint"
- Add support for MFA via "Microsoft Graph".
As a note, these instructions are set up with a basic Azure Active Directory configuration. In addition to these steps there may be additional policies, etc. that you will need to create or modify to allow access.
Create a new application in AzureAD
You will need to create a new app registration within Azure and gather the information needed for the connector. Additionally you will need one user group per farmerswife permission profile, along with the group name and object ID of each of those groups. Best practice is to create the app, add the API permissions and, as the final step, add a new client secret key to the app.
Info Needed
- Application ID
- Client Secret Value
- Endpoint - OAuth 2.0 token endpoint (v1)
- Directory (tenant) ID
- Group Name(s)
- Group Object ID(s)
Additionally, once the app is created you will need to add the appropriate API permissions.
1. Create a new application under App registrations.
2. Make a note of the Application (Client) ID and Directory (tenant) ID, as well as the OAuth 2.0 token endpoint (v1) under Endpoints:
3. Add the appropriate API permissions onto the application. As a note, more permissive permissions may be needed depending on your organization's configuration. From the left-hand side select API permissions, then at the bottom of the list you will find Azure Active Directory Graph. We need to add 4 permissions each under Delegated and Application respectively. Once added, grant admin consent for all of the permissions.
Permissions to add:
| Application | Delegated |
| --- | --- |
| Application.Read.All | Group.Read.All |
| Directory.Read.All | User.Read |
| Domain.ReadWrite.All | User.Read.All |
| Policy.Read.All | User.ReadBasic.All |
Correctly Configured Permissions:
4. Create a new Client Secret Key and make a note of the Client Secret Value - you will only be able to access this value on creation, so be sure to copy it out.
5. Within Active Directory - access (or create) any relevant groups for farmerswife users (one per permission profile) and make a note of the Object ID and Group Name:
Configure the farmerswife Server application
With all of the information from the Azure AD application you can configure the connection on the farmerswife server. On the fw Server Application head to Setup > Users > Microsoft Azure Active Directory Connector.
Then input all of your information:
- App client Id: Application ID from AzureAD
- App Secret Key: Client Secret Value from Azure AD
- Oauth 2.0 token Endpoint: OAuth 2.0 token Endpoint (v1) from AzureAD
- MS Azure AD GRAPH API Endpoint: https://graph.windows.net/{Directory_ID} - this is created by adding the Directory (tenant) ID onto the end of https://graph.windows.net
User Groups are added by hitting the green plus. The top two fields are the Group Name and Object ID from Azure AD. The bottom portion is what type of user the members of that group should be added as. As a note, a best practice is to create an AD SSO type category to make troubleshooting easier between users.
Once configured, use the Test Now button to test the connector; it should return a success message, otherwise consult the returned error log.
Then use the Sync Now button to trigger a sync of all users in the added groups.
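The checks Test Now performs can also be reproduced outside farmerswife, which is useful when the connector only returns a generic error. The script below is an added example, not farmerswife's code: it requests a token from the OAuth 2.0 (v1) token endpoint with the client-credentials grant, checks that the token's audience is graph.windows.net and that the application permissions appear in the `roles` claim (they only do once admin consent has been granted), then reads each configured group's members. It assumes the standard v1 endpoint path, Azure AD Graph api-version 1.6, and Directory.Read.All as the minimum permission to check; all tenant, app, secret and group values are placeholders.

```python
import base64, json, urllib.error, urllib.parse, urllib.request

AAD_GRAPH = "https://graph.windows.net"  # resource the Azure AD Graph tokens are issued for

def build_token_request(client_id: str, client_secret: str) -> dict:
    """Form fields for the client-credentials grant at the OAuth 2.0 (v1) token endpoint.
    The v1 endpoint takes a 'resource' parameter rather than a v2 'scope'."""
    return {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "resource": AAD_GRAPH}

def group_members_url(tenant_id: str, group_object_id: str) -> str:
    """Azure AD Graph URL for a group's members (api-version 1.6 is an assumption)."""
    return f"{AAD_GRAPH}/{tenant_id}/groups/{group_object_id}/members?api-version=1.6"

def token_claims(access_token: str) -> dict:
    """Decode the JWT payload. No signature check: we only inspect a token we just received."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def missing_app_permissions(claims: dict, required: set) -> set:
    """Application permissions show up in 'roles' only once admin consent has been granted."""
    return set(required) - set(claims.get("roles", []))

def check_connector_config(tenant_id, client_id, client_secret, group_object_ids):
    """Acquire a token as the connector would and read each configured group; return problems."""
    problems = []
    token_url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"   # v1 endpoint
    body = urllib.parse.urlencode(build_token_request(client_id, client_secret)).encode()
    with urllib.request.urlopen(urllib.request.Request(token_url, data=body)) as resp:
        token = json.load(resp)["access_token"]
    claims = token_claims(token)
    if str(claims.get("aud", "")).rstrip("/") != AAD_GRAPH:
        problems.append(f"token audience {claims.get('aud')!r} is not {AAD_GRAPH}")
    for perm in sorted(missing_app_permissions(claims, {"Directory.Read.All"})):
        problems.append(f"application permission {perm} missing: admin consent not granted?")
    for gid in group_object_ids:
        req = urllib.request.Request(group_members_url(tenant_id, gid),
                                     headers={"Authorization": f"Bearer {token}"})
        try:
            with urllib.request.urlopen(req) as resp:
                json.load(resp)                    # members list; a 403 here is a permission gap
        except urllib.error.HTTPError as err:
            problems.append(f"group {gid}: HTTP {err.code} from Azure AD Graph")
    return problems

if __name__ == "__main__":   # placeholder values, not real identifiers
    print(check_connector_config("<tenant-id>", "<application-id>", "<client-secret>",
                                 ["<group-object-id>"]))
```

An empty list means the app registration, consent and group IDs line up with what the connector needs; each entry otherwise names the step above to revisit.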
On the created user, note that: the username is their AD username including the domain (this can be disabled so that only the username is used, if desired); the Microsoft Active Directory Connector is set to Enabled: Authenticate, Sync Profile and Possible Properties; and the permission profile / license type match what was set in the User Group setup.
You should now be able to log in to farmerswife with the synced user(s).
Once syncing between Azure AD and farmerswife is active, you can manage sync intervals as well as add or modify User Groups directly from the Desktop Client without touching the server setup.