Azure Active Directory integration

The Azure Active Directory integration enables you to automatically import users and administer user access in Pronestor through Azure Active Directory.


Requirements

To complete this guide you need:

  • Administration rights to your Azure Active Directory, for preparing your Active Directory.
  • To know which users need which access in Pronestor (it can be changed later, but all imported users will get access as part of this guide).
  • The users in Active Directory need to have:
    • First name
    • Last name
    • Initial
    • Email
  • Administration rights in your Pronestor.

 

Service account

  • Go to https://apps.dev.microsoft.com
  • Log in as administrator for the Azure Active Directory
  • Create a new app
  • Copy the "Application ID" [needed for later configuration]
  • Click "Generate New Password" and copy the password [needed for later configuration]
  • Click "Add Platform" and choose "Web"
  • Enable "Allow Implicit Flow"
  • Enter redirect URLs:
    • https://yoursite.pronestor.com
      (where yoursite is your Pronestor site)
    • https://yoursite.pronestor.com/Admin/UserImport.mvc/GrantPermissions
      (ignore Logout URL)
  • Add the following permissions:
    • Delegated permissions: "User.Read"
    • Application permissions: "Directory.Read.All", "Group.Read.All", "User.Read.All"
  • Click "Save"
  • Go to https://portal.azure.com
  • Click "Azure AD" and then "Properties"
  • Copy the "Directory ID" [needed for later configuration]

 

Now the permissions need to be granted so that your Pronestor solution can reference the app you created (for further elaboration, see section 3 in https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service).

Construct a URL to open, following this format.

{0} - should be the "Directory ID" retrieved from above
{1} - should be the "Application ID" retrieved from above
{2} - should be the redirect URL - ex. https://yoursite.pronestor.com/Admin/UserImport.mvc/GrantPermissions

  • Open that link to confirm.

Note: It is important that you are currently logged in as a Pronestor administrator and that it is an Azure AD administrator who logs in through the link.
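
An added example, not part of the original guide: building the consent link from the three values above. The URL template itself does not appear on this page, so the code assumes the admin consent endpoint described in the Microsoft documentation linked above; the function name, the `registered` parameter and the GUIDs are constructed for illustration.

```python
import re
from urllib.parse import urlencode, urlsplit

# Assumption: Microsoft's documented v2 admin consent endpoint. The guide's own
# URL template is not shown on the page, so this format is not taken from it.
ADMIN_CONSENT = "https://login.microsoftonline.com/{tenant}/adminconsent"
GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def build_admin_consent_url(directory_id, application_id, redirect_url,
                            registered=None, state=None):
    """Build the link an Azure AD administrator opens to grant the app's permissions."""
    for label, value in (("Directory ID", directory_id),
                         ("Application ID", application_id)):
        if not GUID.fullmatch(value):
            raise ValueError(f"{label} is not a GUID: {value!r}")
    parts = urlsplit(redirect_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("redirect URL must be an absolute https URL")
    # The redirect URL must be one of those entered on the app registration,
    # so check it before sending anyone the link.
    if registered is not None and redirect_url not in registered:
        raise ValueError(f"redirect URL is not registered on the app: {redirect_url}")
    params = {"client_id": application_id, "redirect_uri": redirect_url}
    if state is not None:
        params["state"] = state  # optional value echoed back on the redirect
    # urlencode percent-encodes ':' and '/' inside the redirect URL
    return ADMIN_CONSENT.format(tenant=directory_id) + "?" + urlencode(params)


if __name__ == "__main__":
    # Constructed sample values, not real identifiers
    site = "https://yoursite.pronestor.com"
    print(build_admin_consent_url(
        "11111111-2222-3333-4444-555555555555",
        "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
        site + "/Admin/UserImport.mvc/GrantPermissions",
        registered={site, site + "/Admin/UserImport.mvc/GrantPermissions"},
    ))
```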

 

Setting up Active Directory

Groups

Every access that can be given in Pronestor Planner can also be linked to Active Directory groups. 

It is possible to use whichever Organizational Unit and Active Directory group structure you prefer. This guide describes best practice for setting up your Active Directory. You can add additional departments and VIP groups as needed. There is a simplified setup for those who have one location, and a setup for those with multiple locations. 

Both setups require you to create an Organizational Unit (referred to in this guide as PronestorOU) in your Active Directory. Please note down the path of your PronestorOU for later reference.

The next step is to create a group per role in Pronestor. The groups should be placed in the PronestorOU. A role represents a permission in Pronestor. Create a group for each of the following roles:

  • Secretary
  • Facility manager
  • Catering manager
  • Booker 
  • Departments
  • Secretary departments
  • VIP groups.

Groups in Active Directory can be either user or security groups.

The naming of each group is not fixed - we do however recommend a naming convention that makes it easy to read and understand the groups maintained in Active Directory.

 

One location only - if Pronestor is configured to manage resources on one location only:

Create in Active Directory the following groups within the PronestorOU: 

  • Local_secretary
  • Local_facility_manager
  • Local_catering_manager
  • Local_booker
  • Department_A
  • Department_A_secretary
  • Department_B
  • Department_B_secretary
  • VIP_A
  • VIP_B

Important: Every user has to have the group Local_booker to be imported.

The department groups and VIP groups can be given in the combination you prefer, or not at all.

Once your users have been connected to the new groups, your Active Directory is ready to be imported.

 

Multiple locations - if Pronestor is configured to manage resources at multiple locations:

Create in Active Directory a set of groups for each role per location and groups for departments and VIP groups as needed.

Example: If Pronestor is configured with resources on three locations - London, Stockholm, and Copenhagen - then the following groups must be created within the PronestorOU:

  • Administrator
  • Global_secretary
  • Global_facility_manager
  • Global_catering_manager
  • Global_booker
  • London_secretary
  • London_facility_manager
  • London_catering_manager
  • London_booker
  • Stockholm_secretary
  • Stockholm_facility_manager
  • Stockholm_catering_manager
  • Stockholm_booker
  • Copenhagen_secretary
  • Copenhagen_facility_manager
  • Copenhagen_catering_manager
  • Copenhagen_booker
  • Department_A
  • Department_A_secretary
  • Department_B
  • Department_B_secretary
  • VIP_A
  • VIP_B
Important: Every user has to have one local booker group, and only one.

If a user needs more than one location, give them one of the local groups and the global group, for example London_booker and Global_booker.

If you have three or more locations and a user needs access to two of them, you have to give the user access to all locations. Pronestor cannot handle a user who is given both London_booker and Stockholm_booker, nor a user who doesn't have a local booker group.

The department groups and VIP groups can be given in the combination you prefer, or not at all.

Once your users have been connected to the new groups, your Active Directory is ready to be imported. 
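
The booker rules above can be checked before the first import. This is an added example, not part of the original guide or of Pronestor's tooling; it assumes the guide's example naming convention (`<Location>_booker`, `Global_booker`), and the user names and memberships are constructed. Passing `["Local"]` as the only location covers the single-location setup as well.

```python
def check_booker_groups(memberships, locations, global_group="Global_booker"):
    """Return {user: problem} for users who break the local booker rule."""
    local = {f"{loc}_booker" for loc in locations}
    problems = {}
    for user, groups in memberships.items():
        held = sorted(local.intersection(groups))
        if len(held) == 1:
            continue  # exactly one local booker group: importable
        if not held:
            hint = f" ({global_group} alone is not enough)" if global_group in groups else ""
            problems[user] = "no local booker group" + hint
        else:
            problems[user] = (f"{len(held)} local booker groups ({', '.join(held)}): "
                              f"keep one and add {global_group}")
    return problems


# Constructed sample data using the guide's example group names
LOCATIONS = ["London", "Stockholm", "Copenhagen"]
MEMBERSHIPS = {
    "alice": ["London_booker", "Department_A"],
    "bob": ["Stockholm_booker", "Global_booker", "VIP_A"],
    "carol": ["London_booker", "Stockholm_booker"],
    "dave": ["Global_booker", "Administrator"],
    "erin": ["Department_B", "Department_B_secretary"],
}

if __name__ == "__main__":
    for user, problem in check_booker_groups(MEMBERSHIPS, LOCATIONS).items():
        print(f"{user}: {problem}")
    # Single-location setup: the only local group is Local_booker
    print(check_booker_groups({"frank": ["Local_secretary"]}, ["Local"]))
```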

 

Configuration of Azure Active Directory import tool

Active Directory import in Pronestor

  • Open the "administration module"
  • Click "New import job"

A new window opens for you to fill out. In this example I named it Active Directory. Remember to choose Azure Active Directory as the type. If Azure Active Directory isn't available as a type, please contact Helpdesk@pronestor.com for assistance.

Here you will need the information you saved while creating the app in Azure Active Directory. 

  • Pick "Azure Active Directory" as the "DataSourceType"
  • Pick a time for the daily import
  • Enter the "Azure Directory ID"
  • Enter the "Application ID"
  • Enter the "Client Secret", which is the app's password.
  • Enter a "Default User Password" - This is the password new users in Pronestor are created with. It can be changed later.
  • "Default User Language" - choose the default language for new users
  • "Login format" - pick "WindowsLogin"
  • "Strip domain" - leave unselected
  • Click "Save"

 

First import

This can take some time, depending on the size of your Active Directory.

  • Open your import from before by clicking "Edit"

  • Click the tab called "Sessions"
  • Click "Perform import"

This can take a long time, so just leave it to do its thing.

Note: The users won't enter Pronestor until after the groups are linked as shown in the next chapter.

 

Group linking

After the first import of your Active Directory, you need to link the Active Directory groups to Pronestor rights. This is handled inside Pronestor Planner's administration module.

  • Click "Settings"
  • Click "Import users"
  • Find your import job
  • Click "Edit"

  • Click "Linking"

Here you can see all the accesses within Pronestor Planner and you can connect them to a group. Please note that these pictures are from a demo solution with just one location and no departments or VIP groups, so yours might have a lot more accesses in here.

  • Click "Load AD structure"

Please link your Active Directory groups to the accesses you want them to give, by clicking the drop-down menu. I have highlighted it for the global administrator in this picture.

Please note: The users won't appear in Pronestor until another import has been made (while the groups are linked).

Your Azure integration is complete.
