Skip to main content

Azure Active Directory integration

Pronestor supports Azure Active Directory integration, so you can import your users directly from Azure Active Directory instead of creating them inside Pronestor. This allows your IT administrators to maintain Pronestor users through Azure Active Directory groups, simplifying their jobs.

 

You can have several user imports in Pronestor. You can have multiple types of user imports. The only limitation is, if you have an Exchange integration all your users have to be from the same Exchange environment.

 

Table of contents

 

Requirements

To fulfill this guide you need:

  • Administration rights to your Azure Active Directory for preparing your Active Directory.
  • Know which users need which access in Pronestor (though it can be changed later, all imported users will get accesses as part of this guide). This guide will tell you what the different access roles in Pronestor does Pronestor Roles
  • An account in your Active Directory with read rights to the entire Active Directory. You can limit what is imported within the import tool.
  • The users in Active Directory needs to have:
    • First name
    • Last name
    • Initial  
    • Email
    • Mobile phone (only if you use SMS notifications with Visitor)
  • Administration rights in your Pronestor.

 

Service account

Microsoft has changed the layout of Azure. We have attached a new guide on how to create the service account to this guide. It is called azure ad user import guide English. It sets the service account up differently than before.

Please go to the bottom of the guide to download a Word document explaining how to create the azure account

Important!!  After completing the guide, make sure to write down the following 3 values which are needed to finalize the setup within Pronestor. These 3 values are necessary for the Pronestor team to finalize the integration.

Directory ID

Application ID

Client secret. 

 

Setting up Active Directory

Groups

Every access that can be given in Pronestor can also be linked to Active Directory groups.

It is possible to use whichever Organizational Unit and Active Directory group structure you prefer. This guide describes best practice for setting up your Active Directory. You can add additional departments and VIP groups as needed. There is a simplified setup for those who have one location, and a setup for those with multiple locations.

 

Both setups require you to create an Organizational Unit (referred to here in the guide as PronestorOU) in your Active Directory. Please note down the path of your PronestorOU for later reference.

 

The next step is to create a group per role in Pronestor. The groups should be placed in the PronestorOU. A role represents a permission in Pronestor for each of the following roles:

  • Secretary
  • Facility manager
  • Catering manager
  • Booker 
  • Departments
  • Secretary departments
  • VIP groups.

Groups in Active Directory can be either user or security groups.

The naming of each group is not fixed – we do however recommend a naming convention that makes it easy to read and understand the groups maintained in Active Directory.

 

One location only – if Pronestor is configured to manage resources on one location only:

Create in Active Directory the following groups within the PronestorOU:

  • Local_secretary
  • Local_facility_manager
  • Local_catering_manager
  • Local_booker
  • Department_A
  • Department_A_secretary
  • Department_B
  • Department_B_secretary
  • VIP_A
  • VIP_B

Your users will need more than one Active Directory group to get the necessary rights. A user is only created when they have a local booker group. The other groups add additional connections to the user. For example, a normal user might need Local_booker, Department_A and VIP_B.

Every user needs a department, since departments grant Billing account and meeting type, which are required to complete a booking.

If you book on behalf of shared calendars, please remember to import them as if they were a regular user.

Once your users have been connected to the new groups, your Active directory is ready to be imported.

 

Multiple locations – if Pronestor is configured to manage resource at multiple locations:

Create in Active Directory a set of groups for each role per location and groups for departments and VIP groups as needed.

Ex. If Pronestor is configured with resources on three locations – London, Stockholm, and Copenhagen – then the following groups must be created within the PronestorOU:

  • Administrator
  • Global_secretary
  • Global_facility_manager
  • Global_catering_manger
  • Global_booker
  • London_secretary
  • London_facility_manager
  • London_catering_manager
  • London_booker
  • Stockholm_secretary
  • Stockholm_facility_manager
  • Stockholm_catering_manager
  • Stockholm_booker
  • Copenhagen_secretary
  • Copenhagen_facility_manager
  • Copenhagen_catering_manager
  • Copenhagen_booker
  • Department_A
  • Department_A_secretary
  • Department_B
  • Department_B_secretary
  • VIP_A
  • VIP_B

Your users will need more than one Active Directory group to get the necessary rights. A user is only created when they have a local booker group. The other groups add additional connections to the user. For example, a user from Copenhagen might need Copenhagen_booker, Department_A and VIP_B. This user will only be allowed to book meetings on the Copenhagen location.

 

Another user needs to book on both Copenhagen and Stockholm. This user could get Stockholm_booker, Global_Booker and Department_A. This user can now book on every location. It is not possible for a user to get Stockholm_booker and Copenhagen_booker. If they need to book on more than one location, they need the Global_Booker group. . 

 

If you have a user with Global_booker, department_B and VIP_A the user won't be created. This is because the user doesn't have a local booker group, such as Copenhagen_booker, Stockholm_booker and London_booker.

 

If you have auser who needs to be catering manager on location London, then they need to have London_booker, London_catering_manager and Department_A.

 

If you give the user Copenhagen_booker, Global_booker, London_catering_manager and Department_A the user won't get the catering manager access. This is because the users "Home" location is Copenhagen, and you can't get a local right on a location that isn't your home location. If you want the user to have Catering manager access on London, then give them London_booker, Global_booker, London_catering_manager and Department_A instead.

 

If you book on behalf of shared calendars, please remember to import them as if they were a regular user.

Once your users have been connected to the new groups, your Active directory is ready to be imported. 

 

 

Configuration of Azure Active Directory import tool

Active Directory import in Pronestor

  • Open “administration”
  • Click “Settings”
  • Click “Import users”
  • Click “New import job”

mceclip0.png

You get the new window you can fill out. In this example I named it Active Directory. Remember to choose Azure Active Directory as the type.

mceclip1.png

Here you will need the information you saved while creating the app in Azure Active Directory.

  • Pick “Azure Active Directory” as the “DataSourceType”
  • Enter the “Azure Directory ID”
  • Enter the “Application ID”
  • Enter the “Client Secret” which is the App's Password.
    • The client secret is referring to the value which you can find under the applications “Certificates & Secrets” Remember – Client secret values cannot be viewed, except for immediately after creation.
  • Leave “Group filter prefix” blank. It can be used to limit the groups Pronestor searches for to optimize performance.
  • Toggle whether to import disabled accounts. Useful if you use shared calendars.
  • “Default location” – choose the default location for new users
  • “Default User Language” – choose the default language for new users
  • “Default company” – choose the default company for new users
  • “Strip domain” – whether to include the domain in the users' login.
  • Click “Save”

 

 

Group linking

You need to link the Active Directory groups to Pronestor rights. This is handled inside Pronestors administration module.

  • Click “Settings”
  • Click “Import users”
  • Find your import job
  • Click “Edit”

mceclip2.png

  • Click “Linking”

Here you can see all the accesses within Pronestor and you can connect them to a group. Please note that these pictures are from a demo solution with just one location and no departments nor VIP groups, so yours might have a lot more accesses in here.

  • Click “Load AD structure”

Please link your Active Directory groups to the accesses you want them to give, by clicking the drop-down menu.

mceclip4.png

Please note:  The users won't appear in Pronestor until the second import has been made (while the groups are linked)

Setup automatic scheduling

The import works, but you want it to run nightly to ensure it stays up to date

  • Click "Settings"
  • Click "Import users"
  • Find your import job
  • Click "Edit"

mceclip2.png

  • Click "General"
  • Click the grey box in front of "Enable automatic scheduling"

mceclip0.png

  • Pick a time and click "Save"

mceclip1.png

If you are in a danish timezone, DON'T choose 2:00 as the scheduled time. The scheduled time follows UTC time, and 2:00 UTC time is the time your site restarts during Danish summer-time.

Your Azure integration is complete.

 

 

Comments

1 comment

Date Votes
  • Louise

    in version 8.3.4 there is an issue with reloading the ad structure. It can only be done in the old admin ui and not in the new admin ui. Jira has been reported

    0

Please sign in to leave a comment.

Powered by Zendesk