
Azure AD Setup

Accurids allows the use of Azure Active Directory (AAD) with the Authorization Code Flow for managing user access. By default, Accurids uses its built-in user management (see Platform Administration), unless AAD environment variables are set when starting the docker container (see below).

First, the new installation of Accurids has to be registered as an application in AAD. Then, the Accurids docker container is started with the tokens provided by AAD.

Register Accurids as Application in AAD

Open the Azure Portal and select "Azure Active Directory" from the sidebar. Then select "App Registrations" from the side menu. Click "New Registration" from the top menu. Give the application the name as it will appear within AAD. For "Supported Account Types" select "Single Tenant". Do NOT enter a Redirect URI. Next, click "Register".

Further App Registration Settings

Open "Authentication" in the side menu and click "Add a platform". Under Web applications, select the Single-page application tile. Under Redirect URIs, enter the URI at which your Accurids installation will be accessible to users and append /signin, resulting in e.g. https://accurids.mycompany.com/signin. Do NOT select either checkbox under Implicit grant and hybrid flows.

Open "API Permissions" and select "User.Read" under "Microsoft Graph". Then, click "Grant admin consent for ..." to grant the app consent to read the user profile from the active directory upon user login. This process requires admin rights for the whole active directory.

Add Manifest

Click "Manifest" in the side menu and modify the manifest file. Replace the key appRoles with the following:

"appRoles": [
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "contributor access",
        "displayName": "Contributor",
        "id": "xxx",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "CONTRIBUTOR"
    },
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "Normal user access",
        "displayName": "User",
        "id": "xxx",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "USER"
    },
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "Full admin access",
        "displayName": "Admin",
        "id": "xxx",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "ADMIN"
    }
],

Replace the key requiredResourceAccess with the following:

"requiredResourceAccess": [
    {
        "resourceAppId": "00000002-0000-0000-c000-000000000000",
        "resourceAccess": [
            {
                "id": "xxx",
                "type": "Scope"
            },
            {
                "id": "xxx",
                "type": "Scope"
            }
        ]
    },
    {
        "resourceAppId": "00000003-0000-0000-c000-000000000000",
        "resourceAccess": [
            {
                "id": "xxx",
                "type": "Scope"
            }
        ]
    }
],

Click Save to apply the changes.

Manage User Roles

To allow users access to the application, users or groups of users have to be added to the application registration and roles have to be assigned.

Go back to the global active directory settings (select "Active Directory" in the top sidebar). Next, select "Enterprise applications" from the side menu and click the newly registered Accurids application in the list. Under "Users and groups" you can add users or whole groups and assign them one of the three roles provided by Accurids: Admin, Contributor, User.

Start Accurids Container with AAD Environment Variables

The following environment variables have to be configured for the container named accurids in the docker file:

- "azuread.client-id=xxx"
- "azuread.tenant-id=xxx"
- "azure.activedirectory.client-id=xxx"

Example values are shown. The IDs have to be replaced by the values from your AAD Portal. Both azuread.client-id and azuread.tenant-id are taken from "Overview" under "App Registration". The variable azure.activedirectory.client-id has to be set to the same value as azuread.client-id.
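Before saving the manifest and starting the container, it helps to catch the two mistakes the steps above invite: a placeholder "xxx" left in an appRole id (every role needs its own unique GUID) and a mismatch between the two client-id variables. The following checker is an added example, not part of the Accurids documentation or product; the manifest fragment and environment entries it embeds are constructed samples copied from the structure shown on this page, and the checks it applies (GUID-shaped ids, unique ids, the three role values, identical client-id values) are this example's own assumptions about a correct setup.

```python
import json
import uuid

# Constructed sample: the page's appRoles block, still carrying its "xxx" placeholder ids.
MANIFEST_FRAGMENT = """{"appRoles": [
  {"allowedMemberTypes": ["User"], "displayName": "Contributor", "id": "xxx",
   "isEnabled": true, "origin": "Application", "value": "CONTRIBUTOR"},
  {"allowedMemberTypes": ["User"], "displayName": "User", "id": "xxx",
   "isEnabled": true, "origin": "Application", "value": "USER"},
  {"allowedMemberTypes": ["User"], "displayName": "Admin", "id": "xxx",
   "isEnabled": true, "origin": "Application", "value": "ADMIN"}
]}"""
# Constructed sample of the three container variables, exactly as listed on the page.
ENV_LINES = ["azuread.client-id=xxx", "azuread.tenant-id=xxx", "azure.activedirectory.client-id=xxx"]
EXPECTED_ROLES = {"CONTRIBUTOR", "USER", "ADMIN"}

def is_guid(value):
    # Only a canonical hyphenated GUID counts; "xxx", "" and None all fail.
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False

def check_app_roles(manifest_json):
    """Return the problems found in the appRoles block; an empty list means it is ready to save."""
    roles = json.loads(manifest_json)["appRoles"]
    problems, seen = [], set()
    for role in roles:
        name = role.get("value")
        if role.get("allowedMemberTypes") != ["User"] or role.get("isEnabled") is not True:
            problems.append(f"{name}: must be enabled and allow exactly ['User'] members")
        if not is_guid(role.get("id")):
            problems.append(f"{name}: id is not a GUID (placeholder left in?)")
        elif role["id"] in seen:
            problems.append(f"{name}: id reused; every appRole needs its own GUID")
        seen.add(role.get("id"))
    missing = EXPECTED_ROLES - {r.get("value") for r in roles}
    if missing:
        problems.append("missing roles: " + ", ".join(sorted(missing)))
    return problems

def check_env(env_lines):
    """Check the container variables: all three are GUIDs and both client-id values are identical."""
    env = dict(line.split("=", 1) for line in env_lines)
    keys = ("azuread.client-id", "azuread.tenant-id", "azure.activedirectory.client-id")
    problems = [f"{k}: missing or not a GUID" for k in keys if not is_guid(env.get(k, ""))]
    if env.get("azure.activedirectory.client-id") != env.get("azuread.client-id"):
        problems.append("azure.activedirectory.client-id must equal azuread.client-id")
    return problems
```

Run check_app_roles on the manifest text pasted from the portal and check_env on the environment entries of the accurids container; both return an empty list once every placeholder has been replaced consistently.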