How to set up Microsoft Azure as an IDP

Together with Google Workspace, crystal also supports Microsoft Azure as an Identity Provider, allowing users to log in to their projects and import their contacts, including groups.

There are a few steps to complete before connecting Azure and enabling it in crystal: let’s see in detail what we need to do.

Step 1 - Add an app registration on the Microsoft Azure Portal

  • First, you need to log in to Microsoft Azure.

  • Then search for App registrations in the upper search bar.

  • Now click on + New registration.

  • You will now need to fill in the App registration form through the following steps:

  1. choose a name for registering the crystal app on Azure (for example, you might use;

  2. select the correct account types that you want to support. If you choose Accounts in this organizational directory only, only the accounts registered in the current Azure AD will be able to log in to crystal;

  3. provide a redirect URI for OAuth2 (you can configure it later, but the structure should be: https://{your-crystal-tenant-name}

Step 2 - Create a client secret for the App

After following the Step 1 instructions, you will be able to see your new App registration among the App registrations. You will now need to create a client secret, by following these steps:

  • On the left menu, click on Certificates & secrets.

  • On the Client secrets tab, click on + New client secret, then choose a meaningful name and an expiration time that suits your needs.

Remember that when the secret expires, you will have to reconfigure crystal, so we recommend choosing a Custom duration and keeping it long enough not to be affected by expirations.

  • Copy the secret value and keep it somewhere safe: you will need it later, when you configure crystal in Step 4 (it’s the Secret Code in the IDP form).

Step 3 - Give the proper API permissions to the App

  • On the left menu, click on API permissions. You should see the User.Read permission already configured. Click on +Add a permission.

  • Now click on the Microsoft Graph banner.

  • Click on Application permissions and search for Group, then tick the Group.Read.All permission.

  • If you’re not the directory administrator, you should see an orange warning icon in the Status column (instead of a green circle). In this case, ask your admin to consent to the newly added permissions. If, instead, you’re the admin, you can grant them by clicking on Grant admin consent for.

Step 4 - Configure the Microsoft Azure IDP in the crystal Self-Service Console

  • Log in to the crystal Self-Service Console and go to the Users tab. Click on the Identity Provider label, then click on Add new IDP.

  • Select Azure Active Directory.

  • Now you need to fill in the form with the App registration credentials you configured in the previous steps of this guide.

Here is where you can find the credentials you need:

  1. You will find the Client ID and Tenant ID by clicking on Overview from the left menu of your crystal app registration on the Azure portal.

  2. You can find the Redirect URI by clicking on Authentication from the left menu of your crystal app registration on the Azure portal. It must be the same URI you configured in Step 1, and its structure must be https://{your-crystal-tenant-name}

  3. The Secret Code can be found by clicking on Certificates & secrets from the left menu of your crystal app registration on the Azure portal. Mind that, if you didn’t save it before, you will have to create a new one.

  • Once the form is filled with the above mentioned credentials, click on Test and Connect.
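If Test and Connect fails, it helps to check the app registration outside the console. The following is an added Python example (not crystal's own code) that performs the same OAuth2 client-credentials exchange the connector relies on, using the Tenant ID, Client ID and Secret Code from above, and then inspects the returned Microsoft Graph token to confirm that the Group.Read.All application permission from Step 3 was actually consented to. Function names, the injectable transport and the demo token builder are assumptions of this example.

```python
"""Verify an Azure app registration for crystal: get an app-only Graph token
with the Step 2 credentials and confirm the Step 3 Group.Read.All role."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def token_request(tenant_id, client_id, client_secret):
    # OAuth2 client-credentials grant against the tenant's v2.0 token endpoint
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": GRAPH_SCOPE}
    return url, urllib.parse.urlencode(form).encode()


def post_form(url, body):
    # Real transport: returns (status, response text); Azure AD returns JSON
    # error bodies (e.g. invalid_client for a mistyped or expired secret)
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=body)) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def fetch_access_token(tenant_id, client_id, client_secret, transport=post_form):
    status, text = transport(*token_request(tenant_id, client_id, client_secret))
    data = json.loads(text)
    if status != 200 or "access_token" not in data:
        raise RuntimeError(f"{data.get('error')}: {data.get('error_description')}")
    return data["access_token"]


def jwt_claims(token):
    # Payload decoded WITHOUT signature verification: for inspection only,
    # never as an authorization decision
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def has_group_read_all(token):
    # App-only tokens list granted application permissions in 'roles'; if
    # admin consent was never given the claim is absent and /groups returns 403
    return "Group.Read.All" in jwt_claims(token).get("roles", [])


def unsigned_demo_jwt(claims):
    # Constructed, unsigned token so the checks can be exercised offline
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```

Run fetch_access_token with your real values and pass the result to has_group_read_all; a False result means the orange status in Step 3 is still pending admin consent.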

You can now import users and groups of users from your Azure Active Directory into crystal. The imported users can then log in by clicking the blue Login with Microsoft button on the login screen of your crystal project.

We hope this article helped you! Check out more from our Tutorials for admins section.
