How to set up Microsoft Azure as an IDP
Together with Google Workspace, crystal also supports Microsoft Azure as an Identity Provider, so that users can log in to their projects and import their contacts, including groups.
There are a few steps to complete before connecting Azure and enabling it in crystal: let's see in detail what we need to do.
- Search for App registrations in the upper search bar of the Azure portal.

- Now click on + New registration

- You will now need to fill in the App registration form through the following steps:
  1.
  2. Select the account types you want to support. If you choose Accounts in this organizational directory only, only the accounts registered in the current Azure AD will be able to log in to crystal;
  3. Provide a redirect URI for OAuth2 (you can configure it later, but it must follow the structure https://{your-crystal-tenant-name}.crystal.ai/login-manager/login/azure/complete).

After following the Step 1 instructions, you will see your new App registration in the App registrations list. You now need to create a client secret by following these steps:
- On the left menu, click on Certificates & secrets.

- On the Client secrets tab, click on + New client secret, then choose a meaningful name and an expiration time that suits your needs.
Remember that when the secret expires you will have to reconfigure crystal, so we recommend choosing a Custom duration long enough that you are not affected by expirations.

- Copy the secret value and keep it somewhere safe: you will need it later, when you configure crystal in Step 4 (it is the Secret Code in the IDP form).

- On the left menu, click on API permissions. You should see the User.Read permission already configured. Click on + Add a permission.

- Now click on the Microsoft Graph banner.

- Click on Application permissions, search for Group, then select the Group.Read.All permission.

- If you are not the directory administrator, you will see an orange warning icon in the Status column (instead of a green circle). In this case, ask your admin to consent to the newly added permissions. If you are the admin, you can grant them yourself by clicking on Grant admin consent for.

- Log in to the crystal Self-Service Console and go to the Users tab. Click on the Identity Provider label, then click on Add new IDP.

- Select Azure Active Directory.

- Now you need to fill in the form with the App registration credentials you configured in the previous steps of this guide. Here is where you can find the credentials you need:
  1. You will find the Client ID and Tenant ID by clicking on Overview in the left menu of your crystal app registration on the Azure portal.
  2. You can find the Redirect URI by clicking on Authentication in the left menu of your crystal app registration on the Azure portal. It must match exactly, and its structure must be https://{your-crystal-tenant-name}.crystal.ai/login-manager/login/azure/complete.
  3. The Secret Code can be found by clicking on Certificates & secrets in the left menu of your crystal app registration on the Azure portal. Mind that, if you did not save it before, you will have to create a new one.
- Once the form is filled in with the above-mentioned credentials, click on Test and Connect.

You can now import users and groups of users from your Active Directory into crystal. The imported users can then log in by clicking the blue Login with Microsoft button on the login screen of your crystal project.
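To make clear why each of the four form fields is needed, here is an added example (not crystal's own code and not part of the original guide) that builds the Azure AD OAuth2 requests those values feed: the login redirect, the server-side code exchange where the Secret Code is used, and the app-only token request that Group.Read.All enables for importing groups. The endpoint URLs are Microsoft's public v2.0 endpoints; the tenant name, IDs, function names and the `state` handling are assumptions for illustration.

```python
import re
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com/v1.0"
# Shape this guide requires for the crystal redirect URI (tenant name is a placeholder).
REDIRECT_RE = re.compile(r"^https://[a-z0-9-]+\.crystal\.ai/login-manager/login/azure/complete$")


def valid_redirect_uri(uri: str) -> bool:
    """Azure compares redirect URIs exactly (scheme, host, path), so the value entered in
    the crystal IDP form must be identical to the one registered under Authentication."""
    return REDIRECT_RE.match(uri) is not None


def authorize_url(tenant_id: str, client_id: str, redirect_uri: str, state: str) -> str:
    """Where "Login with Microsoft" sends the browser. Using the Tenant ID (not "common")
    in the authority enforces the single-directory choice made in the registration form;
    `state` is a random per-login value the callback must echo back (CSRF protection)."""
    params = {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
              "response_mode": "query", "scope": "openid profile User.Read", "state": state}
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize?{urlencode(params)}"


def code_exchange(tenant_id: str, client_id: str, secret: str, redirect_uri: str, code: str):
    """Token request the backend sends after the callback. This is the only place the
    Secret Code travels, server to server; redirect_uri must repeat the registered one."""
    body = {"client_id": client_id, "client_secret": secret, "grant_type": "authorization_code",
            "code": code, "redirect_uri": redirect_uri}
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token", body


def group_import(tenant_id: str, client_id: str, secret: str):
    """Importing groups needs no signed-in user: it is an app-only client-credentials grant,
    which is why Group.Read.All is added as an Application permission and needs admin consent."""
    body = {"client_id": client_id, "client_secret": secret, "grant_type": "client_credentials",
            "scope": "https://graph.microsoft.com/.default"}
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token", body, f"{GRAPH}/groups"


def callback_is_valid(callback_url: str, expected_state: str) -> bool:
    """Check the redirect back to crystal: the state must match and a code must be present."""
    q = parse_qs(urlparse(callback_url).query)
    return q.get("state") == [expected_state] and "code" in q
```

If the redirect URI in the form differs from the registered one by even a trailing slash, the authorize step fails before any code is issued, which is the most common cause of a failed Test and Connect.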

If you have any questions about crystal's features, have encountered a problem, or would like to share your feedback, contact us using this form.