This article covers connecting the Foray ADAMS solution to an Azure Active Directory (AD) domain. This connection allows users to log in to the Foray ADAMS solution and also allows Foray ADAMS to perform the directory queries necessary to enforce privileges for both data and features.
...
Open the Azure Portal
Navigate to Azure Active Directory
App registrations
New registration
Name - Foray Adams Web, Foray Adams Admin, or Foray Adams Clients
This name is visible to end users. You may use a different name if you choose; if so, you will need to identify that name later in these steps. You can change this name later.
Supported account types: Accounts in this organizational directory only
Redirect URI
For Adams Admin and Adams Web - This is the URL provided by Foray for redirect. It will be similar to:
Examples
Ex1: https://web01.myagency.foray.com/AdamsAdmin/Account/Login
Ex2: https://web01.myagency.foray.com/AdamsWeb/Login.aspx
For Adams Clients
Select "Public client/native (mobile & desktop)" from the dropdown
Enter the value: https://login.microsoftonline.com/common/oauth2/nativeclient
Click Register
...
Select the application to be configured
Authentication
Adams Web and Adams Admin only
Inside "Web" section
Front-channel Logout URL
For Adams Admin and Adams Web - This is the URL provided by Foray for logout. It will have the form:
Examples
Ex1: https://web01.myagency.foray.com/AdamsAdmin/Account/AzureSingleSignOut
Ex2: https://web01.myagency.foray.com/AdamsWeb/Logout.aspx
Implicit grant - check ID Tokens
Supported account types: Accounts in this organizational directory only
Allow public client flows - Enable the following mobile and desktop flow
Adams Admin and Adams Web: NO
Adams Clients - YES
Click Save
...
Select the application to be configured
Certificates & secrets
Click New client secret
Description: For MS Graph access
Expires: Never. This may no longer be an option; if not, choose a time frame and set yourself a reminder to renew. Foray will need a new secret before this secret expires.
Click Add
Copy the secret value (icon to left of trash can on MS Graph access line)
This value must be provided to Foray
...
Select the application to be configured
API permissions
Click Add a permission
Click Microsoft Graph
Select Delegated permissions
Under Permission, check "openid" - Required for authentication
Under Permission, check "profile" - Enables access to a user's name, userid, and other basic info.
User.Read will already be checked, leave it checked - Required for authentication
Adams Admin and Adams Web only
Select Application permissions
Navigate to and check "Directory.Read.All" - This provides access to groups so that privileges can be applied per group.
Navigate to and check "User.Read.All" - This provides access to user info such as name and email.
Adams Web only (added in 6.2)
Select Application permissions
Navigate to and check GroupMember.ReadWrite.All - This allows adding of external users to the external users group.
Navigate to and check User.Invite.All - This allows external user account to be created.
Foray Adams Clients only
Select Delegated permissions
Navigate to and check "Directory.Read.All" - This provides access to list users in groups
Click Add permissions
Add API for Foray Adams Clients only - This cannot be done until the Adams Web application registration is complete (all the way to the bottom of this KB)
Click Add a permission
Click APIs my organization uses (above Microsoft Graph)
Select Foray Adams Web (the name used may be different)
Check BridgeWebApi
Check BridgeSignalR
Click Add permissions
Click Grant admin consent
Select Yes
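Once the three registrations exist, it is worth checking them against the settings above rather than trusting that every click landed. The script below is an added example and is not Foray's code or part of this KB: it audits an application object in the shape returned by the Microsoft Graph `application` resource (`web.redirectUris`, `web.logoutUrl`, `web.implicitGrantSettings`, `publicClient.redirectUris`, `isFallbackPublicClient`, `passwordCredentials`), which is an assumption about the export you feed it. The hostnames are the placeholder examples from this article (substitute the URLs Foray provides), the 60-day secret warning window is an assumption, and the two sample manifests are constructed for illustration.

```python
"""Audit Foray ADAMS app registrations against the settings in this KB.

Added example, not Foray's code. Input follows the Microsoft Graph
`application` resource shape (assumption); sample manifests are constructed.
"""
from datetime import datetime, timezone

# Expected per-registration settings, taken from the steps above.
# Hostnames are the article's placeholder examples: use the URLs Foray provides.
ROLE_SETTINGS = {
    "AdamsAdmin": {
        "redirect": "https://web01.myagency.foray.com/AdamsAdmin/Account/Login",
        "logout": "https://web01.myagency.foray.com/AdamsAdmin/Account/AzureSingleSignOut",
        "public_client": False,  # Allow public client flows: NO
    },
    "AdamsWeb": {
        "redirect": "https://web01.myagency.foray.com/AdamsWeb/Login.aspx",
        "logout": "https://web01.myagency.foray.com/AdamsWeb/Logout.aspx",
        "public_client": False,  # Allow public client flows: NO
    },
    "AdamsClients": {
        "redirect": "https://login.microsoftonline.com/common/oauth2/nativeclient",
        "logout": None,          # no front-channel logout URL for the native client
        "public_client": True,   # Allow public client flows: YES
    },
}

SECRET_WARN_DAYS = 60  # assumption: flag a secret this close to expiry so Foray gets a new one in time


def _parse(ts):
    """Parse an ISO-8601 timestamp or date; treat naive values as UTC."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def audit_app(manifest, role, today=None):
    """Return a list of findings for one registration; an empty list means it matches the KB."""
    now = _parse(today) if today else datetime.now(timezone.utc)
    expected = ROLE_SETTINGS[role]
    findings = []

    web = manifest.get("web", {})
    public = manifest.get("publicClient", {})
    # Web/Admin register the redirect under "Web"; Clients under "Public client/native".
    uris = set(web.get("redirectUris", [])) | set(public.get("redirectUris", []))
    if expected["redirect"] not in uris:
        findings.append(f"missing redirect URI {expected['redirect']}")

    if expected["logout"]:  # Adams Web and Adams Admin only
        if web.get("logoutUrl") != expected["logout"]:
            findings.append("front-channel logout URL is not the Foray logout URL")
        if not web.get("implicitGrantSettings", {}).get("enableIdTokenIssuance"):
            findings.append("implicit grant: ID tokens not enabled")

    if bool(manifest.get("isFallbackPublicClient")) != expected["public_client"]:
        want = "YES" if expected["public_client"] else "NO"
        findings.append(f"'Allow public client flows' should be {want}")

    # Foray needs a replacement secret before the current one expires.
    for cred in manifest.get("passwordCredentials", []):
        days_left = (_parse(cred["endDateTime"]) - now).days
        name = cred.get("displayName", "<unnamed>")
        if days_left < 0:
            findings.append(f"client secret '{name}' has expired")
        elif days_left < SECRET_WARN_DAYS:
            findings.append(f"client secret '{name}' expires in {days_left} days")
    return findings


# Constructed sample: an Adams Web registration whose only issue is a secret close to expiry.
SAMPLE_WEB_MANIFEST = {
    "displayName": "Foray Adams Web",
    "web": {
        "redirectUris": ["https://web01.myagency.foray.com/AdamsWeb/Login.aspx"],
        "logoutUrl": "https://web01.myagency.foray.com/AdamsWeb/Logout.aspx",
        "implicitGrantSettings": {"enableIdTokenIssuance": True, "enableAccessTokenIssuance": False},
    },
    "isFallbackPublicClient": False,
    "passwordCredentials": [{"displayName": "For MS Graph access", "endDateTime": "2025-01-01T00:00:00Z"}],
}

# Constructed sample: a compliant Adams Clients registration.
SAMPLE_CLIENTS_MANIFEST = {
    "displayName": "Foray Adams Clients",
    "publicClient": {"redirectUris": ["https://login.microsoftonline.com/common/oauth2/nativeclient"]},
    "isFallbackPublicClient": True,
    "passwordCredentials": [],
}

if __name__ == "__main__":
    for role, manifest in (("AdamsWeb", SAMPLE_WEB_MANIFEST), ("AdamsClients", SAMPLE_CLIENTS_MANIFEST)):
        print(role, audit_app(manifest, role, today="2024-12-01") or "OK")
```

Run it against an export of each registration (for example the JSON from `az ad app show` or a Graph `GET /applications/{id}`) and treat any non-empty result as a step to revisit; the secret-expiry finding is the one most likely to surface months after setup.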
...