Azure AD/Entra Planning
Azure AD has been rebranded by Microsoft to "Entra ID". This has no effect on the integration. (https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id)
Basic principles
To sign in using Azure AD (AAD), at least two different AAD groups are required.
- The first group determines the right to login and which site the user belongs to.
- The second group determines the user profile to use.
To be able to log in, an AAD user must meet the following requirements:
- The user must be explicitly linked to at least one site in Smartsign (member of AAD group linked to site)
- The user must be explicitly linked to exactly one user profile in Smartsign (member of exactly one AAD group linked to a user profile)
There is no need to import or sync users to Smartsign. Users will be automatically created at sign in if authenticated by AAD.
Additional groups can be used to differentiate between different sites and different user profiles within Smartsign.
Access to resources such as screens, layers and media folders is controlled using groups within Smartsign.
Optional
If you wish to manage access to resources, such as screens, folders and layers, from AAD, additional groups should be created for that purpose.
Example:
Smartsign_Resources_Finance
Smartsign_Resources_Marketing
Suggested Azure AD groups
For clarity and readability, we suggest naming your AAD groups similarly to the examples below.
One AAD group for each site (minimum one)
Example:
Smartsign_Site_MySiteName
The site group should only be linked to site(s) in Smartsign. It should not be linked to any user profile.
One AAD group for each user profile (minimum one; normally at least two)
Example:
Smartsign_Userprofile_Publisher
Smartsign_Userprofile_SiteAdmin
Smartsign_Userprofile_Admin
Each user profile group must be linked to a single user profile.
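The following is an added example, not Smartsign's own code, that models the sign-in rules from "Basic principles" together with the suggested group naming above, so a planned group design can be checked before it is rolled out: a site group must not be linked to a user profile, every profile group links to exactly one profile, and a user signs in only when their AAD groups give them at least one site and exactly one user profile. The group names, the site names and the link tables (`SITE_LINKS`, `PROFILE_LINKS`) are constructed for illustration; the real links are configured inside Smartsign, which is what actually enforces these rules.

```python
# Added example (not Smartsign's code): model the AAD group rules on this page.
# Group names follow the suggested naming convention; all data below is constructed.

SITE_PREFIX = "Smartsign_Site_"
PROFILE_PREFIX = "Smartsign_Userprofile_"
RESOURCE_PREFIX = "Smartsign_Resources_"

# Constructed sample of how AAD groups are linked inside Smartsign.
# A site group links to one or more sites; a profile group links to exactly one profile.
SITE_LINKS = {
    "Smartsign_Site_Stockholm": ["Stockholm"],
    "Smartsign_Site_Gothenburg": ["Gothenburg"],
}
PROFILE_LINKS = {
    "Smartsign_Userprofile_Publisher": "Publisher",
    "Smartsign_Userprofile_SiteAdmin": "SiteAdmin",
    "Smartsign_Userprofile_Admin": "Admin",
}


def check_link_design(site_links, profile_links):
    """Return a list of design problems; an empty list means the design follows the rules."""
    problems = []
    for group in site_links:
        if not group.startswith(SITE_PREFIX):
            problems.append(f"{group}: site group does not follow the naming convention")
        if group in profile_links:
            problems.append(f"{group}: site group must not be linked to a user profile")
    for group, profile in profile_links.items():
        if not group.startswith(PROFILE_PREFIX):
            problems.append(f"{group}: profile group does not follow the naming convention")
        if not isinstance(profile, str) or not profile:
            problems.append(f"{group}: must be linked to exactly one user profile")
    return problems


def evaluate_sign_in(user_groups, site_links=SITE_LINKS, profile_links=PROFILE_LINKS):
    """Decide whether an AAD user may sign in, and with which sites and profile.

    Rules from the page: at least one linked site and exactly one linked user profile.
    Returns (allowed, reason, sites, profile).
    """
    sites = sorted({s for g in user_groups if g in site_links for s in site_links[g]})
    profiles = sorted({profile_links[g] for g in user_groups if g in profile_links})
    if not sites:
        return False, "no site group: user is not linked to any Smartsign site", sites, None
    if not profiles:
        return False, "no user profile group: user is not linked to a user profile", sites, None
    if len(profiles) > 1:
        return False, f"ambiguous user profile ({', '.join(profiles)}): must be exactly one", sites, None
    return True, "ok", sites, profiles[0]


def resource_groups(user_groups):
    """Optional resource groups (screens, folders, layers) carried by the user's memberships."""
    return sorted(g for g in user_groups if g.startswith(RESOURCE_PREFIX))


if __name__ == "__main__":
    # Constructed sample users: one valid, one missing a site, one with two profiles.
    sample_users = {
        "alice": ["Smartsign_Site_Stockholm", "Smartsign_Userprofile_Publisher",
                  "Smartsign_Resources_Finance"],
        "bob": ["Smartsign_Userprofile_Publisher"],
        "carol": ["Smartsign_Site_Stockholm", "Smartsign_Userprofile_Publisher",
                  "Smartsign_Userprofile_Admin"],
    }
    print("design problems:", check_link_design(SITE_LINKS, PROFILE_LINKS))
    for name, groups in sample_users.items():
        allowed, reason, sites, profile = evaluate_sign_in(groups)
        print(f"{name}: allowed={allowed} sites={sites} profile={profile} "
              f"resources={resource_groups(groups)} ({reason})")
```

The ambiguous case (carol) is the one to watch for when additional profile groups are introduced: a user who ends up in two profile groups no longer matches "exactly one user profile", so the design check should be rerun whenever group membership is restructured.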