Azure AD on Cloud Service

Azure AD (AAD) integration is available on the standard Smartsign Cloud Service and allows you to auto-provision new users in Smartsign. Read on for instructions on how to integrate your company's AAD to your Smartsign site(s) on the cloud service.

1. Create security groups in AAD as follows

   Example name	Purpose	Notes
   Smartsign_Access	Permission to login	One group per site if you have multiple and want to differentiate between them
   Smartsign_Publisher	Provide user permissions	Determines which user profile the user will get
   Smartsign_Admin	Provide user permissions	Determines which user profile the user will get

   User permission groups

   If you wish to use more than just the standard SiteAdmin and Publisher user profiles, you'll need to create a group for each.

2. Prepare and send the following information to support@smartsign.se to setup the integration.

   1. Your Customer ID (you can see it in the bottom left corner when your are signed in on the cloud service).
   2. Your Microsoft 365 Tenant ID.
   3. Name and Group object ID for each of the security groups.

3. Our support will setup the integration and report back so that you can verify the function.

4. To be able to login and use Smartsign, a user must have one ore more access-groups and exactly one (1) permission group.

5. Once verified you can proceed and add your users to the necessary groups in AAD.

6. The first time a user signs in, they will be prompted to approve the Azure AD login integration. If they are not an Azure AD admin themselves, they can usually request approval from an admin immediately in the dialog. 
   For reference, the Application (client) ID is "9ab97371-ac1c-4f52-b1d9-3476e60637ca". In addition to basic login, it requires the following permissions.

   Delegated Permission	Used for	Admin consent required
   User.Read	Read user details	No
   GroupMember.Read.All	Read which groups the user is a member of	Yes

Manage resource access using Azure AD (optional)

Access Groups are used to control access to resources, such as screens, media library folders etc, for all non-admin users.

These can either be managed directly in Smartsign or mapped to Azure AD (AAD) groups to control resource access from AAD.

1. Create or identify the AAD security groups to use for access control in Smartsign.
2. Find and note the AAD Group Object ID for each.
3. Create the corresponding groups in Smartsign and input the AAD Group Object ID to connect it to the AAD group.
4. Assign which resources the group should provide access to.
5. Done! Users will be automatically added/removed from the groups each login, based on the AAD group memberships.

Auto-provisioning only

AAD integration on Smartsign Cloud only provisions (creates) users with the given permissions. To remove access for a user they must manually be removed from the AAD groups as well as from Smartsign Cloud.