diff --git a/content/for-administrators/secure-your-cluster/azure-gco-app.md b/content/for-administrators/secure-your-cluster/azure-gco-app.md new file mode 100644 index 00000000..66af1892 --- /dev/null +++ b/content/for-administrators/secure-your-cluster/azure-gco-app.md @@ -0,0 +1,25 @@ +# Configuring Azure AD Group Sync Application + +1. To enable sync groups from Azure AD (Microsoft's) account to Stakater Cloud you first have to register an application on Azure. Go to the <https://portal.azure.com> +1. Open `Azure Active Directory` service +1. On the tab on the left under Manage section click `App Registrations` +1. Click on `New Registration`. Use `group-sync` under Name and click `Register` +![Azure AD](images/azure-ad.png) +1. The GroupSync job requires permissions on the Azure AD tenant in addition to the default ones. For it to work, add the these entries under the ‘API Permissions’ menu item.: + +- `Group.Read.All` +- `GroupMember.Read.All` +- `User.Read.All` + +![Azure App API Permissions](images/azure-permissions-group-sync.png) + +1. Click on the Newly created app `group-sync`. Click `Certificates & secrets` from the left tab. Click `New Client Secret`. Under `Expires` pick any option. Under `Description` put *saap-group-sync* and click `Add` +![Certificates and Secrets](images/azure-ad-certificates-secrets.png) +1. Copy the value of the newly created client secret and take note of the `Application (client) ID` and `Directory (tenant) ID` of the `group-sync` app registration from the `Overview` tab. **Send this to Stakater Support** +![Client-Tenant-ID](images/azure-ad-clientid-tenantid.png) + +## Items to be provided to Stakater Support + +- `Application (client) ID` +- `Directory (tenant) ID` +- `client Secret` diff --git a/content/for-administrators/secure-your-cluster/azure-idp.md b/content/for-administrators/secure-your-cluster/azure-idp.md index eab732b0..00edfdf1 100644 --- a/content/for-administrators/secure-your-cluster/azure-idp.md +++ b/content/for-administrators/secure-your-cluster/azure-idp.md @@ -5,9 +5,10 @@ 1. On the tab on the left under Manage section click `App Registrations` 1. Click on `New Registration`. Use `saap` under Name. Under Redirect URI section Choose `Web` and enter the Redirect URI (**This will be provided by Stakater Support**) and click `Register` ![Azure AD](images/azure-ad.png) +1. Go to "API permissions" and add the required Microsoft Graph API permissions. Typically, you need `User.Read` and `openid`, `profile`, and `email` permissions. 1. Click on the Newly created app `saap`. Click `Certificates & secrets` from the left tab. Click `New Client Secret`. Under `Expires` pick any option. Under `Description` put *saap oidc* and click `Add` ![Certificates and Secrets](images/azure-ad-certificates-secrets.png) -1. Copy the value of the newly client secret and take note of the `Application (client) ID` and `Directory (tenant) ID` of the `saap` from the Overview section. **Send this to Stakater Support** +1. Copy the value of the newly client secret and take note of the `Application (client) ID` and `Directory (tenant) ID` of the `saap` app registration from the `Overview` tab. **Send this to Stakater Support** ![Client-Tenant-ID](images/azure-ad-clientid-tenantid.png) ## Items provided by Stakater Support diff --git a/content/for-administrators/secure-your-cluster/images/azure-ad-clientid-tenantid.png b/content/for-administrators/secure-your-cluster/images/azure-ad-clientid-tenantid.png index 733000d9..0d4b5ce9 100644 Binary files a/content/for-administrators/secure-your-cluster/images/azure-ad-clientid-tenantid.png and b/content/for-administrators/secure-your-cluster/images/azure-ad-clientid-tenantid.png differ diff --git a/content/for-administrators/secure-your-cluster/images/azure-permissions-group-sync.png b/content/for-administrators/secure-your-cluster/images/azure-permissions-group-sync.png new file mode 100644 index 00000000..2104825c Binary files /dev/null and b/content/for-administrators/secure-your-cluster/images/azure-permissions-group-sync.png differ diff --git a/theme_override/mkdocs.yml b/theme_override/mkdocs.yml index b5b8cf62..f6892585 100644 --- a/theme_override/mkdocs.yml +++ b/theme_override/mkdocs.yml @@ -60,6 +60,7 @@ nav: - for-administrators/secure-your-cluster/secure-routes.md - for-administrators/secure-your-cluster/google-idp.md - for-administrators/secure-your-cluster/azure-idp.md + - for-administrators/secure-your-cluster/azure-gco-app.md - for-administrators/secure-your-cluster/keycloak-idp.md - for-administrators/secure-your-cluster/saml-idp.md - for-administrators/secure-your-cluster/saap-authorization-roles.md