Identity management via Microsoft Entra Active Directory

  • Updated on Dec 10, 2024
  • Published on Oct 1, 2024
  • 3 minute(s) read
Prev Next

Pre-requisites

To set up an identity management application to manage authentication for NewStore apps, ensure that you have access to:

  • Omnichannel Manager

  • Microsoft Entra Admin Center

Important

To enable users from your corporate directory to be able to use the NewStore applications, you have to create users, assign them to a store, and assign relevant roles in NewStore.

Setting up Microsoft Entra ID with NewStore

This process involves working with Microsoft Entra ID and Omnichannel Manager in tandem. Ensure you have access to both before you proceed.

  1. Log into Microsoft Entra Admin Center..

  2. In the navigation menu, in the Identity section, click Applications > App registrations.

  3. Click New registration and enter the following details:

    • Name:

      • For non-production systems such as staging environments, specify newstore-staging.

      • For production systems, specify newstore-production.

    • Select Accounts in these organizational directory only.

    • Leave the Redirect URI empty.

  4. Click Register.

  5. After the application is created, in the left menu, click API permissions.

    A list of default permissions appear.

  6. Click Add a permission > Microsoft Graph > Application permissions.

  7. Add the following permissions. Ensure that you specify the correct Type and Admin privileges.

    API/Permission name

    Type

    Description

    Admin

    Directory.Read.All

    Application

    Read directory data

    Yes

    Group.Read.All

    Application

    Read all groups

    Yes

    Group.Member.Read.All

    Application

    Read all group memberships

    Yes

  8. After you have added these permissions, click Grant admin consent for <retailer name>.

    The status for all permissions is updated to Granted.

  9. In the left menu, click Certificates & secrets > New client secret.

  10. In the screen that appears, enter a description, set the Expired field to one of the provided options, and click Add.

    Important

    Ensure that you get notified and rotate the client secret before it expires. After the secret expires, the login credentials to NewStore will not work anymore. Follow the updating guidelines to rotate a secret.

  11. The new secret is created and added to the list of Client secrets.

    Copy the Value of the new secret securely for later use.

    Note

    The value of the new secret can only be viewed immediately after creation. If you missed copying the Value, create a new secret.

  12. In the left menu, click Overview, and copy the Application (client) ID and Directory (tenant) ID securely for later use.

  13. Open the Omnichannel Manager in a separate tab.

  14. Click Settings > Users & Roles > Single Sign-On.

  15. Click Configure Single Sign-On.

  16. Select Vendor MICROSOFT.

  17. Fill in the saved data from the previous configuration.

    • Secret from step 11

    • Directory (Tenant) ID and Application (Client) ID from step 12

  18. Click Connect.

  19. Switch back to Microsoft Entra ID tab.

  20. In the left menu, click Authentication > Platform configurations > Add a platform.

  21. Select Web.

  22. Paste the Redirect URI and Logout URL from the Omnichannel Manager tab.

  23. Click Configure.

  24. In the left menu, click Token configuration, and click Add groups claim.

  25. In the Edit groups claim screen, specify the following:

    • Select Security groups.

    • In the Access area, select Group ID and Emit groups as role claims.

    • Specify the same settings as described in the previous step for the ID and SAML areas.

    Click Add.

  26. Click Add optional claim.

    In the screen that appears, select Access as the Token type, and select the following:

    • email

    • family_name

    • given_name

    • upn

    Click Add.

  27. Repeat the same steps for ID as the Token type.

  28. (Optional) To remove explicit user assignment in Microsoft Entra ID, see this section.

Single Sign-on is successfully configured with Microsoft Entra ID.

Updating client secrets in Omnichannel Manager

  1. Log into Microsoft Entra Admin Center (formerly Azure AD management portal).

  2. In the navigation menu, in the Identity section, click Applications > App registrations.

  3. Open the application you want to update.

  4. In the left menu, click Certificates & secrets > New client secret.

  5. In the screen that appears, enter a description, set the Expired field to one of the provided options, and click Add.

  6. The new secret is created and added to the list of Client secrets.

    Copy the Value of the new secret securely for later use.

    Note

    The value of the new secret can only be viewed immediately after creation. If you missed copying the Value, create a new secret.

  7. Open Omnichannel Manager.

  8. Click Settings > Users & Roles > Single Sign-On.

  9. Click on the displayed name MICROSOFT.

  10. Paste the new secret value in the Secret form.

    Important

    Ensure that this secret exists and is valid in Microsoft Entra ID. There is no way to revert after updating the secret.

  11. Click Update.

  12. Click Confirm.

You have successfully rotated your secret.

(Optional) Removing explicit user assignment

To remove explicit user assignment in Microsoft Entra ID:

  1. Log into the Microsoft Entra Admin Center.

  2. In the navigation menu, in the Identity section, click Applications > Enterprise applications.

  3. In the list, search for the system environment (such as newstore-staging or newstore-production) and select it.

  4. In the left menu, click Properties.

  5. For the Assignment required? field, select No.

Related topics