This guide walks through configuring the Azure AD User store for Elements. This configuration allows Elements to query the application users & groups directly from Azure AD. We suggest using the Azure AD User store together with Azure AD OAuth.

Setting up an Azure App Registration

The first step to enable Azure AD integration is to create an App Registration inside the Azure AD tenant. Elements will access Azure on behalf of this App.

Elements will need 3 pieces of configuration to connect using this app. These are: Client ID, Tenant ID and Client Secret.

NOTE: If you are also setting up Azure AD OAuth, a single App Registration is enough; configure it for both purposes. Steps 1-5 are the same for both setups.

The steps to create the app:

1. Navigate to the Azure Portal. Search for 'App Registrations' and go to the service.

2. Click New registration

3. Provide an application name, such as Elements integration. You can leave the Supported account types and Redirect URI unchanged. Click Register. 

4. After the app is created, note down the Application (client) ID and the Directory (tenant) ID from the Overview page.

5. The next step is to generate the Client Secret (the last remaining piece of configuration required by Elements). Navigate to the Certificates & Secrets page, select the Client secrets tab and create a new client secret. The Description of the secret is optional, and the expiration is up to you. Elements will always need a valid secret, so a new one has to be generated when the old one expires. Note down the secret value; this is the Client Secret that will be provided to Elements.

6. Lastly, the appropriate permissions need to be set for the app. This will allow Elements to query the required resources (users & groups) from Azure AD. Navigate to the API permissions page.

7. Click Add a permission. On the side panel that pops up, select Microsoft Graph. 

8. Select Application permissions, then select the User.Read.All and Group.Read.All permissions, then click Add permissions. The page should look like this:

9. A tenant admin needs to approve these permissions for the Azure AD tenant. They need to navigate to the API permissions page (the link can be shared) and click Grant admin consent for [orgname] (Grant admin consent for Starschema in the screenshots). After the consent is granted, it should look like the following:

Configuring Elements to use the Azure AD User store

To configure Elements, open appsettings.json, navigate to the UserSettings section, set UserStore to AzureAD, and fill out the AzureADSettings section with the TenantID, ClientID and ClientSecret of the Azure application. You will also need to provide the application admin users & groups that exist in Azure AD.
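
One way to confirm that the three values and the consented permissions are correct before relying on them in Elements. This is an added example, not part of Elements or of the original guide. It inspects the claims of an app-only Microsoft Graph access token obtained with the client credentials flow. The function names and the sample token are constructed for illustration, and the claim names (tid, appid/azp, roles, exp) are assumed to follow the Microsoft identity platform access token format.

```python
import base64, json, time, urllib.parse, urllib.request
REQUIRED_ROLES = {"User.Read.All", "Group.Read.All"}  # application permissions from step 8

def fetch_token(tenant_id, client_id, client_secret):
    """Client-credentials request to the tenant's token endpoint (needs network; not run here)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=form), timeout=15) as resp:
        return json.load(resp)["access_token"]

def decode_claims(token):
    """Decode the JWT payload for diagnostics only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_app_token(token, tenant_id, client_id, now=None):
    """Return a list of problems; an empty list means the token matches the setup above."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("tid") != tenant_id:
        problems.append("tid does not match the Directory (tenant) ID")
    # Assumption: v1.0-format tokens carry 'appid', v2.0-format tokens carry 'azp'.
    if client_id not in (claims.get("appid"), claims.get("azp")):
        problems.append("appid/azp does not match the Application (client) ID")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    roles = set(claims.get("roles", []))
    if REQUIRED_ROLES - roles:
        problems.append("not granted: " + ", ".join(sorted(REQUIRED_ROLES - roles)))
    if roles - REQUIRED_ROLES:
        problems.append("broader than required: " + ", ".join(sorted(roles - REQUIRED_ROLES)))
    return problems

def make_sample_token(claims):
    """Build an unsigned, constructed token so the checks can be run offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"typ": "JWT", "alg": "none"}), enc(claims), "constructed"])

if __name__ == "__main__":
    sample = make_sample_token({"tid": "tenant-placeholder", "appid": "client-placeholder",
                                "exp": 2_000_000_000, "roles": ["User.Read.All"]})
    print(check_app_token(sample, "tenant-placeholder", "client-placeholder", now=1_700_000_000))
```

A "not granted" result usually means step 8 or the admin consent in step 9 is incomplete; a "broader than required" result means the app holds more Graph permissions than this guide asks for.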