To configure Azure AD OAuth2 authentication for Procore, you'll first need to navigate to the Azure portal and sign in with your Azure AD credentials.
The Azure AD URL is where you'll find the Tenant ID, which is a unique identifier for your Azure AD tenant. It's used to authenticate users and authorize access to your Procore account.
To get started, go to the Azure portal and select Azure Active Directory from the navigation menu. From there, click on Properties to find your Tenant ID.
Your Tenant ID should be listed under the Directory ID field. Make a note of this value, as you'll need it to complete the authentication setup in Procore.
Azure AD Configuration
To configure Azure AD authentication, you can use the Grafana UI or the Grafana configuration file. As a Grafana Admin, navigating to the Administration > Authentication > Azure AD page allows you to fill in the form and save the configuration.
If you need to reset changes made in the UI, you can click Reset to apply the default values or the configuration from the Grafana configuration file.
To configure Azure AD in Grafana, you'll need access to the Grafana configuration file. Ensure you have this access before proceeding.
You can also configure Azure AD in Procore's Company Level Admin Tool by adding the Azure AD settings, which involves copying and pasting information from the Azure AD page into the Procore Single Sign On Configuration page.
Here are the steps to add Azure AD settings in Procore:
Set Up SSO
To set up SSO (Single Sign-On) with Azure AD, you'll need to configure your Identity Provider (IdP). This is the service that verifies the identity of your end users, such as Okta, OneLogin, or Microsoft Azure AD.
The first step is to navigate to the Azure AD page and fill in the form with the required information. If you have a current configuration in the Grafana configuration file, the form will be pre-populated with those values.
You'll need to provide the SAML Entity ID, which is a unique string that identifies the provider issuing a SAML request. You can find this information by copying the URL in the SAML Entity ID field from the Azure AD page.
Next, you'll need to provide the SAML Single Sign-On Service URL, which is the URL that will receive SAML requests from Procore. You can find this information by copying the URL in the SAML Single Sign-On Service URL field from the Azure AD page.
You'll also need to provide the X.509 Certificate, which is an encrypted digital certificate that contains the required values that allow the SSO service to verify the identities of your users. You can find this information by downloading the SAML XML Metadata file from the Azure AD page and copying the certificate data between the HTML start and end tags for the x509 certificate.
Here's a summary of the information you'll need to provide:
Once you've provided all the required information, you'll need to save the changes and configure the email domain(s) you'd like to target for SSO. This may require reaching out to Procore Support or your company's Procore point of contact.
Well-Known Client IDs
Well-Known Client IDs can be a lifesaver when trying to find a specific ID for a Microsoft application or service. They can be used for deep links, making it easier to access certain applications.
The well-known ClientID for the Azure AD Account is: 0000000c-0000-0000-c000-000000000000. This ID can be used for deep linking with Azure AD registered applications.
Lists of well-known client IDs are available, and the well-known client IDs of Microsoft applications and services can be used for deep links too.
Here is a list of some well-known client IDs for Microsoft Office365 Applications:
- Outlook
- Teams
- SharePoint
- Office Portal
Configure Authentication Client via Grafana Config File
To configure an Azure AD authentication client via the Grafana configuration file, you need access to the file. Ensure you have it before proceeding.
You can add the necessary configuration to the file by adding the Azure AD OAuth settings. This is a requirement for enabling Azure AD OAuth in Grafana.
Add the following to the Grafana configuration file:
You can also use environment variables to configure client_id and client_secret. This is available in Grafana v9.3 and later versions.
If you have existing configurations in the file, they will be pre-populated when you access the configuration page. Otherwise, the default values will be displayed.
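As an added example (not Grafana's own code), the Python check below audits the [auth.azuread] section of a Grafana configuration file against the Tenant ID noted earlier: tenant-specific endpoints, an allowed_organizations entry, and no client secret left in the file. The function name, the sample file and its placeholder IDs are assumptions made for illustration.

```python
import configparser

EXPECTED = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/{endpoint}"

# Constructed sample; the tenant ID, client ID and secret are placeholders.
SAMPLE_INI = """
[auth.azuread]
enabled = true
client_id = 11111111-1111-1111-1111-111111111111
client_secret = placeholder-secret-in-file
scopes = openid email profile
auth_url = https://login.microsoftonline.com/common/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/token
allowed_organizations =
"""


def audit_azuread(ini_text, tenant_id):
    """Return a list of findings for the [auth.azuread] section of a Grafana config."""
    cfg = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    cfg.read_string(ini_text)
    if not cfg.has_section("auth.azuread"):
        return ["no [auth.azuread] section"]
    sec = cfg["auth.azuread"]
    findings = []
    if not sec.getboolean("enabled", fallback=False):
        findings.append("enabled is not true, Azure AD login is off")
    # Both endpoints should name this tenant rather than a shared endpoint.
    for key, endpoint in (("auth_url", "authorize"), ("token_url", "token")):
        want = EXPECTED.format(tenant=tenant_id, endpoint=endpoint)
        if sec.get(key, "").strip().lower() != want.lower():
            findings.append(f"{key} is not the tenant-specific endpoint {want}")
    # Without this list, sign-in is not restricted to the expected tenant.
    orgs = sec.get("allowed_organizations", "").replace(",", " ").split()
    if tenant_id.lower() not in (o.lower() for o in orgs):
        findings.append("allowed_organizations does not list the tenant ID")
    if sec.get("client_secret", "").strip():
        findings.append("client_secret is stored in the file; "
                        "set GF_AUTH_AZUREAD_CLIENT_SECRET in the environment instead")
    return findings
```

On the constructed sample this reports the shared `common` authorize endpoint, the empty allowed_organizations value and the secret kept in the file.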
Microsoft Office 365 Integration
Microsoft Office 365 Integration is a powerful feature that allows you to access various Office 365 applications directly.
You can access Office 365 applications using a customized verified domain or the tenant.onmicrosoft.com address.
One of the benefits of this integration is that you can access Outlook, Teams, SharePoint, and the Office Portal directly.
These applications can be accessed using the following methods: Outlook, Teams, SharePoint, Office Portal
This integration makes it easy to manage your Office 365 applications and access the tools you need to stay productive.
Procore Integration
To integrate Procore with Azure AD, you'll need to add the Azure AD settings to Procore's Company Level Admin Tool. This involves leaving the Azure AD page open and logging into Procore using your Procore Administrator account.
Navigate to the Company level Admin tool and click Single Sign On Configuration under Company Settings. Leave Procore's 'Single Sign On Configuration' page open and go back to the Azure AD page that you left open.
To complete the integration, you'll need to copy and paste specific information from Azure AD into Procore's Single Sign On Configuration page. This includes the SAML Entity ID, SAML Single Sign-On Service URL, and SAML XML Metadata.
Here are the specific fields you'll need to copy and paste:
Procore as a New Enterprise Application
To add Procore as a new enterprise application in Azure AD, start by logging in to the Azure AD portal as a Global Administrator at http://portal.azure.com. From there, click on Favorites and then Azure Active Directory.
Under Manage, click on Enterprise Applications, and then click the +New Application button. Type "Procore" in the Enter a Name box, and click on the matching application named Procore. This will reveal a new pane where you can customize the application's settings.
In the Name box, type a name for your application, such as "Procore (Demo)" as shown in the example. Click Add, and a message will appear confirming that the application was added successfully.
Procore Company Level Tool Settings
To set up the Company Level Tool Settings in Procore, you'll need to navigate to the Company level Admin tool. Log in using your Procore Administrator account to access this tool.
The Single Sign On Configuration page is where you'll find the settings for Azure AD integration. Click on Company Settings and then Single Sign On Configuration to access this page.
You'll need to copy information from the Azure AD page and paste it into the corresponding fields in Procore's Single Sign On Configuration page. Specifically, you'll need to paste the SAML Entity ID URL into the Single Sign On Issuer URL field and the SAML Single Sign-On Service URL into the Single Sign On Target URL field.
To obtain the SAML XML Metadata, download the file from the Azure AD page and open it in a text editor. Locate the certificate data between the HTML start and end tags for the x509 certificate and copy the data. Do not copy the tags.
Once you've copied all the necessary information, click Save Changes on the Single Sign On Configuration page in Procore.
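As an added example (not Procore's or Microsoft's code), the Python script below reads the downloaded SAML XML Metadata and returns the Issuer URL, the Target URL and the certificate data without the tags, so nothing is hand-copied; it also computes a SHA-1 thumbprint for each signing certificate to compare with the thumbprint Azure AD shows. The function names, the `x509_certificate` key and the sample metadata (placeholder tenant ID, dummy certificate bytes) are assumptions made for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
CERT_PATH = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"

# Constructed sample: placeholder tenant ID and dummy base64, not a real certificate.
SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>
     Y29uc3RydWN0ZWQg
     c2FtcGxl
   </X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""


def require_https(url, what):
    if not url or urlsplit(url).scheme != "https":
        raise ValueError(f"{what} is missing or not an https URL: {url!r}")
    return url


def procore_sso_fields(metadata_xml):
    """Pull the values for Procore's Single Sign On Configuration page from IdP metadata."""
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("refusing metadata that declares a DTD or entities")
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element: not IdP metadata")
    targets = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)]
    certs = []
    for node in idp.findall(CERT_PATH, NS):  # metadata may list several signing certs
        b64 = "".join((node.text or "").split())    # tag content only, whitespace removed
        der = base64.b64decode(b64, validate=True)  # rejects stray characters from a bad copy
        certs.append({"x509_certificate": b64,
                      "sha1_thumbprint": hashlib.sha1(der).hexdigest().upper()})
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {"Single Sign On Issuer URL": require_https(root.get("entityID"), "entityID"),
            "Single Sign On Target URL": require_https(targets[0] if targets else None, "SSO URL"),
            "certificates": certs}
```

Call `procore_sso_fields()` with the text of the downloaded metadata file; when more than one signing certificate is listed, paste the one whose thumbprint matches the active certificate in Azure AD.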
Frequently Asked Questions
What is my Azure AD domain URL?
To find your Azure AD domain URL, sign in to the Azure portal and navigate to Azure Active Directory > Custom domain names. Your custom domain names will be listed under the "Name" column.
What URL is required for Azure AD join?
For Azure AD join, you'll need to use the login.microsoftonline.com URL. This is the primary authentication URL for Azure Active Directory.
What is the URL for Azure AD admin?
The URL for Azure AD admin is https://aad.portal.azure.com/. This takes you directly to the Azure Active Directory Admin Center.
How do I go to Azure Active Directory?
To access Azure Active Directory, sign in to Office 365 and navigate to the Azure AD section in the Admin Center. From there, you can manage your Azure AD settings and applications.