If your organization uses Microsoft Azure AD to manage staff access to apps and services, you can use the Azure AD connector to manage staff access to OpenForms, too.
The Azure AD connector is a premium (paid) connector.
If your organization is already using Azure AD to manage an OpenCities site, the Azure AD connector is included in your account plan.
If not, go to Integrations > Connectors > Azure AD and select Upgrade to access to discuss adding this connector to your OpenForms plan.
Benefits of the connector
Use the Azure AD connector to:
- Speed up onboarding by automatically assigning OpenForms roles to any staff members added to particular Azure AD user groups. They can log in immediately with their Microsoft SSO credentials for your organization.
- Take advantage of Microsoft's login processes, including two-factor authentication and login auditing.
- As staff move between positions in your organization, simply move them between Azure AD user groups to give them all the permissions they need for their job (and none that they don’t). When they leave, deactivating their Azure AD profile automatically deactivates their OpenForms account.
- Optional: Further streamline onboarding and role changes by assigning Azure AD user groups to workspaces.
Before you begin
Before you install the Azure AD connector, it’s important to discuss an implementation plan with your IT team.
You’ll need your Azure AD administrator’s help to establish a connection to Azure AD, and they’ll need your input to tailor the connection to your organization’s needs.
- Learn how the Azure AD connector works. We've created an article that explains the key terms, concepts and choices involved in setting up the connector in plain language. This will help you work effectively with your Azure AD administrator.
- Direct your Azure AD administrator to our Azure AD setup guide. This article provides a walkthrough of the connection process for Azure AD administrators.
- Discuss the choices outlined in how the Azure AD connector works with your Azure AD administrator.
When you're ready to install the connector:
- Make sure your Azure AD administrator is available, and has our Azure AD setup guide open.
- Go to Integrations > Connectors > Azure AD, and select Connect.
This will open the connection wizard.
- When you're directed to, pass on the tenant URL and secret token to your Azure AD administrator.
- Your Azure AD administrator will complete the connection process.
- When your Azure AD administrator has completed the process, select Proceed to role assignment.
This will take you to the Azure AD configuration screen.
Here you can assign OpenForms roles to Azure AD user groups.
Once the Azure AD connector is installed, you can return to the Azure AD configuration screen at any time by going to Integrations > Connectors > Azure AD > Edit Azure AD configuration.
For a full guide to assigning OpenForms roles to provisioned Azure AD user groups, see assign OpenForms roles to Azure AD user groups.
Because the number of staff members in an Azure AD user group is managed outside of OpenForms, it is possible to exceed your organization's user quota as staff are added to Azure AD user groups that have already been assigned OpenForms roles.
If this happens, all of your organization's users will have their editing and publishing actions disabled until your organization is back within its user limit.
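A pre-check, added here as an example and not part of OpenForms or Microsoft documentation, for the two situations described above: staff accumulating roles as they move between role-assigned groups, and group membership growth pushing the organization past its user quota. It assumes OpenForms counts each distinct enabled user once against the quota and that membership in several role-assigned groups grants all of those roles; the group and member data are constructed sample values in the shape of Microsoft Graph member objects.

```python
# Added example (not OpenForms or Microsoft code): pre-check Azure AD group
# memberships before assigning OpenForms roles to groups. Assumptions not on
# the page: OpenForms counts each distinct enabled user once against the
# quota, and a user in several role-assigned groups holds all of those roles.
# Member records mimic Microsoft Graph /groups/{id}/members but are constructed.
from collections import defaultdict

# Constructed sample: Azure AD group -> OpenForms role already assigned to it.
ROLE_ASSIGNMENTS = {"grp-editors": "Editor", "grp-publishers": "Publisher"}

# Constructed sample of group members (Graph-like, trimmed to two fields).
GROUP_MEMBERS = {
    "grp-editors": [
        {"userPrincipalName": "ana@example.org", "accountEnabled": True},
        {"userPrincipalName": "ben@example.org", "accountEnabled": True},
        {"userPrincipalName": "cal@example.org", "accountEnabled": False},
    ],
    "grp-publishers": [
        {"userPrincipalName": "ben@example.org", "accountEnabled": True},
        {"userPrincipalName": "dee@example.org", "accountEnabled": True},
    ],
    "grp-admins": [
        {"userPrincipalName": "eve@example.org", "accountEnabled": True},
        {"userPrincipalName": "fay@example.org", "accountEnabled": True},
    ],
}

def effective_roles(assignments, members):
    """Map each enabled user to the OpenForms roles their groups grant.
    Disabled accounts are skipped: a deactivated Azure AD profile means a
    deactivated OpenForms account, so it should not occupy a seat."""
    roles = defaultdict(set)
    for group, role in assignments.items():
        for m in members.get(group, []):
            if m.get("accountEnabled"):
                roles[m["userPrincipalName"]].add(role)
    return dict(roles)

def quota_check(assignments, members, quota, new_group=None, new_role=None):
    """Seats used, and whether the quota is exceeded, if new_group were also
    assigned new_role. Run before the assignment, not after."""
    merged = dict(assignments)
    if new_group is not None:
        merged[new_group] = new_role
    used = len(effective_roles(merged, members))
    return used, used > quota

def multi_role_users(assignments, members):
    """Users holding more than one role through group overlap."""
    return sorted(u for u, r in effective_roles(assignments, members).items() if len(r) > 1)
```

Running quota_check with the group you are about to assign tells you whether the assignment would breach the quota before everyone's editing and publishing is disabled.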
From time to time, your IT team may require you to regenerate the secret token used to establish a connection between OpenForms and Azure AD. This is typically done if your security policy stipulates a token lifespan, similar to a password update policy.
To do this:
- Go to Integrations > Connectors > Azure AD.
- Select Edit connection.
- Confirm that you understand that regenerating your secret token will pause provisioning until your Azure AD administrator enters the new token, then select Regenerate.
While provisioning is paused, OpenForms won't receive updates from Azure AD, but your existing staff can continue to use their logins and roles as before.
- Pass on your new secret token and, if necessary, your tenant URL, to your Azure AD administrator.
Your tenant URL isn't normally required as this does not change when you regenerate a token.
- Close the edit connection window.
Your Azure AD administrator will let you know when the new token has been entered and Azure AD has resumed sending user group data to OpenForms.
Disconnect from Azure AD
Disconnecting from Azure AD will permanently deactivate any OpenForms users currently managed through the Azure AD connector, and remove any roles and workspaces assigned to Azure AD user groups. This step cannot be undone.
To permanently disconnect the Azure AD connector:
- Discuss your plan with your IT team.
- Go to Integrations > Connectors > Azure AD.
- Select Disconnect from the Edit connection dropdown menu.
- Type DISCONNECT in the confirmation dialog, and select Disconnect.
Once disconnected, OpenForms will not receive further data from Azure AD unless you establish a new connection.
We recommend you let your Azure AD administrator know when you have completed disconnection so they can remove OpenForms from their application list.