Configure Azure AD

This page describes how to configure and enable Azure AD in your Secure File Sharing organization.

Prerequisites

  • Complete the steps in Prepare the Azure AD configuration.

  • The values for Application (client) ID, Directory (tenant) ID, and the generated secret value have been noted.

  • You are signed in as an Organization Administrator.

Configure and enable Azure AD

  1. Select the Identity tab to open the OpenID Connect dialog.

  2. Select Edit.

  3. Select Custom from the Provider list.

    Note

    You may need to contact the person responsible for your Azure Active Directory for information.

  4. Under Server URL, enter https://login.microsoftonline.com/<TenantID>. Replace the placeholder <TenantID> with the value Directory (tenant) ID from the app registration that you created. Example: https://login.microsoftonline.com/ee5d7802-xxxx-yyyy-94eb-2943c8a423de

  5. Enter the value Application (client) ID from the app registration in the Client ID field.

  6. Enter the secret value that has been generated as part of the app registration in the Client Secret field. Example: 30409ede-xxxx-yyyy-9cb3-f7ba1ed6f64c

  7. Enter https://login.microsoftonline.com/<TenantID>/oauth2/authorize in the Authentication URL. Replace the placeholder <TenantID> with the value Directory (tenant) ID from the app registration you created. Example: https://login.microsoftonline.com/ee5d7802-xxxx-yyyy-94eb-2943c8a423de/oauth2/authorize

  8. Enter https://login.microsoftonline.com/<TenantID>/oauth2/token in the Token URL field. Replace the placeholder <TenantID> with the value Directory (tenant) ID from the app registration you created. Example: https://login.microsoftonline.com/ee5d7802-xxxx-yyyy-94eb-2943c8a423de/oauth2/token

  9. Under Activated domains or users, enter the email addresses or the domain suffixes of the users that should use Azure AD for sign-in.

    Note

    If you define more than one domain or user, separate the entries with a comma.

  10. Leave the Groups field empty.

  11. Enter openid,profile,email in the Scopes field.

  12. Leave the ACR field empty.

  13. Select the Prefill email address on sign-in screen of identity provider option. The email address of the user is filled in automatically in the sign-in page of the provider of the original user account.

  14. In the Request parameter supported list, leave the default value AUTO.

  15. In the Content encryption field, leave the default value A128CBC-HS256.

  16. Under CLAIMS MAPPING, map the name of the claim that contains the email addresses of user accounts to the email claim if necessary.

    Note

    By default, Secure File Sharing assumes the email address to be contained in the email claim. If this is the case, no action is needed. Depending on your Azure AD configuration, email addresses can also be contained in another claim (for example, in unique_name). Should this be the case, this other claim needs to be mapped to the email claim. Secure File Sharing requires the email claim. If it is missing, sign-in fails with the error Email address is missing.

  17. Select Save.

  18. Check that the function is activated. To activate it, move the toggle switch from Deactivated to Activated. The sign-in URL is displayed to the right of the OpenID Connect dialog.

  19. Copy the sign-in URL to a text editor.

    Note

    You need the sign-in URL to complete the Azure AD configuration as well as for provisioning users to the organization.
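As an added illustration (not Secure File Sharing's own code), the following shows the two decisions the configuration above relies on: which sign-in addresses the Activated domains or users list (step 9) routes to Azure AD, and how the claims mapping (step 16) yields the required email claim or fails with the error the note describes. The matching rules and the shape of the decoded ID token claims are assumptions for illustration, not the product's documented behaviour.

```python
"""Added example: 'Activated domains or users' routing and email claims mapping.
Matching rules and the claim set are assumptions; this is not Secure File
Sharing's own code."""
from __future__ import annotations


class EmailClaimMissing(Exception):
    """Raised when no claim can be mapped to the required email claim."""


def parse_activated_entries(value: str) -> list[str]:
    """Split the comma-separated 'Activated domains or users' field (step 9)."""
    return [e.strip().lower() for e in value.split(",") if e.strip()]


def uses_azure_ad(email: str, activated: str) -> bool:
    """Return True if the sign-in address matches an entry: either the full
    email address, or a domain suffix (assumed to match the part after '@',
    including subdomains)."""
    email = email.strip().lower()
    domain = email.rsplit("@", 1)[-1]
    for entry in parse_activated_entries(activated):
        if "@" in entry:
            if entry == email:
                return True
        elif domain == entry or domain.endswith("." + entry):
            return True
    return False


def resolve_email(claims: dict, claims_mapping: dict[str, str] | None = None) -> str:
    """Apply CLAIMS MAPPING (step 16): target claim -> source claim, for
    example {"email": "unique_name"}. Without a mapping the 'email' claim is used."""
    source = (claims_mapping or {}).get("email", "email")
    value = claims.get(source)
    if not value:
        # Same condition the note describes: sign-in fails without an email claim.
        raise EmailClaimMissing("Email address is missing")
    return value


if __name__ == "__main__":
    # Constructed sample ID token claims (not a real token).
    token_claims = {"unique_name": "alice@example.com", "name": "Alice"}
    print(uses_azure_ad("alice@example.com", "example.com, bob@other.org"))
    print(resolve_email(token_claims, {"email": "unique_name"}))
```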