Identity Connector Configuration Guide: Azure Active Directory
This document guides an Azure Active Directory administrator through the steps necessary to initially link Azure Active Directory to Brivo Onair for the purpose of provisioning users. For information and support using Azure Active Directory beyond initial Onair provisioning integration, please contact Microsoft.
I. Introduction
   Provisioning Features
   Supported User Fields
   Supported Group Fields
   Restrictions
II. Configuration
   Before You Begin
   Integrating with an existing Brivo Onair Account
   Creating your secret token
   Creating your Azure Enterprise application
   Configuring Azure with Brivo Onair
© 2021 Brivo Systems LLC. All rights reserved. P-MAN-PUB-Identity Connector Configuration Guide: Azure Provisioning2
Identity Connector Configuration Guide: Azure Provisioning
Introduction
The following provisioning features are supported in this integration:
Push New Users: New users created through Azure will also be created in Brivo Onair.
Push Profile Updates: Updates made to the user’s profile through Azure will be pushed to Brivo Onair.
Push User Deactivation: Deactivating the user or disabling the user’s access to the application through Azure will deactivate the user in Brivo Onair.
Reactivate Users: User accounts can be reactivated in the application.
Push Groups: Groups and their members can be pushed to Brivo Onair from Azure.
Supported User Fields
IsSoftDeleted
displayName
userPrincipalName
preferredLanguage
givenName
surname
facsimileTelephoneNumber
mobile
telephoneNumber
department
jobTitle
manager
Supported Group Fields
displayName
members
Restrictions
MASTER_ADMIN cannot be created, updated, or deleted by Azure.
The MASTER_ADMIN account must be created in Onair prior to Azure integration.
Sync Password is not supported. Onair administrator passwords are maintained in Onair; they are not copied from Azure.
A group cannot have another group as a member.
Configuration
Before You Begin
Before you begin, ensure you have the following required elements:
An active Azure Active Directory account
An active Brivo Onair account with an Identity Connector subscription
An active Brivo Onair senior administrator account (master administrator if administrators will be managed from Azure)
Integrating to an existing Onair Account
To prevent Azure from creating duplicate Brivo Onair users in accounts with existing users and groups, perform the following steps before configuring the integration:
Purchase one hour of Brivo Professional Services
Load the user’s Azure Object ID into the IC_AD_ExternalID field of the user spreadsheet provided by Professional Services
Brivo Professional Services will upload this list to Onair
Any Azure users with “block sign in” set to “yes” will have their Onair accounts set to suspended. Their credentials will not unlock doors.
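A pre-flight check for the Restrictions section and the existing-account steps above, written as an added example (it is not Brivo or Microsoft code). The user, group and spreadsheet shapes are constructed for illustration; only the IC_AD_ExternalID column name comes from this guide.

```python
import csv
import io

# Constructed sample data. These dict and CSV shapes are assumptions made for
# this example, not an Azure or Brivo export format.
AZURE_USERS = [
    {"id": "11111111-aaaa-4000-8000-000000000001",
     "userPrincipalName": "ana@example.com", "accountEnabled": True},
    {"id": "11111111-aaaa-4000-8000-000000000002",
     "userPrincipalName": "raj@example.com", "accountEnabled": False},
    {"id": "11111111-aaaa-4000-8000-000000000003",
     "userPrincipalName": "li@example.com", "accountEnabled": True},
]
AZURE_GROUPS = [
    {"displayName": "HQ-Staff", "members": [
        {"id": "11111111-aaaa-4000-8000-000000000001", "type": "user"},
        {"id": "22222222-bbbb-4000-8000-000000000009", "type": "group"}]},
    {"displayName": "Contractors", "members": [
        {"id": "11111111-aaaa-4000-8000-000000000002", "type": "user"}]},
]
ONAIR_SHEET = """LastName,FirstName,IC_AD_ExternalID
Silva,Ana,11111111-aaaa-4000-8000-000000000001
Patel,Raj, 11111111-aaaa-4000-8000-000000000002
Chen,Li,
"""

def preflight(users, groups, sheet_csv):
    """Return the objects that the guide's restrictions say need attention."""
    # Azure Object IDs already entered in the Onair user spreadsheet.
    linked = {row["IC_AD_ExternalID"].strip()
              for row in csv.DictReader(io.StringIO(sheet_csv))
              if (row.get("IC_AD_ExternalID") or "").strip()}
    return {
        # Restriction: a group cannot have another group as a member.
        "nested_groups": sorted(g["displayName"] for g in groups
                                if any(m["type"] == "group" for m in g["members"])),
        # accountEnabled False stands for "block sign in" = yes in this sample:
        # the Onair account is suspended and its credentials stop unlocking doors.
        "will_be_suspended": sorted(u["userPrincipalName"] for u in users
                                    if not u["accountEnabled"]),
        # No Object ID in the sheet: an existing Onair user may be duplicated.
        "missing_external_id": sorted(u["userPrincipalName"] for u in users
                                      if u["id"] not in linked),
    }

if __name__ == "__main__":
    for finding, names in preflight(AZURE_USERS, AZURE_GROUPS, ONAIR_SHEET).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

Reviewing the three lists before turning synchronization on shows which door credentials will stop working and which users still need an Object ID in the spreadsheet.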
Creating your secret token
1. In Brivo Onair, create a Senior Administrator account that will be used by Azure to provision users. If Brivo Onair administrators will be provisioned from Azure Active Directory, configure this account with “Can Create, Edit, and Delete Admins” permissions.
2. Log in to Brivo Onair with the Senior Administrator credentials from Step #1.
3. In the Brivo Onair interface, click on Setup, then Account, then Account Settings. Click on the Azure AD tab (A) and the Azure AD details page displays.
4. In the Onair Password field (B), reenter the password from the Senior Administrator created in Step #1.
5. Click the Submit button (C). The Tenant URL and Secret Token fields will populate.
6. Click the Copy Token button (D).
7. The secret token will be used in the next section when configuring Azure with Brivo Onair.
Creating your Azure Enterprise application
1. Click on the Azure Active Directory link (A), then on the Enterprise Applications link (B), and finally click on the + New application link (C).
2. In the Add from the gallery text box, type Brivo (A). Brivo Onair Identity Connector will appear as an option. Click on the Brivo application (B). Finally, click on the Add button at the bottom right of the page (C).
Configuring Azure with Brivo Onair
1. In the Enterprise Applications tab, select the previously created application.
2. Select Provisioning (A) and set the mode to Automatic (B).
3. Use the URL https://scim.brivo.com/ActiveDirectory/v2/ (C) and enter the previously created secret token (D).
4. Click on the Test Connection button (E). If any errors occur, please contact Brivo Technical Support.
5. After a successful test of the connection, destroy any previously stored copies of the secret token to reduce cybersecurity risks. Should you ever need to reenter a secret token, you may create a new one in Brivo Onair.
6. When finished, click Save (F).
7. In the Provisioning section under Mappings, select User mappings (A).
8. Confirm all attribute mappings exactly match the attributes shown below (A). If they do not match, edit the attributes to match. Press Save (B) when complete.
9. Under the Manage column, select Users and Groups (A) when adding user(s) or group(s) (B) to be automatically provisioned from Azure Active Directory to Brivo Onair.
10. Under Add Assignment, click on Users and Groups (A) to select a group. Under Users and Groups, select from the available groups (B) by clicking on the Select button (C). Once selected, click on the Assign button (D).
11. From Provisioning (A), turn on the synchronization (B) and click Save (C).
12. New users and groups typically appear in Brivo Onair within 15-30 minutes of configuration. New custom fields will be added to users as shown below upon successful first provisioning.
13. In the event that users or groups are not successfully provisioned into Brivo Onair, please consult the Azure Active Directory Audit Log.
14. Assign sites to Brivo Onair groups created by Identity Connector to provide provisioned users with physical access to door(s).
15. Assign credentials to Brivo Onair users created by Identity Connector.
Revision List
Date              Version  Description
May 21, 2019      1.0      Initial Draft
June 6, 2019      1.1      Added Obtaining Secret Token section
June 24, 2019     1.2      Updated Obtaining Secret Token instructions
July 11, 2019     1.3      Updated Brivo Professional Services information
October 3, 2019   1.4      Content changes and updates
May 11, 2020      1.5      Updated screenshot on Page 7
January 21, 2021  1.6      Removed SSO restriction notice on Page 2