Microsoft Endra ID (f.d Azure AD)
      Back to home
      1. Helpdesk
      2. Users & Profiles
      3. Microsoft Endra ID (f.d Azure AD)

      Integrate AM System with Microsoft Entra ID (formerly Azure AD)

      The integration of Microsoft Entra ID (formerly Azure AD) enables centralized management of user credentials and passwords, while simplifying the creation and maintenance of users in the AM System.

      Please note that this feature is an optional add-on included in certain pricing plans but can also be purchased separately. The cost is 350 SEK/month and will be added to your upcoming invoice. If you have questions about your pricing plan, please contact sales@amsystem.com.

      To order the integration with Microsoft Entra ID,
      please fill out the following order form!

      Once we have received your order, we will contact the purchaser to schedule an initial meeting, which is an important step before the integration can be activated. You can read more about what will be covered during this meeting further down in this article.

      Introduction

      The integration with Microsoft Entra ID, developed by AM System, offers two functions:

      1. Authentication to ensure users are authorized to log in – Single Sign-On (SSO).
      2. User data synchronization.

      The reason the integration is not solely used for user authentication is that AM System requires information about which users are active in the system. This is necessary to allow administrators to configure who can view and perform specific tasks in the AM System.

      The information that must be synchronized from Microsoft Entra ID and stored in AM System includes “givenName,” “surname,” “User Principal Name,” and “Object-ID.” These details cannot be changed in AM System since synchronization is unidirectional and only occurs from Microsoft Entra ID to AM System. Additionally, it is possible to synchronize “mobile” and “mail” attributes for customers whose email addresses are not included in UPN.

      Important Notes❗

      • AM System requires that users in Microsoft Entra ID have data in both the “givenName” and “surname” fields. Otherwise, users will not be synchronized!
      • User passwords are NOT synchronized with AM System, meaning AM System cannot see or change these passwords!

      Matching Existing Users

      After activating the Microsoft Entra ID integration, the system will attempt to match existing local users in AM System with users from Microsoft Entra ID. This matching is typically done using the user’s User Principal Name in Microsoft Entra ID and the Email field in AM System. The purpose is to retain the user’s history and configuration in AM System, such as profile assignments, etc.

      Once a match is made, the local user in AM System will be converted and can no longer log in traditionally. From then on, authentication must occur through Microsoft Entra ID. It is not possible to convert a Microsoft Entra ID user back into a local user.

      Note: The system will only attempt to match a user once. If no match is found, a new user will instead be created in AM System. User data will then be synchronized using the Object-ID.

      Risk of Duplicates

      If a user is not matched with an existing user, it may be due to:

      • Different email addresses in the Email field in AM System versus the User Principal Name in Microsoft Entra ID.
      • Missing email address in the Email field in AM System.
      • Duplicate email addresses (i.e., the same email address exists for multiple users, which prevents the system from determining which user to match).

      If the intention was to match the user, this will result in duplicate users in the system since both the existing local user and the new user will exist in AM System.

      If duplicates occur in your system, unfortunately, there is no way for you to merge these users. Therefore, it is important to review your users’ email addresses before activation. Should duplicates arise, you must contact our support team with a list of users to be merged.

      Tip: To ensure all your existing users have a valid and unique email address, you can export all AM System users. Using the export, you can confirm that all users have the correct email address and that the address is unique. You can also share the export with IT to ensure the users’ email addresses match their User Principal Name in Microsoft Entra ID.

      New Users

      Users who are not matched with an existing user will be created in AM System and assigned the default profile you specified when ordering the Microsoft Entra ID integration, as well as the standard workspace. This profile can later be changed to another profile in AM System by an authorized user.

      Deleting Users

      It is not possible to delete a user in AM System who is linked to Microsoft Entra ID. To delete such a user, the user must be deleted, deactivated, or removed from the group in Microsoft Entra ID that defines access to AM System.

      This also applies to users initially created as local users and later converted to Microsoft Entra ID users. In other words, you do not need to keep track of whether the user was first created as a local user and then converted, or if the user was created directly through Microsoft Entra ID.

      Note: If a user is deleted and reinstated in Microsoft Entra ID within 60 days with the same Object-ID, the user will regain their history in AM System, including the profile and workspace they previously had. If a user is reinstated after 60 days, a completely new user will be created instead, and the user will not regain their history. The user will instead be assigned the default profile and standard workspace you specified during activation.

      As soon as a user is deleted in AM System, any licenses associated with that user are freed up.

      Limitations

      • Users linked to our service AM Account (account.amsystem.com) cannot be matched or linked to Microsoft Entra ID. This service is most commonly used by contract owners. If you intend for these users to also be managed via Microsoft Entra ID, they must first unlink their accounts.
      • Users linked to Microsoft Entra ID do not adhere to the Authentication function in AM System. This means that these users, unlike local users, can, for example, acknowledge documents or publish documents without re-authenticating, even if the function is active.

      Licenses

      Before activation, ensure that you have enough licenses available with a good margin. Just like with local users, licenses are managed separately and the number of licenses is not automatically adjusted when users are added or removed. Adjusting the number of licenses is handled by an administrator in your system under Administrator » Agreement 

      Ordering

      To order the Microsoft Entra ID integration, fill out the form via the link below. We will then contact your designated contact person to schedule an initial meeting before the integration can be activated.

      If you wish to activate this feature in your account, order here.

      Activation

      Information Meeting

      Once we have received your order via the form above, we will contact you to schedule an initial meeting lasting approximately 45 minutes. It is important that at least one responsible administrator for your site participates in this meeting. If you wish, you may also include a suitable IT manager in the meeting, but this is not necessary on our part. During this meeting, we will discuss the following points:

      • Matching existing users and the importance of reviewing users’ email addresses.
      • Microsoft Entra ID users vs. local users (suppliers, guests, etc.).
      • Users to be matched should not be logged in during the matching process.
      • Creating a group to limit users (if you are using MS on-premises, create the group locally before activation).
      • New users (not matched with existing users).
        • Default profile.
        • Default workspace.
        • Complete user information (requires both first and last names).
      • Contract owners with linked AM Account accounts 
      • New login dialogue and login process (for most users, a new password is required).
      • The importance of having enough licenses and how they are managed.
      • Do you use more than one domain/address to access your site?
      • Are you using the Authentication function?
      • Documentation for IT – Configuring the enterprise application, SCIM, and OAuth.
      • Other questions.

      Finally, we will plan the next meeting for configuration and activation and determine who should participate. During this meeting, it is important that at least one suitable IT manager with the authority to configure a new enterprise application participates.

      Activation Meeting

      During the activation meeting (approximately 45 minutes), we will work with you to create an enterprise application and activate the integration. You will receive the Token needed for the integration to work, and you will provide us with the following information:

      Application (client) ID

      Directory (tenant) ID

      Together, we will ensure the integration functions properly.

      Related:

      Last updated:15 November, 2024