Azure Active Directory Account Creation

About Azure Active Directory Account Creation

Microsoft Azure can be configured to authenticate users logging in to Campus Cafe.

Additionally, Campus Café can be configured to create accounts (usernames and passwords) for prospects/applicants and students and assign them to the proper group in Azure Active Directory.

Considerations before activating Azure Active Directory Integration

After configuring Azure/Campus Café for Single Sign On and confirming your SSO connection with Campus Café is working, you need to consider the following Campus Café configurations.

Users must have a username in Campus Café that matches their user principal name (UPN) in Azure, including the domain name, for SSO to work.

  1. Example: xxx@school.edu

  2. For new Campus Café users, use the following Custom Controls to have the domain included in the username when the user record is created in Campus Café:

    • SYUSSTMAIL:1:1 (the domain name; for example, yourschool.edu)

    • SYUSSTMAIL:1:4 (set to Y to append the domain name to the username; for example, jose.smith@yourschool.edu instead of jose.smith)

  3. Existing users will need the domain added to their Campus Café username. Communicate this change to users beforehand: once it is made, they will no longer be able to log into Campus Café using their old usernames.

User accounts created in Azure by Campus Café will need to have a Campus Café password that meets your Azure password complexity rules.

  1. For new Campus Café users, use the following Custom Controls to control Campus Café password creation when the user record is created:

    • SYUSPASS:1:1

    • SYUSPASS:1:5

  2. The Campus Café password is used as a temporary password in Azure. You will need to set up a process to notify users of their password as they will be required to use this password on their initial login to Azure.

  3. Existing users in Azure will not need their password in Campus Café changed. These users will already have their Azure credentials.

  4. Existing users in Campus Café that do not have an Azure account will need to have their password changed to meet Azure complexity rules. This change will need to be communicated to users beforehand, as once it is made users will not be able to log into Campus Café using their old password. This does not apply if you have Campus Café configured to use LDAP authentication – users will still have access to Campus Café through existing LDAP credentials if you change the Campus Café password on the user record.
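Because the Campus Café password becomes the temporary Azure password, it is worth checking generated or existing passwords against the Azure rules before provisioning rather than learning of failures from the integration error emails. The following is an added example, not Campus Café's own code; it assumes the Microsoft Entra ID default cloud password policy (8 to 256 characters, at least three of the four classes lower, upper, digit, symbol) and should be adjusted if your tenant enforces a different policy.

```python
# Pre-check of Campus Café-generated passwords against the Microsoft Entra ID
# default cloud password policy. Added illustration, not Campus Café's code.
# Policy assumed here: 8-256 characters and at least three of the four classes
# lower, upper, digit, symbol; adjust if your tenant uses a custom policy.
MIN_LEN, MAX_LEN = 8, 256
CLASSES = {
    "lower": str.islower,
    "upper": str.isupper,
    "digit": str.isdigit,
    "symbol": lambda c: not c.isalnum(),
}

def check_azure_password(pw):
    """Return (ok, reasons); reasons lists every failed rule so SYUSPASS can be
    tuned in one pass instead of rediscovering failures from Azure error emails."""
    reasons = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        reasons.append(f"length {len(pw)} outside {MIN_LEN}-{MAX_LEN}")
    present = [name for name, pred in CLASSES.items() if any(pred(c) for c in pw)]
    if len(present) < 3:
        reasons.append(f"only {len(present)} of 4 character classes: {present}")
    return not reasons, reasons

def audit_before_provisioning(users):
    """users: (username, password) pairs as Campus Café would hold them before
    creating the Azure account; returns the usernames Azure would reject."""
    return [u for u, pw in users if not check_azure_password(pw)[0]]

SAMPLE_USERS = [  # constructed records, not real accounts
    ("jose.smith@yourschool.edu", "Wint3r!Ride"),  # upper, lower, digit, symbol
    ("ana.lopez@yourschool.edu", "password1"),     # only lower + digit
    ("li.wang@yourschool.edu", "Ab1!"),            # all four classes but too short
]
```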

Force User to Log in Using SSO

Users will be able to bypass SSO and log in directly to Campus Café unless the system is configured to remove the local password. To force SSO login, set custom control SYUSPASS, Sequence 1, Parameter 6 to Y.

Campus Café ID number in Azure

  1. New Azure accounts created by the Campus Café/Azure integration have the Campus Café ID number in the Azure Employee ID field.

  2. Existing Azure accounts will need the Campus Café ID number populated into the Azure Employee ID field before Campus Café can update them.

  3. Configure Campus Café to use a case insensitive username match. This is especially important if you have accounts already in Azure as the case in Azure may not match the case in Campus Café.

    • Custom Control WEBUSRNAME:1:3

Configuring Azure Active Directory Integration – for creating prospects and student users in Azure Active Directory

Campus Café can be configured to create users in Azure. Accounts in Azure will only be created for the Campus Café prospect/applicant and student groups (see below for details). The integration will also change a user's group in Azure as they switch from prospect to student. By default, upon account creation, Campus Café places the first name, last name, username and ID number into the following Azure fields: First name, Last name, User principal name (which also becomes the Azure email address) and Employee ID.


There is an option to use another field for the Campus Café ID number if Azure Employee ID is used elsewhere (see the settings below).

Azure Configurations

The following Azure configuration steps were configured in our test environment for purposes of developing this integration. Please consult Azure documentation to determine how best to configure Azure for your needs.

  1. Register an App in Azure for Campus Café Azure Integration

    1. Azure Active Directory>App registrations>New registrations

    2. Update the following Web App Configurations using values from the new registration

      • AZURE_AD_CLIENT_ID : Application(client) ID

      • AZURE_AD_TENANT_ID : Directory(tenant) ID

  2. Grant this new App the following Microsoft Graph API Application permissions (NOT delegated permissions):

    1. API permission>Add a permission>Microsoft Graph

      • Read and write directory data (Directory.ReadWrite.All)

      • Read and write all users' full profiles (User.ReadWrite.All)

    2. Grant admin consent for permissions

  3. Create new client secret

    1. Certificates & secrets>New client secret>Add

    2. Update the following Web App Configuration using the value from the new registration secret value

      • AZURE_AD_CLIENT_SECRET : Client secret from App registration


The client secret value is only visible at the moment of creation. Once you navigate away from the page, the full value can never be retrieved from Azure Active Directory again, and you will have to create a new secret.

  4. Create Azure groups for Prospects and Students

    1. Create a group in Azure for your prospects

    2. Update the Web App Configuration AZURE_AD_GROUP_OBJECT_ID_PROSPECT with the Azure object id of your prospect group, followed by 2 pipes ||, followed by the Campus Café permission group for prospects

      • Ex: 6fadd35c-e27b-4634-a60e-56ac820fb202||APPLICANT

    3. Create a group in Azure for your students

    4. Update the Web App Configuration AZURE_AD_GROUP_OBJECT_ID_STUDENT with the Azure object id of your student group, followed by 2 pipes ||, followed by the Campus Café permission group for students

      • Ex: e0f1ca97-691d-4d95-9139-fac7e22964c8||WEBDEFAULT

    5. If you do not have separate groups in Azure for students and prospects then assign them the same Azure group id

    6. Only Campus Café users assigned to either of these permission groups in Campus Café will be integrated with Azure

  5. Integration errors

    1. Any errors generated during Campus Café / Azure integration will generate an email.

    2. Update the Web App Configuration AZURE_AD_EMAIL with a comma separated list of email addresses to receive these emails

  6. Campus Café alternate provision fields in Web App Configurations (Admin Menu -> Web App)

    1. By default, Employee ID is the Azure field used to receive the Campus Café ID number upon provisioning. If an institution requires that Employee ID be reserved for another use, AZURE_AD_ID_NUMBER_FIELD can be set to customSecurityAttributes so that the ID number is written to a custom security attribute in Azure instead.

    2. When customSecurityAttributes is used, the fields AZURE_AD_ATTRIBUTE and AZURE_AD_ATTRIBUTE_KEY are used. The default setting for AZURE_AD_ATTRIBUTE is CampusCafeData, and the default setting for AZURE_AD_ATTRIBUTE_KEY is IdNumber. Together these values name the custom security attribute that is set on the account being provisioned.
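To make the group mapping and the Employee ID versus custom security attribute choice concrete, here is an added example (not Campus Café's own code) that builds the Microsoft Graph request bodies a provisioning job of this kind would send: the `guid||PERMGROUP` settings decide which Azure group a user lands in, and AZURE_AD_ID_NUMBER_FIELD decides whether the ID number goes into employeeId on the create call or into a CampusCafeData/IdNumber custom security attribute via a follow-up PATCH. The config dictionary keys, the sample user and the ID number are constructed for the example; the Graph property names and the custom security attribute body shape are the real ones.

```python
# Graph request bodies a Campus Café-style provisioning job would send
# (POST /users, then PATCH /users/{id} for a custom security attribute). Added
# illustration, not Campus Café's code; config keys mirror this page's Web App
# Configuration names, property names are Microsoft Graph's real ones.
GRAPH_CSA_TYPE = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"

def parse_group_setting(value):
    """'<Azure group object id>||<Campus Café permission group>' -> tuple."""
    object_id, sep, perm_group = value.partition("||")
    if sep != "||" or not object_id or not perm_group:
        raise ValueError(f"bad group setting: {value!r}")
    return object_id, perm_group.strip().upper()

def azure_group_for(perm_group, config):
    """Azure group for the user's permission group; None = do not provision."""
    for key in ("AZURE_AD_GROUP_OBJECT_ID_PROSPECT", "AZURE_AD_GROUP_OBJECT_ID_STUDENT"):
        object_id, group = parse_group_setting(config[key])
        if group == perm_group.upper():
            return object_id
    return None

def build_provisioning_bodies(user, config):
    """Return (user_body, attribute_patch); patch is None when employeeId is used."""
    username = user["username"]                # SYUSSTMAIL:1:4 appends the domain
    upn = username if "@" in username else f"{username}@{config['SYUSSTMAIL_1_1']}"
    user_body = {
        "accountEnabled": True,
        "givenName": user["first_name"],
        "surname": user["last_name"],
        "displayName": f"{user['first_name']} {user['last_name']}",
        "userPrincipalName": upn,
        "mailNickname": upn.split("@", 1)[0],
        "passwordProfile": {"password": user["password"],
                            "forceChangePasswordNextSignIn": True},  # temporary
    }
    if config.get("AZURE_AD_ID_NUMBER_FIELD") != "customSecurityAttributes":
        user_body["employeeId"] = user["id_number"]
        return user_body, None
    attr_set = config.get("AZURE_AD_ATTRIBUTE", "CampusCafeData")
    attr_key = config.get("AZURE_AD_ATTRIBUTE_KEY", "IdNumber")
    return user_body, {"customSecurityAttributes": {
        attr_set: {"@odata.type": GRAPH_CSA_TYPE, attr_key: user["id_number"]}}}

SAMPLE_CONFIG = {  # constructed values, not a real tenant
    "SYUSSTMAIL_1_1": "yourschool.edu",
    "AZURE_AD_GROUP_OBJECT_ID_PROSPECT": "6fadd35c-e27b-4634-a60e-56ac820fb202||APPLICANT",
    "AZURE_AD_GROUP_OBJECT_ID_STUDENT": "e0f1ca97-691d-4d95-9139-fac7e22964c8||WEBDEFAULT",
    "AZURE_AD_ID_NUMBER_FIELD": "customSecurityAttributes",
}
SAMPLE_USER = {"username": "jose.smith", "first_name": "Jose", "last_name": "Smith",
               "id_number": "100245", "password": "Wint3r!Ride", "perm_group": "WEBDEFAULT"}
```

A user whose permission group matches neither setting gets None from azure_group_for and should be skipped, which is the page's rule that only APPLICANT and WEBDEFAULT users are integrated.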

Provisioning ID Numbers to customSecurityAttributes and EmployeeID

If your Azure data requirements change at some point and you need to use EmployeeID for a purpose other than SSO account provisioning from Campus Café, but do not need to reverse-apply the data, note that the Azure SSO integration searches both EmployeeID and the customSecurityAttributes values named by AZURE_AD_ATTRIBUTE and AZURE_AD_ATTRIBUTE_KEY. Once the values in AZURE_AD_ATTRIBUTE and AZURE_AD_ATTRIBUTE_KEY are defined in Campus Café, however, they should not change: accounts provisioned with the old value would be orphaned and would require their Azure custom security attribute value and key to be changed.

Microsoft Entra Configuration (Only for customers using Azure customSecurityAttributes instead of the Azure Employee ID field)

  1. Under Microsoft Entra Admin, you must add the new security attribute to the catalogue

    1. Add or deactivate custom security attribute definitions in Microsoft Entra ID - Microsoft Entra

    2. In the above link, see section “Add an attribute set” and “Add a custom security attribute definition”

    3. The attribute set must be named CampusCafeData; otherwise, update AZURE_AD_ATTRIBUTE to match the name used

    4. Under the set, the new attribute must be named IdNumber and have type String; otherwise, update AZURE_AD_ATTRIBUTE_KEY to match the name used

  2. The following Microsoft Graph API Application permissions (NOT delegated permissions) must also be added to the App, and admin consent given:

    1. CustomSecAttributeAssignment.ReadWrite.All

    2. Application.Read.All

Configure automated email to notify student of their username and password upon successful provisioning

  1. Custom Control WEBCRDEML (Admin Menu -> Custom Control)

    1. WEBCRDEML Sequence 1, Parameter 1 controls whether or not the system sends an automated, mergeable email to the student to notify them of their username, password (created in SYUSPASS 1:7-9) and the login URL for the SSO login. Setting WEBCRDEML 1:1 to Y, in conjunction with the Web App value SSO_PROVISIONING_EMAIL_ADDRESS (see below), allows the email to go out.

    2. WEBCRDEML 1:2 defines a support email contact that can be merged into the body of the notification email for login questions.

  2. Web App SSO_PROVISIONING_EMAIL_ADDRESS (Admin Menu -> Web App)

    1. SSO_PROVISIONING_EMAIL_ADDRESS is the email address from which the automated email is sent. This value must be set for the email to send; without it the email will not send, even if WEBCRDEML 1:1 = Y.

  3. Adjustable Text SSO_PROVISIONING_EMAIL_BODY (Admin Menu -> Adjustable Text)

    1. SSO_PROVISIONING_EMAIL_BODY is an HTML-ready value that defines the body of the email that can be sent out. The following merge fields can be used in the body:

      1. [[LOGIN_URL]] - this is hard-coded as https://***-web.scansoftware.com/cafeweb/loginsso (where *** is the 3-character code for your institution's Campus Cafe url)

      2. [[USERNAME]] - this is taken from the database value for the user

      3. [[PASSWORD]] - this is defined by SYUSPASS 1:8 and 1:9

      4. [[CONTACT_EMAIL]] - this is defined by Custom Control WEBCRDEML 1:2
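Because SSO_PROVISIONING_EMAIL_BODY is delivered as HTML, the merged values should be escaped so that a username or contact address containing markup characters cannot alter the message. The following is an added example of such a merge, not Campus Café's own implementation: the four merge fields and the LOGIN_URL pattern are taken from this page, the HTML escaping and the check that the institution code is exactly three alphanumeric characters are assumptions, and the template is a constructed sample.

```python
import html
import re

MERGE_FIELD = re.compile(r"\[\[([A-Z_]+)\]\]")

def login_url(institution_code):
    """LOGIN_URL as this page describes it: the 3-character institution code
    spliced into the fixed scansoftware.com SSO path. The alphanumeric check is
    an assumption added here, not a documented Campus Café rule."""
    if not re.fullmatch(r"[A-Za-z0-9]{3}", institution_code):
        raise ValueError("institution code must be exactly 3 alphanumeric characters")
    return f"https://{institution_code}-web.scansoftware.com/cafeweb/loginsso"

def render_provisioning_email(body_template, institution_code, username, password, contact_email):
    """Merge the four fields into an SSO_PROVISIONING_EMAIL_BODY template.
    Values are HTML-escaped because the body is sent as HTML (assumed hardening,
    not a statement about Campus Café's own behaviour); an unrecognised merge
    field is left in place rather than silently dropped, so it shows up in review."""
    values = {
        "LOGIN_URL": login_url(institution_code),
        "USERNAME": username,
        "PASSWORD": password,
        "CONTACT_EMAIL": contact_email,
    }
    def substitute(match):
        name = match.group(1)
        return html.escape(values[name], quote=True) if name in values else match.group(0)
    return MERGE_FIELD.sub(substitute, body_template)

SAMPLE_BODY = (  # constructed template, not a shipped default
    "<p>Your username is <b>[[USERNAME]]</b> and your temporary password is "
    "<b>[[PASSWORD]]</b>.</p><p>Sign in at <a href=\"[[LOGIN_URL]]\">[[LOGIN_URL]]</a>. "
    "Questions: [[CONTACT_EMAIL]] [[UNKNOWN]]</p>"
)
```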