05 February 2024

How to set up groups in Azure Active Directory

To set up groups, first register Edge as an application in Azure Active Directory and create a client secret key for it. The client secret must be sent securely to Tribal to set up the authentication. Then, you can set up the required groups.

Set up Edge as an application

Set up Edge as an application in Azure Active Directory and then create a client secret key in Azure Active Directory. Before setting up Azure Active Directory, you require the following:

  • An Azure Active Directory account with administrative permissions to manage applications, client secret keys, and users.

  • A copy of the Tribal document Edge Tenant and Core Branding Request.docx, which is available on Tribal Communities. On Tribal Communities, go to Community and then Knowledge base and then Tribal Edge platform knowledge base and then General Information and then Accessing Tribal Edge Tenants (Environments).

  • The tenant name for the institution. If you do not know the tenant name, contact Tribal support.

Set up Edge as an application in Azure Active Directory

Set up Edge as an application for authenticating with Azure Active Directory user accounts as follows:

  1. On the Azure portal, go to Azure Active Directory and then Application registrations, and then select New application registration.

    Define the name of the application, such as Edge, select the supported account types, such as Accounts in this organisational directory only, and then select Register to register the application, as shown in the image Register new application.

    Register new application
    On the register application page, define the name of the application, select the supported account types, then select register to register the application

  2. Define the redirect URLs. Select Authentication and define the redirect URLs that return the authentication response to Edge, as detailed in the table Redirect URIs.

    Note that you must replace tenantname with the institution's tenant name, such as caltech, and region with the geographical region of the institution, such as APAC.

    Redirect URIs

    Type | URL | Description
    Web | https://identity.tribaledge.com/region/tenantname/connect/callback | Always required.
    Web | https://identity.tribaledge.com/region/tenantname/signin-oidc-ThirdParty | Always required.
    Web | https://identity.tribaledge.com/region/tenantname/signin-oidc-ADFS | Required when using AD FS (Active Directory Federation Services).

  3. Configure the API permissions for Edge. Go to API permissions and then select Add permissions. Enter Windows Azure Active Directory in the field and then press Enter, or select the Windows Azure Active Directory option from the menu.

  4. Delegate the permissions. Go to Windows Azure Active Directory permission and then select Delegate permissions.

    Select the User.Read and User.ReadBasic.All options and then select Add permission, as shown in the image Delegate permissions.

    Delegate permissions
    Delegate permissions in Azure Active Directory

  5. Set up the Microsoft Graph API to use the external unique identifier. Go to Add permission and then Microsoft Graph and then select Delegate permissions.

    Select the User.Read and User.ReadBasic.All options and select Add permissions, as shown in the image Microsoft Graph permissions.

    Microsoft Graph user permissions
    To use the external unique identifier, select the User.Read and User.ReadBasic.All options and then select Add permissions

  6. On the Microsoft Graph API permissions, go to Add permission and then select Application permissions.

    Select the User.Read.All and then select Add permissions, as shown in the image Microsoft Graph application permissions.

    Microsoft Graph application permissions
    To delegate permissions, select User.Read.All and then Add permissions

  7. Grant consent for all users in Azure Active Directory. Go to the API permissions for the Tribal Edge application and then select Grant admin consent for Edge.

Create the client secret key in Azure Active Directory

Create the client secret key for the Edge application. Then, send the client secret key and required identifiers to Tribal using the Edge tenant and core branding request document to enable the creation of the secure connection between Azure Active Directory and Edge.

Create the client secret key as follows:

  1. Download the Edge tenant and core branding request document. On Tribal Communities, go to Community and then Knowledge base and then Tribal Edge platform knowledge base and then General Information and then Accessing Tribal Edge Tenants (Environments). Then, download the Edge Tenant and Core Branding Request.docx document.

  2. Copy the application and directory identifiers. On Azure Active Directory, go to Application registrations and then select the Edge application and copy the Application (client) ID and Directory (tenant) ID identifiers to the Edge tenant and core branding request document.

    The image Unique identifiers shows the Tenant ID (Directory ID) and Client ID (Application ID) that must be copied to the Edge tenant and core branding request document.

    Unique identifiers
    Unique identifiers for application and directory

  3. Create the client secret key. On Application registrations, go to Certificates & secrets and then select New client secret.

    Define the name of the client secret key, such as Edge client secret, and select the expiry duration of the key, such as 24 months.

    A new client secret key must be sent to Tribal before the expiry date to prevent service interruption.

  4. Send the Edge tenant and core branding request document to Tribal. Do not copy the client secret key to the Edge tenant and core branding request document; instead, add contact details to the document so that secure communication of the client secret key to Tribal can be arranged.

Set up groups

By default, Edge only has the EdgeAdministrator group. Therefore, you must create the EdgeAdministrator group in Azure Active Directory and create the user groups required by your institution. Then, log in to Edge using an account in the EdgeAdministrator group and add your user groups in Edge.

To set up groups in Azure Active Directory, you require the following:

  • An Azure Active Directory account with administrative permissions to manage users.

  • The names of the groups required by your institution. Note that group names must not have spaces.

Attention. For full details on adding app roles and assigning users to app roles in Azure Active Directory, go to Add app roles to your application and receive them in the token.

Set up groups as follows:

  1. On Azure Active Directory, go to App registrations and then select the application, such as Edge.

  2. Add an app role for the Edge administrator group. The values required for the group are described in the table App role for the EdgeAdministrator group.

    App role for the EdgeAdministrator group

    Field | Description
    Display name | Enter the display name for the app role, such as Edge administrators.
    Allow member types | Set to Users/Groups so that the app role can be assigned to users.
    Value | Enter EdgeAdministrator, without spaces.
    Description | Enter a description such as Edge administrator with full permissions in Edge.
    Do you want to enable this app role? | Select the checkbox to enable the role.

  3. Add an app role for each user group. The values required for the group are described in the table App roles for the user groups.

    App roles for the user groups

    Field | Description
    Display name | Enter the display name for the app role, such as Applications supervisors.
    Allow member types | Set to Users/Groups so that the app role can be assigned to users.
    Value | Enter the name of the group, such as ApplicationsSupervisors, without spaces.
    Description | Enter a description such as Application supervisors for all desks in Edge.
    Do you want to enable this app role? | Select the checkbox to enable the role.

  4. Assign users to the group in Azure Active Directory. Go to Application registrations and then Edge and then Users and groups, and then select Add user.
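The redirect URIs from the Redirect URIs table and the app roles from the two app role tables above can be generated and checked before you type them into the portal. The following script is an added example, not Tribal's or Microsoft's code; it assumes the field names of the Azure AD app registration manifest's appRoles array, and the function names are assumptions of this example.

```python
import json
import re
import uuid

IDENTITY_BASE = "https://identity.tribaledge.com"

# Paths from the Redirect URIs table; the AD FS one is only needed when using AD FS.
REDIRECT_PATHS = ("connect/callback", "signin-oidc-ThirdParty", "signin-oidc-ADFS")


def redirect_uris(region: str, tenant: str, adfs: bool = False) -> list[str]:
    """Build the Edge redirect URIs for an institution, e.g. region 'APAC', tenant 'caltech'."""
    paths = REDIRECT_PATHS if adfs else REDIRECT_PATHS[:2]
    return [f"{IDENTITY_BASE}/{region}/{tenant}/{path}" for path in paths]


def app_role(display_name: str, value: str, description: str) -> dict:
    """Return one entry for the app registration manifest's appRoles array.

    The value is what Edge reads as the group name, so it must not contain spaces.
    allowedMemberTypes ["User"] is the manifest form of the portal's "Users/Groups".
    """
    if not value or re.search(r"\s", value):
        raise ValueError(f"app role value must be non-empty and contain no spaces: {value!r}")
    return {
        "allowedMemberTypes": ["User"],
        "description": description,
        "displayName": display_name,
        "id": str(uuid.uuid4()),  # every app role needs its own unique GUID
        "isEnabled": True,        # the "enable this app role" checkbox
        "value": value,
    }


def app_roles_manifest(roles: list[dict]) -> str:
    """Serialise the roles as the appRoles manifest fragment, rejecting duplicate values."""
    values = [r["value"] for r in roles]
    dupes = sorted({v for v in values if values.count(v) > 1})
    if dupes:
        raise ValueError(f"duplicate app role values: {dupes}")
    return json.dumps({"appRoles": roles}, indent=2)


if __name__ == "__main__":
    print("\n".join(redirect_uris("APAC", "caltech", adfs=True)))
    roles = [
        app_role("Edge administrators", "EdgeAdministrator",
                 "Edge administrator with full permissions in Edge"),
        app_role("Applications supervisors", "ApplicationsSupervisors",
                 "Application supervisors for all desks in Edge"),
    ]
    print(app_roles_manifest(roles))
```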