To use automatic user provisioning with Microsoft Azure, users must be assigned to custom Azure groups that correspond to Visitor Aware School/Location IDs and to the Visitor Aware roles associated with your client account.
1) Add Required API Permissions
Auto-provisioning requires the "Group.Read.All" API Permission to be granted by an Azure administrator.
If this permission is not granted in the Azure App Registration permissions for the Visitor Aware application, NO user from your AD will be able to log in.
2) Creating Azure Groups for Roles and Locations
Within Azure, navigate to Groups -> All Groups, and create new groups for both locations and roles.
Create a new Group
Assign Users to the Group
Each user in Azure must be assigned one or more of the following, and may have multiple of each:
- VisitorAware_Role[role name here]
- VisitorAware_Location[school or location ID here]
For example, to assign a user:
- Role: Administrator
- Role: Volunteer Coordinator
- Location Access: "School1234"
- Location Access: "School9999"
They would need to be assigned to groups in Azure that match the following:
- VisitorAware_Role[administrator]
- VisitorAware_Role[volunteer_coordinator]
- VisitorAware_Location[School1234]
- VisitorAware_Location[School9999]
3) Ensure Users Have Valid Roles and Locations
Important Note: If a user attempts to authenticate and has no valid locations or roles assigned to their account in Azure, they will not be able to log in.
Certain roles are SECONDARY and must be used with primary roles.
| Primary Roles | Secondary Roles |
| --- | --- |
| administrator | volunteer_coordinator |
| site_administrator | first_responder |
| operator | drill_manager |
| teacher | drill_coordinator |
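The group-naming and role rules from steps 2 and 3 can be checked against a user's Azure group names before their first login. The following is an added example, not Visitor Aware's own code; the function name audit_groups, the case-sensitive role comparison, and the requirement of at least one primary role plus one location are assumptions about how the rules are applied.

```python
import re

# Role names as listed in the Primary/Secondary table on this page.
PRIMARY = {"administrator", "site_administrator", "operator", "teacher"}
SECONDARY = {"volunteer_coordinator", "first_responder",
             "drill_manager", "drill_coordinator"}

# Naming convention from this page: VisitorAware_Role[...] / VisitorAware_Location[...]
GROUP_RE = re.compile(r"^VisitorAware_(Role|Location)\[([^\[\]]+)\]$")

def audit_groups(group_names):
    """Classify one user's Azure group display names and list problems."""
    roles, locations, problems = set(), set(), []
    for name in group_names:
        m = GROUP_RE.match(name.strip())
        if not m:
            # Flag near-misses (wrong brackets, typos); ignore unrelated groups.
            if name.strip().lower().startswith("visitoraware"):
                problems.append(f"malformed group name: {name!r}")
            continue
        kind, value = m.groups()
        if kind == "Location":
            locations.add(value)
        elif value in PRIMARY or value in SECONDARY:  # assumption: exact match
            roles.add(value)
        else:
            problems.append(f"unknown role: {value!r}")
    if not roles:
        problems.append("no valid role")
    elif not roles & PRIMARY:
        problems.append("secondary role(s) without a primary role")
    if not locations:
        problems.append("no location")
    return {"roles": sorted(roles), "locations": sorted(locations),
            "problems": problems, "ok": not problems}

# Constructed sample memberships (not real accounts).
SAMPLE = {
    "alice": ["VisitorAware_Role[administrator]",
              "VisitorAware_Role[volunteer_coordinator]",
              "VisitorAware_Location[School1234]",
              "VisitorAware_Location[School9999]", "All Staff"],
    "bob": ["VisitorAware_Role[drill_manager]", "VisitorAware_Location[School1234]"],
    "carol": ["VisitorAware_Role[Administrator]", "VisitorAware_Location(School1234)"],
}

if __name__ == "__main__":
    for user, groups in SAMPLE.items():
        print(user, audit_groups(groups))
```

The same report is useful for reviewing which accounts hold the administrator role, since roles and locations are re-read from Azure on every login.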
4) Authenticate Users
Important Note: Users who do not currently exist within Visitor Aware must perform initial authentication using the "User Login URL" from the Single Sign On configuration page (https://app.visitor-aware.com/client-settings/sso).
After the initial login, users will be automatically redirected when entering their email address on the login page (https://app.visitor-aware.com/login).
User roles and locations are retrieved on each login based on the current roles assigned within Azure.
Below is a video walking through the process: