Therefore™ Help

Zoom Window Out
Larger Text | Smaller Text
Hide Page Header
Show Expanding Text
Printable Version
Send Mail Feedback
Save Permalink URL

Tutorials > Solution Designer > Access > Authentication > External User Directories > Microsoft Entra ID

Configuring the Therefore™ Settings

1.In the Therefore™ Solution Designer navigate to Access > External User Directories. Double-click on 'External User Directories'. Click 'Add' and select 'Microsoft Entra ID'.

sd_t_authmeth_admintasks_aad3_001

2.Edit the Connection Settings for Microsoft Entra ID.

sd_t_authmeth_admintasks_aad3_002

Therefore Client ID

Enter the 'Application (client) ID' for the Therefore™ Client Login application

This setting can be left empty and is only required if SSO is configured. To enable this, the correct login domain must be set here. For example: for testuser@ontherefore.com, the login domain would be ontherefore.com.

Please find more information here:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso

Additional domains

If the Microsoft Entra ID contains users from external domains add these domains here.

For example: The Microsoft Entra ID contains users such as 'john.smith@moyaware.onmicrosoft.com' and also 'taro.yamada@moyaware.com'. Enter 'moyaware.com' as an additional domain.

Use a custom application to access Microsoft Entra ID

Check this box

Azure tenant name

The name of your Azure tenant <company>.onmicrosoft.com

Application client ID

Enter the 'Application (client) ID' for the Therefore™ Server Login application

Application secret

The secret value for the Therefore™ Server Login application

3. A browser window will open. Sign into your Microsoft account. It needs to be an account that has Administrator permissions in order for the Microsoft Entra ID to be integrated.

sd_t_authmeth_admintasks_aad3_003

Info

By default, Therefore™ uses an internal Chromium Browser to open the Azure user sign-in page. In some cases, this may not be sufficient (e.g., Conditional Access is defined in Azure whereby the user must be signed in to the system browser before they are allowed to login with Azure credentials). If you experience issues with the user login you can use the “Use the browser for login” checkbox which will use the default system browser instead of the internal Chromium Browser to open the Azure user sign-in page. This usually solves login issues especially with installed clients such as the Therefore™ Navigator.

4.Two permission screens will be displayed. Click 'Accept' on the first one to allow Therefore™ to access the Microsoft Entra ID tenant. Agree to the second one to allow access to user profile information for Openid login.

sd_t_authmeth_admintasks_aad3_004

5.Once the connection has been established, the new domain can be accessed from user or group selection dialogs to select users and groups and grant the appropriate permissions.

sd_t_authmeth_admintasks_aad3_007

6.When connecting to Therefore™ through an installed client application, the connection settings need to be configured. Under 'Authentication provider' select 'AzureActive Directory'. Click 'Update from Server'. The settings will be populated automatically.

sd_t_authmeth_admintasks_aad3_008

Info

The default client UI for logon is web-based. This is specifically required for MFA (multi-factor authentication). If no MFA is used, a user can also select to use the traditional, non-web login dialog by setting a registry key as shown below. However, this approach is not recommended.

HKEY_CURRENT_USER\Software\Therefore\Client\EnableSSOWebUi = 0

This registry value disables the web-based login dialog. If MFA is enabled, logging in will always fail in this case.