This article will illustrate how to create an Azure App Registration for use with Anaqua’s WiseTime application, to allow single sign-on (SSO) login for the organization’s domain(s), and for WiseTime to read the user’s calendar, to assist with creating the private timeline of the user’s day.
Note: This is WiseTime's preferred Single Sign-on for Teams on Enterprise Plans.
You must have sufficient permissions to register an application with your Microsoft Azure AD tenant and to assign the application a role in your Azure subscription. If you have the User role, you must make sure that non-administrators are allowed to register applications.
To verify your User settings, open the User settings page of your portal: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/UserSettings
Check the App registrations setting - this value can only be set by an administrator.
- If set to Yes, any user in the Azure AD tenant can register an app.
- If set to No, then only users with an administrator role may register these types of applications.
- See Azure AD built-in roles to learn about the available administrator roles and the specific permissions in Azure AD that are given to each role.
- If your account is assigned the User role, but the app registration setting is limited to admin users, ask your organization's administrator to either:
  - assign you one of the administrator roles that can create and manage all aspects of app registrations, or
  - enable users to register apps.
API Permissions Scope
As only user-level (non-admin) delegated API permissions are used, WiseTime benefits from the simplified multi-tenant app registration process that Microsoft provides within Azure AD.
The API permissions requested are summarised below:

| Permission | Consent level | Purpose |
|---|---|---|
| User.Read | User-only | Determine the user's userId following sign-in via OpenID (a user may have more than one email address, but should have only one WiseTime account). |
|  | User-only (OpenID) | Determine the user's email address following sign-in via OpenID. |
| offline_access | User-only (OpenID) | Continue to validate that the user is an active member of the Azure AD domain. |
| openid | User-only (OpenID) | Allow the user to sign in via the Microsoft OpenID sign-in flow. |
| Calendars.Read | User-only | Allow the user to overlay their calendar appointments on their daily timeline (useful for context when away from the computer). |
| Presence.Read | User-only | Allow users to enhance their timeline with basic information on when they were busy in a meeting and when they became available again. |
Each user must then individually log in and consent to the WiseTime app accessing their email address, as part of the usual OpenID login flow.
There are two options available to approve the above permissions.
Approve once via URL-based approval flow
Replace the text tenant-id-here with your organization's Tenant ID in the URL below. Open the amended URL and follow the prompts presented to allow users to sign in via the WiseTime client (client ID: ba260fe3-e4f1-4191-bd4a-7873b98edf0b).
Granting tenant consent in Enterprise apps
- Sign in to the Azure Portal with one of the roles listed in the prerequisites section.
- Select Azure Active Directory, and then select Enterprise applications.
- Select the WiseTime application (client ID: ba260fe3-e4f1-4191-bd4a-7873b98edf0b) for which you want to grant tenant-wide admin consent, and then select Permissions.
- Depending on your admin-approval flow, you can elect for users to consent to the app permissions during the SSO login flow, or you can pre-approve the requested permission scopes via the admin consent button.
- Review the permissions that the application requires as per API Permissions Scope section of this Guide. If you agree, select Grant admin consent.
You can also refer to the Microsoft documentation on managing consent and permissions.
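As an added check that is not part of the original guide, the script below compares the consent grants recorded in a tenant against the scopes documented in the API Permissions Scope section, and distinguishes a tenant-wide admin grant from per-user consents. It assumes the input is the JSON body of Microsoft Graph's oauth2PermissionGrants endpoint filtered to the WiseTime service principal; the object IDs in the sample are placeholders and the sample itself is constructed.

```python
"""Audit WiseTime consent grants against the scopes documented in this guide.

Input is the body of:
  GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants?$filter=clientId eq '<sp-object-id>'
where <sp-object-id> is the object ID of the WiseTime enterprise app in your
tenant (an assumption of this script; it is not the client ID used at sign-in).
"""
import json

WISETIME_CLIENT_ID = "ba260fe3-e4f1-4191-bd4a-7873b98edf0b"

# Delegated scopes named in the API Permissions Scope table. The table's
# unnamed OpenID row (email address) is not listed, so it is omitted here.
EXPECTED_SCOPES = {"User.Read", "offline_access", "openid",
                   "Calendars.Read", "Presence.Read"}

# Constructed sample: one tenant-wide admin grant (consentType AllPrincipals)
# plus one per-user grant (consentType Principal) carrying an undocumented scope.
SAMPLE_GRANTS = json.dumps({"value": [
    {"clientId": "sp-objectid-placeholder", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "graph-sp-placeholder",
     "scope": "User.Read offline_access openid Calendars.Read Presence.Read"},
    {"clientId": "sp-objectid-placeholder", "consentType": "Principal",
     "principalId": "user-objectid-placeholder",
     "resourceId": "graph-sp-placeholder",
     "scope": "User.Read openid Mail.Read"},
]})


def audit_grants(body, expected=EXPECTED_SCOPES):
    """Return whether admin consent exists, how many users consented
    individually, and which scopes deviate from the documented set."""
    grants = json.loads(body)["value"]
    tenant_wide = [g for g in grants if g["consentType"] == "AllPrincipals"]
    per_user = [g for g in grants if g["consentType"] == "Principal"]
    granted = set()
    for g in grants:
        granted.update(g["scope"].split())  # scope is a space-separated string
    return {
        "admin_consent_granted": bool(tenant_wide),
        "per_user_consents": len(per_user),
        "unexpected_scopes": sorted(granted - expected),  # over-grants to review
        "missing_scopes": sorted(expected - granted),
    }


if __name__ == "__main__":
    print(json.dumps(audit_grants(SAMPLE_GRANTS), indent=2))
```

Any scope reported under unexpected_scopes was consented to but is not documented by the vendor, which is the condition to investigate in the Enterprise applications Permissions blade.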