Enabling Azure Single Sign On for PM3

This article outlines the steps required to enable Azure Single Sign On for PM3, which is based on the Microsoft MSAL library.

 

Introduction 

Azure Signon requires that users log in to PM3 with their Azure credentials via the Azure login dialog. PM3 will guide the user through this. Since Azure remembers your login during your browser session, this can reduce the number of times you need to log in.

In PM3, local admins can turn Azure signon on or off, or allow both Azure and PM3 login simultaneously. By default it is off.

Before turning Azure signon on, a few preparation steps are required, as outlined below.

Map Azure AD users to PM3 Licences 

In order to use Azure Single Signon, you need to already have in place an Azure AD Directory containing, among others, the users you want to use PM3. This is a responsibility of your Infrastructure Team. If it is not already in place, you will need to speak to them before proceeding any further.

Users in Azure will have IDs like bill.brown@clientdirectory.com. Users in PM3 will have login names like bill.brown. If the Azure ID matches the Email address of the PM3 user in the PM3 Admin > Licences page, then mapping is already complete.

If not, then your PM3 Admin needs to go into PM3 Admin > Licences and open bill.brown and set his Azure ID to the Azure value i.e. “bill.brown@clientdirectory.com”. This is the responsibility of your local PM3 Admin. 

A technical note for Azure administrators: the PM3 Azure users in the tenant must be native users of the tenant – not guest users from other tenants. 
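
The mapping rule above can be checked before anyone switches the Authoriser setting. The following is an added example, not code from Bestoutcome or PM3: it assumes the Azure users have been exported with the Microsoft Graph properties userPrincipalName and userType, and that the PM3 licences are available as rows with hypothetical fields login, email and azure_id. All data is constructed, and the case-insensitive comparison and the precedence of a set Azure ID over the email address are assumptions.

```python
# Constructed sample data. Azure rows use the Microsoft Graph user properties
# userPrincipalName and userType; the PM3 licence field names are hypothetical.
AZURE_USERS = [
    {"userPrincipalName": "bill.brown@clientdirectory.com", "userType": "Member"},
    {"userPrincipalName": "ann.lee@clientdirectory.com", "userType": "Member"},
    {"userPrincipalName": "sam.ng_partner.com#EXT#@clientdirectory.onmicrosoft.com",
     "userType": "Guest"},
]
PM3_LICENCES = [
    {"login": "bill.brown", "email": "bill.brown@clientdirectory.com", "azure_id": ""},
    {"login": "ann.lee", "email": "a.lee@example.org", "azure_id": ""},
    {"login": "sam.ng", "email": "sam.ng@partner.com",
     "azure_id": "sam.ng_partner.com#EXT#@clientdirectory.onmicrosoft.com"},
    {"login": "joe.old", "email": "joe.old@clientdirectory.com", "azure_id": ""},
]


def check_mapping(azure_users, licences):
    """Return {login: status}, where status is 'ok', 'guest' or 'unmapped'."""
    # Index the directory by lower-cased UPN (case-insensitive match is assumed).
    directory = {u["userPrincipalName"].lower(): u for u in azure_users}
    report = {}
    for lic in licences:
        # Assumption: a set Azure ID is used first, otherwise the email address.
        candidate = (lic["azure_id"] or lic["email"]).lower()
        user = directory.get(candidate)
        if user is None:
            # No Azure user matches: set the Azure ID in PM3 Admin > Licences,
            # or ask the Azure administrator whether the account exists.
            report[lic["login"]] = "unmapped"
        elif user["userType"] != "Member":
            # Guest accounts from other tenants are not native users.
            report[lic["login"]] = "guest"
        else:
            report[lic["login"]] = "ok"
    return report


def needs_attention(report):
    """Logins that should be fixed before Authoriser is set to Azure AD."""
    return [login for login, status in report.items() if status != "ok"]


if __name__ == "__main__":
    result = check_mapping(AZURE_USERS, PM3_LICENCES)
    for login, status in result.items():
        print(f"{login:12} {status}")
    print("Fix before switching to Azure AD only:", needs_attention(result))
```

Running the check while the Authoriser is still off or Mixed shows which licences need an Azure ID set, or a native account created, before Azure-only login is enforced.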

Configure Settings 

Once you tell us you intend to use Azure signon, we at Bestoutcome will configure a few settings. If you have a Test service, we can safely configure both your Live and Test at the same time. To complete this, we need some information from your Azure Administrator: 

  • Your Azure AD tenant ID, which is in GUID format

Creation of service principal (Enterprise App) in Client Azure Tenant 

You need to register our application, PM3 Cloud Service, in your Azure tenant. This is simply done with these steps: 

  • Your local PM3 Admin must turn on Azure Authentication in PM3 > Admin > General, choosing either Azure AD or Mixed.

Bestoutcome will have already filled in the fields from the information you provided in step 3. 

When Authoriser = Azure AD, users can log in only via Azure, so this step is best done either on a test service or when other users are not using the system. (You can always switch back again.) When Authoriser = Mixed, you can test Azure logins whilst leaving other users to log in in the usual way.

You create the Enterprise App during the first attempt to log in to PM3 via Azure:

  • Your Azure Admin should open a browser, and navigate to your usual PM3 site which takes you to the PM3 login page. 
  • Click the Azure Login button and provide your Azure Admin credentials to the Microsoft Azure dialogs. 
  • Initially, you may get a variety of additional dialogs:
      • To change password
      • To accept the PM3 Cloud Service ** this is the key dialog to accept
  • This will create the PM3 Cloud Service Enterprise App in your Azure Tenant.
  • You can manage that entry via the Microsoft Azure Portal in the usual way. (See the screenshots below.)

Your Azure Admin can check your Azure Enterprise Apps to confirm that PM3 Cloud Service has been created, as above. 

Your Azure Admin may choose to open the new Enterprise App and give consent to PM3 Cloud Service on behalf of all users. This simply reduces the number of dialogs for each user's initial login. 

After the Microsoft dialogs, the Azure Admin will most likely get a message at the end saying that the login to PM3 failed. That is not a problem. It means you have completed the SSO component – you are just not registered within PM3.

Conclusion

Once the Enterprise App has been created in your Azure AD Directory, the setup process is complete. At this point, your local PM3 Admin can switch Azure Signon between off, on and mixed as preferred, without any further configuration.