Azure authentication setup

Microsoft Azure AD, integration with Microsoft Azure IDP and 1E Solutions enables authentication using your existing Microsoft Azure AD/Entra ID credentials, in addition:

  • 1E Solutions users manage endpoints using the platform, based on platform role-based access control (RBAC).

  • Endpoints are not connected in any way to 1E Solutions.

  • When solution relevant events happen, data is sent to the 1E Platform. 1E Solutions subscribes to those events and updates device status in real time.

Setting up authentication

Depending on your environment you can either create a new app or use an existing one to authenticate to 1E Solutions.

For more information about creating and configuring the Azure AD applications required for 1E Platform SaaS instances. Refer to AAD Applications.

Registering a new app

  1. Login to your Microsoft Azure portal, go to App registrations.

    Then click New registration.

  2. Provide a name for the application and set the supported account type as shown, and add the Redirect URI:

    https://solutions.1e.com/MicrosoftLoginConnectorReactive/CallbackPage.

  3. Click on Register to save the app.

  4. Add a client secret to the application by clicking on Certificates & secrets.

  5. Click on New client secret.

  6. Add the Secret and copy the value of the newly created Secret.

  7. Share the following information with 1E for tenant registration:

    • Name.

    • Directory (tenant) ID.

    • Application (client) ID.

    • Client Secret value.

    • Admin Email: Email of the user who is going to be the admin for 1E Solutions and also is a 1E Platform admin. We recommend using a service account instead of an individual email address. This approach ensures that administrative access remains uninterrupted, even in the event of internal personnel changes.

    Only users with the email domain(s) provided can be added as Admin users in Solutions. For Multitenant SaaS, the DEX SOL team can configure additional domains upon request. We recommend that customers share all relevant email domains for users who may require admin access to avoid delays during setup.

Using an existing app

  1. Select an existing registered application.

  2. Click on Redirect URIs and add the solutions url under Web Redirect URIs:

    https://solutions.1e.com/MicrosoftLoginConnectorReactive/CallbackPage.

  3. Share the following information with 1E for tenant registration:

    • Name.

    • Directory (tenant) ID.

    • Application (client) ID.

    • Client Secret value.

    • Admin Email: Email of the user who is going to be the admin for 1E Solutions and also is a 1E admin. We recommend using a service account instead of an individual email address. This approach ensures that administrative access remains uninterrupted, even in the event of internal personnel changes.

    • Identifying Email Domain: <email domain info. eg: @1edemolab.com>

    Only users with the email domain(s) provided can be added as Admin users in Solutions. For Multitenant SaaS, the DEX SOL team can configure additional domains upon request. We recommend that customers share all relevant email domains for users who may require admin access to avoid delays during setup.

API permissions for sending emails from 1E Solutions

Microsoft Graph API Application permission (Mail.Send) will enable your Solution to send notification emails to admins based on your configured metrics.

  1. Navigate to the API permission of the registered App and click on Add a permission.

  2. Select Microsoft Graph > Application permission and add Mail.Send.

    For details about Mail.Send refer to user: sendMail.

  3. Click on Add permissions and Grant admin consent.

    The Mail.Send API has permission to send emails from any mailbox. It is recommended you limit the application to send email from only one mailbox. Refer to Role Based Access Control for Applications in Exchange Online.

Non-interactive JSON Web Token (JWT) Authentication

You must have a 1E integration AAD app before this part of your setup. For details refer to AAD Applications.

  1. You can upload your own certificate to set up the non-interactive JWT authentication and get the KeyID (KID) of your certificate by running the following PowerShell cmdlet. The KID of this certificate must then be mapped to a user (principal).

    Copy 
    Get-1ECertificateThumbprint -StoreName LocalMachine\My | Format-List

  2. The Application (Client) Id of the 1E Integration AAD application must be registered with the Solution.

  3. The Application (Client) Id should be added as a ClientAssertionId in 1E Platform. You will need to contact your 1E representative to complete this process.

Extracting Private Key of the Certificate

  1. Export the certificate with its private key.

  2. Use Powershell or OpenSSL to extract the encrypted private key. For this example we have used Open SSL to extract the key.

    Copy 
    openssl pkcs12 -in file.pfx -out file.pem -nodes -clcerts -passout pass:12345 

  3. Keep the .pem file safe and extract the private key.

JWT Principal Mapping

Once the certificate is added, you will need to use the 1E Toolkit to add a mapping between users in the 1E Platform and the certificate used for non-interactive login.

You can also automatically add and remove JWT mappings for your users in Configuration > Application User Management, refer to Application User Management.

  1. Prepare the PowerShell toolkit by running:

    Copy 
    import-module .\ps1etoolkit.psd1 -force

  2. Add-1EJWTPrincipalMapping passing in the KID for the cert as the Identifier and the user you want to map to as the Principal, for example:

    Copy 
    PS C:\Program Files\1E\PowerShellToolkit> Add-1EJWTPrincipalMapping
    cmdlet Add-1EJwtPrincipalMapping at command pipeline position 1
    Supply values for the following parameters:
    Identifier: <KID of the certificate obtained>
    Principal: <User principal name>  Eg. firstname.lastname@test.com

  3. You can view existing associations by running:

    Copy 
    get-1EJWTPrincipalMapping