# Active Directory & SSO Setup

### Setup Azure Active Directory for Paze.Industries

1. Navigate to your Azure portal (e.g. [Microsoft Azure](http://portal.azure.com/))
2. In the portal, navigate to `App registrations`

<figure><img src="/files/tySa2Q4P8Eh0YXvsNRfm" alt=""><figcaption></figcaption></figure>

3. Click on `New registration`
4. Fill in the input fields as follows:

<figure><img src="/files/JuZqYeWt5c4iIdPkZoCS" alt=""><figcaption></figcaption></figure>

* **Name**: “Paze.Industries IIoT Platform” (you can decide how you want to name it in your organization)
* **Supported account types**: Single-tenant
* **Redirect URI**: Leave empty for now

5. Click “**Register**”
6. In the next screen note down the “`Application (client) ID`" as well as the "`Directory (tenant) ID`" and send this information to your Customer Success contact at Paze.Industries.

<figure><img src="/files/gEx2aIWjaEuWDnYr191d" alt=""><figcaption></figcaption></figure>

7. On the same screen, click on `Add a Redirect URI`
8. In the next screen, click on `Add a platform` and select `Web` as your platform

<figure><img src="/files/KKpKGzcX1k0B8cTuzfA8" alt=""><figcaption></figcaption></figure>

9. In the next screen fill in the form as follows

<figure><img src="/files/o1fj4aJGaleHvjy8e6yH" alt=""><figcaption></figcaption></figure>

* **Redirect URIs**: The URI of your Paze.Industries application plus the redirect path. Enter `https://[yourPazeDomain].paze.industries/signin-oidc/[yourtenant]`
* **Front-channel logout URL**: Leave empty
* **Tick** `Access tokens` and `ID tokens` **(important!)**

10. Click on “**Configure**”.
11. In the next screen, click on “Add URI” and enter your backend-redirect URL. Click on “Save” to finalize.

<figure><img src="/files/y6g0zdS7uxgSeFlNQE4l" alt=""><figcaption></figcaption></figure>

The URI to enter has the following format: `https://[yourbackend].paze.industries/signin-oidc/[yourtenant]`. You can find the `[yourbackend]` host by navigating to your Paze.Industries application’s login screen in the browser. The host shown in the address bar during login is your `[yourbackend]`.\
In the example below, `[yourbackend]` equals “galaxyapi”.

<figure><img src="/files/2tJhN2R1QIbqHuc8oZf7" alt="" width="375"><figcaption></figcaption></figure>

12. Inform Paze.Industries that you’ve registered Paze.Industries as an AD application. Please also provide the **ClientId** and **TenantId** noted in step 6.
13. After Paze.Industries activates the integration, one of your Azure AD admins needs to navigate to the Paze.Industries applications and log in. The very first time a tenant logs in to Paze.Industries with an Azure Active Directory user, you need to grant admin consent to the application.
14. Navigate to your Paze.Industries application. Now your login screen provides another login option. Click on the blue external login button:

<figure><img src="/files/6FInqR40GLiZvz89Iyy1" alt="" width="316"><figcaption></figcaption></figure>

15. Log in with one of your Azure Active Directory users and grant the permissions, as shown below. Make sure to “Consent on behalf of your organization”, so that other users are able to log in without that screen popping up.

<figure><img src="/files/cKC3lGCzbFtjg6smkaXR" alt="" width="375"><figcaption></figcaption></figure>

{% hint style="info" %}
Congratulations, your Azure Active Directory integration is ready to be used by your organization's users.
{% endhint %}
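The steps above amount to one app registration with a fixed set of settings: single-tenant audience, two exact `https` Web redirect URIs under `/signin-oidc/[yourtenant]`, and ID/access token issuance enabled. The script below is an added example, not Paze.Industries' or Microsoft's code; it assembles those settings in the shape of the Microsoft Graph `application` resource (the same JSON the portal's Manifest editor shows) and checks the redirect URIs against the format this guide prescribes before anything is submitted. The host names, the tenant name and the `PAZE_*` constants are constructed sample values; the group id is the one from this page's own example.

```python
"""Added example: build and sanity-check the Azure AD app registration described above.

The dictionary mirrors the Microsoft Graph `application` resource (what the portal's
Manifest editor displays): single-tenant sign-in audience, the two Web redirect URIs,
the ID/access token issuance toggles, and app roles following the
senseforce.[group id] convention. Hosts and tenant name are constructed sample values.
"""
import re
import uuid
from urllib.parse import urlsplit

# Constructed sample values; replace them with your own hosts and tenant name.
PAZE_FRONTEND = "mycompany.paze.industries"   # [yourPazeDomain].paze.industries
PAZE_BACKEND = "galaxyapi.paze.industries"    # [yourbackend].paze.industries
PAZE_TENANT = "mycompany"                     # [yourtenant]

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def redirect_uri(host: str, tenant: str) -> str:
    """https://[host]/signin-oidc/[tenant], the format the guide prescribes."""
    return f"https://{host}/signin-oidc/{tenant}"


def check_redirect_uri(uri: str) -> list:
    """Return the problems with a redirect URI; an empty list means it passes.

    Azure AD compares redirect URIs exactly, so a value that is too loose (http,
    a wildcard host, a foreign host) either breaks the login or widens where the
    authorization response, and with it the tokens, may be delivered.
    """
    problems = []
    parts = urlsplit(uri)
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if not parts.hostname or not parts.hostname.endswith(".paze.industries"):
        problems.append("host must be a *.paze.industries host")
    if "*" in parts.netloc:
        problems.append("wildcard hosts are not allowed")
    if not re.fullmatch(r"/signin-oidc/[A-Za-z0-9._-]+", parts.path):
        problems.append("path must be /signin-oidc/[yourtenant]")
    if parts.query or parts.fragment:
        problems.append("query string and fragment are not allowed")
    return problems


def app_role(group_id: str, display_name: str, description: str = "") -> dict:
    """One app role whose value encodes a Paze.Industries group id."""
    if not GUID_RE.match(group_id):
        raise ValueError(f"not a Paze.Industries group id (GUID): {group_id!r}")
    return {
        "allowedMemberTypes": ["User"],   # Graph's "User" covers users and groups
        "description": description or display_name,
        "displayName": display_name,
        "id": str(uuid.uuid4()),          # every app role needs its own unique id
        "isEnabled": True,
        "value": f"senseforce.{group_id}",
    }


def build_registration(frontend: str, backend: str, tenant: str, groups: dict) -> dict:
    """Assemble the application manifest; `groups` maps role display name -> Paze group id."""
    uris = [redirect_uri(frontend, tenant), redirect_uri(backend, tenant)]
    for uri in uris:
        problems = check_redirect_uri(uri)
        if problems:
            raise ValueError(f"{uri}: " + "; ".join(problems))
    return {
        "displayName": "Paze.Industries IIoT Platform",
        "signInAudience": "AzureADMyOrg",          # "Single-tenant" in the portal
        "web": {
            "redirectUris": uris,
            "implicitGrantSettings": {            # the two "important!" tick boxes
                "enableIdTokenIssuance": True,
                "enableAccessTokenIssuance": True,
            },
        },
        "appRoles": [app_role(gid, name) for name, gid in groups.items()],
    }


if __name__ == "__main__":
    import json
    manifest = build_registration(
        PAZE_FRONTEND, PAZE_BACKEND, PAZE_TENANT,
        {"Paze analysts": "108f08e1-7bdb-4397-854c-093790f52722"},  # id from the guide's example
    )
    print(json.dumps(manifest, indent=2))
```

The resulting dictionary is the request body for `POST https://graph.microsoft.com/v1.0/applications`, or can be compared field by field against the Manifest tab of the registration you created by hand; `check_redirect_uri` is the part worth keeping in a periodic review, since a later edit that adds an `http` or wildcard entry is exactly the kind of drift that goes unnoticed in the portal.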

### Assign Paze.Industries groups to external Active Directory users or AD groups <a href="#how-to-assign-senseforce-groups-to-external-active-directory-users-or-a-d-groups" id="how-to-assign-senseforce-groups-to-external-active-directory-users-or-a-d-groups"></a>

Users who log in with Azure Active Directory don’t have any permissions in the Paze.Industries application by default. To receive permissions, they need to be assigned to a Paze.Industries group. To keep the workflow simple, the assignment between users and groups is done in Azure Active Directory.

To set it up, follow these steps:

1. Create a Paze.Industries group and assign permissions (as with “classic” Paze.Industries user management)
2. Make a note of the group ID: open the group in the Paze.Industries app and look at the URL; the GUID at the end is the group ID (highlighted in red in the screenshot).

<figure><img src="/files/GwudLS42qxy4voj7u2T3" alt=""><figcaption></figcaption></figure>

3. Navigate to your Azure Portal, go to “**App registrations**”, open your “**Paze.Industries IIoT Platform**” registered app, and click on “**Create app role**”. In the next screen, fill out the form as follows.

<figure><img src="/files/PUKPIrpR8MwFGLtDWPLe" alt=""><figcaption></figcaption></figure>

* **Display name**: The name of this app role as shown in Azure Active Directory; you can choose it freely.
* **Allowed member types**: Users/Groups
* **Value:** Needs to be “<mark style="color:red;">**senseforce.**</mark>**\[Paze.Industries group id]**” (using the group ID noted in step 2). Example: <mark style="color:red;">**senseforce.**</mark>**108f08e1-7bdb-4397-854c-093790f52722**
* **Description**: Any description that helps you manage your app roles.

4. Click “Apply”. Your app role is now created.
5. Repeat this for each Paze.Industries group you want to make available. Note: this only needs to be done once per Paze.Industries group.
6. In your Azure portal, navigate to Enterprise Applications.

<figure><img src="/files/fqxlm8lQHHQblJtpKqqh" alt=""><figcaption></figcaption></figure>

7. Open your “Paze.Industries IIoT Platform” (Note: App registrations are automatically added as Enterprise Applications)
8. Click “Assign Users and Groups”.

{% hint style="info" %}
**Tip**: Assigning individual users to app roles can be cumbersome. It is better practice to add the role assignment to an AD group. All users in this AD group automatically inherit the group’s roles, which makes adding new users very easy.
{% endhint %}

9. In the next screen click “Add user/group”.
10. In the next screen, select the user or AD group as well as the corresponding app role created in the steps before.
11. Click “Assign”. As a result, the selected user or group is assigned to this app role.

<figure><img src="/files/DM815KxaCnMVxsheKPjw" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
**Tip**: You can add multiple app role assignments per user or group. So if you want a user to be assigned to multiple Paze.Industries groups, create multiple app roles and multiple enterprise user assignments.
{% endhint %}

### How to add new users after initial setup <a href="#how-to-add-new-users-after-initial-setup" id="how-to-add-new-users-after-initial-setup"></a>

Assuming you have added all your Paze.Industries groups as app roles as described above, and you have created AD groups with the corresponding app roles assigned, adding new users works as follows:

1. Add a new Azure AD user
2. Add this user to one of your AD groups that has one or more app roles assigned

The user is now able to log in and has permissions as defined with the app roles.

{% hint style="info" %}
**Info:** There are three name fields in Active Directory: “Name”, “Family Name” and “Given Name”. Family Name and Given Name are mapped one-to-one to the corresponding Paze.Industries fields.\
If only “Name” is filled in, it is mapped to the Family Name in Paze.Industries.
{% endhint %}
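Two mapping rules are spread across this page: app role values of the form `senseforce.[group id]` decide which Paze.Industries groups a signed-in user belongs to, and the AD name fields are mapped with a fallback from “Name” to the family name. The following is an added illustration of both rules, written by the editor and not Paze.Industries' code, applied to the claims of an Azure AD ID token. It assumes the standard Azure AD claim names (`roles`, `family_name`, `given_name`, `name`, `tid`, `aud`, `oid`, `sub`); the `SAMPLE_CLAIMS` dictionary and the `*-PLACEHOLDER` ids are constructed, and the group id is the one from this page's example. Beyond the page's text, it also shows why a strict prefix-plus-GUID check matters: role values that do not match exactly are reported instead of silently mapped or dropped.

```python
"""Added example: turn the claims of a validated Azure AD ID token into a
Paze.Industries user, following the two mapping rules described on this page.

  * app role values "senseforce.[group id]" select the Paze.Industries groups;
  * family_name / given_name map one-to-one, and a lone "name" becomes the family name.

The claims below are a constructed sample; in a real deployment they come out of a
signature- and expiry-checked token, never from a raw JSON body.
"""
import re
from dataclasses import dataclass, field

ROLE_PREFIX = "senseforce."
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


@dataclass
class PazeUser:
    subject: str                 # Azure AD object id: stable even if the user is renamed
    family_name: str
    given_name: str
    group_ids: list = field(default_factory=list)
    ignored_roles: list = field(default_factory=list)


def claims_are_for_this_app(claims: dict, tenant_id: str, client_id: str) -> bool:
    """Single-tenant registration: only tokens from our tenant, for our client id, count.

    The OIDC middleware already verifies signature and expiry; checking tid and aud
    again here guards against a token minted for a different app or tenant being
    accepted by the mapping layer.
    """
    return claims.get("tid") == tenant_id and claims.get("aud") == client_id


def groups_from_roles(roles) -> tuple:
    """Split the `roles` claim into accepted Paze group ids and ignored values.

    Only values with the exact senseforce. prefix followed by a well-formed GUID
    are accepted. Everything else (roles of other apps, typos in the role value)
    is returned separately so a misconfigured app role shows up in logs.
    """
    accepted, ignored = [], []
    for role in roles or []:
        candidate = role[len(ROLE_PREFIX):] if role.startswith(ROLE_PREFIX) else ""
        if candidate and GUID_RE.match(candidate):
            gid = candidate.lower()          # normalise GUID case
            if gid not in accepted:          # one group may be reached via two assignments
                accepted.append(gid)
        else:
            ignored.append(role)
    return accepted, ignored


def name_fields(claims: dict) -> tuple:
    """Family/given one-to-one; a lone "name" is mapped to the family name."""
    family = claims.get("family_name") or ""
    given = claims.get("given_name") or ""
    if not family and not given and claims.get("name"):
        family = claims["name"]
    return family, given


def user_from_claims(claims: dict, tenant_id: str, client_id: str) -> PazeUser:
    """Build the Paze user; raises if the token was not issued for this registration."""
    if not claims_are_for_this_app(claims, tenant_id, client_id):
        raise ValueError("token is not for this tenant/application")
    family, given = name_fields(claims)
    group_ids, ignored = groups_from_roles(claims.get("roles"))
    return PazeUser(
        subject=claims.get("oid") or claims["sub"],
        family_name=family,
        given_name=given,
        group_ids=group_ids,
        ignored_roles=ignored,
    )


# Constructed sample claims (not a real token); the group id is from the guide's example.
SAMPLE_CLAIMS = {
    "tid": "TENANT-ID-PLACEHOLDER",
    "aud": "CLIENT-ID-PLACEHOLDER",
    "oid": "OBJECT-ID-PLACEHOLDER",
    "name": "Ada Lovelace",          # only "Name" filled in AD
    "roles": [
        "senseforce.108f08e1-7bdb-4397-854c-093790f52722",
        "senseforce.108F08E1-7BDB-4397-854C-093790F52722",   # same group, different case
        "Reader",                                            # some other app's role
        "senseforce.not-a-guid",                             # mistyped app role value
    ],
}

if __name__ == "__main__":
    print(user_from_claims(SAMPLE_CLAIMS, "TENANT-ID-PLACEHOLDER", "CLIENT-ID-PLACEHOLDER"))
```

Returning the ignored role values alongside the accepted group ids is the practical payoff: when a user reports missing permissions after the setup above, a log line listing `ignored_roles` immediately distinguishes “no app role assigned” from “app role value mistyped”.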

### Other details <a href="#other-details" id="other-details"></a>

**Forgot password**

If an external user tries to use the forgot password flow, an error message is shown.

**External login button**

If an Azure AD integration is configured, a new, blue, external login button is added.
