Configuring Azure Active Directory
You can configure your Microsoft Azure Active Directory (Azure AD) as a directory in Crowd. All changes to your users, groups, and memberships will be synced between Azure AD and Crowd periodically, or whenever you request it. You'll be able to view information about your users directly in Crowd by using the User Browser and Group Browser.
Before you configure your Azure AD, you should know about the following restrictions:
- In Azure AD, you can have multiple groups with the same name (displayName), but it's not supported in Crowd and results in a failing synchronization. Make sure you change your Azure AD group names to unique ones.
- Crowd doesn't support multi-factor authentication. You'll need to disable it for your users in Azure AD, or they will not be able to log in to Crowd or any integrated applications.
- If you need to make any changes to your users, make them directly in Azure AD. You can't edit your Azure AD users in Crowd.
Configuring Azure Active Directory
To configure Azure AD, you’ll need to create two applications in your Azure Portal, and then use them to add Azure AD to Crowd.
In Azure web application
1. Create a web application to allow Crowd to communicate with Azure AD:
- Log in to your Azure Portal.
- Go to Azure Active Directory > App registrations.
- Create a new application registration with the following details:
- Application type: Web app / API
- Supported account types: Accounts in this organizational directory only.
Sign-on URL: <Crowd's base URL>Where can I find my Crowd's base URL?In Crowd, go to> General, and check the value of
After the application is created, note down the Application ID assigned to it. You will need it later on to configure the integration in Crowd.
2. Configure permissions for the web application to allow Crowd to read data from Azure AD:
- In your web application, click API permissions.
- In the
API permissionssection, click Add a permission.
- Click Select an API, and select Microsoft Graph.
- Select the Application permissions type.
- Add the following permission from:
- Directory: Directory.Read.All
- Confirm the operation, by clicking Add permissions.
- Click Grant admin consent button and confirm.
3. Create a key for the web application. Crowd will use this key to authenticate to Azure AD:
- Click your web application.
- In the Manage section, click Certificates & secrets.
- In the Client secrets, click New client secret
- Choose a description and an expiry date for your key then save it.
Keep in mind that when the key expires and you don't replace it, Crowd will not be able to communicate with Azure AD.
- Copy and store the key value. You will not be able to view it after navigating away from the key settings.
In Azure native application
4. Create a native application that will be used by Crowd to validate user credentials:
- Go to App registrations, and create a new application registration with the following details:
- Supported account types: Accounts in this organizational directory only
- Type: Public client/native (mobile & desktop)
- Redirect URL: <Crowd's base URL>
Note down the Application ID assigned to it. You will need it later on to configure the integration in Crowd.
5. Configure permissions for the native application to allow Crowd to validate user credentials:
- Click your native application.
- Click API permissions
- Check if there is already a permission for Microsoft Graph: User.Read already added (it should be there by default).
- Click Grant admin consent and confirm.
6. Get the Tenant ID to configure the integration in Crowd:
- Go to the main Azure Active Directory blade.
- Click Properties.
Note down the Directory ID - this is the Tenant ID you will need later on to configure the integration in Crowd.
Steps in Crowd
7. Add Azure AD to Crowd.
- Log in to the Crowd Administration Console.
- In the top navigation bar, click Directories.
- Click Add Directory, and then select Azure Active Directory as type.
- Fill out the required fields.
You will need to specify the Tenant ID, Web application ID, Web application key and Native application ID that you received when you configured Azure Active directory.
- If you are integrating with an Azure Active DIrectory region that uses alternative API URLs (for example Azure Germany), you can pick the region from the Region drop-down.
If your region is not listed, you can pick Custom, and enter the appropriate API URLs manually.
- (optional) In the Group filtering section, instead of adding the whole user directory to Crowd, you can choose specific groups from Azure AD. Only members of these groups will be added to Crowd.
- (optional) Click Test Connection to verify if data you entered is correct.
You've added your Azure AD to Crowd. You should now see a brief summary of your directory, and details about the synchronization.
In some cases, the synchronization might be failing at first because the new permission wasn't yet propagated in Azure AD. Just wait a few minutes, the problem will fix itself.
Crowd will automatically pull data from Azure AD. If that doesn't happen, you can click Synchronise now. Once the synchronization is complete, you can check your users and groups from Azure AD by going to Users/Groups in the top navigation bar.
The following tables show how fields in Azure AD are mapped to those in Crowd. We're comparing Azure AD's API fields with Crowd's UI fields.
|Azure AD field||Crowd field|