# Azure Active Directory

You can sync Azure Active Directory with Infraon to enable synchronization of user/requester accounts. Follow the steps below to configure Azure Active Directory.

## Pre-requisites  <a href="#toc174553351" id="toc174553351"></a>

* An active Azure account

## The Process  <a href="#toc174553352" id="toc174553352"></a>

Follow the steps below on your Azure portal.

**Step 1: Register your app**

1\. Log in to your Azure account and click 'App Registrations.'

![](https://8249392-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE4mkwSP8a1BSD9BFNFav%2Fuploads%2Fg2WHox7YDDejV6D3d87h%2F0.png?alt=media)

2\. Select 'New registration.'

![](https://8249392-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE4mkwSP8a1BSD9BFNFav%2Fuploads%2FOWfrGf2juBBjm7kpt54r%2F1.png?alt=media)

3\. Add a display name for your application, select the account type, and click 'Register.'

![](https://8249392-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE4mkwSP8a1BSD9BFNFav%2Fuploads%2F3gTcr1vym8ouuyfgwro4%2F2.png?alt=media)

4\. The application is created, and the details are displayed per the reference screenshot. Copy the Application (client) ID and the Tenant ID.

![](https://8249392-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE4mkwSP8a1BSD9BFNFav%2Fuploads%2FQITW947ugxbCIuJZM0CA%2F3.png?alt=media)

**Step 2: Enable API Permissions**

1\. Navigate to 'API Permissions' and click 'Add a permission.'

![](https://8249392-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE4mkwSP8a1BSD9BFNFav%2Fuploads%2Fy8rIUKjAbDhaGT8qtN6m%2F4.png?alt=media)

2\. A slider appears. Click on the 'APIs my organization uses' tab.

![](https://8249392-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE4mkwSP8a1BSD9BFNFav%2Fuploads%2F1QqlCOap9T48mRDuBgMH%2F5.png?alt=media)

3\. Select 'Microsoft Graph' from the list of APIs displayed.

![](https://8249392-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE4mkwSP8a1BSD9BFNFav%2Fuploads%2FEdd7HaAu6LwulqOWUgjg%2F6.png?alt=media)

4\. Scroll down and look for 'User' related APIs. Expand and select 'User.Read.All' to enable.

![](https://8249392-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE4mkwSP8a1BSD9BFNFav%2Fuploads%2FeNa6LmhhWVvgsu6b5FlY%2F7.png?alt=media)

5\. Once the permissions are added, details are displayed per the reference.

![](https://8249392-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE4mkwSP8a1BSD9BFNFav%2Fuploads%2F2EtESAshr9QyQN82saGS%2F8.png?alt=media)

6\. Click on 'Grant admin consent' and confirm your selection.

![](https://8249392-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE4mkwSP8a1BSD9BFNFav%2Fuploads%2FOUjPndlPbpaAQfR2tA26%2F9.png?alt=media)

![](https://8249392-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE4mkwSP8a1BSD9BFNFav%2Fuploads%2FBmjxlQsDbSACvjRvNuPA%2F10.png?alt=media)

**Step 3: Create a client secret**

1\. Navigate to 'Certificates and secrets' -> Client Secrets.

![](https://8249392-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE4mkwSP8a1BSD9BFNFav%2Fuploads%2FSRWG0Ia4DYDJDUqsVWCq%2F11.png?alt=media)

2\. Add a new client secret. Provide a description and an expiration date. The client secret is valid only for the selected period; a new client secret must be created when it expires. Click 'Add' once done.

![](https://8249392-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE4mkwSP8a1BSD9BFNFav%2Fuploads%2FDzP2NUoDkBWDCmIfxMIT%2F12.png?alt=media)

3\. The client secret is generated. Copy the value to the clipboard. Note that this value is hidden once the page is refreshed.

![](https://8249392-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE4mkwSP8a1BSD9BFNFav%2Fuploads%2FkqE8reLxCE9i7BJHVyz3%2F13.png?alt=media)

**Step 4: Register your app on Infraon**

1\. Navigate to Infraon -> Market Place -> Azure Active Directory (Azure AD). Click 'Install'. Add the Tenant ID, Client ID, and Secret Key. Click 'Verify.'

![](https://8249392-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE4mkwSP8a1BSD9BFNFav%2Fuploads%2Fmz03AELHgdOugpNd59Ap%2F14.png?alt=media)

2\. Upon successful verification, you will be redirected to the field mapping screen shown in the reference screenshot. In each of the tabs below on Infraon, map the column names to the respective field names.

* Requester
* Work
* Address

![](https://8249392-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE4mkwSP8a1BSD9BFNFav%2Fuploads%2FOkwq4OP5m4QCfOE8ju76%2F15.png?alt=media)

3\. Click 'Submit' when you are done. Infraon might take a few minutes to complete the synchronization. Once complete, all your Azure users are added as requesters on Infraon.

## Requester Login via SSO

Azure AD–synced requesters can log in to the Infraon Self-Service Portal using Microsoft Single Sign-On (SSO). Authentication and access management for requesters occur when a ticket is created under any workflow configured with App Integration.

It includes scenarios such as:

* Successful login via SSO
* Invalid login attempts
* Session management
* Multi-device login
* Error handling
* Audit logging

### **How It Works**

1\.   Navigate to **Infraon Configuration → Infraon Automation →** [**Workflow**](https://docs.infraon.io/infraon-help/infinity-user-guide/infraon-configuration/infraon-automation/workflow).

2\.   Select the required **Ticket Workflow** and click **Edit**.

3\.   In the **Configure Workflow** section, expand the **left-side panel** using the double arrow icon.

<figure><img src="https://8249392-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE4mkwSP8a1BSD9BFNFav%2Fuploads%2FqEPd99i3oNL2z3OiUF9K%2Fimage.png?alt=media&#x26;token=1ce7db34-b7fe-4cf6-9b9b-1720d8e83bf3" alt=""><figcaption></figcaption></figure>

4\.   Under the **Actions** category, select **App Integration**.

<figure><img src="https://8249392-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE4mkwSP8a1BSD9BFNFav%2Fuploads%2Fye4HkozLogm0LrzW8vYF%2Fimage.png?alt=media&#x26;token=fa6a034e-0d4f-4e40-8b7a-e660659afde8" alt=""><figcaption></figcaption></figure>

5\.   Select the Azure AD app (installed from Infraon Marketplace Integration) from the dropdown.

<figure><img src="https://8249392-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE4mkwSP8a1BSD9BFNFav%2Fuploads%2FGZDEVusQrwQgxFgMSQh1%2Fimage.png?alt=media&#x26;token=0754c2cb-8f8e-4685-bcbd-c936a5463072" alt=""><figcaption></figcaption></figure>

6\.   Once selected, you will see three options to configure Azure AD account actions.

<figure><img src="https://8249392-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE4mkwSP8a1BSD9BFNFav%2Fuploads%2FcDjjyvZY87erpsVJqisJ%2Fimage.png?alt=media&#x26;token=8cc714a9-5816-4c81-976f-eb153f1f656a" alt=""><figcaption></figcaption></figure>

**Azure AD Actions | Details**

<table data-header-hidden><thead><tr><th width="211" valign="top"></th><th valign="top"></th><th valign="top"></th></tr></thead><tbody><tr><td valign="top"><strong>Label</strong></td><td valign="top"><strong>Description</strong></td><td valign="top"><strong>Scenario</strong></td></tr><tr><td valign="top"><strong>Force Password Reset on Next Login</strong></td><td valign="top">Triggers a temporary password reset and forces the requester to set a new password during their next login via SSO. An email with the temporary password is sent.</td><td valign="top">Use when the requester’s credentials may be compromised, or after IT security updates, ensuring the user resets their password before continuing access.</td></tr><tr><td valign="top"><strong>Unlock User Account</strong></td><td valign="top">Unlocks a requester’s locked account due to multiple failed login attempts or admin restrictions. No email notification is sent.</td><td valign="top">Use it when a requester is unable to access the portal due to lockout errors. This ensures quick access restoration without requiring manual IT intervention.</td></tr><tr><td valign="top"><strong>Disable (Lock) User Account</strong></td><td valign="top">Disables a requester’s account, preventing login until re-enabled. No email notification is sent.</td><td valign="top">Use when an account needs to be temporarily restricted—e.g., requester leaves the organization, suspicious activity is detected, or compliance rules require suspension.</td></tr></tbody></table>

This ensures IT admins can automate user account management actions within ticket workflows, integrating **Azure AD SSO policies** directly into **Infraon Infinity Automation**.
