Hello,
We deployed Enterprise 10.8.1 and it has Azure AD SSO. I used this URL to configure it and it is working: https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/arcgisenterprise-tutorial#configur...
Now we have some groups created in Azure AD and we want to configure them with Portal so that, when we create a group whose members have certain privileges, we just add the Azure group to it and do not have to add users one by one (we have thousands). I was wondering if there is some way to manage this?
Can I configure group store configuration for this purpose?
Thanks,
DLL
When you create a group in your enterprise portal and want to use the membership from Azure to manage access, configure it as follows. Under "Who can join this Group?" select "Members of an Enterprise Group", and under "Enterprise group name" do not put the name; you will want to put the group's Azure Object ID, for example "e8ad1a30-1d7f-49rf-bd7a-173945c97e70".
Good point, especially when using Azure-only groups as opposed to groups synchronized from an on-premise Active Directory.
Configure group claims for applications with Azure Active Directory | Microsoft Docs
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims
With a SAML-based identity store, you'll want to include group membership as part of the SAML assertion for each user. There is a setting in the Portal settings for enabling enterprise group membership as part of the IDP configuration (under advanced settings), which will then allow you to specify the string that matches the value(s) sent in the user's SAML response from the IDP.
The group store configuration you've displayed is specific to Windows AD/LDAP group membership, so wouldn't apply in this circumstance.
See step 7 here:
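To make the two answers above concrete, here is an added example (not ArcGIS Enterprise or Esri code) of how a group claim in a SAML assertion is compared against a portal group's "Enterprise group name". It assumes Azure AD emits group membership under its standard groups claim attribute and that the assertion has already passed signature validation; the assertion XML is a constructed sample using the object ID from this thread.

```python
"""Match Azure AD group claims in a SAML assertion against a portal group's
configured "Enterprise group name". Added example, not product code."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Attribute name Azure AD uses when it adds group claims to a SAML token.
AZURE_GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample assertion; in a real flow the signature is verified
# before any attribute is read.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{AZURE_GROUPS_CLAIM}">
      <saml:AttributeValue>e8ad1a30-1d7f-49rf-bd7a-173945c97e70</saml:AttributeValue>
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def group_claims(assertion_xml: str) -> set:
    """Return the set of group values (Azure object IDs) carried in the assertion."""
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML_NS}
    values = set()
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", ns):
        if attr.get("Name") != AZURE_GROUPS_CLAIM:
            continue  # ignore unrelated attributes such as email or UPN
        for value in attr.findall("saml:AttributeValue", ns):
            if value.text:
                values.add(value.text.strip())
    return values


def is_member(assertion_xml: str, enterprise_group_name: str) -> bool:
    """True when the portal group's configured enterprise group name exactly
    matches one of the claim values. Azure sends object IDs, not display
    names, so a display name configured here never matches (assumed exact,
    case-sensitive comparison)."""
    return enterprise_group_name.strip() in group_claims(assertion_xml)
```

If `is_member` returns False for a user you expect to be in the group, compare the configured value against the raw claim values first; a display name instead of the object ID is the usual cause.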
Thanks, this info was really helpful. My enterprise works fine now: I was able to access it and was automatically assigned to the groups I created in Azure and Portal using the Azure object ID.