
AVEVA™ Asset Information Management

Configure AIM to use Microsoft Entra ID for Accessing the Dashboard

  • Last Updated: Jul 23, 2024
  • 4 minute read

To configure AIM to use Microsoft Entra ID for access to the Dashboard website:

  1. Log in to the Azure portal, for example https://portal.azure.com/#home.

  2. Select Microsoft Entra ID from the side menu bar.

    Microsoft Entra Connect highlighted in the Microsoft Azure interface.

  3. Select App registrations from the side menu bar to create an app registration.

    App registration highlighted in the Microsoft Entra Connect section of Azure.

  4. Select New registration to create a new registration.

    New registration option is highlighted in the App registrations section.

  5. Provide a Name, Supported account types and Redirect URI. For example:

    Example details filled in the Register an application window.

  6. When the registration is created, in the Overview section you will see details similar to those below. Make a note of the Application (client) ID and Directory (tenant) ID which will be used for the AIM setup.

    Example details in the overview section, including the Application and Directory ID.

  7. Navigate to Expose an API and set the Application ID URI, scope and client application.

    The Expose an API option highlighted in the navigation rail.

  8. Set the Application ID URI by selecting Set.

    The Application ID URI Set option is highlighted in the Expose an API section.

  9. By default, api://{clientId} will be present, so just add /AIM after {clientId}. Then select Save. For example:

    An example URI in the Application ID URI box.

  10. Select Add a scope. The Add a scope window opens.

  11. Enter the details as shown in the following example.

  12. Select Add scope at the bottom of the window.

  13. Navigate to Overview and copy the Application (client) ID.

    An Application (client) ID highlighted on an Overview page.

  14. Navigate to Expose an API and select Add a client application.

    The Add a client application option is highlighted on the Expose an API page.

  15. Paste the value of the copied Application (client) ID into the Client ID field.

    An example Client ID in the Client ID field.

  16. Select the checkbox under the Authorized scopes section.

  17. Select Add application.

  18. Navigate to Manifest and update the accessTokenAcceptedVersion value to 2 to get the preferred_username claim.

  19. Update the groupMembershipClaims value to SecurityGroup or All to get the groups claim.

    For groupMembershipClaims, a value of null excludes all groups, a value of SecurityGroup includes only Active Directory Security Group memberships, and a value of All includes both Security Groups and Microsoft 365 Distribution Lists.

  20. Select Save.

    Note: Ensure that the user is not in more than 200 groups (for JWT tokens). For more information, see https://learn.microsoft.com/en-us/entra/identity-platform/security-tokens.

    The Manifest page is open with the accessTokenAcceptedVersion and groupMembershipClaims parameters highlighted.

  21. Configure AIM’s web.config to use Microsoft Entra ID Authentication (Identity Provider).

  22. Add or modify the following settings in the Dashboard’s web.config file.

  23. All the settings must be prefixed with avevanet:. For example, <add key="avevanet:*" value="*" />

    Parameter                 Description
    authenticationProvider    Set as Microsoft Entra ID (case-sensitive).
    applicationRootUri        The root URI of AIM’s Dashboard application. For example: https://sample.example.com/Dashboard
    authorityUri              The URI of the Microsoft Entra ID authority. For example: https://login.microsoftonline.com/{tenantId}/v2.0
    dashboardClientId         Application (client) ID
    resourceScope             The resource scope to be passed. For example: api://{clientId}/AIM/AVEVA.NET.Workhub

    For example:

    <add key="avevanet:authenticationProvider" value="AzureAD" />
    <add key="avevanet:applicationRootUri" value="https://sample.example.com/Dashboard" />
    <add key="avevanet:authorityUri" value="https://login.microsoftonline.com/{tenantId}/v2.0" />
    <add key="avevanet:dashboardClientId" value="{clientId}" />
    <add key="avevanet:resourceScope" value="api://{clientId}/AIM/AVEVA.NET.Workhub" />

  24. To allow communication with Microsoft Entra ID, in the web.config file under <content-Security-Policy enabled="true"> and then under <connect-src self="true"> add: <add source="https://login.microsoftonline.com/" />.
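The manifest values from steps 18 and 19 and the web.config entries from steps 22 to 24 are the places where a typo (a missing avevanet: prefix, a stray space inside a value, a v1.0 authority, a scope that points at a different client ID) silently breaks sign-in. The script below is an added example, not AVEVA's code: it reads a saved copy of the app registration manifest and the Dashboard web.config and reports every setting that does not match this page. It assumes the avevanet: entries live under <appSettings>, that the CSP block is nested as <content-Security-Policy> / <connect-src> / <add source>, and that the manifest was exported as JSON; the IDs and both sample files are constructed.

```python
"""Offline checks for the Entra ID settings described on this page.

Added example, not AVEVA's code. Assumptions: <add key="avevanet:..."/> entries sit
under <appSettings>; the CSP block nests as content-Security-Policy/connect-src/add;
the manifest is a JSON export with accessTokenAcceptedVersion, groupMembershipClaims
and appId. All IDs and sample documents below are constructed.
"""
import json
import xml.etree.ElementTree as ET

PREFIX = "avevanet:"
REQUIRED = ("authenticationProvider", "applicationRootUri", "authorityUri",
            "dashboardClientId", "resourceScope")
ENTRA_LOGIN = "https://login.microsoftonline.com/"

# Constructed IDs; the real ones come from the Overview page of the registration.
CLIENT_ID = "00000000-0000-0000-0000-00000000c1e7"
TENANT_ID = "00000000-0000-0000-0000-0000000007e7"

# Constructed excerpt of an app registration manifest (steps 18-19).
SAMPLE_MANIFEST = json.dumps({
    "appId": CLIENT_ID,
    "accessTokenAcceptedVersion": 2,
    "groupMembershipClaims": "SecurityGroup",
})

# Constructed web.config excerpt with the settings from steps 22-24.
SAMPLE_WEB_CONFIG = f"""<configuration>
  <appSettings>
    <add key="avevanet:authenticationProvider" value="AzureAD" />
    <add key="avevanet:applicationRootUri" value="https://sample.example.com/Dashboard" />
    <add key="avevanet:authorityUri" value="https://login.microsoftonline.com/{TENANT_ID}/v2.0" />
    <add key="avevanet:dashboardClientId" value="{CLIENT_ID}" />
    <add key="avevanet:resourceScope" value="api://{CLIENT_ID}/AIM/AVEVA.NET.Workhub" />
  </appSettings>
  <content-Security-Policy enabled="true">
    <connect-src self="true">
      <add source="https://login.microsoftonline.com/" />
    </connect-src>
  </content-Security-Policy>
</configuration>"""


def check_manifest(manifest_text: str) -> list:
    """Findings for the two manifest values steps 18 and 19 require."""
    m = json.loads(manifest_text)
    findings = []
    if m.get("accessTokenAcceptedVersion") != 2:
        findings.append("manifest: accessTokenAcceptedVersion must be 2 (preferred_username claim)")
    if m.get("groupMembershipClaims") not in ("SecurityGroup", "All"):
        findings.append("manifest: groupMembershipClaims must be SecurityGroup or All (groups claim)")
    return findings


def check_web_config(xml_text: str) -> list:
    """Findings for the avevanet: settings and the CSP connect-src entry."""
    root = ET.fromstring(xml_text)
    findings = []
    settings = {}
    for add in root.iter("add"):
        key = add.get("key")
        if key is None:          # CSP <add source=...> entries have no key
            continue
        if key in REQUIRED:      # known setting written without the prefix
            findings.append(f"web.config: key '{key}' is missing the {PREFIX} prefix")
        elif key.startswith(PREFIX):
            value = add.get("value", "")
            if value != value.strip():   # whitespace inside a URI or scope breaks matching
                findings.append(f"web.config: value of '{key}' has leading/trailing whitespace")
            settings[key[len(PREFIX):]] = value.strip()
    for name in REQUIRED:
        if name not in settings:
            findings.append(f"web.config: {PREFIX}{name} is not set")
    root_uri = settings.get("applicationRootUri", "")
    if root_uri and not root_uri.startswith("https://"):
        findings.append("web.config: applicationRootUri should use https")
    authority = settings.get("authorityUri", "")
    if authority and not (authority.startswith(ENTRA_LOGIN) and authority.endswith("/v2.0")):
        findings.append("web.config: authorityUri should be https://login.microsoftonline.com/{tenantId}/v2.0")
    client_id = settings.get("dashboardClientId", "")
    scope = settings.get("resourceScope", "")
    if scope and not scope.startswith(f"api://{client_id}/AIM/"):
        findings.append("web.config: resourceScope should start with api://{clientId}/AIM/ using dashboardClientId")
    sources = [a.get("source") for a in root.findall(".//content-Security-Policy/connect-src/add")]
    if ENTRA_LOGIN not in sources:
        findings.append("web.config: CSP connect-src lacks " + ENTRA_LOGIN)
    return findings


def run_checks(manifest_text: str = SAMPLE_MANIFEST, web_config_text: str = SAMPLE_WEB_CONFIG) -> list:
    """Combined findings; an empty list means both files match this page."""
    return check_manifest(manifest_text) + check_web_config(web_config_text)


if __name__ == "__main__":
    for line in run_checks() or ["all checks passed"]:
        print(line)
```

Run it against the real files by passing their contents to run_checks(); the whitespace check exists because a value such as " api://..." copied with a leading space is a common cause of a scope mismatch that the portal reports only as a generic consent or token error.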
