
Identity Connector Configuration Guide
Azure Active Directory

This document guides an Azure Active Directory administrator through the steps necessary to initially link Azure Active Directory to Brivo Onair for the purpose of provisioning users. For information and support using Azure Active Directory beyond initial Onair provisioning integration, please contact Microsoft.

I. Introduction
    Provisioning Features
    Supported User Fields
    Supported Group Fields
    Restrictions

II. Configuration
    Before You Begin
    Integrating with an existing Brivo Onair Account
    Creating your secret token
    Creating your Azure Enterprise application
    Configuring Azure with Brivo Onair


© 2021 Brivo Systems LLC. All rights reserved. P-MAN-PUB-Identity Connector Configuration Guide: Azure Provisioning

Identity Connector Configuration Guide: Azure Provisioning

Introduction

The following provisioning features are supported in this integration:

Push New Users: New users created through Azure will also be created in Brivo Onair.

Push Profile Updates: Updates made to the user’s profile through Azure will be pushed to Brivo Onair.

Push User Deactivation: Deactivating the user or disabling the user’s access to the application through Azure will deactivate the user in Brivo Onair.

Reactivate Users: User accounts can be reactivated in the application.

Push Groups: Groups and their members can be pushed to Brivo Onair from Azure.

Supported User Fields

IsSoftDeleted
displayName
userPrincipalName
preferredLanguage
givenName
surname
facsimileTelephoneNumber
mobile
telephoneNumber
department
jobTitle
manager

Supported Group Fields

displayName
members

Restrictions

MASTER_ADMIN cannot be created, updated, or deleted by Azure.

The MASTER_ADMIN account must be created in Onair prior to Azure integration.

Sync Password is not supported. Onair administrator passwords are maintained in Onair; they are not copied from Azure.

A group cannot have another group as a member.


Configuration

Before You Begin

Before you begin, ensure you have the following required elements:

An active Azure Active Directory account

An active Brivo Onair account with an Identity Connector subscription

An active Brivo Onair senior administrator account (master administrator if administrators will be managed from Azure)

Integrating to an existing Onair Account

To prevent Azure from creating duplicate Brivo Onair users in accounts with existing users and groups, perform the following steps before configuring the integration:

Purchase one hour of Brivo Professional Services

Load the user’s Azure Object ID into the IC_AD_ExternalID field of the user spreadsheet provided by Professional Services

Brivo Professional Services will upload this list to Onair

Any Azure users with “block sign in” set to “yes” will have their Onair accounts set to suspended. Their credentials will not unlock doors.
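The following pre-flight check is an added example, not part of Brivo's guide: before the sheet goes to Professional Services, it validates each Azure Object ID destined for IC_AD_ExternalID, rejects duplicates, and lists the users whose Onair accounts will be suspended. The export column names (userPrincipalName, id, accountEnabled), the use of userPrincipalName as the row key, and the sample data are assumptions.

```python
import csv
import io
import uuid

# Constructed sample export; the column names are assumed (adjust to your export).
# accountEnabled = false corresponds to "block sign in" = "yes" in the portal.
SAMPLE_EXPORT = """userPrincipalName,id,accountEnabled
alice@example.com,0f8fad5b-d9cb-469f-a165-70867728950e,true
bob@example.com,7c9e6679-7425-40de-944b-e07fc1f90ae7,false
carol@example.com,not-a-guid,true
dave@example.com,0F8FAD5B-D9CB-469F-A165-70867728950E,true
"""


def normalize_object_id(value):
    """Return the object ID as a lowercase hyphenated GUID, or None if malformed."""
    text = (value or "").strip().lower()
    try:
        canonical = str(uuid.UUID(text))
    except ValueError:
        return None
    return canonical if canonical == text else None


def build_external_id_rows(export_text):
    """Split an export into sheet rows, rejected users, and users that will be suspended."""
    rows, rejected, will_suspend, seen = [], [], [], {}
    for rec in csv.DictReader(io.StringIO(export_text)):
        upn = rec["userPrincipalName"].strip()
        oid = normalize_object_id(rec["id"])
        if oid is None:
            rejected.append((upn, "malformed object ID"))
        elif oid in seen:
            # A shared ID makes the match between Azure and Onair users ambiguous.
            rejected.append((upn, "object ID already used by " + seen[oid]))
        else:
            seen[oid] = upn
            rows.append({"userPrincipalName": upn, "IC_AD_ExternalID": oid})
            if rec["accountEnabled"].strip().lower() != "true":
                will_suspend.append(upn)
    return rows, rejected, will_suspend


if __name__ == "__main__":
    rows, rejected, will_suspend = build_external_id_rows(SAMPLE_EXPORT)
    for row in rows:
        print(row["userPrincipalName"], row["IC_AD_ExternalID"])
    print("rejected:", rejected)
    print("will be suspended in Onair:", will_suspend)
```

Review the suspended list with whoever owns door access before the upload, since those users' credentials stop unlocking doors once the integration runs.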

Creating your secret token

1. In Brivo Onair, create a Senior Administrator account that will be used by Azure to provision users. If Brivo Onair administrators will be provisioned from Azure Active Directory, configure this account with “Can Create, Edit, and Delete Admins” permissions.

2. Log in to Brivo Onair with the Senior Administrator credentials from Step #1.

3. In the Brivo Onair interface, click on Setup, then Account, then Account Settings. Click on the Azure AD tab (A) and the Azure AD details page displays.

4. In the Onair Password field (B), reenter the password for the Senior Administrator account created in Step #1.

5. Click the Submit button (C). The Tenant URL and Secret Token fields will populate.

6. Click the Copy Token button (D).


7. The secret token will be used in the next section, when configuring Azure with Brivo Onair.

Creating your Azure Enterprise application

1. Click on the Azure Active Directory link (A), then on the Enterprise Applications link (B), and finally click on the + New application link (C).


2. In the Add from the gallery text box, type Brivo (A). Brivo Onair Identity Connector will appear as an option. Click on the Brivo application (B). Finally, click on the Add button at the bottom right of the page (C).


Configuring Azure with Brivo Onair

1. In the Enterprise Applications tab, select the previously created application.

2. Select Provisioning (A) and set the mode to Automatic (B).

3. Use the URL https://scim.brivo.com/ActiveDirectory/v2/ (C) and enter the previously created secret token (D).

4. Click on the Test Connection button (E). If any errors occur, please contact Brivo Technical Support.

5. After a successful test of the connection, destroy any previously stored copies of the secret token to reduce cybersecurity risks. Should you ever need to reenter a secret token, you may create a new one in Brivo Onair.

6. When finished, click Save (F).

7. In the Provisioning section under Mappings, select User mappings (A).


8. Confirm all attribute mappings exactly match the attributes shown below (A). If they do not match, edit the attributes to match. Press Save (B) when complete.

9. Under the Manage column, select Users and Groups (A) when adding user(s) or group(s) (B) to be automatically provisioned from Azure Active Directory to Brivo Onair.


10. Under Add Assignment, click on Users and Groups (A) to select a group. Under Users and Groups, select from the available groups (B) by clicking on the Select button (C). Once selected, click on the Assign button (D).

11. From Provisioning (A), turn on the synchronization (B) and click Save (C).


12. New users and groups typically appear in Brivo Onair within 15-30 minutes of configuration. New custom fields will be added to users as shown below upon successful first provisioning.

13. In the event that users or groups are not successfully provisioned into Brivo Onair, please consult the Azure Active Directory Audit Log.


14. Assign sites to Brivo Onair groups created by Identity Connector to provide provisioned users with physical access to door(s).

15. Assign credentials to Brivo Onair users created by Identity Connector.

Revision List

Date | Version | Description
May 21, 2019 | 1.0 | Initial Draft
June 6, 2019 | 1.1 | Added Obtaining Secret Token section
June 24, 2019 | 1.2 | Updated Obtaining Secret Token instructions
July 11, 2019 | 1.3 | Updated Brivo Professional Services information
October 3, 2019 | 1.4 | Content changes and updates
May 11, 2020 | 1.5 | Updated screenshot on Page 7
January 21, 2021 | 1.6 | Removed SSO restriction notice on Page 2