The Azure Active Directory (AAD) integration allows you to provision users to Forecast and enables users to log in through AAD.
- Go to portal.azure.com and sign-in to your company admin account.
- In the search bar at the top, write Enterprise applications.
- Click the New application button in the upper left of the main pane.
- Click Create your own application.
- In the newly opened pane on the right-side, name the app "Forecast" and select the option Integrate any other application you don't find in the gallery (Non-gallery). Click the Create button at the bottom of the pane (Note that it takes a minute to create the app).
- From top to bottom in the menu of the new app:
- Go to Properties and set the image file to the image found here
- Go to Single sign-on and set it to Linked. Set the Sign on URL to https://app.forecast.it/azureAD?iss=YOUR_TENANT, where YOUR_TENANT is visible by clicking your profile in the top-right and clicking Switch directories. The directory of your company should be listed along with a URL: YOUR_TENANT.onmicrosoft.com. The first part of this URL is your tenant. After you have input the Sign on URL, click Save in the top left.
- Go to Provisioning and set the Provisioning Mode to Automatic. Under Admin Credentials, set the Tenant URL to https://api.forecast.it/scim/v2/ and set the Secret Token to the value of the SCIM bearer token field found on your integrations page.
- Click Test Connection and Save the configuration if the connection is successful.
- Expand the Mappings section and disable the Directory Groups by clicking it and clicking the Enabled slider and then the Save button.
- Go back to the Provisioning page (you can click the breadcrumbs in the top left of the pane). Click the Directory Users line and change the attribute mappings according to what you need and what Forecast supports.
- Go back to Provisioning once again. Under the Settings header, click the Provision Status slider, so that it is On, and click Save once again.
- Now click Azure Active Directory in the left hand menu, then App Registrations, All applications and then click on your Forecast app.
- From top to bottom in the menu of your Forecast app:
- On the Overview page, click the copy icon next to the Application (client) ID and paste it in the Application client id field on the app page in Forecast. Write your tenant name in the Azure Tenant field on the same page. Keep this page open.
- Go to Authentication and click on the "Add a platform" button. Select Web on the right hand side and under Redirect URI add the following URI: https://graphql.forecast.it/azuread/oauth/ and click Configure.
- Go to Certificates & Secrets and under Client secrets, click the New client secret button. Under Expires, select 24 months and click Add. The new client secret should now appear with a Value. Click the copy icon next to the value and paste it in the Application client secret field on the app page in Forecast.
- Go to API Permissions and click the Add a permission button. In the newly opened window, click the Microsoft Graph button and then the Delegated permissions button. Tick email, openid & profile at the top of the list, and scroll down and tick the User.Read under User. Click the Add permissions button. Click the Grant admin consent for YOUR_TENANT_NAME and click Yes.
- You are now done with the setup and ready to configure users. You can do this by going to Azure Active Directory -> Enterprise applications -> Forecast and then under Users and groups you can add the needed users. Those users can then access Forecast through their Microsoft access panel or on the AAD tab on the Forecast login page
If you want to provision user types we recommend you use AADs App Roles for this purpose.
You can do this by adding an expression mapping targeting the userType attribute with a source of "SingleAppRoleAssignment([appRoleAssignments])".
You can then create the appropriate app roles under Azure Active Directory -> App Registrations -> Forecast -> App roles, and assign them when configuring the users in step 9. Note that the role assigned is translated to a permission level in Forecast by matching names to user types (or profiles, if enabled). This means that if you assign a person an app role of "Admin" they will have admin rights in your Forecast company.