Azure Active Directory

The Azure Active Directory (AAD) integration allows you to provision users to Forecast and enables users to log in through AAD.

  1. Go to portal.azure.com and sign in to your company admin account.
  2. In the left-hand menu, click Azure Active Directory and then Enterprise applications.
  3. Click the New application button in the upper left of the main pane.
  4. Click Non-gallery application, name the app "Forecast" and click the Add button at the bottom of the pane (Note that it takes a minute to create the app).
  5. From top to bottom in the menu of the new app:
    1. Go to Properties and set the image file to the image found here
    2. Go to Single sign-on and set it to Linked. Set the Sign on URL to https://app.forecast.it/azureAD?iss=YOUR_TENANT, where YOUR_TENANT is visible by clicking your profile in the top-right and clicking Switch directories. The directory of your company should be listed along with a URL: YOUR_TENANT.onmicrosoft.com. The first part of this URL is your tenant. After you have input the Sign on URL, click Save in the top left.
    3. Go to Provisioning and set the Provisioning Mode to Automatic. Under Admin Credentials, set the Tenant URL to https://api.forecast.it/scim/v2/ and set the Secret Token to the value of the SCIM bearer token field found on your integrations page: https://forecast.it/settings/catalog/azureAD
      1. Click Test Connection and Save the configuration if the connection is successful.
      2. Expand the Mappings section and disable the Directory Groups mapping by clicking it, clicking the Enabled slider and then clicking the Save button.
      3. Go back to the Provisioning page (you can click the breadcrumbs in the top left of the pane). Click the Directory Users line, delete all attributes except for the mappings from Switch, displayName, mail, givenName and surname, and click the Save button.
      4. Go back to Provisioning once again. Under the Settings header, click the Provision Status slider, so that it is On, and click Save once again.
  6. Now click Azure Active Directory in the left-hand menu once again, then App Registrations and then click on your Forecast app.
  7. From top to bottom in the menu of your Forecast app:
    1. On the Overview page, click the copy icon next to the Application (client) ID and paste it in the Application client id field on the app page in Forecast. Write your tenant name in the Azure Tenant field on the same page. Keep this page open.
    2. Go to Authentication and under Redirect URI add the following URI: https://graphql.forecast.it/azuread/oauth/ and un-tick the ID tokens checkbox under Implicit Grant. Click Save.
    3. Go to Certificates & Secrets and under Client secrets, click the New client secret button. Under Expires, select Never and click Add. The new client secret should now appear with a Value. Click the copy icon next to the value and paste it in the Application client secret field on the app page in Forecast.
    4. Go to API Permissions and click the Add a permission button. In the newly opened window, click the Microsoft Graph button and then the Delegated permissions button. Tick email, openid & profile at the top of the list, then scroll down and tick User.Read under User. Click the Add permissions button. Click the Grant admin consent for YOUR_TENANT_NAME button and click Yes.
  8. You are now done with the setup and ready to configure users. You can do this by going to Azure Active Directory -> Enterprise applications -> Forecast and then under Users and groups you can add the needed users.
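
To confirm that the app registration from step 7 ended up with exactly the redirect URI, implicit grant setting and delegated permissions listed above, its JSON (for example from `az ad app show --id <Application (client) ID>`) can be checked with a short script. This is an added example, not code from Forecast or Microsoft; it assumes the Microsoft Graph application object layout (`web.redirectUris`, `web.implicitGrantSettings`, `requiredResourceAccess`), and the sample input is constructed.

```python
import json

GRAPH = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource app id
REDIRECT_URI = "https://graphql.forecast.it/azuread/oauth/"
# Delegated permissions ticked in the guide, keyed by Microsoft Graph scope id.
EXPECTED = {
    "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0": "email",
    "37f7f235-527c-4136-accd-4a02d197296e": "openid",
    "14dad69e-099b-42c9-810b-d002981feec1": "profile",
    "e1fe6dd8-ba31-4d61-89e7-88639da4683d": "User.Read",
}


def audit_app_registration(app):
    """Return a list of deviations from the app registration settings in the guide."""
    findings = []
    web = app.get("web") or {}
    uris = web.get("redirectUris") or []
    if REDIRECT_URI not in uris:
        findings.append(f"redirect URI missing: {REDIRECT_URI}")
    findings += [f"unexpected redirect URI: {u}" for u in uris if u != REDIRECT_URI]
    if (web.get("implicitGrantSettings") or {}).get("enableIdTokenIssuance"):
        findings.append("implicit grant still issues ID tokens")
    granted = set()
    for res in app.get("requiredResourceAccess") or []:
        for acc in res.get("resourceAccess") or []:
            # Only delegated ("Scope") Graph permissions from the guide are expected.
            if (res.get("resourceAppId"), acc.get("type")) == (GRAPH, "Scope") \
                    and acc.get("id") in EXPECTED:
                granted.add(acc["id"])
            else:
                findings.append(f"extra permission: {acc.get('id')} ({acc.get('type')})")
    findings += [f"permission missing: {n}" for i, n in EXPECTED.items() if i not in granted]
    return findings


# Constructed sample, not a real export; the "Role" entry uses a placeholder id.
SAMPLE = json.loads("""
{"web": {"redirectUris": ["https://graphql.forecast.it/azuread/oauth/"],
         "implicitGrantSettings": {"enableIdTokenIssuance": true}},
 "requiredResourceAccess": [{"resourceAppId": "00000003-0000-0000-c000-000000000000",
   "resourceAccess": [{"id": "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0", "type": "Scope"},
                      {"id": "37f7f235-527c-4136-accd-4a02d197296e", "type": "Scope"},
                      {"id": "14dad69e-099b-42c9-810b-d002981feec1", "type": "Scope"},
                      {"id": "00000000-0000-0000-0000-000000000000", "type": "Role"}]}]}
""")

if __name__ == "__main__":
    print("\n".join(audit_app_registration(SAMPLE)) or "matches the guide")
```

An empty result means the registration matches the guide; any extra redirect URI or permission is reported so it can be removed.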