Enabling Entra ID Security Mode
GENESIS Security can synchronize with Microsoft Entra ID (formerly called Azure Active Directory).
Optionally, you can enable web login for Entra ID, which allows you to use single sign-on (SSO) and features such as multi-factor authentication.
Setting this up requires the following prerequisites:
-
Basic knowledge of GENESIS Security and Workbench.
-
Microsoft Active Directory and Entra ID.
-
A correctly configured public origin. Learn more
To enable the Entra ID mode and configure web login:
-
Set up Entra ID, and then obtain your Application (client) ID, Directory (tenant) ID, client secret, and initial administrator account.
Learn how
These settings may change over time. See Microsoft's documentation if you are having trouble following these steps.
-
Register your application on the Azure portal. More information about the registration process can be found here :
-
Under API permission, add the following permissions:
-
Microsoft Graph > Application Permission > Directory > User.Read.All
-
Microsoft Graph > Application Permission > Directory > GroupMember.Read.All .
-
-
Grant the application at least one Delegated API permission , either User.Read or openid .
-
Select Grant admin consent for directory name. This step is necessary and requires administrative privileges for the Microsoft Entra ID.
-
Go to Authentication and enaWble Treat application as a public client to use the standard GENESIS login dialog.
-
Take note of the following information:
Name
Location
Application (client) ID
App Registration > your app > Active Directory > Overview
Directory (tenant) ID
App Registration > your app > Active Directory > Overview
Client secret
App Registration > your app > Certificates & Secrets > New client secret
Initial administrator account
Owners > Username > Name
The initial administrator account name should be in the format of user@domainname.onmicrosoft.com for internal domain users, and in the format of user_domainname.com#EXT#@domainname.onmicrosoft.com for external users.
-
-
(Optional) Set the security to testing mode to help keep you from getting locked out if something is configured incorrectly later.
Learn how
Do not make this change on a production system.
-
Open Workbench and in Project Explorer, expand your project > Security and double-click Global Settings to open the configuration dialog.
-
On the General tab, set Security active to Testing .
-
Apply the changes.
-
-
Set the GENESIS security mode to Entra ID and enter the information from step 1.
Learn how
-
In Project Explorer in Workbench, go to Security and double-click Global Settings to open the configuration dialog.
-
On the General tab in Security mode , select Entra ID .
-
In the Entra ID Settings section, enter the information obtained in step 1.
-
Select Synchronize now. After a moment, Operation Successful appears next to the button.
-
Apply the changes, and then open a login dialog and try to log into GENESIS with a Microsoft Entra ID user.
-
-
Optional: Enable web login for Entra ID.
Learn how
-
In Project Explorer in Workbench, go to Security > Global Settings, make the following changes, and then click Apply.
Location
Setting Name
Value
Notes
General tab
Allow simultaneous login
Cleared
Web Login tab > General Settings section
Enabled
Selected
Web Login tab > Authentication section
Type
Entra ID
Web Login tab > Authentication section
Prompt
Default
Web Login tab > General Settings section
In-house applications use web login
Selected
(Optional)Select to make applications such as Workbench and GraphWorX use the Microsoft login dialog.
General tab
Automatic login
Cleared
Clear if In-house applications use web login is selected.
-
In the Azure portal, go to Active Directory > App Registration > your app > Authentication and set OIDC URI to https://<GENESIS-server-name>/fwxserverweb/security/signin-oidc .
-
Test logging into Workbench (if In-house applications use web login is enabled) or a WebHMI display.
-
-
If all tests succeeded, set the security back to active mode.
Learn how
-
In Workbench, go to Security > Global Settings > General tab.
-
Set Security active to Active .
-
Apply the changes.
-