Enabling Entra ID Security Mode

GENESIS Security can synchronize with Microsoft Entra ID (formerly called Azure Active Directory).

Optionally, you can enable web login for Entra ID, which allows you to use single sign-on (SSO) and features such as multi-factor authentication.

Setting this up requires the following prerequisites:

• Basic knowledge of GENESIS Security and Workbench.
• Microsoft Active Directory and Entra ID.
• A correctly configured public origin. Learn more

To enable the Entra ID mode and configure web login:

1. Set up Entra ID, and then obtain your Application (client) ID, Directory (tenant) ID , client secret, and initial administrator account. Learn how

   These settings may change over time. See Microsoft's documentation if you are having trouble following these steps.

   1. Register your application on the Azure portal. More information about the registration process can be found here: https://docs.microsoft.com/en-us/graph/auth-v2-service

   2. Under API permission, add the following permissions:

      • Microsoft Graph > Application Permission > Directory > User.Read.All
      • Microsoft Graph > Application Permission > Directory > GroupMember.Read.All.
   3. Grant the application at least one Delegated API permission, either User.Read or openid.
   4. Select Grant admin consent for directory name. This step is necessary and requires administrative privileges for the Microsoft Entra ID.
   5. Go to Authentication and enable Treat application as a public client to use the standard GENESIS login dialog.

   6. Take note of the following information:

      Name	Location
      Application (client) ID	App Registration > your app > Active Directory > Overview
      Directory (tenant) ID	App Registration > your app > Active Directory > Overview
      Client secret	App Registration > your app > Certificates & Secrets > New client secret
      Initial administrator account	Owners > Username > Name The initial administrator account name should be in the format of user@domainname.onmicrosoft.com for internal domain users, and in the format of user_domainname.com#EXT#@domainname.onmicrosoft.com for external users.

2. (Optional) Set the security to testing mode to help keep you from getting locked out if something is configured incorrectly later. Learn how

   Do not make this change on a production system.
   1. Open Workbench and in Project Explorer, expand your project > Security and double-click Global Settings to open the configuration dialog.
   2. On the General tab, set Security active to Testing.
   3. Apply the changes.
3. Set the GENESIS security mode to Entra ID and enter the information from step 1. Learn how
   1. In Project Explorer in Workbench, go to Security and double-click Global Settings to open the configuration dialog.
   2. On the General tab in Security mode, select Entra ID.
   3. In the Entra ID Settings section, enter the information obtained in step 1.

   4. Select Synchronize now. After a moment, Operation Successful appears next to the button. View image

      

   5. Apply the changes, and then open a login dialog and try to log into GENESIS with a Microsoft Entra ID user.
4. Optional: Enable web login for Entra ID. Learn how

   1. In Project Explorer in Workbench, go to Security > Global Settings, make the following changes, and then click Apply.

      Location	Setting Name	Value	Notes
      General tab	Allow simultaneous login	Cleared
      Web Login tab > General Settings section	Enabled	Selected
      Web Login tab > Authentication section	Type	Entra ID
      Web Login tab > Authentication section	Prompt	Default
      Web Login tab > General Settings section	In-house applications use web login	Selected (Optional)	Select to make applications such as Workbench and GraphWorX use the Microsoft login dialog.
      General tab	Automatic login	Cleared	Clear if In-house applications use web login is selected.

   2. In the Azure portal, go to Active Directory > App Registration > your app > Authentication and set OIDC URI to  https://<GENESIS-server-name>/fwxserverweb/security/signin-oidc.
   3. Test logging into Workbench (if In-house applications use web login is enabled) or a WebHMI display.
5. If all tests succeeded, set the security back to active mode. Learn how
   1. In Workbench, go to Security > Global Settings > General tab.
   2. Set Security active to Active.
   3. Apply the changes.