This article outlines our managed integration with Microsoft Azure AD / Entra ID (Microsoft Entra ID is the new name for Azure AD; the process below is the same under either name).
Please note, this is different from using Azure AD as your Single-Sign-On provider. Please see this article for more about using Azure AD for SSO. The recommended setup is to use Azure AD for both SSO and as a managed integration, giving you both SSO authentication and user data sync.
What does the managed integration do?
This integration populates Tribal Habits with new and updated users from a specified Group in Azure AD several times each weekday.
New users are created in Tribal Habits
Updated users are updated in Tribal Habits
User data is populated (e.g. job title, location)
Manager data is populated (including email)
Deactivated users are deactivated in Tribal Habits
THIS FEATURE REQUIRES AN ACTIVE 50 PLAN OR LARGER
Please note that our managed integration with Azure AD is only available on Active 50 or larger plans. This integration is not available on smaller plans (such as Starter) or legacy plans (older monthly plans). Please contact our team at [email protected] if you would like access to this integration but it is not activated in your portal.
What are the benefits of this managed integration?
Reduced administrative workload
First, this integration reduces the workload for your Tribal Habits administrators by automating user creation. New users will be automatically populated in Tribal Habits from Azure AD. Users can also be deactivated based on data from Azure AD.
Data consistency
Second, the integration eliminates data inconsistency. Users are updated automatically from Azure AD, ensuring that your Tribal Habits data matches your Azure AD data. This allows your organisation to use Azure AD as a single source of truth for user data.
Improved reporting
With more (and more accurate) user data, your Tribal Habits reporting and administration is also improved.
What’s required to set up the integration?
The integration is managed by Tribal Habits. Our team will set up the integration and manage it on your behalf. Error messaging for a failed user sync can be enabled and sent to a specified email address at your organisation, allowing your Azure AD or Tribal Habits administrators to be immediately notified if user data is incorrect or inconsistent.
The integration requires some setup by your Azure AD administrators. Instructions for this process are outlined below. During the testing of the integration, we will also require a small amount of time from your Azure AD administrators to troubleshoot any issues or confirm user data is correct. Typically, this is a few hours of work in total.
What is the integration process?
Our integration with Azure AD is a ‘managed integration’. This means our Support team will create and run the integration on your organisation’s behalf. It also means that each integration can be customised to suit your organisation. Here are the major steps and options as we set up this integration.
1 – Kick-Off Call
We begin with a 30 minute kick-off call with your team to discuss your integration.
First, we will determine the appropriate 'username' for your users in Tribal Habits. As most organisations using Azure AD will also use Single-Sign-On, we usually just need to ensure that the username matches the identifier used for SSO. This may be the work email address, but could also be an employee number or the Azure AD object ID.
Second, we will discuss the 'Group' of users you want to sync into Tribal Habits. Our Azure AD sync utilises the Groups feature in Azure. This allows you to specify users to sync in Azure AD. This may be an existing group you have previously created in Azure AD (e.g. 'All Employees') or you may want to create a separate group for this sync (e.g. 'Tribal Habits LMS users').
Third, we will focus on the additional fields of user data you may want to sync from Azure AD into custom fields in Tribal Habits – such as location or job title.
2 – Integration Preparation
Our team then prepares the integration, which typically takes just a few days.
In the meantime, your Azure AD admins will need to prepare a Tribal Habits app and Group in Azure. This is a relatively straightforward process which your admins may have completed for other apps. The process is as follows.
Preparing your Azure AD app
First, sign in to the Azure portal. Select Azure Active Directory > App registrations > New registration.
Then register your new Tribal Habits LMS application.
Name: A unique name for this application. We recommend Tribal Habits LMS.
Supported account types: Select as appropriate. Typically 'Accounts in this organisational directory only'.
Redirect URI: Select Web type and then https://www.workato.com/oauth/callback
Then select register.
Second, now we need to set some permissions. Click on API permissions tab, add a new permission and select Microsoft Graph.
Then select all the following permissions.
Application permissions.
User.Read.All
Directory.Read.All
GroupMember.Read.All
Group.Read.All
Delegated permissions
User.Read
User.ReadBasic.All
User.Read.All
Directory.Read.All
GroupMember.Read.All
Group.Read.All
Third, grant admin consent so the application can use the permissions above across the whole tenant without each user being prompted. Click the ‘Grant admin consent’ link and confirm.
And here's how it looks after granting consents.
Fourth, we need some IDs and a secret. Go to Certificates and secrets and click New client secret.
Now label the secret (Tribal Habits LMS) and set an expiry date. You will need to track the expiry, create a new secret before the old one lapses and pass the new Value to Tribal Habits. We recommend setting a task or reminder for your selected expiry period, otherwise the integration will fail when the secret expires.
IMPORTANT! Copy the Value part of the secret immediately and store it securely (for example in your organisation's password vault). The Value will not be shown again and it is required by our support team later; share it with us over a secure channel rather than in a plain email.
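Because the secret's expiry is the most common reason a working sync stops, here is a small added check (example code, not from this article and not Tribal Habits' or Microsoft's own tooling) that flags secrets on the app registration that are expired or expiring soon. The input is the JSON shape Microsoft Graph returns for GET /applications/{objectId}?$select=displayName,passwordCredentials, which an Azure AD admin reads with their own delegated rights (it is not one of the permissions granted to the app above). SAMPLE_APP, its key IDs and dates are constructed.

```python
"""Flag client secrets that are expired or expiring within a warning window."""
from datetime import datetime, timezone
from typing import Dict, List


def parse_graph_time(value: str) -> datetime:
    """Parse Graph's ISO 8601 UTC timestamps ('...Z', up to 7 fractional digits)."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        value = f"{head}.{frac[:6]}"  # datetime supports microseconds at most
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def secrets_needing_rotation(app: dict, now: datetime, warn_days: int = 30) -> List[Dict[str, str]]:
    """Return the secrets that have expired or expire within `warn_days`.

    Only keyId (the 'Secret ID' shown in the portal) is available here; the
    secret Value is never retrievable after creation, which is why the
    article tells you to copy it immediately.
    """
    flagged = []
    for cred in app.get("passwordCredentials", []):
        expires = parse_graph_time(cred["endDateTime"])
        days_left = (expires - now).days
        if days_left < warn_days:
            flagged.append({
                "displayName": cred.get("displayName") or "(unnamed)",
                "keyId": cred["keyId"],
                "endDateTime": cred["endDateTime"],
                "status": "expired" if expires <= now else f"expires in {days_left} days",
            })
    return flagged


# Constructed sample in the Graph response shape; ids and dates are made up.
SAMPLE_APP = {
    "displayName": "Tribal Habits LMS",
    "passwordCredentials": [
        {"displayName": "Tribal Habits LMS", "keyId": "0f3c1a2e-0000-4000-8000-000000000001",
         "endDateTime": "2024-02-01T00:00:00Z"},
        {"displayName": "Tribal Habits LMS 2025", "keyId": "0f3c1a2e-0000-4000-8000-000000000002",
         "endDateTime": "2025-06-30T00:00:00.1234567Z"},
    ],
}

if __name__ == "__main__":
    for item in secrets_needing_rotation(SAMPLE_APP, parse_graph_time("2024-01-15T00:00:00Z")):
        print(item)
```

Run this from a scheduled job (or adapt it to the Graph PowerShell SDK output) and raise a ticket for anything it returns, so the replacement Value reaches Tribal Habits before the old secret lapses.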
Preparing your Azure AD Group
Our integration for Azure utilises the Groups feature in Azure. We will sync all users from a specified Group in Azure. Typically, this means selecting or creating a group which contains all your users to be synced with Tribal Habits. This may be an existing group (All Employees) or you may want to create a separate group for this (Tribal Habits LMS).
Your Azure AD admins should set up the appropriate Group in Azure AD. Our support team will then require the Group ID (the Object ID shown on the group's Overview page) later.
3 - Set-up Call
We then organise a second call with your team for the authorisation process. We require one of your Azure AD administrators for approximately 30 minutes to complete and test the integration with our team.
From your Azure AD app, we will require your admin to share three items with us:
The Application (client) ID from the Overview tab of your app.
The Directory (tenant) ID from the Overview tab of your app.
The Value (not the Secret ID) of the client secret you created on the Certificates and secrets page of your app. Remember you stored this back in the preparation phase.
4 - Go Live
Once your integration is tested and ready to go, we can activate the integration when your team is ready! We actively monitor your integration for the first few weeks to ensure it's all working as intended, or to fine tune any requirements. Your integration is then all set!
FAQ - Can the Azure AD sync also deactivate users in Tribal Habits?
It can, but the process differs slightly from a standard integration. In a standard integration, we are typically notified by the other platform when a user should be deactivated. This is somewhat trickier with Azure AD due to the nature of the Microsoft Graph API. In this case, we are syncing all members of a group. When someone is removed from the group, there is no notification provided to us.
To deal with this, we utilise a second process in the integration. For each user we sync from your Azure AD group, we record the date of the last sync. When a user has not been synced for 72 hours (that is, they have not appeared in the group on any sync run in that window), we assume they have been removed from your Azure AD group and we therefore deactivate them at that point. This means a user removed from the group stays active in Tribal Habits until 72 hours have passed since their last successful sync.
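The following is an added example of the two mechanisms this article describes (illustrative code, not Tribal Habits' or Workato's own): enumerating the members of one Azure AD group through Microsoft Graph using the tenant ID, client ID and secret Value from the set-up call, and the FAQ's 72-hour rule, under which a user who has not appeared in any sync run for 72 hours is treated as removed from the group and deactivated. The HTTP transport is injected as fetch_json(url, token) so the logic runs offline against constructed pages; a real run does an HTTPS GET with an 'Authorization: Bearer <token>' header. The users, the nested group and the group id are made up.

```python
"""Group-based user sync with paging and 72-hour stale-user deactivation."""
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterator, List, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
STALE_AFTER = timedelta(hours=72)
FetchJson = Callable[[str, str], dict]


def token_request(tenant_id: str, client_id: str, client_secret: str) -> Tuple[str, Dict[str, str]]:
    """URL and form body of the OAuth2 client-credentials request for a Graph token.
    client_secret is the secret's Value, not its Secret ID."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",  # all admin-consented app permissions
    }
    return url, body


def list_group_members(fetch_json: FetchJson, group_id: str, token: str) -> Iterator[dict]:
    """Yield every user that is a direct member of the group, following paging links."""
    url = (f"{GRAPH}/groups/{group_id}/members"
           "?$select=id,userPrincipalName,mail,jobTitle,accountEnabled&$top=999")
    while url:
        page = fetch_json(url, token)
        for member in page.get("value", []):
            # Groups can also hold nested groups, devices and service principals;
            # only user objects are synced to the LMS.
            if member.get("@odata.type") == "#microsoft.graph.user":
                yield member
        url = page.get("@odata.nextLink")  # absent on the final page


def reconcile(state: Dict[str, dict], members: Iterator[dict], now: datetime) -> Tuple[List[str], List[str]]:
    """Apply one sync run to `state` and return (ids upserted, ids deactivated).

    State is keyed by the Graph object id, which, unlike the UPN or mail
    address, survives a rename; the LMS username is stored as a field.
    """
    upserted: List[str] = []
    for m in members:
        entry = state.setdefault(m["id"], {})
        entry.update(username=m["userPrincipalName"], email=m.get("mail"),
                     job_title=m.get("jobTitle"), last_synced=now, active=True)
        upserted.append(m["id"])
    deactivated: List[str] = []
    for oid, entry in state.items():
        # Graph sends no event when a user leaves the group, so absence from
        # every run in the last 72 hours is the only removal signal.
        if entry["active"] and now - entry["last_synced"] >= STALE_AFTER:
            entry["active"] = False
            deactivated.append(oid)
    return upserted, deactivated


def fake_graph(objects: List[dict], page_size: int = 1) -> FetchJson:
    """Constructed stand-in for Graph: serves `objects` in pages joined by @odata.nextLink."""
    def fetch_json(url: str, token: str) -> dict:
        assert token == "demo-token"
        start = int(url.split("$skiptoken=")[1]) if "$skiptoken=" in url else 0
        page = {"value": objects[start:start + page_size]}
        if start + page_size < len(objects):
            page["@odata.nextLink"] = f"{GRAPH}/groups/g-1/members?$skiptoken={start + page_size}"
        return page
    return fetch_json


# Constructed directory objects (made-up ids and names).
ANN = {"@odata.type": "#microsoft.graph.user", "id": "u1", "userPrincipalName": "ann@example.com",
       "mail": "ann@example.com", "jobTitle": "Analyst", "accountEnabled": True}
BOB = {"@odata.type": "#microsoft.graph.user", "id": "u2", "userPrincipalName": "bob@example.com",
       "mail": "bob@example.com", "jobTitle": "Engineer", "accountEnabled": True}
NESTED = {"@odata.type": "#microsoft.graph.group", "id": "g-9", "displayName": "Contractors"}


def demo() -> Tuple[Dict[str, dict], List[Tuple[List[str], List[str]]]]:
    """Three runs: Bob leaves the group after run 1. At +24h he is still inside
    the 72-hour window; at +80h he is deactivated."""
    t0 = datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)
    runs = [(t0, [ANN, NESTED, BOB]), (t0 + timedelta(hours=24), [ANN, NESTED]),
            (t0 + timedelta(hours=80), [ANN])]
    state: Dict[str, dict] = {}
    log = []
    for when, objects in runs:
        members = list_group_members(fake_graph(objects), "g-1", "demo-token")
        log.append(reconcile(state, members, when))
    return state, log


if __name__ == "__main__":
    final_state, run_log = demo()
    for i, (ups, deacts) in enumerate(run_log, 1):
        print(f"run {i}: upserted={ups} deactivated={deacts}")
```

Two points the example makes visible: the sync only ever reads (the permissions granted above are all read scopes, and the token is requested with the .default scope so it carries exactly what admin consent granted), and nothing happens on the day a user leaves the group. The article does not say what happens to a user whose Azure AD account is disabled while they remain in the group; accountEnabled is selected in the query so that case can be handled in reconcile if your organisation needs it.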