Integration with Azure Active Directory

You integrate MYOB Advanced with Microsoft Azure Active Directory (Azure AD) to manage users and access in one place and to provide single sign-on. You create, delete, and manage user accounts by using Azure AD. During integration, you map Azure AD groups with user roles in MYOB Advanced to determine users' access rights.

Attention: This functionality is available only if the Active Directory and Other External SSO feature is enabled on the Enable/Disable Features form.

Requirements

Before you integrate MYOB Advanced with Azure AD, your company must be signed up for a Microsoft cloud service, such as Azure or Office 365, with the Azure Active Directory instance configured. For more information, see Azure Active Directory on the Microsoft Azure Portal.

Configuration Steps

You can configure integration with Azure AD when you implement MYOB Advanced or at any later time. To integrate an instance of MYOB Advanced with Azure AD, you will perform the following general steps:

  1. You perform the needed configuration actions on the Azure AD instance (that is, you register your MYOB Advanced instance with the Azure AD instance and you obtain the needed credentials, as described in To Configure Microsoft Azure for Integration with Your MYOB Advanced Instance).
  2. You perform the required configuration actions in the web.config file of the application instance, as described in To Configure the Web.Config File for Integration with Azure Active Directory.
    Important: When you save changes to the web.config file, the website is automatically restarted. Make sure that all users are warned about the restart so that they can save their documents in advance.
  3. You map the Azure AD groups to MYOB Advanced roles, as described in To Map Azure Active Directory Groups to Roles in MYOB Advanced.
  4. Optional: If required, you override the roles assigned to any user automatically by manually selecting the required roles. For details, see To Set Up Role Assignment for Domain Users.
  5. Optional: If you want to use the Azure AD service as the default identity provider, you enable silent logon with Azure AD, as described in To Enable Silent Logon.

User Accounts of Domain Users in MYOB Advanced

After you have enabled integration with the identity management system, user accounts for domain users are created automatically when the users sign in to your MYOB Advanced instance for the first time.

The accounts of domain users in MYOB Advanced are based on their accounts in the domain. The password of a domain user in MYOB Advanced is the same as the domain account password. The email address and the first and last name of the user are populated from the domain account as well. However, the login, password, email address, and first and last name are managed through the domain and cannot be changed in MYOB Advanced.

Attention: You cannot restore the passwords of domain users by using MYOB Advanced tools. You should restore users' domain credentials by using tools of Active Directory (AD).

To speed up authentication of users, the information about AD groups is automatically cached by MYOB Advanced, if the count of the user groups is greater than or equal to the value of the ADGroupCacheLimit parameter specified in the web.config file. To update the list of the user groups in Acumatica ERP with current information from AD, click Reload AD Groups on the toolbar of the User Roles (201005) form.

The Reload AD Groups button appears only when you integrated MYOB Advanced instance with AD, AD FS or Azure AD and when the number of the user groups in AD, AD FS or Azure AD is greater than or equal to the value of the ADGroupCacheLimit parameter specified in the web.config file. If the number of the users and groups in AD is less than the value of the ADGroupCacheLimit parameter, MYOB Advanced retrieves the lists of users and groups directly from AD.

Domain User Authentication

After the integration of MYOB Advanced with Azure AD has been set up, users use single sign-on (SSO) with the domain to sign in to MYOB Advanced. By default, each user performs the following steps:

  1. On the Welcome page of your MYOB Advanced instance, the user selects the Azure AD icon () to open the Azure AD sign-in page.
  2. On the sign-in page, the user enters the domain credentials in the following format: <User_Name>@<Domain_Name>, where <User_Name> is the user account name in the integrated domain and <Domain_Name> is the UPN suffix, also known as the domain name.

To simplify the procedure, you can configure silent logon with Azure AD server. For more information, see To Enable Silent Logon.

Attention: If you configured a multicompany instance and selected the Secure Tenant on Login option on the Tenant Setup page (see Managing Tenants Locally), then users with access to several companies, who sign in to MYOB Advanced using single sign-on with an external identity provider, will be logged in to the first company with enabled single sign-on.

Domain User Authorization

When a domain user tries to access MYOB Advanced, user authorization occurs as follows:

  1. The application instance sends an authentication request to the AD server to validate the user's credentials.
  2. When validation has completed successfully, the AD server sends MYOB Advanced the list of AD groups to which the user is assigned.
  3. MYOB Advanced compares the list of AD groups with the internal MYOB Advanced roles, based on the mapping rules defined on the User Roles (SM201005) form.
  4. The system finds any MYOB Advanced roles that are associated with AD groups to which the domain user account is assigned. If MYOB Advanced finds at least one role, the user is authenticated to sign in to the MYOB Advanced instance.

    The user access rights within the MYOB Advanced application instance are based on the internal list of roles.

For more information about authentication in MYOB Advanced, see Managing User Access. For details about roles and access rights in MYOB Advanced, see Configuring User Roles.

Access Rights of Domain Users

Domain users inherit access rights from the AD groups that you mapped to MYOB Advanced user roles. In addition, you can assign specific user roles to each domain user if the access rights for this user should differ from the AD group rights.

New domain users automatically get the rights to sign in to MYOB Advanced when they join a domain. The membership of these users in MYOB Advanced roles is then automatically updated to comply with the membership of the users in the domain groups.

Attention: The user type functionality, described in User Access: Linked Entities and User Types, cannot be applied to domain users.