Integration with Microsoft Entra ID
You integrate MYOB Acumatica with Microsoft Entra ID (formerly known as Microsoft Azure Active Directory) to manage users and access in one place and to provide single sign-on. You create, delete, and manage user accounts by using Microsoft Entra ID. During integration, you map Entra ID groups with user roles in MYOB Acumatica to determine users' access rights.
Requirements
Before you integrate MYOB Acumatica with Microsoft Entra ID, your company must be signed up for a Microsoft cloud service, such as Azure or Office 365, with the Entra ID instance configured. For more information, see Microsoft Entra ID on the Microsoft Azure Portal.
Configuration Steps
You can configure integration with Microsoft Entra ID when you implement MYOB Acumatica or at any later time. To integrate an instance of MYOB Acumatica with Microsoft Entra ID, you will perform the following general steps:
- You perform the needed configuration actions on the Microsoft Entra ID instance. That is, you register your MYOB Acumatica instance with the Entra ID instance and you obtain the needed credentials, as described in To Configure Microsoft Entra ID for Integration with Your MYOB Acumatica Instance.
- You perform the required configuration actions on the Security Preferences form (SM.20.10.60), as described in To Enable Microsoft Entra ID in MYOB Acumatica.
- You map the Microsoft Entra ID groups to MYOB Acumatica roles, as described in To Map Microsoft Entra ID Groups to Roles in MYOB Acumatica.
- Optional: If required, you override the roles assigned to any user automatically by manually selecting the required roles. For details, see To Set Up Role Assignment for Domain Users.
User Accounts of Domain Users in MYOB Acumatica
After you have enabled integration with the identity management system, user accounts for domain users are created automatically when the users sign in to your MYOB Acumatica instance for the first time.
The accounts of domain users in MYOB Acumatica are based on their accounts in the domain. The password of a domain user in MYOB Acumatica is the same as the domain account password. The email address and the first and last name of the user are populated from the domain account as well. However, the login, password, email address, and first and last name are managed through the domain and cannot be changed in MYOB Acumatica.
To speed up the authentication of users, the information about AD groups is automatically cached by MYOB Acumatica if the count of the user groups is greater than or equal to the value of the ADGroupCacheLimit parameter specified in the web.config file. To update the list of the user groups in MYOB Acumatica with current information from AD, click Reload AD Groups on the toolbar of the User Roles (SM201005) form.
The Reload AD Groups button appears only when you have integrated the MYOB Acumatica instance with AD or Microsoft Entra ID and when the number of user groups in AD or Entra ID is greater than or equal to the value of the ADGroupCacheLimit parameter specified in the web.config file. If the number of users and groups in AD is less than the value of the ADGroupCacheLimit parameter, MYOB Acumatica retrieves the lists of users and groups directly from AD.
Domain User Authentication
After the integration of MYOB Acumatica with Microsoft Entra ID has been set up, users use single sign-on (SSO) with the domain to sign in to MYOB Acumatica. By default, each user performs the following steps:
- On the Sign-In page of your MYOB Acumatica instance, the user selects the Microsoft Entra ID icon to open the Microsoft Entra ID sign-in page.
- On the sign-in page, the user enters the domain credentials in the following format: <User_Name>@<Domain_Name>, where <User_Name> is the user account name in the integrated domain and <Domain_Name> is the UPN suffix, also known as the domain name.
To simplify the procedure, you can configure silent logon with the Microsoft Entra ID server. For more information, see US__how_AzureAD_Silent_Logon_Enable.html.
You need to ensure that all users can sign in to that first company. If they cannot, they will not be able to select a different company to sign in to.
Domain User Authorization
When a domain user tries to access MYOB Acumatica, user authorization occurs as follows:
- The application instance sends an authentication request to the AD server to validate the user's credentials.
- When validation has completed successfully, the AD server sends MYOB Acumatica the list of AD groups to which the user is assigned.
- MYOB Acumatica compares the list of AD groups with the internal MYOB Acumatica roles, based on the mapping rules defined on the User Roles (SM201005) form.
- The system finds any MYOB Acumatica roles that are associated with AD groups to which the domain user account is assigned. If MYOB Acumatica finds at least one such role, the user is allowed to sign in to the MYOB Acumatica instance; if it finds none, sign-in is refused.
The user access rights within the MYOB Acumatica application instance are based on the internal list of roles.
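The authorization flow above, modelled as an added example (not MYOB Acumatica code): the group-to-role mapping rules and the per-user override roles are constructed sample data standing in for what you define on the User Roles form and in the domain user's role assignment, and the override is assumed to replace the group-derived roles.

```python
from dataclasses import dataclass

# Constructed mapping rules standing in for the User Roles form:
# one Entra ID group may map to several MYOB Acumatica roles.
GROUP_TO_ROLES = {
    "Finance-Team": {"Financial Supervisor"},
    "Sales-Reps": {"Sales Viewer"},
    "Sales-Managers": {"Sales Viewer", "Sales Manager"},
}

# Constructed per-user overrides (the optional manual role assignment);
# assumed here to replace the roles derived from group membership.
USER_OVERRIDES = {
    "carol@example.com": {"Administrator"},
}


@dataclass(frozen=True)
class AuthzResult:
    allowed: bool
    roles: frozenset
    reason: str


def authorize(upn, credentials_valid, groups,
              mapping=GROUP_TO_ROLES, overrides=USER_OVERRIDES):
    """Decide whether a domain user may sign in and with which internal roles."""
    # Step 1: the identity provider must have validated the credentials first;
    # no group lookup happens for a rejected sign-in.
    if not credentials_valid:
        return AuthzResult(False, frozenset(), "credentials rejected by identity provider")
    # Manual override: roles selected for this specific user win over the mapping.
    if upn in overrides:
        return AuthzResult(True, frozenset(overrides[upn]), "manually assigned roles")
    # Steps 2-3: collect every role mapped from any group returned for the user;
    # groups with no mapping rule contribute nothing.
    roles = set()
    for group in groups:
        roles |= mapping.get(group, set())
    # Step 4: at least one mapped role is required, otherwise sign-in is refused.
    if not roles:
        return AuthzResult(False, frozenset(), "no MYOB Acumatica role mapped to the user's groups")
    return AuthzResult(True, frozenset(roles), "roles derived from group mapping")
```

A user whose groups map to no role is refused even though Entra ID accepted the credentials, which is the check to verify after editing the mapping rules.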
For more information about authentication in MYOB Acumatica, see Managing User Access. For details about roles and access rights in MYOB Acumatica, see Configuring User Roles.
Access Rights of Domain Users
Domain users inherit access rights from the AD groups that you have mapped to MYOB Acumatica user roles. In addition, you can assign specific user roles to each domain user if the access rights for this user should differ from the AD group rights.
New domain users automatically get the rights to sign in to MYOB Acumatica when they join a domain. The membership of these users in MYOB Acumatica roles is then automatically updated to comply with the membership of the users in the domain groups.