To Configure the Web.Config File for Integration with Azure Active Directory
After you have registered your MYOB Acumatica instance with Microsoft Azure and obtained the necessary credentials, you should enable the integration with Microsoft Azure Active Directory (Azure AD) for your MYOB Acumatica instance.
Before You Begin
- Your MYOB Acumatica instance has to be registered on the Microsoft Azure Active Directory portal, as described in To Configure Microsoft Azure for Integration with Your MYOB Acumatica Instance.
- You need a plain-text editor for editing the web.config file.
To Enable Azure AD for the MYOB Acumatica Instance
- Open the web.config file, which is located in the folder that contains the application instance website.
  Important: When you save changes to the web.config file, the website is automatically restarted. Make sure that all users are warned about the restart so that they can save their documents in advance.
- In the file, find the activeDirectory section within the system.web section and edit it to be similar to the following example.
  <activeDirectory enabled="true" protocol="MicrosoftGraph" path="Azure_Instance_Tenant_ID" dc="Azure_Domain_Name" user="ApplicationClientID" password="ClientSecret" />
  Note the following about the code shown above:
  - Azure_Instance_Tenant_ID is the identifier of the Azure ID instance where your application is registered.
  - Azure_Domain_Name is the Active Directory primary domain name (for example, ad.domain). This value is configured in Active Directory by an administrator.
  - ApplicationClientID is the client ID that you obtained and copied when you registered your MYOB Acumatica application on the Azure instance.
  - ClientSecret is the client secret that you obtained and copied when you configured your Azure instance for integration with your MYOB Acumatica instance.
  The following example shows the code you would use with sample parameter values.
  <activeDirectory enabled="true" protocol="MicrosoftGraph" path="6b780bc5-ae33-4d54-80c0-8a6c4da1bf86" dc="acumqahotmail.onmicrosoft.com" user="b3f59ed5-70af-41de-94a7-13fe296a79cb" password="AR97Q~tLWmFLUxUjkZe33yEGGWRAnctTOz0uh" />
- In the audienceUris element within the system.identityModel section, specify the URL of your MYOB Acumatica instance similarly to the way it is specified in the following example.
  <audienceUris>
    <add value="Full_Acumatica_Instance_URL" />
  </audienceUris>
  In the code shown above, Full_Acumatica_Instance_URL is the full URL of your MYOB Acumatica instance (for example, https://app.site.net/instance_name).
  Attention: If during the configuration of the application ID URI, you used the default scheme provided by Azure AD, the value of Full_Acumatica_Instance_URL is api://<Application_Client_ID>.
- In the federationConfiguration element within the system.identityModel.services section, edit the wsFederation element similarly to the way it is specified in the following example.
  <wsFederation passiveRedirectEnabled="false" issuer="https://login.windows.net/Path_to_Azure_instance/wsfed" realm="Full_Acumatica_Instance_URL" requireHttps="false" PersistentCookiesOnPassiveRedirects="false"/>
  Attention: If during the configuration of the application ID URI, you used the default scheme provided by Azure AD, the value of Full_Acumatica_Instance_URL is api://<Application_Client_ID>. In this case, you should add the following line in the federationConfiguration element:
  reply="Acumatica_Redirect_URI"
- Save the web.config file. The website restarts automatically.
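Because saving web.config restarts the website, it is worth checking an edited copy for leftover placeholders and mismatched values before you save it. The following Python check is an added example, not MYOB Acumatica code. It assumes that the tenant ID and client ID are GUIDs (as in the sample values above) and that reply is set as an attribute of wsFederation; the sample() fragment and its IDs are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Placeholder names used in the page's templates; none may remain in a saved file.
PLACEHOLDERS = ("Azure_Instance_Tenant_ID", "Azure_Domain_Name", "ApplicationClientID",
                "ClientSecret", "Full_Acumatica_Instance_URL", "Path_to_Azure_instance",
                "Acumatica_Redirect_URI")

def check_web_config(xml_text):
    """Return a list of problems in the Azure AD settings of a web.config."""
    root = ET.fromstring(xml_text)
    ad = root.find("system.web/activeDirectory")
    ws = root.find("system.identityModel.services/federationConfiguration/wsFederation")
    uris = [a.get("value", "") for a in root.findall("system.identityModel//audienceUris/add")]
    if ad is None or ws is None or not uris:
        return ["activeDirectory, audienceUris or wsFederation is missing"]
    problems = []
    if ad.get("enabled") != "true" or ad.get("protocol") != "MicrosoftGraph":
        problems.append('activeDirectory: expected enabled="true" protocol="MicrosoftGraph"')
    for attr in ("path", "user"):  # assumption: both IDs are GUIDs, as in the page's sample
        if not GUID.match(ad.get(attr, "")):
            problems.append(f"activeDirectory: {attr} is not a GUID")
    values = list(ad.attrib.values()) + list(ws.attrib.values()) + uris
    problems += [f"placeholder {p} was not replaced"
                 for p in PLACEHOLDERS if any(p in v for v in values)]
    realm = ws.get("realm", "")
    if realm not in uris:  # the page uses the same value for realm and audienceUris
        problems.append("wsFederation realm does not match any audienceUris value")
    if realm.startswith("api://"):  # default application ID URI scheme
        if realm != "api://" + ad.get("user", ""):
            problems.append("api:// realm does not carry the client ID from user")
        if not ws.get("reply"):  # assumption: reply is an attribute of wsFederation
            problems.append("api:// realm is used but reply is not set")
    return problems

def sample(realm, reply=""):  # constructed fragment with made-up IDs
    return f"""<configuration>
  <system.web><activeDirectory enabled="true" protocol="MicrosoftGraph"
    path="11111111-2222-3333-4444-555555555555" dc="example.onmicrosoft.com"
    user="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" password="constructed" /></system.web>
  <system.identityModel><identityConfiguration>
    <audienceUris><add value="{realm}" /></audienceUris>
  </identityConfiguration></system.identityModel>
  <system.identityModel.services><federationConfiguration>
    <wsFederation issuer="https://login.windows.net/constructed/wsfed"
      realm="{realm}" {reply} />
  </federationConfiguration></system.identityModel.services>
</configuration>"""
```

Run check_web_config on the text of the edited copy; an empty list means none of these checks failed.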
After you have enabled integration with Active Directory, you need to map AD groups to MYOB Acumatica roles, as described in To Map Azure Active Directory Groups to Roles in MYOB Acumatica.