You can integrate Microsoft Azure Active Directory with Avigilon Alta to import and sync users automatically.
Note: To enable this integration, you must have the Application Administrator role on the Microsoft Azure side.
We offer two types of authentication with Microsoft Azure: OAuth2 and OAuth Client (Service Principal).
To set up the Azure side:
1. Log into your Microsoft Azure account and create your app registration.
2. Set up your Client Secret, and remember to copy the Value under the "Value" column next to the Secret ID as you will only see it this one time.
3. Set an expiration date on your secret.
Note: Syncing will break once that expiration date passes and it will be your responsibility to update the secret credential when this happens.
4. Configure your app permissions.
5. Make a note of your Application (client) ID, and your Directory (tenant) ID. You will need these to complete the setup on the Avigilon Alta side.
To set up the Avigilon Alta side:
Note: This assumes you have created an App registration within Azure AD.
Go to https://control.openpath.com/login and log in. To access the European Control Center, please go to https://control.eu.openpath.com/login.
Under App Marketplace > Get Apps, select Microsoft Azure AD, then click Get App.
Under App Marketplace > My Apps, click Microsoft Azure AD.
Microsoft will prompt you to sign in. Sign in with your Azure AD account credentials and allow Avigilon Alta to access your users and groups.
Note: Avigilon Alta can only read data from your Azure account; it cannot write data or make any changes within Azure. The token Avigilon Alta uses only has read permissions for users, groups, and directory data in Azure.
Setting up in the Marketplace Azure app
1. Select the OAuth Client (Service Principal) option.
2. Fill out the required information using the values you set up in the prior steps. You will need the Application (client) ID, Directory (tenant) ID, and Secret ID that you were asked to copy in the prior section.
3. Now you can enable the following settings:
A. Auto-sync every 1 hour/15 minutes – this will sync Avigilon Alta with Azure AD once every hour or once every 15 minutes, depending on which user management package you're using (see Administration > Account for package details).
B. Auto-create mobile credential – this will create a mobile credential for every user.
C. Auto-create cloud key credential – this will create a cloud key credential for every user.
D. Enable Single Sign-On (SSO) for users with portal access – this will let users log into the Control Center with their Azure credentials.
E. Only import users from groups that have an Avigilon Alta group mapping – if this is enabled, no users will be imported from Azure if they are not assigned to an Avigilon Alta group.
F. Auto-remove users from groups – this will remove users from Avigilon Alta groups if they no longer exist in Azure groups.
G. Mobile Phone – Azure AD has a specific mobilePhone field to sync the mobile phone of users. You must use the E.164 format, and it is recommended that the number be an actual mobile phone number and not a landline.
Note: E.164 numbers are formatted [+][country code][subscriber number including area code] with a maximum of fifteen digits.
4. To map a specific group from Azure to Avigilon Alta (required if you enabled Only import users from groups that have an Avigilon Alta group mapping), click +Create Group Mapping.
A. Select the group from Azure.
B. Select the group from Avigilon Alta.
C. Click +Create Group Mapping.
5. Repeat step 6 until all groups that need to be mapped have been created.