
Identity management at NewStore via Microsoft Azure Active Directory

Pre-requisites

To set up an identity management application to manage authentication for NewStore apps, ensure that you have access to:

  • Omnichannel Manager
  • Microsoft Azure Active Directory
Important

To enable users from your corporate directory to be able to use the NewStore applications, you have to create users, assign them to a store, and assign relevant roles in NewStore.

Setting up Microsoft Azure Active Directory (AD) with NewStore

This process involves working with Microsoft Azure AD and Omnichannel Manager in tandem. Ensure you have access to both before you proceed.

  1. Log into Microsoft Azure AD management portal.

  2. Click All Services > App registrations.

  3. Click New registration and enter the following details:

    • Name:
      • For non-production systems such as staging environments, specify newstore-staging.
      • For production systems, specify newstore-production.
    • Select Accounts in this organizational directory only.
    • Leave the redirect URI empty.
  4. Click Register.

  5. After the application is created, in the left menu, click API permissions.

    A list of default permissions appears.

  6. Click Add a permission > Microsoft Graph.

  7. Add the following permissions. Ensure that you specify the correct Type and Admin privileges.

    API/Permission name      Type         Description                  Admin consent
    Directory.Read.All       Application  Read directory data          Yes
    Group.Read.All           Application  Read all groups              Yes
    Group.Member.Read.All    Application  Read all group memberships   Yes
  8. After you have added these permissions, click Grant admin consent for <retailer name>.

    The status for all permissions is updated to Granted.

  9. In the left menu, click Certificates & secrets > New client secret.

  10. In the screen that appears, enter a description, set the Expires field to one of the provided options, and click Add.

    Important

    Ensure that you get notified and rotate the client secret before it expires. After the secret expires, logging in to NewStore no longer works. Follow the steps in Updating client secrets in Omnichannel Manager to rotate a secret.

  11. The new secret is created and added to the list of Client secrets.

    Copy the Value of the new secret securely for later use.

    note

    The value of the new secret can only be viewed immediately after creation. If you missed copying the Value, create a new secret.

  12. In the left menu, click Overview, and copy the Application (client) ID and Directory (tenant) ID securely for later use.

  13. Open the Omnichannel Manager in a separate tab.

  14. Click Settings > Users & Roles > Single Sign-On.

  15. Click Configure Single Sign-On.

  16. Select Vendor MICROSOFT.

  17. Fill in the saved data from the previous configuration.

    • Secret from step 11
    • Directory (Tenant) ID and Application (Client) ID from step 12
  18. Click Connect.

  19. Switch back to Microsoft Azure AD tab.

  20. In the left menu, click Authentication > Platform configurations > Add a platform.

  21. Select Web.

  22. Paste the Redirect URI and Logout URL from the Omnichannel Manager tab.

  23. Click Configure.

  24. In the left menu, click Token configuration, and click Add groups claim.

  25. In the Edit groups claim screen, specify the following:

    • Select Security groups.
    • In the Access area, select Group ID and Emit groups as role claims.
    • In the ID and SAML areas, select the same settings as for Access.

    Click Add.

  26. Click Add optional claim.

    In the screen that appears, select Access as the Token type, and select the following:

    • email
    • family_name
    • given_name
    • upn

    Click Add.

  27. Repeat the same steps for ID as the Token type.

  28. (Optional) To remove explicit user assignment in Microsoft Azure AD, see (Optional) Removing explicit user assignment below.

Single Sign-on is successfully configured with Microsoft Azure AD.
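After steps 24 to 27 the tokens Azure AD issues for the registration should carry the group object IDs in the roles claim plus the four optional claims. The following Python snippet is an added example for checking that, not code from NewStore or Microsoft: it decodes the payload of a compact JWT and lists which expected claims are missing or wrong. The tenant ID, client ID, group ID and user attributes are constructed placeholders. It deliberately does not verify the signature; a relying party must validate the signature against the tenant's published signing keys before trusting any claim, and this helper is only for confirming that the claim configuration took effect.

```python
import base64
import json
import time
import uuid

# Constructed placeholders standing in for the values copied in step 12.
TENANT_ID = "00000000-0000-0000-0000-000000000001"  # Directory (tenant) ID
CLIENT_ID = "00000000-0000-0000-0000-000000000002"  # Application (client) ID

# Optional claims added in steps 26 and 27; "roles" comes from the groups claim (step 25).
OPTIONAL_CLAIMS = ("email", "family_name", "given_name", "upn")


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(token):
    """Return the JWT payload as a dict. The signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(payload, now=None):
    """Return a list of problems; an empty list means every expected claim is present
    and the token is bound to the expected tenant and application."""
    now = time.time() if now is None else now
    problems = []
    if payload.get("tid") != TENANT_ID:
        problems.append("tid does not match the Directory (tenant) ID")
    if payload.get("aud") != CLIENT_ID:
        problems.append("aud does not match the Application (client) ID")
    if payload.get("exp", 0) <= now:
        problems.append("token is expired")
    roles = payload.get("roles")
    if not isinstance(roles, list) or not roles:
        problems.append("roles claim missing: groups are not emitted as role claims")
    else:
        for entry in roles:
            try:
                uuid.UUID(entry)  # Group ID was selected, so entries must be object IDs
            except ValueError:
                problems.append("roles entry %r is not a group object ID" % entry)
    for name in OPTIONAL_CLAIMS:
        if not payload.get(name):
            problems.append("optional claim %s missing" % name)
    return problems


def make_example_token(payload):
    """Build an unsigned compact JWS so the decoder can be exercised offline (constructed input)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return "%s.%s." % (enc({"alg": "none", "typ": "JWT"}), enc(payload))


NOW = 1_700_000_000  # fixed clock so the checks are reproducible

# Constructed payload with everything the configuration above should produce.
GOOD_PAYLOAD = {
    "aud": CLIENT_ID,
    "tid": TENANT_ID,
    "exp": NOW + 3600,
    "roles": ["11111111-1111-1111-1111-111111111111"],
    "email": "jane.doe@example.com",
    "family_name": "Doe",
    "given_name": "Jane",
    "upn": "jane.doe@example.com",
}

# Constructed payload from a registration where the groups claim and most optional claims were skipped.
BAD_PAYLOAD = {"aud": CLIENT_ID, "tid": TENANT_ID, "exp": NOW + 3600, "email": "jane.doe@example.com"}

if __name__ == "__main__":
    for label, payload in (("complete", GOOD_PAYLOAD), ("incomplete", BAD_PAYLOAD)):
        decoded = decode_payload(make_example_token(payload))
        print(label, check_claims(decoded, now=NOW) or "all expected claims present")
```

Run it against a real ID or access token captured from your own test login by passing the token string to decode_payload; the first problem listed points at the step in the token configuration that was not applied.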

Updating client secrets in Omnichannel Manager

  1. Log into Microsoft Azure AD management portal.

  2. Click All Services > App registrations.

  3. Open the application you want to update.

  4. In the left menu, click Certificates & secrets > New client secret.

  5. In the screen that appears, enter a description, set the Expires field to one of the provided options, and click Add.

  6. The new secret is created and added to the list of Client secrets.

    Copy the Value of the new secret securely for later use.

    note

    The value of the new secret can only be viewed immediately after creation. If you missed copying the Value, create a new secret.

  7. Open Omnichannel Manager.

  8. Click Settings > Users & Roles > Single Sign-On.

  9. Click on the displayed name MICROSOFT.

  10. Paste the new secret value in the Secret form.

    Important

    Ensure that this secret exists and is valid in Microsoft Azure AD. There is no way to revert after updating the secret.

  11. Click Update.

  12. Click Confirm.

You have successfully rotated your secret.
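The Important note in step 10 of the setup asks you to get notified before a client secret expires. As an added example (not NewStore's or Microsoft's code), the Python below takes an exported list of the app registration's client secrets and sorts them into expired, expiring within a warning window, and still valid. The records are constructed sample data; the field names displayName and endDateTime follow the shape of an application's password credentials in Microsoft Graph, which is an assumption you should check against whatever export you feed in.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of the registration's client secrets (field names assumed).
SAMPLE_CREDENTIALS = [
    {"displayName": "omnichannel-manager-2023", "endDateTime": "2023-06-01T00:00:00Z"},
    {"displayName": "omnichannel-manager-2024", "endDateTime": "2024-01-15T00:00:00Z"},
    {"displayName": "omnichannel-manager-2025", "endDateTime": "2025-12-31T00:00:00Z"},
]


def parse_end(value):
    """Parse an ISO 8601 UTC timestamp such as 2024-01-15T00:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify(credentials, now, warn_days=30):
    """Bucket each secret by how much validity is left relative to `now`."""
    result = {"expired": [], "expiring": [], "ok": []}
    for cred in credentials:
        remaining = parse_end(cred["endDateTime"]) - now
        if remaining <= timedelta(0):
            result["expired"].append(cred["displayName"])
        elif remaining <= timedelta(days=warn_days):
            result["expiring"].append(cred["displayName"])
        else:
            result["ok"].append(cred["displayName"])
    return result


def rotation_needed(credentials, now, warn_days=30):
    """True when no secret will remain valid past the warning window, i.e. a new
    secret must be created and pasted into Omnichannel Manager before the old one lapses."""
    return not classify(credentials, now, warn_days)["ok"]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    buckets = classify(SAMPLE_CREDENTIALS, now)
    for bucket, names in buckets.items():
        print("%-9s %s" % (bucket, ", ".join(names) or "-"))
    print("rotation needed:", rotation_needed(SAMPLE_CREDENTIALS, now))
```

Because Omnichannel Manager holds a single secret value, the secret listed there must be one of the entries in the ok bucket; once it drops into expiring, rotate it following the steps above and only then remove the old entry in Azure AD.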

(Optional) Removing explicit user assignment

To remove explicit user assignment in Microsoft Azure AD:

  1. Log into the Microsoft Azure AD management portal and click All services > Enterprise applications.
  2. In the list, search for the system environment (such as newstore-staging or newstore-production) and select it.
  3. In the left menu, click Properties.
  4. For the User assignment required field, select No.
