
Connect Azure AD and Atomicwork

When you integrate Atomicwork with Azure Active Directory, you can:

  • Empower Atom to provide contextualized answers to your employees based on their department, location, etc.
  • Automate actions in Azure AD through workflows and journeys, such as creating a new user or adding a user to a group.

To integrate Azure AD with Atomicwork, you need:

  • An Atomicwork admin
  • An Azure AD admin

Permissions and roles

Please make sure you give Atomicwork the right permissions; otherwise, you will not be able to perform all available actions, such as resetting passwords. The permissions and roles section at the end of this article explains what each permission is used for.

Instructions

Phase 1: Registering Atomicwork app in Azure AD

To integrate your Azure AD account with an app, you need to register the app first in your Azure tenant so you can retrieve the Client ID and Client Secret.

  • Log into the Azure Portal. Please make sure to sign in with admin credentials. 
  • Go to Microsoft Entra ID (Azure AD is now Entra ID)
  • Select App Registration on the left pane.
  • Select New Registration
  • Enter a meaningful application name for your users and choose who can use this application based on your environment. Click Register.
  • Once you've registered the application, click on View API permissions
  • Select Add a permission > Microsoft Graph > Application permissions and add the permissions listed below. Once you've added them, select the Grant admin consent for <Tenant name> button, where <Tenant name> is the name of your Azure tenant.
    • Permissions to be granted:
      • Directory.Read.All
      • Directory.ReadWrite.All
      • GroupMember.ReadWrite.All
      • User.Read
      • User.ReadWrite.All

  • To enable the password reset skill, you also have to give Atomicwork the User Administrator role. Go to Roles and administrators, search for User Administrator, and assign the role to the application you registered.

  • Click Certificates and secrets in the left pane
  • Select the New Client Secret button. Provide a description for the client secret, the duration for which the client secret will be valid, and click Add.

Copy the string under the Value column as soon as you add the client secret. You will not be able to retrieve it after you perform another operation or leave this page.

  • Copy the Client ID from the Overview tab. You can now use the client ID and secret for the duration specified in the expiration field, after which you’ll have to repeat the process.

Phase 2: Connecting Azure AD and Atomicwork

  • Log into Atomicwork. Go to Settings > App store > Azure AD.
  • Enter your Tenant ID. You can find the Tenant ID by logging into the Entra admin center and going to Identity > Overview > Properties. Scroll down to the Tenant ID section to find your tenant ID in the box.
  • Enter your Client ID and Client Secret.
  • Click "Connect".
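Before clicking Connect, it is worth confirming that admin consent actually took effect, because a permission that was added but never consented simply does not show up in the token the app receives. The script below is an added example and is not Atomicwork's or Microsoft's code. It builds the standard OAuth 2.0 client-credentials request against the Microsoft identity platform v2.0 token endpoint with the Tenant ID, Client ID and Client Secret from the steps above, then inspects the `roles` claim of the returned token for the application permissions listed in Phase 1. The two sample tokens at the bottom are constructed so the check runs offline; they are not real tokens.

```python
"""Check that an Entra (Azure AD) app registration holds the Microsoft Graph
application permissions this integration needs. Added example, not
Atomicwork's code."""
import base64
import json
import urllib.parse
import urllib.request

# Application permissions from Phase 1. User.Read is a delegated scope and
# never appears in an app-only token, so it is not part of this check.
REQUIRED_APP_ROLES = {
    "Directory.Read.All",
    "Directory.ReadWrite.All",
    "GroupMember.ReadWrite.All",
    "User.ReadWrite.All",
}

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials request (URL and form body). The
    .default scope asks for every application permission that has
    received admin consent in the tenant."""
    url = TOKEN_ENDPOINT.format(tenant=tenant_id)
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    return url, body


def fetch_access_token(tenant_id, client_id, client_secret):
    """Send the request; needs network access and a live tenant."""
    url, body = token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def decode_claims(jwt):
    """Decode the payload segment of a token we just received from the
    issuer. There is deliberately no signature check: this inspects our
    own token and must not be used to accept tokens presented by others."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(claims, required=REQUIRED_APP_ROLES):
    """Application permissions that were not granted (absent from 'roles')."""
    return sorted(required - set(claims.get("roles", [])))


def _constructed_token(roles):
    """Unsigned sample token for the offline demo (constructed, not real)."""
    def seg(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = seg({"alg": "none", "typ": "JWT"})
    payload = seg({"aud": "https://graph.microsoft.com", "roles": roles})
    return f"{header}.{payload}."


SAMPLE_CONSENTED = _constructed_token(sorted(REQUIRED_APP_ROLES))
SAMPLE_PARTIAL = _constructed_token(["Directory.Read.All", "User.ReadWrite.All"])

if __name__ == "__main__":
    # With a real tenant, replace the sample with:
    # fetch_access_token("<TENANT_ID>", "<CLIENT_ID>", "<CLIENT_SECRET>")
    for label, tok in (("consented", SAMPLE_CONSENTED), ("partial", SAMPLE_PARTIAL)):
        gaps = missing_roles(decode_claims(tok))
        print(label, "->", ", ".join(gaps) if gaps else "all required roles present")
```

If `missing_roles` returns anything, go back to API permissions in the portal and grant admin consent again; the User Administrator role needed for password resets is a directory role rather than a Graph permission, so it does not appear in the token and has to be checked separately under Roles and administrators.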

Permissions and roles Atomicwork needs from Azure AD

Roles

User administrator: This role allows Atom to reset passwords.

Currently, there are three ways to automate resetting passwords:

  1. Through skills:
    1. by sending your employees a link from Microsoft to reset their password when they ask for it
    2. by asking them to verify their date of birth and sharing a new password through Microsoft Teams or Slack as soon as the verification is complete
  2. Through workflows, by using the 'Reset password' action.

If you plan to automate password resets through 1(b) or 2, you will need to ensure that the Atomicwork app in Microsoft Entra ID has the User Administrator role assigned.

Permissions

User.Read / User.ReadWrite.All: Used to create users through workflows, get details about a user, and update and delete users.
GroupMember.ReadWrite.All: Used to add people to groups and remove them from groups.
Audit log: Used by the link-based password reset skill and action.
Directory.Read.All / Directory.ReadWrite.All: Allows the app to read and write data in the organization's directory, such as users and groups, without a signed-in user. It does not allow user or group deletion.