Single Sign-On (SSO) - Microsoft Entra ID – CloudSoda

This documentation serves as a comprehensive guide to facilitate the integration of Microsoft Entra ID with the DataIntell application. By following the steps below, you’ll be able to establish a connection between the two applications.

Setting Up the Microsoft Entra ID Application

To set up the application in Microsoft Entra ID, follow these steps:

Register a New Application

Navigate to the Azure Portal and register a new application.

From the Azure portal, click on the Microsoft Entra ID service.

DataManagementDocumentation_Entra_EntraMenuRegisterApp.png — From the Microsoft Entra ID main menu, click on (1) App registrations and (2) New registration.

In the Register an application form, you will need:

Name : Choose a name that clearly identifies this as the DataIntell application within Microsoft Entra ID.
Supported account types : Select the account type that aligns with your use case. In most case, you can use the Accounts in this organizational directory only. If you are not sure, you can click on Help me choose…
Redirect URI : This URL allows the DataIntell application to redirect users after login. Select Single-page application (SPA) from the dropdown and enter {DataIntellURL}/login in the text field, where {DataIntellURL} represents the URL used to access DataIntell in the browser.

DataManagementDocumentation_Entra_RegisterAppCreate.png — Register the DataIntell application, replacing the *http://localhost:3000* in the Redirect URI with your DataIntell URL.

Retrieve Application IDs

After creating the application, note down the Application (client) ID and Directory (tenant) ID. These values are required for the login configurations in DataIntell which will be covered in a later section.

The DataIntell application in Microsoft Entra ID and the two values that will be required in the DataIntell application.

Configure Token Claims and Permissions

Add the groups claim to the token provided by Microsoft Entra ID.

DataManagementDocumentation_Entra_TokenConfiguration.png — From the DataIntell application in Microsoft Entra ID, click on (1) Token configuration, (2) Add groups claim, select (3) Security groups and click (4) Add.

Additionally, grant the Group.Read.All API permission to the application.

DataManagementDocumentation_Entra_APIPermissionFirst.png — From the DataIntell application in Microsoft Entra ID, click on (1) API permissions, (2) Add a permission and (3) Microsoft Graph.

DataManagementDocumentation_Entra_APIPermissionSecond.png — From the new panel, click on (1) Delegated permissions, search (2) group, select (3) Group.Read.All and click (4) Add permissions.

DataManagementDocumentation_Entra_APIPermissionThird.png — As an Administrator, click on Grant admin consent and grant admin consent to Group.Read.All.

Adding Users to the Application

Once the DataIntell application is set up in Microsoft Entra ID, it is possible to limit the usage of the application only to the users that are assigned to the application. This step can be skipped if you want all the users in your organization to have access to the application.

DataManagementDocumentation_Entra_EntraMenuEnterpriseApp.png — From the Microsoft Entra ID main menu, click on Enterprise applications.

DataManagementDocumentation_Entra_EnterpriseAppSelect.png — From the Enterprise applications menu, search for the DataIntell application and click on its name.

From the DataIntell Enterprise Application page, click on (1) Properties and then click on (2) Yes for the Assignment required? field.

DataManagementDocumentation_Entra_AssignmentRequired — From the Enterprise applications menu, search for the DataIntell application and click on its name.

From the DataIntell Enterprise Application page, click on (1) Properties and then click on (2) Yes for the Assignment required? field.

From the DataIntell Enterprise Application page, click on (1) Users and groups and (2) Add user/group.

From the Add Assignment page, click on (1) Users, select (2) the users you want to add, click on (3) Select and (4) Assign.

Setting Up Roles & Groups

In DataIntell, access management is built around two key components:

Roles: Pre-defined permission sets that determine what actions users can perform within the application. Roles are essential and must be properly configured to grant access to various DataIntell features.
Groups: Optional user-created collections that control access permissions to specific storage resources and projects in DataIntell. Groups allow administrators to define which users can view particular storages and projects, creating a granular permission structure tailored to your organization's needs. A user can be assigned to multiple groups.

IMPORTANT CLARIFICATION: You do NOT need to create "roles" in Microsoft Entra ID. Instead, you only need to create standard security groups in Entra ID with specific naming patterns to represent both DataIntell roles and DataIntell groups.

Role Mapping via Microsoft Entra ID Security Groups

DataIntell comes with a set of predefined roles that cannot be modified. Each role grants users specific capabilities within the system:

Admin : The Administrator role grants comprehensive access, enabling users to configure vital aspects of the application.
Project Manager : A role that allows the user to create, update or delete a project.
Report Manager : A role that allows the user to create, update or delete a report.
CloudSoda Transfer : A role that allows the user to transfer files or folders with CloudSoda. Requires the CloudSoda plugin.
Archiware Archive : A role that allows the user to archive files or folders with Archiware P5. Requires the Archiware P5 plugin.
Archiware Restore : A role that allows the user to restore files or folders from Archiware P5. Requires the Archiware P5 plugin.

To assign DataIntell roles to users, create security groups in Microsoft Entra ID with these exact naming patterns:

DataIntell Role	Required Entra ID Security Group Name
Administrator	dataintell_role_admin
Project Manager	dataintell_role_project_manager
Report Manager	dataintell_role_report_manager
CloudSoda Transfer	dataintell_role_soda_transfer
Archiware Archive	dataintell_role_archiware_archive
Archiware Restore	dataintell_role_archiware_restore

Important: These are regular security groups in Entra ID (not Entra ID roles). The security group names must match exactly as shown above, including lowercase formatting.

Group Mapping via Microsoft Entra ID Security Groups (Optional)

Similarly, to create custom groups in DataIntell, simply create corresponding security groups in Microsoft Entra ID using this naming pattern:

DataIntell Group Name	Required Entra ID Security Group Name
YourGroupName	dataintell_group_YourGroupName
OnlyCloud	dataintell_group_OnlyCloud

Example of Setting up Groups

Group name in DataIntell : OnlyCloud
Group name in Microsoft Entra ID : dataintell_group_OnlyCloud

An example of how the group should look like in Microsoft Entra ID (left) and in DataIntell (right).

By establishing these roles and, optionally, configuring groups, administrators can effectively manage access control within DataIntell while integrating seamlessly with Microsoft Entra ID.

Example: Creating a Security Group in Microsoft Entra ID

From the Azure portal, navigate to Microsoft Entra ID
Select Groups from the menu
Click New group
Set Group type to "Security"
Enter the proper name following the formats above (e.g., dataintell_role_admin or dataintell_group_Finance)
Add the appropriate members to the group
Complete the group creation

From the Microsoft Entra ID main menu, click on Groups.

From the Groups menu, click on New group.

Fill in the form to create the group, making sure that the Group name follows the previously mentioned rules.

You can add users to the group by clicking on (1) No members selected, then (2) select the members that you want to add and then (3) click on Select.

When users log in through Microsoft Entra ID, DataIntell will automatically recognize their roles and groups based on their Entra ID security group memberships, granting the appropriate permissions.

Setting up DataIntell to Use Microsoft Entra ID

Configure DataIntell to use Microsoft Entra ID for login

Provide Required Values

Enter the following values in DataIntell’s login configuration:

Client ID: Application (client) ID from DataIntell’s application in Microsoft Entra ID.
Tenant ID: Directory (tenant) ID from DataIntell’s application in Microsoft Entra ID.
Redirect URI: {DataIntellURL}/login, where {DataIntellURL} is the URL to access DataIntell.

Test Configuration

Click on Update Configurations to test the provided values. Allow any pop-ups that may appear during the testing process.

Save Changes and Sign Out

After successful testing, the new settings will be saved. Sign out to apply the changes and proceed to log in using Microsoft Entra ID credentials.

From the DataIntell application, click on (1) -> General, enable (2) the Microsoft Entra ID login, fill in (3, 4, 5) the required information and update (6) the configurations.

DataManagementDocumentation_Entra_DataIntellEntraLogin.png — From the DataIntell login portal, you can now click on Sign in with Microsoft to sign in using Microsoft Entra ID.