M365 User Groups for SSO
This document explains how to restrict SSO access in Humly using M365 user groups: set up Azure AD (Microsoft Entra) groups, configure API permissions, and manage user access.
Below are the key steps needed to configure single sign-on for Microsoft 365 groups and for members of those groups to enroll their RFID cards for room/desk booking.
- Introduction
- Configure API Permissions
- RFID Card Enrollment for members of Microsoft Single Sign On Group
Introduction
Humly Control Panel administrators can restrict which users may access Humly Reservation, Humly Deskbooking, and Humly Floor Plan through single sign-on, based on security group membership.
Note: This feature works on Humly Control Panel v1.15 onward.
To enable this function, five user groups should be created in Azure Active Directory (Microsoft Entra), one group for each user type in Humly Control Panel. You can, however, create fewer than five groups if you do not need all five user types.
- HCP Global Admins
- HCP Local Admins
- HCP Statistics Users
- HCP Users
- HCP Guests
Note: The Group type in Azure can be a Mail-enabled security group, Security, or Microsoft 365.
Azure Active Directory (Microsoft Entra) Preparation
Follow the steps below to create the groups in Azure AD.
Create Security Groups
- Navigate to Microsoft Entra → Groups
- Create new groups as needed, one group for each user type
- Take note of the group names; they will be used in the Humly Control Panel global settings later
- Assign members to each group as needed.
Configure API Permissions
The following permissions are required to log in using Microsoft's M365 user groups feature.
Permission type | Permissions (both required) |
Application | Group.Read.All && User.Read.All |
To add the required API permission, please follow the steps below:
- Navigate to Azure Active Directory → App registration → select your HCP application
- Select API Permission and click Add permission → choose Microsoft Graph → Application permissions
- Search for "Group" in the search field, expand the group, and checkmark the Group.Read.All option.
- Do the same for User.Read.All
- Grant Admin Consent for the application if it is not already granted.
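One way to confirm the result of these steps, as an added example that is not part of Humly's documentation: an app-only access token issued for Microsoft Graph lists the consented application permissions in its `roles` claim, so inspecting a token requested with the HCP application's own credentials shows whether both permissions are present and whether anything beyond them has been granted. How the token is obtained is assumed (a client-credentials request for Microsoft Graph); the sample token below is constructed and unsigned.

```python
import base64
import json

# The two application permissions the table above lists as required.
REQUIRED_ROLES = {"Group.Read.All", "User.Read.All"}


def jwt_claims(token):
    """Return the payload claims of a compact JWT.

    No signature check is done: this only inspects a token you requested
    yourself and must not be used to decide whether a token is trustworthy.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_roles(token):
    """Compare the token's application permissions with the required pair."""
    roles = set(jwt_claims(token).get("roles", []))  # claim is absent without consent
    return {
        "missing": sorted(REQUIRED_ROLES - roles),  # not added or not consented
        "extra": sorted(roles - REQUIRED_ROLES),    # more than this feature needs
    }


def make_sample_token(roles=None):
    """Build a constructed, unsigned sample token so the check runs offline."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    claims = {"aud": "https://graph.microsoft.com"}
    if roles is not None:
        claims["roles"] = roles
    return ".".join([b64({"alg": "none"}), b64(claims), "constructed"])


if __name__ == "__main__":
    print(audit_roles(make_sample_token(["Group.Read.All", "User.Read.All"])))
    print(audit_roles(make_sample_token(["Group.Read.All", "Directory.ReadWrite.All"])))
```

An empty `missing` list means both permissions are active; a non-empty `extra` list means the app registration holds application permissions this feature does not require.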
Humly Control Panel Configuration
After creating the groups and preparing the application in Azure AD, you are ready to configure Humly Control Panel.
In Global settings, under the M365 user groups section, add the user groups that match the names of groups you have created in Azure and save.
The users belonging to the above groups can log in to Humly Control Panel products using SSO.
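Because the groups are referenced by name, each configured name should resolve to exactly one group in the tenant; Entra ID does not enforce unique group display names. The added example below (not Humly's code) checks the names entered in Global settings against a group listing in the shape Microsoft Graph returns for `GET /groups?$select=id,displayName`. The sample listing and ids are constructed, and treating names that differ only in case or spacing as suspicious is an assumption, since the page does not say how Humly compares names.

```python
from collections import defaultdict


def _norm(name):
    """Collapse whitespace and case so near-identical names compare equal."""
    return " ".join(name.split()).casefold()


def audit_group_names(configured, graph_response):
    """Return {configured name: (status, [matching group ids])}.

    ok        - exactly one group carries this name
    ambiguous - several groups carry this name (or a case/spacing variant)
    near-miss - one group matches only after ignoring case/spacing
    missing   - no group matches at all
    """
    exact, loose = defaultdict(list), defaultdict(list)
    for group in graph_response.get("value", []):
        name = group.get("displayName") or ""
        exact[name].append(group["id"])
        loose[_norm(name)].append(group["id"])

    report = {}
    for name in configured:
        exact_ids = exact.get(name, [])
        loose_ids = loose.get(_norm(name), [])
        if len(loose_ids) > 1:
            report[name] = ("ambiguous", loose_ids)
        elif len(exact_ids) == 1:
            report[name] = ("ok", exact_ids)
        elif len(loose_ids) == 1:
            report[name] = ("near-miss", loose_ids)
        else:
            report[name] = ("missing", [])
    return report


# Constructed sample data: names typed into Global settings and a tenant listing.
CONFIGURED = ["HCP Global Admins", "HCP Local Admins", "HCP Users", "HCP Guests"]
SAMPLE_GROUPS = {"value": [
    {"id": "g-001", "displayName": "HCP Global Admins"},
    {"id": "g-002", "displayName": "HCP Users"},
    {"id": "g-003", "displayName": "HCP Users"},
    {"id": "g-004", "displayName": "hcp guests"},
]}

if __name__ == "__main__":
    for name, (status, ids) in audit_group_names(CONFIGURED, SAMPLE_GROUPS).items():
        print(f"{name}: {status} {ids}")
```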
SSO for Local Admins:
Local admins should be treated a bit differently. Follow the steps below to configure SSO login for local admins:
- Add the local admin locally on the HCP users page (before the user logs in with SSO)
- Give the user the local admin role on the intended structure
- Fill in the group in HCP settings
- The user should be able to log in using HCP local credentials and SSO.
RFID Card Enrollment for Members of M365 Groups
Members of these Microsoft groups can enroll their RFID cards themselves so that they can make bookings on the devices using these cards. They enroll their cards using the room display devices. There are two enrollment options: Automatic RFID Enrollment and Requested RFID Enrollment.
a) Automatic Enrollment
Several conditions have to be met for Automatic Enrollment.
1) In Settings > Global settings, RFID enrollment should be set to Auto
2) Authentication type should be set to Pin or RFID
3) Require authentication must be enabled in the room settings of the room display device.
Once all these conditions are met, follow the steps below to enroll your RFID card.
- Click the Book button on the device
- Select a time slot and click Book
- Scan your RFID card on the highlighted area of the Humly Room Display
- Enter your user PIN, which you receive by email the first time you log in to the Humly Control Panel
Congratulations, your RFID card has been enrolled.
b) Requested RFID Enrollment
With this type of enrollment, the global admin would have to approve the request before the RFID card details become fully enrolled in the user profile. The key difference from Automatic Enrollment is that in the global settings, you should select the RFID enrollment type Requested.
Follow the same steps to enroll your card as in the automatic enrollment above. Once you are done, the admin user can accept the RFID request by going to your user account in the Humly Control Panel > edit user and accepting the request as seen below.
For a Global Admin to approve an RFID request from a user, that user must first be added locally in the Humly Control Panel. This is because members of the Single Sign-On group do not appear in the user list within the Control Panel even if they have signed in successfully to the Humly Control Panel.
Congratulations, your RFID card has been enrolled.