Automation Cloud
latest
false
Banner background image
Automation Cloud Admin Guide
Last updated 2024年3月15日

Setting up the Azure AD integration

This feature is only available if you are on the Enterprise licensing plan.

Overview

If your organization is using Azure Active Directory (Azure AD) or Office 365, you can connect your Automation Cloud organization directly to your Azure AD tenant to see existing user accounts and groups in your UiPath cloud environment.

The Azure AD integration allows you to continue leveraging the invitation-based user management model, if you want, while bootstrapping your organization with the additional benefits of using the Azure AD model.

If your organization has decided to use the Azure AD model, follow the instructions on this page to set up the integration.

Tip: The Azure AD integration is designed such that activating it and rolling it out can happen gradually, with no disruption in production for your existing users.

Prerequisites

To set up the Azure AD integration, you need:

  • an Automation Cloud organization with an Enterprise license
  • Admin permissions in both Automation Cloud and Azure AD (can be different people);
  • the organization administrator needs an Azure AD account that uses the same email address as the Automation Cloud local account; the Azure AD account is only needed for testing the integration, so the Azure AD user does not require admin permissions in Azure;
  • UiPath Studio and UiPath Assistant version 2020.10.3 or later;
  • UiPath Studio and UiPath Assistant to use the recommended deployment.

Configuring Azure for the Integration

Your organization requires an app registration in your Azure AD tenant and some configuration so that it can view your active directory members to establish user identity. The app registration details are also required to later connect your organization to your Azure AD tenant.

Permissions: You must be an administrator in Azure to perform the tasks in this section. The following administrator roles have the required privileges: Global Administrator, Cloud Application Administrator, or Application Administrator.

There are two ways to set up your Azure tenant for the integration:

  • Follow the instructions below to manually configure an app registration for the integration.
  • Use the UiPath Azure AD scripts that we created for this task, which are available on GitHub: The configAzureADconnection.ps1 script performs all the actions described in this section and returns the app registration details. Then you can run the testAzureADappRegistration.ps1 script to make sure the app registration was successful.

To manually configure your Azure tenant, do the following in Azure Portal:

  1. Create an app registration for your organization.
    During registration, select Accounts in this organizational directory only and set the Redirect URI to https://cloud.uipath.com/identity_/signin-oidc.
    Note: If you already have a registered application for your organization, there is no need to create a new one, but make sure that it is set up as described above.
  2. Open the application's Overview page, copy the Application (client) ID and Directory (tenant) ID, and save them for later use:


  3. Go to the Authentication page of your app:
    1. Under Redirect URIs, click Add URI to add a new entry.
    2. Add https://cloud.uipath.com/portal_/testconnection to the Redirect URIs list.
    3. At the bottom, select the ID tokens check box.
    4. Click Save.


  4. Go to the Token configuration page.
  5. Select Add Optional Claim.
  6. Under Token type, select ID.
  7. Select the check boxes for family_name,given_name, and upn to add them as optional claims:


  8. Go to the API permissions page.
  9. Click Add permission and add the following delegated permissions from the Microsoft Graph category:
    • OpenId permissions - email, openid, offline_access, profile;
    • Group member permissions - GroupMember.Read.All;
    • User permissions - User.Read, User.ReadBasic.All, User.Read.All (requires administrative consent).


    Permission

    What it allows you to do

    What we do with it

    email, openid, profile, offline_access, User.ReadAllows AAD to issue a user token to the system applicationAllow users to log into the system using an AAD login. This permits us to keep our user object updated, ensuring consistency of these attributes.
    User.ReadBasic.AllReads basic properties of all users in the directory that the logged in user is allowed to seeWhen a user assigns permissions to other users in the directory to their resources, they are able to search these users. The functionality for access management/authorization are in the system user experience.
    User.Read.All (requires admin consent) Reads all user properties in the directory that the logged in user is allowed to seeYour administrator may want to import these additional user properties to configure permissions or display custom information inside the system services. For Automation Hub, customers looking to obtain the full set of attributes from AAD, it is necessary to grant the User.Read.All permission to the app.
    GroupMember.Read.AllReads the group memberships of all the users that the signed in user has access toIf your organization is using groups to manage permissions in the system, then the platform needs to be able to list all the groups and discover the members of a group; that allows both management and enforcement of group assigned permissions.

    To learn more about UiPath's access with these permissions, see our Encryption documentation.

  10. Select the Grant admin consent checkbox.
    Note: The administrator consents on behalf of all users in the tenant active directory. This allows the application to access the data of all users, without users being prompted to consent.
    For more information about permissions and consent, see the Azure AD documentation.
  11. Go to the Certificates & secrets page.
  12. Create a new client secret.
  13. Copy the client secret Value and save it for later use


  14. Share the Directory (tenant) ID, Application (client) ID, and Client Secret values with the organization administrator so that they can proceed with the configuration.

Deploying the integration to Automation Cloud

After Azure setup is complete, you can prepare for the integration, activate it, and then clean up old accounts.

The process is broken down in stages so that there is no disruption for your users.

Note:

You must be an organization administrator to perform the tasks in this section.

Clean up inactive users

Note: If inactive email addresses are not reused in your organization, also known as email address recycling, you can skip this step.

When you connect Automation Cloud to Azure AD by activating the integration, accounts with matching email addresses are linked so that the Azure AD account benefits from the same permissions as the matching Automation Cloud account (local account).

If your organization practices email recycling, meaning that an email address that was used in the past could be assigned to a new user in the future, this could lead to a risk of elevated access.

Example

Let's say you once had and employee whose email address was john.doe@example.com and this employee had a local account where he was an organization administrator, but has since left the company and the email address was deactivated, but the user was not removed from Automation Cloud.
When a new employee who is also named John Doe joins your company, he receives the same john.doe@example.com email address. In such a case, when accounts are linked for the Automation Cloud integration with Azure AD, John Doe inherits organization administrator privileges.

To prevent such situations, make sure you remove all users who are no longer active from Automation Cloud before proceeding to the next step.

Activate the Azure AD integration

Before you begin

  • Make sure that Azure configuration is complete.
  • Obtain the Directory (tenant) ID, Application (client) ID, and Client Secret values for the app registration in Azure from your Azure administrator.
To activate the Azure AD integration, follow these steps:
  1. Go to Admin and, if not already selected, select the organization at the top of the left pane.
  2. Select Security.
  3. On the Authentication Settings tab, click Configure SSO.


  4. Select Azure Active Directory from the SSO configuration panel.

  5. Fill in the fields with the information received from you Azure administrator.

  6. Select the checkbox.
    This is required because after you save your changes, matching accounts are automatically linked.
  7. Click Test Connection.
  8. When prompted, sign in with your Azure AD account.A successful sign in indicates that the integration has been configured correctly.
    In case it fails, ask your Azure administrator to check that Azure is correctly configured and then try again.
  9. Click Save, if selection had not already been made.

    The integration is now active for your organization.

  10. Go to Admin > Organization Settings and note the URL for your organization.
  11. Sign out.
  12. Navigate to the organization URL ( https://cloud.uipath.com/orgID/) and sign in using your Azure AD account.

Now you can work with the users and groups in the linked tenant's Azure AD. You can find Azure AD users and groups using search, for example to add a user to a group. Also see the below FAQs for more information about what changes after the integration is active.

Note: Directory accounts and groups are not listed in either the Users or Groups pages under Admin > Accounts & Groups, you can only find them through search.

Frequently asked questions

What changes for my users after the integration is active?

Users can immediately sign in using their existing Azure AD account and benefit from the same permissions they had on their local account.

If you have not removed their UiPath user accounts, users can also continue to sign in with their local account, both methods work.

To use their Azure AD account, they must navigate to your organization-specific URL, which is of the formhttps://cloud.uipath.com/orgID/, or select Enterprise SSO on the main login page.

Another change users might notice is that if they are already signed in to their Azure AD accounts from using another application, they are automatically signed in when they navigate to this URL.

What roles does each account have?

Azure AD account: When a user signs in with their Azure AD account, they immediately benefit from all the roles they had on their local account, plus any roles assigned within UiPath to the Azure AD account or to the Azure AD groups to which they belong. These roles can come from the Azure AD user or the Azure AD group being included in groups, or from other services where roles were assigned to the Azure AD user or Azure AD group.

Local account: With the Azure AD integration active, for local accounts, it depends:

  • If the user hasn't signed in at least once with their Azure AD account, they have only the roles of the local account.
  • If users login using their Azure AD account, the local account has all roles that the AAD user has within UiPath, either explicitly assigned, or inherited from group memberships.

Do I need to re-apply permissions for the Azure AD accounts?

No. Because matching accounts are automatically linked, their existing permissions apply when logged in with the Azure AD account as well. However, if you decide to discontinue use of local accounts, make sure the appropriate permissions have been set for users and groups from Azure AD beforehand.

Test the Azure AD integration

To check that the integration is running from Automation Cloud, sign in as an organization administrator with an Azure AD account and try to search for Azure AD users and groups on any related page, such as the Edit Group panel in Automation Cloud (Admin > Accounts and Groups > Groups > Edit).

  • If you can search for users and groups that originate in Azure AD, it means the integration is running. You can tell the type of user or group by its icon.

    Note: Users and groups from Azure AD are not listed in the Users or the Groups pages, they are only available through search.
  • If you encounter an error while trying to search for users, as shown in the example below, this indicates that there is something wrong with the configuration in Azure. Reach out to your Azure administrator and ask them to check that Azure is set up as described in earlier in Configuring Azure for the Integration.

    Tip: Ask your Azure administrator to confirm that they selected the Grant admin consent checkbox during Azure configuration. This is a common cause why the integration fails.

Troubleshooting

Azure administrators can use the UiPath Azure AD test script testAzureADappRegistration.ps1, which is available on GitHub, to find and fix any configuration issues when the cause is not clear, as in the case below:



Completing the transition to Azure AD

After the integration is active, we recommend that you follow the instructions in this section to ensure that user creation and group assignations are handed off to Azure AD. This way you can build on top of your existing identity and access management infrastructure for easier governance and access management control over your Automation Cloud resources.

Configure groups for permissions and robots (optional)

You can do this to ensure that the Azure administrator can also onboard new users with the same permissions and robot configuration for Automation Cloud and other services that you had set up prior to the integration. They can do this by adding any new users to an Azure AD group if the group has the required roles already assigned in Automation Cloud.

You can map your existing user groups from Automation Cloud to new or existing groups in Azure AD. You can do this in several ways, depending on how you use groups in Azure AD:

  • If users with the same roles in Automation Cloud are already in the same groups in Azure AD, the organization administrator can add these Azure AD groups to the Automation Cloud user groups that these users were in. This ensures that users keep the same permissions and robot setup.
  • Otherwise, the Azure administrator can create new groups in Azure AD to match the ones in Automation Cloud and add the same users that are in the Automation Cloud user groups. Then the organization administrator can add the new Azure AD groups to the existing user groups to ensure the same users have the same roles.

In either case, make sure you check for any roles that were explicitly assigned to users. If possible, eliminate the explicit role assignments by adding these users to groups that have the roles that were explicitly assigned.

Example: Let's say the Administrators group in Automation Cloud includes the users Roger, Tom, and Jerry. These same users are also in a group in Azure AD called admins. The organization administrator can add the admins group to the Administrators group in Automation Cloud. This way, Roger, Tom, and Jerry, as members of the admins Azure AD group, all benefit from the roles of the Administrators group.

Because admins is now part of the Administrators group, when you need to onboard a new administrator, the Azure administrator can add the new user to the admins group in Azure, thus granting them administration permissions in Automation Cloud without having to make any changes in Automation Cloud.

Note:

Changes to Azure AD group assignments apply in Automation Cloud when the user logs in with their Azure AD account, or if already logged in, within an hour.

Migrate existing users

Initial sign in: For the permissions assigned to Azure AD users and groups to apply, users must sign in at least one time. We recommend that, after the integration is running, you communicate to all your users to sign out of their local account and sign in again with their Azure AD account. They can sign in with their Azure Ad account by:

  • navigating to the organization-specific URL, in which case the sign in type is already selected;

    Note: The URL must include the organization ID and end in a forward slash, such as https://cloud.uipath.com/orgID/.
  • by selecting Enterprise SSO on the main login page.

    Note: Make sure you provide your organization-specific URL for Automation Cloud to all your users. Only organization administrators can see this information in Automation Cloud.

Migrated users benefit from the union of the permissions that were directly assigned to them and the ones from their Azure AD groups.

Configuring Studio and Assistant for users: To set up these products to connect with Azure AD accounts:

  1. In Assistant, open Preferences and select the Orchestrator Connection tab.
  2. Click Sign Out.
  3. For the connection type, select Service URL.
  4. In the Service URL field, add the organization-specific URL

    Note: The URL must include the organization ID and end in a forward slash, such as https://cloud.uipath.com/orgID/. Otherwise the connection fails saying that the user does not belong to any organization.
  5. Sign back in with the Azure AD account.
Important: Permissions from Azure AD groups don't influence the automations from classic folders or the robots that are connected using the machine key. To operate under group-based permissions, configure the automations in modern folders and use the Service URL option to connect to UiPath Assistant or Studio.

Discontinue use of UiPath local accounts (optional)

Although optional, we recommend that you remove the use of local accounts to maximize the core compliance and efficiency benefits of the complete integration between Automation Cloud and Azure AD.

Important: Only remove non-administrator accounts. You need to retain at least one organization administrator local account to be able to change authentication settings in the future.

After all users have been migrated, you can remove the non-admin users from the Users tab, so that your users won't be able to sign in using their local account anymore. You can find these accounts based on their user account icons.

You can also clean up individual permissions in the UiPath cloud services, such as the Orchestrator service, and remove individual users from Automation Cloud groups so that permissions rely exclusively on Azure AD group membership.

Exceptions

If you decide to discontinue use of local accounts, keep the following in mind:

  • Managing authentication settings in Automation Cloud: To switch to a different authentication setting or to update the Azure AD application secret, a UiPath user account with the organization administrator role is required. The Authentication Settings options are not active otherwise.
  • API Access: If you have processes in place that rely on the information obtained by clicking API Access (Admin > Tenants page) to make API calls to a service, you need a local account because the button is not available when logged in with an Azure AD account.

    Alternatively, you can switch to using OAuth for authorization, in which case the information from API Access is no longer required.

Best practices

Here are a few useful pointers for advanced features you can leverage now that you have the Azure AD integration set up.

Restrict access to Automation Cloud

Because the integration with Azure AD is performed at the level of the Azure tenant, by default all Azure AD users can access Automation Cloud. The first time an Azure AD user signs in to Automation Cloud, they are automatically included in the Automation Cloud group Everyone, which grants them the User organization-level role.

If you want to only allow certain users to access Automation Cloud, you can activate user assignment for the Automation Cloud app registration in Azure. This way, users need to be explicitly assigned to the app (Automation Cloud) to be able to access it. For instructions, see this article in the Azure AD documentation.

Restrict access to trusted networks or devices

If you want to only allow your users to access Automation Cloud from a trusted network or a trusted device, you can use the Azure AD Conditional Access feature.

Governance for Automation Cloud groups in Azure AD

If you have created groups in Azure AD for easy Automation Cloud onboarding directly from Azure AD, as described in Configure Groups for Permissions and Robots, you can use the advanced security options of Privileged Identity Management (PIM) for these groups to govern access requests for Automation Cloud groups.

Was this page helpful?

Get The Help You Need
Learning RPA - Automation Courses
UiPath Community Forum
Uipath Logo White
Trust and Security
© 2005-2024 UiPath. All rights reserved.