# SSO via Office 365

## Register Enginsight in Azure AD

First, register Enginsight as a new app in your Azure Active Directory. To do this, follow Microsoft's step-by-step instructions.

{% embed url="<https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app>" %}

{% hint style="warning" %}
As shown in the screenshot, add a redirect URL and complete it with your API domain.
{% endhint %}

<figure><img src="https://97980696-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LTMe1v0eboWCAUTQHbT-887967055%2Fuploads%2FbNsrM7AOBwrdakPTx3KP%2FSSO%20MS.png?alt=media&#x26;token=b14950fb-88b8-4157-a9fb-c0826c6d013e" alt=""><figcaption></figcaption></figure>

After you have successfully registered Enginsight, you only need to add your `clientId` and either a `clientSecret` or a `clientCertificate` to the Enginsight configuration.

## Customizing the Enginsight configuration

{% hint style="warning" %}
If you modify a **configuration file** on the application server, **setup.sh** must always be executed subsequently. Only then will the settings take effect.
{% endhint %}

1. Open the configuration file in an editor of your choice, for example nano.

```
sudo nano /opt/enginsight/enterprise/conf/services/config.json
```

2. In the "microsoftAuthenticationLibrary" section, enter the data from your Azure AD.

```
"microsoftAuthenticationLibrary": [{
    "scope": "\\@.*",
    "clientId": "",
    "clientSecret": "",
    "clientCertificate": {
      "thumbprint": "",
      "privateKey": ""
    },
    "authority": "https://login.microsoftonline.com/<TENANT_ID>"
  }],

```

The `scope` allows you to restrict the configuration to a specific AD domain. In most cases, no restriction will be necessary and you will not need to adjust the value.

You get the `clientId` from your Azure AD, where it is called applicationId.

You also get the `clientSecret` from your Azure AD.

As an alternative to `clientSecret`, you can also work with a `clientCertificate`. Please follow the Microsoft documentation to issue a certificate.

The `TENANT_ID` is your Azure AD directoryId.

**Example of a correct configuration:**

```
"microsoftAuthenticationLibrary": [{
    "scope": "\\@.*",
    "clientId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx",
    "clientSecret": "xxxxx~xxxxxxxxx.xxxxxxxxx",
    "authority": "https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx"
  }],

```

3. Save the new configuration file (Ctrl+o) and confirm the saving process. Close nano (Ctrl+x).
4. Open `/opt/enginsight/enterprise/conf/ui-m1/environment.js`.
5. Enter the following line in the `var ENV = {` section:

```
loginVia: ['ssoOffice365', 'usernamePassword'],
```

The entire script should now look like this:

```
module.exports = function (environment) {
  var ENV = {
    loginVia: ['ssoOffice365', 'usernamePassword'],
    hinting: true,
    modulePrefix: 'ngs-ui-m1',
    environment: environment,
    rootURL: '/',
    locationType: 'auto',
    recaptchaKey: '',
    EmberENV: {
      FEATURES: {}
    },

    APP: {}
  };

  ENV.apiDomain = '%%API_URL%%';
  ENV.onpremise = {
    version: 1
  };

  return ENV;
};
```

6. Navigate to `/opt/enginsight/enterprise` and run `setup.sh`:

```
sudo ./setup.sh
```
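
A pre-flight check for the entry from step 2, to run before `setup.sh` so that a leftover placeholder or a missing credential is caught early. This is an added example, not Enginsight's own tooling; it assumes `microsoftAuthenticationLibrary` is a top-level key of `config.json`, and `check_entry`, `check_config` and the sample values are hypothetical names and constructed data.

```python
import json
import re
import sys
from pathlib import Path

GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
AUTHORITY_PREFIX = "https://login.microsoftonline.com/"

def check_entry(entry):
    """Return a list of problems found in one microsoftAuthenticationLibrary entry."""
    problems = []
    if not GUID.fullmatch(str(entry.get("clientId", ""))):
        problems.append("clientId is not a GUID (use the applicationId from Azure AD)")
    authority = str(entry.get("authority", ""))
    tenant = authority.removeprefix(AUTHORITY_PREFIX).rstrip("/")
    if not GUID.fullmatch(tenant):
        problems.append("authority must end in your directoryId, not a placeholder")
    cert = entry.get("clientCertificate") or {}
    has_secret = bool(entry.get("clientSecret"))
    has_cert = bool(cert.get("thumbprint")) and bool(cert.get("privateKey"))
    if not (has_secret or has_cert):
        problems.append("set clientSecret, or clientCertificate with thumbprint and privateKey")
    try:
        re.compile(str(entry.get("scope", "")))
    except re.error as exc:
        problems.append(f"scope is not a valid regular expression: {exc}")
    return problems

def check_config(text):
    """Check every entry; assumes the section is a top-level key of config.json."""
    entries = json.loads(text).get("microsoftAuthenticationLibrary", [])
    if not entries:
        return ["no microsoftAuthenticationLibrary entries found"]
    return [f"entry {i}: {p}" for i, e in enumerate(entries) for p in check_entry(e)]

# Constructed sample: the GUIDs and the secret are made-up values, not real credentials.
SAMPLE = r"""
{"microsoftAuthenticationLibrary": [{
    "scope": "\\@.*",
    "clientId": "11111111-2222-3333-4444-555555555555",
    "clientSecret": "constructed-sample-secret",
    "authority": "https://login.microsoftonline.com/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
}]}
"""

if __name__ == "__main__":
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE
    found = check_config(text)
    print("\n".join(found) or "microsoftAuthenticationLibrary: OK")
    sys.exit(1 if found else 0)
```

Pass the path to `config.json` as the first argument to check the real file; the script exits non-zero when it finds a problem.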

## Login via Microsoft Office 365

{% hint style="info" %}
Please note that all users for whom SSO is to take effect must first be created in the Enginsight app under Settings // Team members.
{% endhint %}

After successful setup, select the appropriate authentication method and log in with your email address.

## Disabling the default login

After successfully testing authentication via SSO, you can disable the standard login for your on-premises instance. To do this, proceed as follows:

1. Open the configuration file in an editor of your choice, for example nano.

   ```
   sudo nano /opt/enginsight/enterprise/conf/ui-m1/environment.js
   ```
2. Change the third line to:

   ```
   loginVia: ['ssoOffice365'],
   ```
3. Save the new configuration file (Ctrl+o) and confirm the save process. Close nano (Ctrl+x).
4. Navigate to `/opt/enginsight/enterprise` and run `setup.sh`:

   ```
   sudo ./setup.sh
   ```
