Planet eStream Support

Azure and Office 365 Installation

Azure and Office 365 Installation – Portal Interface
Summary

Azure and Office 365 integration allows a user to log in to Planet eStream using their Azure Active Directory account details or Office 365 details. Support for Digital Signage and Apple mobile devices was added in version 6.51 of the Planet eStream service.

Azure/Office 365 Portal

To start with, navigate to the Azure Portal and log in using your Azure or Office 365 administrator login details.

Once logged in, select "Azure Active Directory" from the menu panel on the left and in the new window select "App Registrations".

Select the "New Registration" option and enter a recognisable name, e.g. "Planet eStream". Supported account types can be left as the default, "Accounts in this organisational directory only".

For the Redirect URL, please enter your eStream website URL with '/net4' appended to the end. For example: https://demo.planetestream.com/net4

Select the Register button at the bottom of the page to create the application.

On the newly created app, start by taking a copy of the "Application (client) ID" and "Directory (tenant) ID" for later entry into your Planet eStream website.

Next, select the "Authentication" option under the Manage menu and, under the Advanced Settings > Implicit Grant section, enable the "ID tokens" checkbox and save the changes.

Moving on to the "Certificates & Secrets" section, we will generate a secure Client Secret that your Planet eStream website will use to access your Azure AD application.

Under the "Client Secrets" section select the "New Client Secret" button. For the client secret description enter a description such as "Planet eStream" and then set the Expires radio button to Never.

Upon clicking the Add button you will be presented with the new client secret. Be absolutely certain to copy this secret value down for later entry in your Planet eStream website.

We now move on to the API Permissions section; this will allow the Planet eStream platform to access your Azure AD details.

Select the "Add a Permission" button, scroll to the bottom of the available APIs list and select "Azure Active Directory Graph".

In the window that appears, select the "Delegated Permissions" button first and enable the following permissions:

  • Directory.AccessAsUser.All
  • Directory.Read.All
  • User.Read

Select the "Application Permissions" button next and enable the Directory.Read.All permission.

Click on "Add Permissions" to save these changes.

Under the "Grant Consent" section select the "Grant admin consent" button for your organisation.

We can now move on to updating the Manifest. Select the "Manifest" option from the menu and find line 11, where it reads:

"groupMembershipClaims": null,

Change this line to:

"groupMembershipClaims": "All",

Select the Save button to save these changes.

This ends the Azure AD configuration. You will now have the three keys:

  • Directory (tenant) ID
  • Application (client) ID
  • Client Secret
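
A check of the settings configured above, as an added example that is not part of the original guide or Planet eStream's own code: it reads an exported app manifest and reports where it differs from these steps. The attribute names oauth2AllowIdTokenImplicitFlow, replyUrlsWithType and passwordCredentials assume the legacy Azure AD manifest format, and the sample manifest is constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample: attribute names follow the legacy Azure AD manifest format
# (an assumption); IDs, URLs and dates are placeholders, not real tenant values.
SAMPLE_MANIFEST = """{
  "appId": "00000000-0000-0000-0000-000000000000",
  "groupMembershipClaims": null,
  "oauth2AllowIdTokenImplicitFlow": true,
  "replyUrlsWithType": [
    {"url": "https://demo.planetestream.com/net4", "type": "Web"},
    {"url": "http://demo.planetestream.com/", "type": "Web"}
  ],
  "passwordCredentials": [
    {"keyId": "11111111-1111-1111-1111-111111111111",
     "endDate": "2299-12-30T00:00:00Z"}
  ]
}"""


def audit_manifest(manifest, site_url, now=None, max_secret_days=730):
    """Compare a manifest dict with the settings in this guide; return findings."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if manifest.get("groupMembershipClaims") != "All":
        findings.append('groupMembershipClaims is not "All"')
    if not manifest.get("oauth2AllowIdTokenImplicitFlow"):
        findings.append("ID tokens (implicit grant) are not enabled")
    # The guide registers exactly one redirect URL: the site URL plus /net4.
    expected = site_url.rstrip("/") + "/net4"
    urls = [r.get("url", "") for r in manifest.get("replyUrlsWithType") or []]
    if expected not in urls:
        findings.append(f"redirect URL {expected} is missing")
    findings += [f"unexpected redirect URL {u}" for u in urls if u != expected]
    # A secret set to "Never" expire is only replaced when someone rotates it.
    for cred in manifest.get("passwordCredentials") or []:
        end = datetime.fromisoformat(cred["endDate"].replace("Z", "+00:00"))
        if (end - now).days > max_secret_days:
            findings.append(f"secret {cred['keyId']} valid until {end.date()}:"
                            " schedule manual rotation")
    return findings


if __name__ == "__main__":
    for line in audit_manifest(json.loads(SAMPLE_MANIFEST),
                               "https://demo.planetestream.com"):
        print("FINDING:", line)
```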

Planet eStream Website

Log in to your Planet eStream website using your Admin account and navigate to Tools > Admin > Integrations & Features > External Services. Under the Microsoft Online Services section you’ll see an entry for Azure AD/Office 365 SSO.

  • For Tenant ID enter the Directory (tenant) ID.
  • For the Client ID field, enter your Application (client) ID.
  • For the Application Key, enter the Client Secret.

Once all entries are completed, click on the Update Microsoft Settings button to save these details. The Client Secret will be hidden at this stage.

At this stage, for Planet eStream Cloud platform customers, before continuing please contact the Planet eStream support team to update your site settings.

Return to the Admin area and this time navigate to Users, Permissions, Authentication > Authentication Options. You’ll see an option for "Azure / O365 Login"; select the Enable checkbox. You can customise the text that will show on the login button, e.g. "Login with your Office 365 account". Once changed, select the Save Options button.

It is highly recommended to allow an organisation account to access the Tools > Admin area. To do this, within the same Authentication Options section locate the option for "Domain Users Administration List". In this box enter a comma-separated list of the email addresses of users who should be able to access the Admin area.

Select the Save Options button to complete these changes.

Important note: for Planet eStream cloud hosted customers this change may take a little while to be pushed through. Please contact the Planet eStream Support Team to get the change pushed through to your site.

Assigning Permissions

One of the advantages of using the Azure AD authentication option over SAML or ADFS is that you are able to search for users and groups when assigning permissions.

To start, navigate to your Tools > Admin area and then under Users, Permissions, Authentication select Schemas. Underneath one of your schemas select the Members option.

In the Members page you will see two sections, one for Groups and one for Users. Ensure that the dropdown box for each is set to Azure Directory and then search for your group or user.

In the Search Results select the Include option. The page saves automatically, so the next time this user or a member of this group logs in to the Planet eStream website, they will receive these permissions.

Log out of your Planet eStream site and you will now see a new button for "Login with Microsoft Account". Select this button and you will be redirected to your Microsoft login page. You will either be automatically logged into your Planet eStream site or will be asked to log in with your organisation account.

Once tested, this option can now be set as the default authentication method.

To set the default authentication method, navigate to Tools > Admin > Users, Permissions, Authentication > Authentication Options. At the top of this page you will see the options for "Local Authentication Methodology" and "External Authentication Methodology". Please set both options to "Microsoft Azure AD/Office 365" and then click on the Save Options button.

Once saved, visitors to your Planet eStream website will now be taken to your organisation website and logged in through single sign-on.

This completes the setup of the Azure AD integration with Planet eStream. If you have any questions or run into any issues, please drop Planet eStream Support an email.