Agency-Side Administrator Settings for Microsoft Azure AD Single Sign On
These directions are good as of October 2021. Future updates to Azure AD or PowerShell may break elements of these instructions. LegalServer does not monitor Azure AD or PowerShell for updates.
Once Microsoft Azure AD Single Sign On has been enabled for your site, there are two major steps to start using SSO. To create the SSO link with LegalServer, you'll need to 1) set things up in Azure AD, and then 2) enter that information into the SSO configuration on your LegalServer site. Below are two different ways to configure Azure Active Directory: via PowerShell or via the Azure user interface. PowerShell is arguably the faster method and allows a longer secret expiration (currently as late as 2299) instead of the two-year maximum in the user interface.
Azure AD SSO Setup via PowerShell
To run this script, you may have to modify the execution policy on your local machine. See Microsoft's article on Execution Policy. It is recommended to run Get-ExecutionPolicy to find out your current execution policy, then Set-ExecutionPolicy Unrestricted. This may require Administrator privileges. When the script finishes, be sure to set your execution policy back to a more restrictive setting. With Administrator privileges, run Install-Module AzureAD to ensure you have the module needed to interact with Azure AD. Then run the following script:
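The page's own script is not reproduced here. What follows is an added example (not LegalServer's script) that performs the same three things the manual steps below describe: a single-tenant app registration with the LegalServer redirect URL, a client secret with a long expiration, and output of the three values the LegalServer SSO page asks for. It assumes the AzureAD PowerShell module is installed, that the signed-in account may create app registrations, and that the display name "LegalServer SSO" and the 2299 expiration date are acceptable defaults for your agency (both are assumptions you can override with the parameters).

```powershell
#Requires -Modules AzureAD
# Added example, not LegalServer's script. Registers a single-tenant Azure AD
# application for LegalServer SSO and returns the values needed on the
# Admin > Single Sign On page.
param(
    # Assumed display name; any name is fine.
    [string]$DisplayName = 'LegalServer SSO',
    # Redirect URL from the LegalServer instructions.
    [string]$RedirectUri = 'https://aws-auth.legalserver.org/sso',
    # Far beyond the two-year limit of the portal UI; shorten to suit your policy.
    [datetime]$SecretExpires = (Get-Date '2299-12-31')
)

# Interactive sign-in to the tenant that will own the registration.
Connect-AzureAD | Out-Null

# The tenant's object ID is the "Authentication URL Parameter" value.
$tenantId = (Get-AzureADTenantDetail).ObjectId

# Single-tenant registration ("Accounts in this organizational directory only")
# with the web redirect URL attached at creation time.
$app = New-AzureADApplication -DisplayName $DisplayName `
                              -ReplyUrls @($RedirectUri) `
                              -AvailableToOtherTenants $false

# A service principal makes the app visible under Enterprise Applications,
# which is where admin consent is later granted.
$null = New-AzureADServicePrincipal -AppId $app.AppId

# Client secret. Azure returns the secret value only in this response;
# it cannot be read back later, so capture it now.
$secret = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId `
            -CustomKeyIdentifier 'LegalServer SSO' `
            -StartDate (Get-Date) `
            -EndDate $SecretExpires

# Emit exactly the fields the LegalServer SSO configuration page asks for,
# plus the expiry date so it can be recorded for renewal.
[PSCustomObject]@{
    'SSO Client ID'                = $app.AppId
    'SSO Client Secret'            = $secret.Value
    'Authentication URL Parameter' = $tenantId
    'Secret expires'               = $secret.EndDate
}
```

Two notes on running it. First, Set-ExecutionPolicy Unrestricted -Scope Process confines the relaxed policy to the current PowerShell session, which achieves what the instructions above ask for (restoring the stricter policy afterwards) without touching the machine-wide setting. Second, the secret value is written to the console only; paste it straight into the LegalServer SSO page rather than saving it to a file, and note the expiry date so the secret can be rotated before it lapses. Granting admin consent (Step 9 in the user-interface instructions) is not performed by this script and is still done in the Azure portal.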
This gives you the appropriate values for the LegalServer SSO configuration page.
Azure AD SSO Setup
Add an App in Azure AD
Step 1 - Register the app
Step 2 - Register the app, granting access to "Accounts in this organizational directory only (<AD Tenant Name> only - Single tenant)"
Step 3 - Add redirect URL - "https://aws-auth.legalserver.org/sso"
Step 4 - Click “Add Platform”
Step 5 - Click “Web” (Web applications)
Add a Secret
Step 7 - On the left, click "Certificates & Secrets" and then click "New Client Secret" on the blade that shows on the right. You'll have to add a description and set the expiration. Pro Tip: in the Azure User Interface, you can only set the expiration up to 2 years out. PowerShell or the Azure CLI lets you go much further out. Make sure you write down when it expires, because you'll have to update it.
Step 8 - Grab the Secret Value - It will only show once. Grab it while you can.
Step 9 - Grant Consent - On the left, click "API Permissions", then on the right click "Grant Consent to ..." so that your users do not potentially have to click that themselves.
Enter your Azure AD Credentials in LegalServer
Note: These settings affect the security of your agency's data, and if your admin staff has any question at all about properly configuring Azure AD securely, we encourage you to get the help of a consultant. Our staff can provide you with contact information for consultants who have worked on Microsoft integrations with LegalServer.
Once Single Sign On is enabled for your site, and you have configured Azure AD, configure the Azure AD settings in LegalServer on the Admin > Single Sign On page:
SSO Client ID = the App's "Application (Client) ID", which is displayed right under the "Display Name" after the app has been created.
SSO Client Secret = the Value of the secret you created.
Authentication URL Parameter = the Azure AD Tenant ID.
Set a test LegalServer user's email account to match the email address of a test Azure AD account (e.g., email@example.com). Sign out, click "Single Sign On", supply the test credentials and accept/authorize the app. You should now be logged in to LegalServer as that user.