Microsoft Azure users can log in to Cirro once the system is configured and roles are created.

This is an end-to-end tutorial to link the Azure AD Directory Service to Cirro.

Set up Azure AD

First, log in to Azure AD as the Azure Administrator and perform these tasks:

| Step | Description |
|---|---|
| Register a Cirro app in Azure | This includes setting up Microsoft Graph and Active Directory permissions. |
| Create an Azure user group | Create a group and add users. |

Register a Cirro app in Azure

You first need to register Cirro as a Native Application within Azure.

  • Click Azure Active Directory then choose App Registrations.

  • Click New Application Registration.

| Field | Value |
|---|---|
| Name | CirroConnect |
| Type | Native |
| Redirect URI | urn:ietf:wg:oauth:2.0:oob or https://cirroconnect |

Set required permissions

  • Open App registrations then choose CirroConnect.

  • Click Settings then Required Permissions.

  • Click Add new permissions then Microsoft Graph and click Select.

  • Select the following Delegated permissions:

    • Sign in

    • Read User Profile

    • Read all users’ full profiles

  • Click Select then Done.

  • Click Windows Azure Active Directory and select the following Delegated Permissions:

    • Sign In and read user profile

    • Access the directory as the signed-in user

    • Read all users’ basic profiles

  • Click Save.

Here are the permissions side-by-side:

OAUTH 2.0 Authorization Endpoint

This step is only required for customers running multiple domains.

  • Open App Registrations then Endpoints.

  • Click the copy button and paste into a text file for later use.

Create an Azure User Group

These steps guide you through creating a group for your Cirro users.

  • Go back to the Azure homepage then click Azure Active Directory

  • Choose Groups, All Groups then New Group.

  • Set Group type: Security.

  • Name the group and give it a description.

  • Set Membership type: Assigned.

  • Choose your users.

  • Click Select then Create to save the group.

Add Azure AD to Cirro

Log in to Cirro, then add Azure AD as an authentication provider, add it to the authentication chain, and grant roles to Azure AD users.

Set up Cirro

Add Azure AD as an authentication provider

  • First, open Authentication Providers.

    • Choose Users & Roles then Authentication Settings.

    • Next, click Create.

  • Second, give the provider a unique name and choose Azure Active Directory from the drop-down menu.

This expands the dialog so you’ll see the General and Advanced tabs.

Add Settings

On the General tab, add these settings from your Azure AD account.

| Value | Description | Required | Azure path to find this… |
|---|---|---|---|
| Application ID | Redirect URI from App Registration settings | Yes | Azure Active Directory > App Registrations |
| Authority | OAuth Endpoint | No | Azure Active Directory > App Registrations > Endpoints > OAUTH 2.0 Token Endpoint |
| Resource ID | Microsoft Graph API resource name or ID | No | Azure Active Directory > App Registrations > Endpoints > Microsoft Azure AD Graph API Endpoint |
| Authentication Mode | Multifactor authentication mode. Choose from Password Authentication Only or MFA via email. | | |
| MFA Provider | Available for Password Authentication. Supplemental Authenticator to provide multi-factor authentication. | | |
| Email Domain | Available for MFA via Email. An optional email domain to override the username’s domain. | | |
| Redirect Service | Available for MFA via Email. An optional redirect service used to simplify the MFA email and remove the need to cut and paste the authorization code. Cirro provides a free service at https://cirro.com/secureconnect/relay | | |

  • Make changes to advanced settings if desired.

| Field | Description |
|---|---|
| Cache expiry timeout (seconds) | For MFA providers, the time window in which new connection requests will re-use the initial MFA authentication. Every new connection resets the time. This is for client tools that make multiple connections for your single login. Defaults to 900 seconds. |
| Authentication timeout (seconds) | For MFA providers, the number of seconds users have to acknowledge their connection. |
| Valid username pattern | (optional) If set, only usernames that match the regular expression will be validated using this Authentication Provider. |
| Synchronize users | (optional) Synchronize the directory users from this Authentication Provider if supported by the provider. |

  • Click Create Provider when finished.
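
The cache expiry window slides: every new connection resets it, so a client that reconnects more often than the timeout is challenged once and then stays authenticated. The Python model below is an added example, not Cirro code; the class and function names, the connection schedules and the handling of the exact boundary (`>` rather than `>=`) are assumptions.

```python
from dataclasses import dataclass, field

DEFAULT_CACHE_EXPIRY = 900  # seconds, the default stated in the settings table


@dataclass
class MfaCache:
    """Model of the documented behaviour (assumed, not Cirro's code): a
    connection inside the window re-uses the earlier MFA result, and every
    connection resets the timer."""
    expiry: int = DEFAULT_CACHE_EXPIRY
    _last_seen: dict = field(default_factory=dict)

    def connect(self, user: str, now: int) -> bool:
        """Return True when this connection needs a fresh MFA challenge."""
        last = self._last_seen.get(user)
        needs_mfa = last is None or now - last > self.expiry
        self._last_seen[user] = now  # sliding window: reset on every connection
        return needs_mfa


def count_challenges(connect_times, expiry=DEFAULT_CACHE_EXPIRY, user="alice"):
    """Number of MFA challenges a user sees for the given connection times."""
    cache = MfaCache(expiry=expiry)
    return sum(cache.connect(user, t) for t in connect_times)


def longest_unchallenged_span(connect_times, expiry=DEFAULT_CACHE_EXPIRY):
    """Longest stretch in seconds covered by a single MFA challenge."""
    cache, start, longest = MfaCache(expiry=expiry), None, 0
    for t in connect_times:
        if cache.connect("alice", t):
            start = t  # a new challenge starts a new span
        longest = max(longest, t - start)
    return longest


# Constructed schedules (seconds since the first login).
BI_TOOL = list(range(0, 8 * 3600 + 1, 600))  # reconnects every 10 min for 8 h
OCCASIONAL = [0, 300, 2000, 2100, 7200]      # some gaps longer than 900 s

if __name__ == "__main__":
    print(count_challenges(BI_TOOL), longest_unchallenged_span(BI_TOOL))
    print(count_challenges(OCCASIONAL), longest_unchallenged_span(OCCASIONAL))
    print(count_challenges(BI_TOOL, expiry=300))
```

With the default, the constructed 10-minute reconnect schedule is covered by one challenge for the full eight hours, so the timeout bounds idle time rather than total session length.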

Set Directory Services Authentication Chain

You can set authentication providers to execute services one after another.

  • Click the field to view a list of all your authentication providers.

  • Tick your Azure AD provider name then additional providers in order of preference.

  • Click Update to save.
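
The Valid username pattern setting decides which usernames a provider validates, which matters once several providers share a chain. This page does not say which regular-expression flavour Cirro uses or whether it matches the whole username, so the added Python check below (not Cirro code; `audit_pattern`, the sample usernames and the `corp.example` domain are assumptions) tests a candidate pattern under both full-match and substring-search semantics.

```python
import re


def audit_pattern(pattern, must_accept, must_reject):
    """Check a candidate username pattern against sample usernames under
    both full-match and substring-search semantics. Returns a list of
    (semantics, username, problem) tuples; an empty list means the pattern
    gives the intended result whichever semantics the product applies."""
    rx = re.compile(pattern)
    modes = {"fullmatch": rx.fullmatch, "search": rx.search}
    findings = []
    for mode, fn in modes.items():
        for name in must_accept:
            if not fn(name):
                findings.append((mode, name, "rejected but should be accepted"))
        for name in must_reject:
            if fn(name):
                findings.append((mode, name, "accepted but should be rejected"))
    return findings


# Constructed sample usernames; corp.example is a placeholder domain.
MUST_ACCEPT = ["alice@corp.example", "bob.smith@corp.example"]
MUST_REJECT = [
    "alice@corp.example.other.test",  # extra text after the domain
    "alice@corpXexample",             # an unescaped '.' matches any character
    "alice@other.test",               # different domain
    "svc@corp.example\n",             # trailing newline
]

LOOSE = r"@corp.example"  # unanchored, dot not escaped
# Anchored with the dot escaped. Python's \Z is a strict end of string;
# Java and PCRE spell the strict form \z.
STRICT = r"\A[A-Za-z0-9._-]+@corp\.example\Z"

if __name__ == "__main__":
    for label, pattern in (("LOOSE", LOOSE), ("STRICT", STRICT)):
        print(label, audit_pattern(pattern, MUST_ACCEPT, MUST_REJECT))
```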

Grant Cirro Roles to Azure AD users

Cirro roles are granted directly to the Azure AD service and are pushed down to the users. This means all users have the same database access.

Only users who have already logged in will be listed.

  • Click Users & Roles then View all roles.

  • Click Active Directory Users

| Column | Description | Possible Values | See also |
|---|---|---|---|
| Login | Your directory username | Determined by your Directory system | |
| Authentication Provider | Third party authentication provider | TOTP, Duo, Saaspass | Manage authentication providers |
| First Login | Date and time of first login to Cirro | YYYY-MM-DD HH:MM | |
| Last Login | Date and time of last login to Cirro | YYYY-MM-DD HH:MM | |
| Session Count | Session ID of last login | | |

View Azure AD Users in Cirro

Only users who have already logged in will be listed.

  • Click Users & Roles then View all roles.

  • Click Active Directory Users

| Column | Description | Possible Values | See also |
|---|---|---|---|
| Login | Your directory username | Determined by your Directory system | |
| Authentication Provider | Third party authentication provider | TOTP, Duo, Saaspass | Manage authentication providers |
| First Login | Date and time of first login to Cirro | YYYY-MM-DD HH:MM | |
| Last Login | Date and time of last login to Cirro | YYYY-MM-DD HH:MM | |
| Session Count | Session ID of last login | | |
