
Azure Active Directory

Snow Atlas supports configuring Azure Active Directory (AD) as a single sign-on (SSO) provider.

Description

The Snow Atlas Azure AD single sign-on application registration is configured as a multi-tenant OpenID Connect (OIDC) application. Its configuration options are already set with the permissions and settings required to work with Snow Atlas. In your own tenant you can additionally configure items such as user and access group assignments, as well as any Conditional Access policies that you want to apply to this registration.

Supported features

  • Service Provider (SP)-initiated SSO, where the sign-in is started from Snow Atlas

  • User provisioning, which creates the user on first sign-in when enabled in Snow Atlas

Requirements

  • The user is an Azure AD administrator.

  • The user is a Snow Atlas system administrator.

Application permissions

The following permissions are already set in the Snow Atlas Azure AD single sign-on application registration:

Scope permission: Description

profile: Retrieves basic profile information about the user, which is mapped to the user's profile in Snow Atlas.

email: The user's primary email address, which is used to sign in to Snow Atlas and as contact information.

GroupMember.Read.All: The Microsoft Graph scope for reading the user's group membership, used to map groups to Snow Atlas permissions. This is reserved for future group synchronization and is only queried if that feature is configured.

User.Read: The Microsoft Graph scope for reading user information. This scope is implicitly required by GroupMember.Read.All.

Configuration required

You must configure your Azure AD tenant for Snow Atlas.

Note

The user must have the email claim set in Azure AD. Setting only the user principal name (UPN) is not sufficient.

You require the relevant Azure AD tenant ID for your organization's Azure portal. For more information, see Find Azure Active Directory tenant ID.

You must also consent to the application permissions required by Snow Atlas for Azure AD SSO. For more information, see Consent to Azure Active Directory SSO permissions.

Claim mappings

The Azure AD given_name and family_name claims are mapped to the equivalent properties in Snow Atlas if those properties are not already populated.
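The two rules above (the email claim is required and a UPN does not substitute for it; given_name and family_name are only copied into an empty profile field) are easy to get wrong in an SSO integration. The following is an added example, not Snow Atlas code, that applies them to a decoded ID-token payload. The function names, the profile dictionary layout and the sample tokens are constructed for illustration; the check that the token's tid matches the configured tenant ID is an assumption about how the tenant ID from the Configuration required section is used, included because a multi-tenant registration will otherwise accept tokens from any Azure AD tenant.

```python
"""Claim handling for an Azure AD (OIDC) sign-in, modelled on the rules on this page.
Added example, not Snow Atlas code. Names, profile layout and sample tokens are assumptions."""

# Constructed sample ID-token payloads. They are assumed to be already
# signature-verified and decoded; signature verification is out of scope here.
TOKEN_WITH_EMAIL = {
    "tid": "11111111-2222-3333-4444-555555555555",
    "upn": "alice@contoso.example",
    "email": "alice@contoso.example",
    "given_name": "Alice",
    "family_name": "Andersson",
}
TOKEN_UPN_ONLY = {  # no email claim: the UPN alone must not be accepted
    "tid": "11111111-2222-3333-4444-555555555555",
    "upn": "bob@contoso.example",
    "given_name": "Bob",
    "family_name": "Berg",
}


class SignInRejected(Exception):
    pass


def validate_claims(claims, expected_tid):
    """Apply the page's requirements before trusting the token; return the email."""
    # Assumption: pin the issuing tenant to the tenant ID configured for this
    # organization, because the app registration itself is multi-tenant.
    if claims.get("tid") != expected_tid:
        raise SignInRejected("token issued by an unexpected tenant")
    # The email claim must be present; a UPN is not a substitute.
    email = claims.get("email")
    if not email:
        raise SignInRejected("email claim missing; UPN alone is not sufficient")
    return email


def apply_claim_mappings(profile, claims):
    """Copy given_name/family_name only into profile fields that are still empty."""
    mapping = {"given_name": "first_name", "family_name": "last_name"}
    updated = dict(profile)
    for claim, field in mapping.items():
        if not updated.get(field) and claims.get(claim):
            updated[field] = claims[claim]
    return updated


def sign_in(claims, expected_tid, existing_profile=None):
    """Return the profile to use for this sign-in, creating it on first sign-in."""
    email = validate_claims(claims, expected_tid)
    profile = existing_profile or {"email": email, "first_name": "", "last_name": ""}
    return apply_claim_mappings(profile, claims)


if __name__ == "__main__":
    tid = "11111111-2222-3333-4444-555555555555"
    print(sign_in(TOKEN_WITH_EMAIL, tid))
    try:
        sign_in(TOKEN_UPN_ONLY, tid)
    except SignInRejected as exc:
        print("rejected:", exc)
```

Note that an existing first_name is kept even when the token carries a different given_name; only empty fields are filled, which is the behaviour the page describes.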