Microsoft Entra ID
The ONARKEN Entra ID integration syncs users from your Entra ID directory into the ONARKEN database. Only users in the groups you specify are synced, and you can map your Entra groups to ONARKEN Access Groups.
How do I map permissions from Microsoft Entra to ONARKEN?
ONARKEN synchronises users from Microsoft Entra ID based on configured Role and Access Group mappings. These mappings determine which users are imported into ONARKEN, their permissions, and the Smart Lockers or Asset Types they can access.
Key Concepts
- Roles: Every user in ONARKEN must be assigned a single Role. Roles define a user's permissions within the platform. Users without a valid Role mapping in ONARKEN are considered invalid and are not imported.
- Access Groups: Access Groups define which Smart Lockers and Asset Types a user can access. Users with a valid Role but no Access Group are imported into ONARKEN but will likely have no functional access to lockers or assets.
Prerequisites
Before mapping roles and access groups, ensure your ONARKEN instance is already connected to Microsoft Entra. If not, refer to "How to connect Microsoft Entra ID to ONARKEN?" below for instructions.
How to Configure Role and Access Group Mappings
- Log in to the ONARKEN Management Platform. Use your administrator credentials to access the system.
- Access the Integrations Section. Click Integrations from the main navigation menu.
- Open Microsoft Entra ID Configuration. Under Microsoft Entra ID, click Configure Integration.
- Map Roles and Access Groups. For each Role or Access Group you want to map, click Map.
- Search for the Group in Microsoft Entra ID. Use the search box to locate the desired Group Name in Microsoft Entra.
- Add the Mapping. Once you find the required group, click Add Mapping.
- Repeat as Needed. Continue mapping until all necessary Roles and Access Groups are configured.
Best Practices
- Ensure every user in Microsoft Entra ID has a valid mapping to a Role in ONARKEN.
- Configure Access Groups thoughtfully to align with your organisational structure and access requirements.
- Regularly review mappings to ensure they reflect current operational needs.
What Happens During Synchronisation?
- Valid Mappings: Users with valid Role and Access Group mappings are imported into ONARKEN with the appropriate permissions and access.
- Missing Role Mapping: Users without a valid Role mapping are marked as invalid and are not imported.
- Missing Access Group Mapping: Users with a Role but no Access Group are imported but have no access to lockers or asset types.
By correctly mapping Roles and Access Groups, you ensure that user synchronisation between ONARKEN and Microsoft Entra ID is accurate and effective, supporting secure and efficient locker and asset management.
How does the Microsoft Entra ID sync work?
ONARKEN provides the ability to synchronise users directly from Microsoft Entra ID, streamlining user management by leveraging group mappings and ensuring that permissions are consistently applied.
How Synchronisation Works
- Role-to-Group Mapping: Within ONARKEN, you can map ONARKEN Roles to corresponding Microsoft Entra ID Groups. This mapping determines which ONARKEN permissions are assigned to users based on their group memberships in Entra ID.
- User Import and Synchronisation: All Microsoft Entra ID users with a valid group mapping in ONARKEN are imported into the system. These users inherit the permissions configured in the mapped ONARKEN Roles.
- Ongoing Updates with Microsoft Graph Delta API: After the initial synchronisation, ONARKEN uses the Microsoft Graph Delta API to monitor changes in Entra ID. Any changes (additions, updates, or deletions) to users in mapped groups are reflected in ONARKEN during subsequent synchronisations.
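The following is an added, illustrative model of the mapping rules described in the two sections above (a single Role is required, Access Groups are optional) and of folding a change feed into a membership snapshot; it is constructed example code, not ONARKEN's implementation. The group ids, users, the shape of the delta entries, and the handling of a user who matches two different Roles (flagged and skipped here, because the page requires exactly one Role but does not say how conflicts are resolved) are all assumptions.

```python
# Constructed Entra group ids -> ONARKEN targets (illustrative, not real object ids)
ROLE_MAPPINGS = {"grp-staff": "Locker User", "grp-admins": "Administrator"}
ACCESS_GROUP_MAPPINGS = {"grp-site-a": "Site A Lockers", "grp-admins": "All Sites"}


def evaluate(memberships: dict) -> dict:
    """Apply the page's rules: a single Role is required, Access Groups are optional.
    Returns imported users (upn -> (role, access groups)) plus the skipped/flagged ones."""
    result = {"imported": {}, "invalid": [], "conflicting": [], "no_access": []}
    for upn, groups in memberships.items():
        roles = {ROLE_MAPPINGS[g] for g in groups if g in ROLE_MAPPINGS}
        if not roles:                       # no Role mapping: invalid, not imported
            result["invalid"].append(upn)
            continue
        if len(roles) > 1:                  # page requires exactly one Role; resolution
            result["conflicting"].append(upn)   # is unspecified, so flag it (assumption)
            continue
        access = sorted(ACCESS_GROUP_MAPPINGS[g] for g in groups if g in ACCESS_GROUP_MAPPINGS)
        result["imported"][upn] = (roles.pop(), access)
        if not access:                      # imported, but no locker/asset access
            result["no_access"].append(upn)
    return result


def apply_delta(memberships: dict, changes: list) -> dict:
    """Fold a simplified change feed into the membership snapshot. Entries borrow
    Graph delta's '@removed' annotation for removals; the entry shape is assumed."""
    updated = {upn: set(groups) for upn, groups in memberships.items()}
    for change in changes:
        groups = updated.setdefault(change["user"], set())
        if "@removed" in change:
            groups.discard(change["group"])
        else:
            groups.add(change["group"])
    return updated


# Constructed snapshot and change feed (sample data, not from a real tenant)
SNAPSHOT = {
    "alice@example.com": {"grp-staff", "grp-site-a"},
    "bob@example.com": {"grp-staff"},
    "carol@example.com": {"grp-site-a"},  # no Role group yet
}
DELTA = [
    {"user": "carol@example.com", "group": "grp-staff"},  # membership added
    {"user": "alice@example.com", "group": "grp-site-a",
     "@removed": {"reason": "deleted"}},  # membership removed
]
```

Running evaluate on the snapshot, then again on apply_delta(SNAPSHOT, DELTA), shows carol moving from "invalid" to imported and alice losing her Access Group after the removal is applied.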
What permissions does ONARKEN need to my Microsoft Entra ID account?
To integrate ONARKEN with Microsoft Entra ID, specific permissions must be granted. These permissions allow ONARKEN to access and synchronise user and group information, ensuring seamless functionality within the system.
Permissions Required
- User.Read
  - Purpose: Allows ONARKEN to read the basic information of the user who is authenticating.
  - Usage: Ensures that ONARKEN can verify and authenticate individual users during login.
- User.Read.All
  - Purpose: Allows ONARKEN to read information about all users within the Microsoft Entra ID directory.
  - Usage: Enables ONARKEN to manage and synchronise user accounts for locker management and other functionalities.
- Group.Read.All
  - Purpose: Allows ONARKEN to read all group information within the Microsoft Entra ID directory.
  - Usage: Facilitates the integration of group-based permissions, access control, and management within ONARKEN.
Granting Permissions
When configuring the integration, these permissions will be requested during the admin consent process in Microsoft Entra ID. As an administrator, you must approve these permissions to enable the integration.
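As an added check after consent has been granted (this is example code, not ONARKEN's), the following compares the scopes actually consented for the ONARKEN service principal against the three permissions listed above, so a missing scope or an over-broad grant shows up in the report. It assumes the permissions are delegated scopes recorded in Microsoft Graph oauth2PermissionGrants objects (application permissions would appear as appRoleAssignments instead); the service principal ids and the sample response are constructed placeholders.

```python
import json

# The three permissions the page lists for the ONARKEN application
DOCUMENTED_SCOPES = {"User.Read", "User.Read.All", "Group.Read.All"}


def audit_consent(grants_json: str, client_sp_id: str) -> dict:
    """Diff the scopes consented to one client service principal against the
    documented set. Input is the JSON body of a Microsoft Graph
    GET /oauth2PermissionGrants response, whose 'scope' field is a
    space-separated list; consentType 'AllPrincipals' means tenant-wide admin consent."""
    consented, tenant_wide = set(), True
    for grant in json.loads(grants_json).get("value", []):
        if grant.get("clientId") != client_sp_id:
            continue                          # grants for other apps are ignored
        consented.update(grant.get("scope", "").split())
        if grant.get("consentType") != "AllPrincipals":
            tenant_wide = False               # a per-user grant, not admin consent
    return {
        "missing": sorted(DOCUMENTED_SCOPES - consented),      # sync would break
        "unexpected": sorted(consented - DOCUMENTED_SCOPES),   # over-broad: review
        "tenant_wide_admin_consent": bool(consented) and tenant_wide,
    }


# Constructed sample response with placeholder ids (not a real tenant); the extra
# scope on the first grant is deliberate, to show what an over-broad grant looks like
SAMPLE_GRANTS = json.dumps({"value": [
    {"clientId": "sp-onarken-placeholder", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-msgraph-placeholder",
     "scope": "User.Read User.Read.All Group.Read.All Directory.ReadWrite.All"},
    {"clientId": "sp-other-app-placeholder", "consentType": "Principal",
     "principalId": "user-placeholder", "resourceId": "sp-msgraph-placeholder",
     "scope": "User.Read"},
]})
```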
How to connect Microsoft Entra ID to ONARKEN?
Integrating Microsoft Entra ID with ONARKEN allows for streamlined user authentication and data synchronisation. Before starting the process, ensure you have all the necessary prerequisites in place.
Prerequisites
Before attempting the connection, confirm the following:
- You have administrative access to your Microsoft Entra account.
- You have your Microsoft Entra Tenant ID.
For more details, refer to "What is required to set up Microsoft Entra ID integration?" below.
Steps to Connect Microsoft Entra ID to ONARKEN
- Log in to the ONARKEN Management Platform. Use your administrator credentials to access the platform.
- Access the Integrations Menu. Navigate to Integrations in the main menu and locate the Microsoft Entra ID section.
- Configure the Integration. Click Configure Integration under the Microsoft Entra ID option.
- Initiate the Connection. Click Connect to start the integration process.
- Enter Your Tenant ID. Provide your Microsoft Entra Tenant ID in the designated field and click Connect to proceed.
- Authenticate with Microsoft Entra ID. You will be redirected to Microsoft's login page. Log in using your Microsoft Entra administrator credentials.
- Grant Admin Consent. After logging in, grant the ONARKEN application admin consent to access your Microsoft Entra directory.
What is required to set up Microsoft Entra ID integration?
Integrating ONARKEN with Microsoft Entra ID enables seamless user authentication and management. To complete the setup, you’ll need administrative access to your Microsoft Entra account and specific information about your Microsoft Entra configuration.
Prerequisites
- Administrative Access: You must be an administrator in your Microsoft Entra account. This is required to grant admin consent to the ONARKEN application.
- Microsoft Entra Tenant ID: The Tenant ID is a unique identifier for your Microsoft Entra directory. This ID is essential for configuring the integration.
Steps to Configure Microsoft Entra ID Integration
- Log in to the Microsoft Entra Admin Centre: Use your administrator credentials to access the Microsoft Entra portal.
- Locate Your Tenant ID: In the Microsoft Entra portal, navigate to the Overview section and copy the Tenant ID, which you will need to provide to ONARKEN.
- Grant Admin Consent to ONARKEN: Follow the ONARKEN setup instructions to connect your Microsoft Entra ID. When prompted, grant admin consent for the ONARKEN application to access your Microsoft Entra directory.
- Complete the ONARKEN Configuration: In the ONARKEN Management Platform, navigate to the Microsoft Entra ID integration settings, enter your Microsoft Entra Tenant ID, and confirm the configuration.
Why is Admin Consent Required?
Granting admin consent allows the ONARKEN application to integrate with your Microsoft Entra directory securely. This enables features such as:
- User authentication through Microsoft Entra ID.
- Synchronisation of user data for seamless usage of lockers.
Using Entra ID vs LDAP
ONARKEN® supports integration for Active Directory, using either your on-premises LDAP connection or Entra ID. This guide is designed to help you choose which option suits your organisation best.
Entra ID
The ONARKEN® Entra ID integration works by configuring the Entra groups you would like synced into ONARKEN®, enabling usage at your Smart Lockers and/or logging into the ONARKEN® Management Platform.
Why pick Entra ID?
- The Entra ID integration supports Single Sign-On for users on the ONARKEN® management platform and Smart Locker users on the My ONARKEN® application.
- Users are kept up-to-date through automatic daily synchronisation and optional live check on user scan.
- Self-registration option if card numbers are not stored in Entra ID.
LDAP Lookup
The ONARKEN® LDAP Lookup integration works by searching your on-premises Active Directory. When a user scans their card at the Smart Lockers, the card is looked up in Active Directory; if a matching user is found, they are registered to the ONARKEN® system and can proceed with using the lockers.
Why pick LDAP Lookup?
- Users are authenticated live against your Active Directory when scanning.
- No time-consuming registration process for the locker user.
Drawbacks of LDAP Lookup
- Users are only updated during the locker scan process, therefore users that no longer exist will not be removed from ONARKEN® until an automatic purge date.
- Users will not exist in ONARKEN® until their first locker scan, therefore, cannot use My ONARKEN® or have Drop Off / Collections arranged for them until they use the lockers.
- Amendments to users' details, such as a change of email address, card number or name, will not be updated until they re-scan at the lockers.
- Card numbers must exist within your Active Directory.
LDAP Self-Registration
The ONARKEN® LDAP Self-Registration integration works as follows: when a card number is scanned for the first time, the user is asked to enter their Active Directory login credentials. If they are successfully authenticated and are granted permission to use the Smart Lockers, ONARKEN® matches the card number with the user. All subsequent reads check the user against Active Directory via their email address.
Why pick LDAP Self-Registration?
- Users are authenticated live against your Active Directory when scanning.
- Card numbers do not need to be stored within your Active Directory.
Drawbacks of LDAP Self-Registration
- Users are only updated during the locker scan process, therefore users that no longer exist will not be removed from ONARKEN® until an automatic purge date.
- Users will not exist in ONARKEN® until their first locker scan; therefore, they cannot use My ONARKEN® or have Drop Off / Collections arranged for them until they use the lockers.
- Self-registration for a fresh intake of users can be a time-consuming process.
- Users can register to use the service with any compatible ID card therefore this may not match your internal card management system.