home

Mobile Endpoint Security

Mobile Endpoint SecuritySecurity Service Edge
Mobile Endpoint SecuritySecurity Service Edge

Lookout Product Documentation

Find answers about using and optimizing Lookout products.

Show Contents

Mobile Endpoint Security

Setting up Lookout Tenants for Multi-Tenancy

Setting up AAD SSO for a New Tenant

If you wish to use Azure Active Directory as your Identity Provider (IdP), you must configure the integration with Lookout on each tenant:

  1. Log in to the Azure Active Directory admin center as an AAD Global Administrator.
  2. Create a new tenant-specific User Group named Lookout <Tenant > Console Users and copy the Group Object ID.
  3. Add users who should have access to that tenant to the new User Group.

    For example, if you are setting up the MyCompany EU tenant, create a Lookout EU Console Users User Group and add your EU Lookout admins.

  4. Add the Microsoft Azure integration to the Lookout MES Console:
    1. In the Multi-Tenancy Admin Console, click Tenants in the left navigation bar.
    2. Click the tenant to configure.
    3. Click Manage Tenant in the upper-right.

      A banner displays to inform you that you are now viewing the console for that tenant.

    4. In the tenant console, click Integrations in the left navigation bar.
    5. Under Choose a product to set up, click Microsoft Azure.
    6. Enter the AAD Group Object IDs for the permission level group(s) you created in Setting up AAD SSO groups for permission levels, and the tenant access group you created in Step 2.

      For help finding the IDs, see Locating the AAD Tenant ID and Group Object IDs:

      FieldValue
      IDP Settings
      AAD tenant ID (required)Your Azure Active Directory tenant ID.
      Lookout Tenant Access
      Access to this tenant (required)

      The ID for the Lookout <Tenant > Console Users

      group created in Step 2.

      Lookout Role Permissions
      Full access (required)The ID for the Lookout Full Access Admins group created in Setting up AAD SSO groups for permission levels.
      Restricted accessThe ID for the Lookout Restricted Access Admins group created in Setting up AAD SSO groups for permission levels.
      Read onlyThe ID for the Lookout Read Only Admins group created in Setting up AAD SSO groups for permission levels.
      Invites onlyThe ID for the Lookout Invite Only Admins group created in Setting up AAD SSO groups for permission levels.

      AAD Users must belong to both the Tenant Access group and exactly one of the configured Lookout Role Permissions groups. If they do not belong to both, they cannot log into the console.

  5. Click Create Integration.
  6. From AAD, grant the Lookout permissions request to grant access.
    You must be logged into AAD as a Global Administrator.

Last updated: September 30, 2024

lookout-footer

Legal Privacy Policy Cookie Policy Transparency Report Compliance Info Compliance Info (Gov)

© 2024 Lookout, Inc. LOOKOUT®, the Lookout Shield Design®, LOOKOUT with Shield Design® and the Lookout multi-color/multi-shaded Wingspan Design® are registered trademarks of Lookout, Inc. in the United States and other countries. DAY OF SHECURITY®, LOOKOUT MOBILE SECURITY®, and POWERED BY LOOKOUT® are registered trademarks of Lookout, Inc. in the United States. Lookout, Inc. maintains common law trademark rights in EVERYTHING IS OK, PROTECTED BY LOOKOUT, CIPHERCLOUD, and the 4 Bar Shield Design.