Setting up AAD SSO for a New Tenant
If you wish to use Azure Active Directory as your Identity Provider (IdP), you must configure the integration with Lookout on each tenant:
- Log in to the Azure Active Directory admin center as an AAD Global Administrator.
- Create a new tenant-specific User Group named Lookout <Tenant > Console Users and copy the Group Object ID.
- Add users who should have access to that tenant to the new User Group.
For example, if you are setting up the MyCompany EU tenant, create a Lookout EU Console Users User Group and add your EU Lookout admins.
- Add the Microsoft Azure integration to the Lookout MES Console:
- In the Multi-Tenancy Admin Console, click Tenants in the left navigation bar.
- Click the tenant to configure.
- Click Manage Tenant in the upper-right.
A banner displays to inform you that you are now viewing the console for that tenant.
- In the tenant console, click Integrations in the left navigation bar.
- Under Choose a product to set up, click Microsoft Azure.
- Enter the AAD Group Object IDs for the permission level group(s) you created in Setting up AAD SSO groups for permission levels, and the tenant access group you created in Step 2.
For help finding the IDs, see Locating the AAD Tenant ID and Group Object IDs:
Field Value IDP Settings AAD tenant ID (required) Your Azure Active Directory tenant ID. Lookout Tenant Access Access to this tenant (required) The ID for the Lookout <Tenant > Console Users
group created in Step 2.
Lookout Role Permissions Full access (required) The ID for the Lookout Full Access Admins group created in Setting up AAD SSO groups for permission levels. Restricted access The ID for the Lookout Restricted Access Admins group created in Setting up AAD SSO groups for permission levels. Read only The ID for the Lookout Read Only Admins group created in Setting up AAD SSO groups for permission levels. Invites only The ID for the Lookout Invite Only Admins group created in Setting up AAD SSO groups for permission levels. AAD Users must belong to both the Tenant Access group and exactly one of the configured Lookout Role Permissions groups. If they do not belong to both, they cannot log into the console.
- Click Create Integration.
- From AAD, grant the Lookout permissions request to grant access.You must be logged into AAD as a Global Administrator.