Mobile Endpoint Security

Lookout Product Documentation

Setting up AAD SSO for Multi-Tenancy Administrators

To use Azure Active Directory as your Identity Provider (IdP) for users logging into the Multi-Tenancy Admin Console:

  1. Log in to the Azure Active Directory admin center as an AAD Global Administrator.
  2. Create a Lookout Multi-Tenancy Administrators User Group and copy the Group Object ID.
    This is your "Super Admins" group.
  3. Add the users who should have access to the Multi-Tenancy Admin Console to the new User Group.
  4. Add users who should have Full Access Admin level permissions to the Lookout Full Access Admins User Group you created in Setting up AAD User Groups for Permission Levels.

    This group may include exactly the same members as the previous group, or you may wish to restrict Full Access permissions to a subset of those users.

  5. (Optional) If you have Multi-Tenancy Administrators who should have a different access level, add them to the corresponding group you created in Setting up AAD SSO groups for admin permission levels.
  6. Add the Microsoft Azure integration to the Multi-Tenancy Admin Console:
    1. In the Multi-Tenancy Admin Console, click Integrations in the left navigation bar.
    2. Under Choose a product to set up, click Microsoft Azure.
    3. Enter the AAD tenant ID and the Group Object IDs you copied earlier (the Super Admins group from Step 2 and the role groups from Setting up AAD User Groups for Permission Levels).

      For help finding the IDs, see Locating the AAD Tenant ID and Group Object IDs.

      Field: Value

      IDP Settings
        AAD tenant ID (required): Your Azure Active Directory tenant ID.

      Lookout Organization Access
        Access to this organization (required): The ID for the Lookout Multi-Tenancy Administrators group created in Step 2. This is the group that contains all Super Admin users.

      Lookout Role Permissions
        Full access (required): The ID for the Lookout Full Access Admins group.
        Restricted access: The ID for the Lookout Restricted Access Admins group.
        Read only: The ID for the Lookout Read Only Admins group.
        Invites only: The ID for the Lookout Invite Only Admins group.

      AAD users must belong to both the Organization Access group and exactly one of the configured Lookout Role Permissions groups. If they do not belong to both, they cannot log into the console.

  7. Click Create Integration.
  8. In AAD, approve the Lookout permissions request to grant access.
    You must be logged into AAD as a Global Administrator.
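The membership rule above (Organization Access group plus exactly one role group) is easy to get wrong when several AAD groups overlap. The following is an added example, not Lookout's own code, that resolves which console role a user would receive from the group IDs in their token so you can audit assignments before enabling the integration. All Object IDs and user names are constructed placeholders; treating membership in more than one role group as a denial is my reading of "exactly one", not a documented behaviour of the console.

```python
"""Added example (not Lookout's code): resolve the console role an AAD user
would get from the group IDs in their token, per the rule on this page: the
user must be in the Organization Access group AND exactly one role group.
Group IDs are constructed placeholders, not real Object IDs."""
from typing import Mapping, Optional, Sequence

# Constructed placeholder Object IDs, standing in for the values copied from AAD.
ORG_ACCESS_GROUP = "00000000-0000-0000-0000-00000000aaaa"  # Multi-Tenancy Administrators
ROLE_GROUPS = {
    "full_access":       "00000000-0000-0000-0000-00000000bbbb",
    "restricted_access": "00000000-0000-0000-0000-00000000cccc",
    "read_only":         "00000000-0000-0000-0000-00000000dddd",
    "invites_only":      "00000000-0000-0000-0000-00000000eeee",
}

def resolve_role(user_groups: Sequence[str],
                 org_group: str = ORG_ACCESS_GROUP,
                 role_groups: Mapping[str, str] = ROLE_GROUPS) -> Optional[str]:
    """Return the role the user would be granted, or None if login is denied.

    Denied when the user is not in the org-access group, is in no role group,
    or is in more than one role group (ambiguous: refused rather than silently
    picking the most privileged role). GUID comparison is case-insensitive."""
    members = {g.lower() for g in user_groups}
    if org_group.lower() not in members:
        return None
    matched = [role for role, gid in role_groups.items() if gid.lower() in members]
    return matched[0] if len(matched) == 1 else None

def audit(users: Mapping[str, Sequence[str]]) -> dict:
    """Map each user to the role they would resolve to (None = denied); handy
    for reviewing group assignments before enabling the integration."""
    return {upn: resolve_role(groups) for upn, groups in users.items()}

# Constructed sample memberships, as they might appear in a token's groups claim.
SAMPLE_USERS = {
    "alice@example.test": [ORG_ACCESS_GROUP, ROLE_GROUPS["full_access"]],
    "bob@example.test":   [ROLE_GROUPS["read_only"]],             # missing org group
    "carol@example.test": [ORG_ACCESS_GROUP],                     # no role group
    "dave@example.test":  [ORG_ACCESS_GROUP, ROLE_GROUPS["full_access"],
                           ROLE_GROUPS["read_only"]],             # two role groups
}

if __name__ == "__main__":
    for upn, role in audit(SAMPLE_USERS).items():
        print(f"{upn}: {role or 'DENIED'}")
```

Feed `audit` the real group memberships exported from AAD (with the real Object IDs substituted for the placeholders) and any user resolving to None is one who will be locked out of the console.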