Registering Multitenant Support

This procedure describes how to allow access to OVOC for operators from multiple Azure tenants. It registers the Main Tenant, which includes the OVOC system operators that belong to mapped Azure Groups. After performing this procedure, add operators for external tenants and assign roles to those operators you wish to allow access to OVOC (Add External Tenant Operators and Assign Roles):

Registered Service Provider Tenants
Registered Channels
Registered Customers

Once multitenancy is enabled in this procedure, guest user login is not supported for either Main Tenant or external tenant guest users.

To configure OVOC multitenancy:
1. Log in to the Azure portal as Global Administrator.
2. In the Navigation pane, select App registrations and then click New registration.

App Registrations

New Registration

3. Enter the name of the OVOC registration tenant.
4. Under Implicit grant and hybrid flows, select Accounts in any organizational directory (Any Azure AD Directory - Multitenant).
5. Click Register.

The newly registered application is displayed.

New Registered Application

6. Double-click the new application, i.e. OVOCAdmin (in this example), to configure it.
7. In the navigation pane, select Certificates & secrets.

Certificates & secrets

8. Click New client secret.

New client secret

9. Enter a description and from the drop-down list select 24 months.
10. Click Add.

Client Secret Generated

11. Copy the secret Value to the clipboard, as it is required in later configuration and cannot be retrieved once you leave this screen.
12. In the navigation pane, select Authentication.

Authentication

13. Under Implicit grant and hybrid flows, select "ID tokens".
14. Click Save.
15. In the Navigation pane, select Token configuration.

Token Configuration-Add

16. Click Add optional claim, choose ID type, then select the upn optional claim and click Add to confirm.

Turn on Profile Permission

17. Select the Turn on the Microsoft Graph profile permission check box and then click Add. This adds the Profile permission to the API permissions list.

Optional claims Added

This configuration assumes that all operators have been added to the Active Directory in UPN format, e.g. Johnb@firm.com. If operators have been added in email format, e.g. John.Brown@firm.com, they will not be able to connect to OVOC in the multitenancy setup.

18. In the Navigation pane, select API permissions.

API Permissions

19. Click Add a permission and then click the Microsoft Graph link.

Delegated permissions

20. Click Delegated permissions.
21. Select permission User.Read.All and then click Add permissions.

Delegated permissions

The configured API permissions are displayed.

Configured API Permissions

22. Click the Grant admin consent for <Tenant_Name> link to grant consent for the requested permissions for all accounts in this tenant, and then click Yes to confirm.

Grant Admin Consent for all Accounts

23. In the Navigation pane, select App roles and then click Create app role.

App roles

24. Create an app role with Admin permissions:
a. In the Display Name field, enter "Administrators" or "Admins".
b. Select the Users/Groups check box.
c. Enter the value "OVOCAdmin".
d. Select the "Do you want to enable this app role?" check box.
e. Click Apply.

Admin Role

25. Repeat the above steps to create an app role with Operator permissions with value "OVOCOperator".

Operator Role

26. Repeat the steps described for adding "Admin" role above to create an app role with Monitor permissions with value "OVOCMonitor".

Operator Role

27. Repeat the steps described for adding "Admin" role above to create an app role with Monitor permissions with value "OVOCOperatorLite".

OVOC Operator Lite

The new roles are displayed:

App roles

28. In the Navigation pane, select the Overview page for the application.

Overview Page

29. Note the following values, as they must later be configured in Configuring OVOC Web Azure Settings - Multitenant Setup:
Application (client) ID
Directory (tenant) ID
30. Add Main Tenant Azure groups and add members as described in Create Azure Groups and Assign Members.
31. Add operators of external tenants and assign them roles as described in Add External Tenant Operators and Assign Roles.
32. Configure Azure settings in OVOC Web as described in Configuring OVOC Web Azure Settings - Multitenant Setup.
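
The registration above produces ID tokens that carry the upn optional claim and a roles claim holding the app role values. The following is an added example, not OVOC code, of the claim checks that matter once an application accepts sign-ins from any Azure AD directory. It assumes a JWT library has already verified signature and expiry; the IDs, the role precedence order and the function names are constructed for illustration.

```python
# Added example, not OVOC code. Assumes a JWT library has already verified the
# ID token's signature, expiry and nonce; this only evaluates the claims.
ROLE_PRIORITY = ("OVOCAdmin", "OVOCOperator", "OVOCOperatorLite", "OVOCMonitor")  # order assumed

# Constructed sample values (placeholders, not real IDs).
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
MAIN_TENANT = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
EXTERNAL_TENANT = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
UNKNOWN_TENANT = "cccccccc-cccc-cccc-cccc-cccccccccccc"


def evaluate(claims, client_id, allowed_tenants):
    """Return (role, reason); role is None when the token must be rejected."""
    if claims.get("aud") != client_id:
        return None, "aud is not this application's client ID"
    tid = str(claims.get("tid", "")).lower()
    if tid not in {t.lower() for t in allowed_tenants}:
        return None, "tenant is not registered"
    # A multitenant app sees a different issuer per tenant, so bind iss to tid.
    issuers = {f"https://login.microsoftonline.com/{tid}/v2.0",
               f"https://sts.windows.net/{tid}/"}
    if claims.get("iss") not in issuers:
        return None, "iss does not match tid"
    upn = claims.get("upn")
    if not isinstance(upn, str) or upn.count("@") != 1:
        return None, "upn claim missing or malformed"
    roles = claims.get("roles") or []
    if isinstance(roles, str):
        roles = [roles]
    for role in ROLE_PRIORITY:  # highest-privilege role wins
        if role in roles:
            return role, f"{upn} accepted"
    return None, "no OVOC app role assigned"


def sample(tid, roles, upn="Johnb@firm.com", iss_tid=None):
    """Build constructed claims for the demo."""
    claims = {"aud": CLIENT_ID, "tid": tid, "roles": roles,
              "iss": f"https://login.microsoftonline.com/{iss_tid or tid}/v2.0"}
    if upn:
        claims["upn"] = upn
    return claims


if __name__ == "__main__":
    allowed = [MAIN_TENANT, EXTERNAL_TENANT]
    for c in (sample(MAIN_TENANT, ["OVOCMonitor", "OVOCAdmin"]),
              sample(UNKNOWN_TENANT, ["OVOCAdmin"]),
              sample(EXTERNAL_TENANT, ["OVOCOperator"], iss_tid=MAIN_TENANT),
              sample(EXTERNAL_TENANT, ["OVOCOperator"], upn=None),
              sample(MAIN_TENANT, [])):
        print(evaluate(c, CLIENT_ID, allowed))
```

The tenant allow-list is the control that matters most here: with the multitenant account type selected, Azure will issue a token for a user in any directory, so the relying side has to decide which tenant IDs it accepts.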