
Azure Active Directory

Snow Atlas supports configuring Azure Active Directory (AD) as a single sign-on (SSO) provider.

Note: "Azure Active Directory" (Azure AD) is the previous name for "Microsoft Entra ID".

The Snow Atlas Azure AD single sign-on application registration is configured as multi-tenant OpenID Connect (OIDC). The configuration options are already set with the permissions and settings required to function with Snow Atlas. You can also configure items such as user and access group assignments, as well as any Conditional Access policies that you want to apply to this registration.

Supported features

  • Service Provider (SP)-initiated SSO, when you sign in from Snow Atlas

  • User provisioning, which creates the user on first sign-in when enabled in Snow Atlas

Requirements

  • The user is an Azure AD administrator.

  • The user is a Snow Atlas system administrator.

Application permissions

The following permissions are already set in the Snow Atlas Azure AD single sign-on application registration:

Scope permission      Description
profile               Retrieves basic profile information about a user that is mapped to the user's profile in Snow Atlas.
email                 A user's primary email address, which is used to sign in to Snow Atlas and as contact information.
GroupMember.Read.All  The Microsoft Graph scope for reading the user's group membership, which is used to map groups to Snow Atlas permissions. This is for future group synchronization and will only be queried if the feature is configured.
User.Read             The Microsoft Graph scope for reading user information. This scope is implicitly required by GroupMember.Read.All.

Configuration required

You are required to configure your Azure AD for Snow Atlas.

Note: The user must have the email claim set in Azure AD. Setting only the User principal name is insufficient.

You need your organization's Azure AD tenant ID, which you can find in the Azure portal. For more information, see Find Azure Active Directory tenant ID.

You must also consent to the application permissions required by Snow Atlas for Azure AD SSO. For more information, see Consent to Azure Active Directory SSO permissions.

Claim mappings

The Azure AD given_name and family_name properties are mapped to the equivalent properties in Snow Atlas if they are not already populated.

OIDC authority

When you enable Use tenant OIDC authority, authorization requests are sent directly to your Azure tenant's authority instead of through the Azure AD common authorization endpoint. If you have Azure B2B guest accounts that access Snow Atlas, you must select this option in your Azure AD SSO provider in Snow Atlas. See Manage single sign-on providers.
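The three claim rules stated on this page (the email claim is mandatory and a User principal name alone does not suffice; given_name and family_name only fill empty profile fields; with a tenant-specific OIDC authority only tokens issued by that tenant are accepted) are shown together below as an added example. It is not Snow Atlas or Microsoft code. It assumes the ID token's signature, audience and expiry were already verified by an OIDC library, that the token carries the Azure AD v2.0 claim names (iss, tid, email, preferred_username, given_name, family_name), and it uses a placeholder tenant ID and constructed claim sets.

```python
"""Post-signature claim checks for an Azure AD (Microsoft Entra ID) ID token.

Added example, not Snow Atlas code. Assumes signature, audience and expiry were
already verified by an OIDC library; only the claim policy from the page remains:
  * tenant-specific authority: the issuer must be the configured tenant's v2.0 issuer;
  * the email claim is mandatory (a UPN in preferred_username is not enough);
  * given_name / family_name fill the local profile only when it is empty.
"""
from dataclasses import dataclass
from typing import Optional

# Issuer format of Azure AD v2.0 tokens. The tenant ID is a constructed placeholder.
ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tenant_id}/v2.0"
TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real tenant


class ClaimPolicyError(ValueError):
    """Raised when the token does not satisfy the sign-in claim policy."""


@dataclass
class Profile:
    email: str
    given_name: Optional[str] = None
    family_name: Optional[str] = None


def expected_issuer(tenant_id: str) -> str:
    return ISSUER_TEMPLATE.format(tenant_id=tenant_id)


def check_claims(claims: dict, tenant_id: str) -> str:
    """Return the sign-in email if the claims pass; raise ClaimPolicyError otherwise."""
    # Tenant authority: only tokens issued for the configured tenant are accepted,
    # so a valid token from any other Azure AD tenant is rejected here.
    if claims.get("iss") != expected_issuer(tenant_id) or claims.get("tid") != tenant_id:
        raise ClaimPolicyError("token was not issued by the configured tenant")
    # The email claim is mandatory; preferred_username (the UPN) does not substitute for it.
    email = claims.get("email")
    if not email:
        raise ClaimPolicyError("email claim missing; a User principal name alone is insufficient")
    return email


def map_name_claims(profile: Profile, claims: dict) -> Profile:
    """Copy given_name / family_name from the token only into empty profile fields."""
    if not profile.given_name and claims.get("given_name"):
        profile.given_name = claims["given_name"]
    if not profile.family_name and claims.get("family_name"):
        profile.family_name = claims["family_name"]
    return profile


def sign_in(claims: dict, existing: Optional[Profile] = None) -> Optional[Profile]:
    """Return the resulting profile, or None when the claim policy rejects the token."""
    try:
        email = check_claims(claims, TENANT_ID)
    except ClaimPolicyError:
        return None
    profile = existing or Profile(email=email)  # provisioning on first sign-in
    return map_name_claims(profile, claims)


# Constructed sample claim sets (no signature; shapes follow Azure AD v2.0 ID tokens).
GOOD_CLAIMS = {
    "iss": expected_issuer(TENANT_ID),
    "tid": TENANT_ID,
    "email": "alice@example.com",
    "preferred_username": "alice@example.com",
    "given_name": "Alice",
    "family_name": "Example",
}
UPN_ONLY_CLAIMS = {  # has a UPN but no email claim
    "iss": expected_issuer(TENANT_ID),
    "tid": TENANT_ID,
    "preferred_username": "bob@example.com",
}
OTHER_TENANT_CLAIMS = {  # well-formed token from a different (placeholder) tenant
    "iss": expected_issuer("11111111-1111-1111-1111-111111111111"),
    "tid": "11111111-1111-1111-1111-111111111111",
    "email": "carol@example.net",
}

if __name__ == "__main__":
    print(sign_in(GOOD_CLAIMS))          # provisioned profile with names filled from the token
    print(sign_in(UPN_ONLY_CLAIMS))      # None: email claim missing
    print(sign_in(OTHER_TENANT_CLAIMS))  # None: wrong tenant
```

The issuer and tid check is what the "Use tenant OIDC authority" option buys you at the relying-party side: a multi-tenant registration will receive well-formed tokens from any tenant that consented, so accepting a token must be tied to the tenant you configured rather than to signature validity alone. The email check mirrors the note above that a User principal name by itself does not satisfy Snow Atlas sign-in.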

Snow Software does not own the third party trademarks, software, products, or tools (collectively, the "Third Party Products") referenced herein. Third Party Product updates, including user interface updates, may not be reflected in this content.