- Getting started
- Best practices
- Tenant
- About the Tenant Context
- Searching for Resources in a Tenant
- Managing Robots
- Connecting Robots to Orchestrator
- Storing Robot Credentials in CyberArk
- Storing Unattended Robot Passwords in Azure Key Vault (read only)
- Storing Unattended Robot Credentials in HashiCorp Vault (read only)
- Storing Unattended Robot Credentials in AWS Secrets Manager (read only)
- Deleting Disconnected and Unresponsive Unattended Sessions
- Robot Authentication
- Robot Authentication With Client Credentials
- SmartCard Authentication
- Audit
- Settings - Tenant Level
- Resource Catalog Service
- Folders Context
- Automations
- Processes
- Jobs
- Triggers
- Logs
- Monitoring
- Queues
- Assets
- Storage Buckets
- Test Suite - Orchestrator
- Other Configurations
- Integrations
- Classic Robots
- Host administration
- About the host level
- Managing system administrators
- Managing tenants
- Managing your host license
- Configuring system email notifications
- Audit logs for the host portal
- Maintenance Mode
- Organization administration
- Troubleshooting
Setting up the Azure AD integration
If your organization is using Azure Active Directory (Azure AD) or Office 365, you can connect your Orchestrator organization directly to your Azure AD tenant to see existing user accounts in your UiPath® environment.
The Azure AD integration allows you to continue leveraging local user model, if you want, while bootstrapping your organization with the additional benefits of using Azure AD.
If you have decided to use Azure AD for your organization, follow the instructions on this page to set up the integration.
To set up the Azure AD integration, you need:
- admin permissions in both Orchestrator and Azure AD (if you don't have admin permissions in Azure, collaborate with an Azure administrator to complete the setup process);
- an organization administrator UiPath account that uses the same email address as an Azure AD user; the Azure AD user does not require admin permissions in Azure;
- UiPath Studio and Assistant version 2020.10.3 or later;
- UiPath Studio and Assistant to use the recommended deployment.
- if you previously used local user accounts, make sure that all your Azure AD users have the email address in the Mail field; having the email address in the User Principle Name (UPN) field alone is not enough. The Azure AD integration links directory user accounts with the local user accounts if the email addresses match. This allows users to retain permissions when they transition from signing in with their local user account to the Azure AD directory user account.
appid
query parameter in a dedicated URL, as described in Microsoft's access tokens documentation.
Your organization requires an app registration in your Azure AD tenant and some configuration so that it can view your AD members to establish account identity. The app registration details are also required to later connect your organization to your Azure AD tenant.
Permissions: You must be an administrator in Azure to perform the tasks in this section. The following Azure administrator roles have the required privileges: Global Administrator, Cloud Application Administrator, or Application Administrator.
There are two ways to set up your Azure tenant for the integration:
- Follow the instructions below to manually configure an app registration for the integration.
- Use the UiPath Azure AD scripts that we created for this task, which are available on GitHub: The configAzureADconnection.ps1 script performs all the actions described in this section and returns the app registration details. Then you can run the testAzureADappRegistration.ps1 script to make sure the app registration was successful.
To manually configure your Azure tenant, do the following in Azure Portal:
After Azure setup is complete, you can prepare for the integration, activate it, and then clean up old accounts.
The process is broken down in stages so that there is no disruption for your users.
Permissions: You must be an administrator in Orchestrator to perform the tasks in this section.
When you connect Orchestrator to Azure AD by activating the integration, accounts with matching email addresses are linked so that the Azure AD account benefits from the same permissions as the matching UiPath account.
If your organization practices email recycling, meaning that an email address that was used in the past could be assigned to a new user in the future, this could lead to a risk of elevated access.
Example
john.doe@example.com
and this employee had a UiPath account where he was an organization administrator, but has since left the company and the
email address was deactivated, but the user was not removed.
john.doe@example.com
email address. In such a case, John Doe inherits organization administrator privileges.
To prevent such situations, make sure you remove all users who are no longer active from Orchestrator before proceeding to the next step.
Before you begin
- Make sure that Azure configuration is complete.
- Obtain the Directory (tenant) ID, Application (client) ID, and Client Secret values for the app registration in Azure from your Azure administrator.
Now you can work with the users and groups in the linked tenant's Azure AD. You can find Azure AD users and groups using search, for example to add a user to a group. Also see the below FAQs for more information about what changes after the integration is active.
To check that the integration is running from Orchestrator, sign in as an organization administrator with an Azure AD account and try to search for Azure AD users and groups on any related page, such as the Edit Group panel in Orchestrator (Admin > Accounts and Groups > Groups > Edit).
-
If you can search for users and groups that originate in Azure AD, it means the integration is running. You can tell the type of user or group by its icon .
Note: Users and groups from Azure AD are not listed in the Users page or the Groups page, they are only available through search. -
If you encounter an error while trying to search for users, as shown in the example below, this indicates that there is something wrong with the configuration in Azure. Reach out to your Azure administrator and ask them to check that Azure is set up as described in Configuring Azure for the Integration above on this page.
Tip: Ask your Azure administrator to confirm that they selected the Grant admin consent check box during Azure configuration. This is a common cause why the integration fails.
After the integration is active, we recommend that you follow the instructions in this section to ensure that user creation an group assignations are handed off to Azure AD. This way you can build on top of your existing identity and access management infrastructure for easier governance and access management control over the resources of your Orchestrator organization.
You can do this to ensure that the Azure administrator can also onboard new users with the same permissions and robot configuration for Orchestrator and other services that you had set up prior to the integration. They can do this by adding any new users to an Azure AD group if the group has the required roles already assigned in Orchestrator.
You can map your existing user groups from Orchestrator to new or existing groups in Azure AD. You can do this in several ways, depending on how you use groups in Azure AD:
- If users with the same roles in Orchestrator are already in the same groups in Azure AD, the organization administrator can add these Azure AD groups to the Orchestrator user groups that these users were in. This ensures that users keep the same permissions and robot setup.
- Otherwise, the Azure administrator can create new groups in Azure AD to match the ones in Orchestrator and add the same users that are in the Orchestrator user groups. Then the organization administrator can add the new Azure AD groups to the existing user groups to ensure the same users have the same roles.
In either case, make sure you check for any roles that were assigned to accounts. If possible, eliminate the explicit role assignments by adding these users to groups that have the roles that were explicitly assigned.
Example: Let's say the Administrators group in Orchestrator includes the users Roger, Tom, and Jerry. These same users are also in a group in Azure AD called admins. The organization administrator can add the admins group to the Administrators group in Orchestrator. This way, Roger, Tom, and Jerry, as members of the admins Azure AD group, all benefit from the roles of the Administrators group.
Because admins is now part of the Administrators group, when you need to onboard a new administrator, the Azure administrator can add the new user to the admins group in Azure, thus granting them administration permissions in Orchestrator without having to make any changes in Orchestrator.
Changes to Azure AD group assignments apply in Orchestrator when the user logs in with their Azure AD account, or if already logged in, within an hour.
Initial sign in: For the permissions assigned to Azure AD users and groups to apply, users must sign in at least one time. We recommend that, after the integration is running, you communicate to all your users to sign out of their UiPath account and sign in again with their Azure AD account. They can sign in with their Azure Ad account by:
- navigating to the organization-specific URL, in which case the sign in type is already selected;
-
by selecting Enterprise SSO on the main login page.
Note: Make sure you provide your organization-specific URL for Orchestrator to all your users. Only organization administrators can see this information in Orchestrator.
Migrated users benefit from the union of the permissions that were directly assigned to them and the ones from their Azure AD groups.
Configuring Studio and Assistant for users: To set up these products to connect with Azure AD accounts:
- In Assistant, open Preferences and select the Orchestrator Connection tab.
- Click Sign Out.
- For the connection type, select Service URL.
- In the Service URL field, add the organization-specific URL, for example
https://orchestrator.mydomain.local/
. - Sign back in with the Azure AD account.
Although optional, we recommend that you do this to maximize the core compliance and efficiency benefits of the complete integration between Orchestrator and Azure AD.
After all users have been migrated, you can remove the users which are based on personal local accounts from the Users tab, so that your users won't be able to sign in using their UiPath accounts anymore. You can find these accounts based on their user icons .
You can also clean up individual permissions in the UiPath services, such as the Orchestrator service, and remove individual users from Orchestrator groups so that permissions rely exclusively on Azure AD group membership.
Exception
If you decide to discontinue use of local accounts, we recommend that you keep at least one local account with the organization administrator role to use if you need to update the authentication settings for your organization. The Authentication Settings options are not active otherwise.
Here are a few useful pointers for advanced features you can leverage now that you have the Azure AD integration set up.
Because the integration with Azure AD is performed at the level of the Azure tenant, by default all Azure AD users can access the Orchestrator organization. The first time an Azure AD user signs in to Orchestrator, they are automatically included in the Orchestrator group Everyone, which grants them the User organization-level role .
If you want to only allow certain users to access your Orchestrator organization, you can activate user assignment for the Orchestrator app registration in Azure. This way, users need to be explicitly assigned to the app (Orchestrator) to be able to access it. For instructions, see this article in the Azure AD documentation.
If you want to only allow your users to access Orchestrator from a trusted network or a trusted device, you can use the Azure AD Conditional Access feature.
If you have created groups in Azure AD for easy Orchestrator onboarding directly from Azure AD, as described above in the section Configure groups for permissions and robots , you can use the advanced security options of Privileged Identity Management (PIM) for these groups to govern access requests for Orchestrator groups.
- Overview
- Prerequisites
- Configuring Azure for the integration
- Deploying the integration to Orchestrator
- Clean up inactive users
- Activate the Azure AD integration
- Test the Azure AD integration
- Completing the transition to Azure AD
- Configure groups for permissions and robots (optional)
- Migrate Existing Users
- Discontinue use of local accounts (optional)
- Best practices
- Restrict access to Orchestrator
- Restrict access to trusted networks or devices
- Governance for Orchestrator groups in Azure AD