CLASS: Setting up Microsoft Authentication

Updated: 11 October 2021

 

To set up Microsoft Authentication in CLASS for the first time, your Centre will need to follow the steps below.

The process differs depending on whether or not your Centre's CLASS Administrator is also your Azure/Microsoft Administrator.

We've put together two guides to help you with this process.

What you will need

  • An existing Microsoft Cloud tenant for your Organisation
  • Access to Azure Active Directory with any of the following roles:
    • Global Administrator
    • Application Administrator
    • Cloud Application Administrator
  • Access to a CLASS user account in your Centre's database with the CLASS Admin - Advanced role

Step 1: Obtain your Azure Tenant ID

You can get your Tenant ID by following the instructions from Microsoft.

Step 2: Enter your Tenant ID into CLASS Authentication Portal

  1. Log in to the CLASS Authentication portal with your usual CLASS username and password.
  2. Click on System Settings in the bottom left of your screen.
  3. Click on Centre Profile in the top left of your screen.
  4. Paste the Tenant ID in the AD Tenant ID field in the General Information group.
  5. Click Save & Close.

Step 3: Update your Username to match your Microsoft User Principal Name

  1. From System Settings click on User Accounts.
  2. Navigate the user list to locate your account - open it by clicking on the hyperlink in the Username column.
  3. Make sure your Username matches with your Microsoft User Principal Name ('UPN') - this is the same as the Username you use to sign into Microsoft. You can get more information about UPN here.
  4. If it doesn't, click Change Username underneath the Username field in the Login Credential group.
  5. In the window that pops up, enter the UPN into the New Username field.
  6. Click Save & Close.

You only need to do this step for yourself. We have a template you can fill out for all other users as this will be much faster.

Step 4: Grant Permissions to the CLASS AAD Application

  1. Visit the User Registration portal, click Sign in with Microsoft, and follow the prompts to sign into your Microsoft account.
  2. You will be asked to consent on behalf of your organisation to grant permissions to the CLASS Azure Active Directory Application in your Tenant.
    1. To accept, tick Consent on behalf of your organisation; and
    2. Click Accept.
  3. Success! The CLASS AAD Application should now be visible in Azure Active Directory under Enterprise Applications.

This step only needs to be completed once per Azure Tenant.

Warning: Once the live version of CLASS is switched over to Azure Active Directory authentication in November you will be unable to access CLASS without it. If you have concerns about granting permissions at this step please contact us urgently.

Step 5: Claim your Username in the CLASS AAD Application and verify access

  1. Once you click Accept to the Azure AAD application, you will be taken to the User Registration page:
    1. Click Save My Claim; and
    2. Sign out.
  2. Wait at least 10 minutes for the AD Object ID field to be populated against your CLASS User record in the CLASS Authentication portal. 
  3. Navigate to the CLASS Login Test site.
  4. Click Single Sign On and follow any Microsoft login prompts. If the Message Board is visible, it has worked! Hover over your name in the top right corner and click Sign out.

Congratulations! Your CLASS User Account is now configured for Microsoft Single Sign on.

Tip: You can check to see if your User account has connected to the CLASS Authentication portal by closing and re-opening your user account.

Azure Administrator will need

  • An existing Microsoft Cloud tenant for your Organisation
  • Access to a network with an IP address in our IP whitelist
  • Access to Azure Active Directory with any of the following roles:
    • Global Administrator
    • Application Administrator
    • Cloud Application Administrator

CLASS Administrator will need

  • A CLASS user account in your Centre's database with the CLASS Admin - Advanced role
  • A Microsoft account in the same tenant being administered by the Azure Administrator (this user does not need elevated permissions in Azure)

Step 1: Obtain your Azure Tenant ID - Azure Admin

You can get your Tenant ID by following the instructions from Microsoft.

Step 2: Enter your Tenant ID into CLASS Authentication Portal - CLASS Admin

  1. Log in to the CLASS Authentication portal with your usual CLASS username and password.
  2. Click on System Settings in the bottom left of your screen.
  3. Click on Centre Profile in the top left of your screen.
  4. Paste the Tenant ID in the AD Tenant ID field in the General Information group.
  5. Click Save & Close.

Step 3: Update your Username to match your Microsoft User Principal Name - CLASS Admin

  1. From System Settings click on User Accounts.
  2. Navigate the user list to locate your account - open it by clicking on the hyperlink in the Username column.
  3. Make sure your Username matches with your Microsoft User Principal Name ('UPN') - this is the same as the Username you use to sign into Microsoft. You can get more information about UPN here.
  4. If it doesn't, click Change Username underneath the Username field in the Login Credential group.
  5. In the window that pops up, enter the UPN into the New Username field.
  6. Click Save & Close.

You only need to do this step for yourself. We have a template you can fill out for all other users as this will be much faster.

Step 4: Grant Permissions to the CLASS AAD Application - Azure Admin

  1. Visit the User Registration portal, click Sign in with Microsoft, and follow the prompts to sign into your Microsoft account.
  2. You will be asked to consent on behalf of your organisation to grant permissions to the CLASS Azure Active Directory Application in your Tenant.
    1. To accept, tick Consent on behalf of your organisation; and
    2. Click Accept.
  3. Success! The CLASS AAD Application should now be visible in Azure Active Directory under Enterprise Applications.

This step only needs to be completed once per Azure Tenant.

Note: To access any of the sites in this document you need to be on our CLASS IP whitelist - if you get a timeout please contact us to get you added temporarily in order to complete the setup.

Warning: Once the live version of CLASS is switched over to Azure Active Directory authentication in November you will be unable to access CLASS without it. If you have concerns about granting permissions at this step please contact us urgently.

Step 5: Claim your Username in the CLASS AAD Application and verify access - CLASS Admin

  1. Once your Azure Admin has completed step 4, you will also need to sign into the User Registration page. From there, simply:
    1. Click Save My Claim; and
    2. Sign out.
  2. Wait at least 10 minutes for the AD Object ID field to be populated against your CLASS User record in the CLASS Authentication portal. What if the ID doesn't sync?
  3. Navigate to the CLASS Login Test site.
  4. Click Single Sign On and follow any Microsoft login prompts. If the Message Board is visible, it has worked! Hover over your name in the top right corner and click Sign out.

Congratulations! Your CLASS User Account is now configured for Microsoft Single Sign on.

Tip: You can check to see if your User account has connected to the CLASS Authentication portal by closing and re-opening your user account.

 

Troubleshooting

We have found some Azure environments have been configured with policies to deny end-user access to Cloud Applications. There are two separate settings that may cause this issue. They are:

  1. User assignment; and
  2. End-user consent

An Azure Administrator will need to amend these policies so that users can grant the CLASS AAD Application consent to sync their own user data.

You do not need to grant users permission to save their claim through the registration website. If you don't, the CLASS Admin will need to manually paste the AD Object ID into the user account in CLASS. New CLASS users created after MFA is implemented will receive a link to this site in place of the password reset link they currently get, so you will also need to tell users to ignore this link.
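
A read-only way for the Azure Administrator to inspect the two settings named above, and to review what the consent in Step 4 granted, using Microsoft Graph PowerShell. This is an added example, not part of the CLASS documentation; `$AppDisplayName` is a placeholder for the name the CLASS application shows under Enterprise Applications, and the script assumes the Microsoft.Graph module is installed.

```powershell
# Added example: read-only checks, nothing in the tenant is changed.
# Requires the Microsoft.Graph PowerShell module.
param(
    [Parameter(Mandatory)] [string] $TenantId,
    # Placeholder: the name shown for the CLASS application under Enterprise Applications.
    [Parameter(Mandatory)] [string] $AppDisplayName
)

# The Tenant ID pasted into CLASS in Step 2 is a GUID; catch copy/paste errors early.
$parsed = [guid]::Empty
if (-not [guid]::TryParse($TenantId.Trim(), [ref] $parsed)) {
    throw "Tenant ID '$TenantId' is not a valid GUID."
}

Connect-MgGraph -TenantId $parsed.ToString() `
    -Scopes 'Application.Read.All', 'Policy.Read.All', 'Directory.Read.All' | Out-Null

# Single quotes are doubled so the name cannot break out of the OData filter string.
$name = $AppDisplayName.Replace("'", "''")
$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$name'")
if ($sp.Count -ne 1) {
    throw "Expected exactly one enterprise application named '$AppDisplayName', found $($sp.Count)."
}
$sp = $sp[0]

# Setting 1: user assignment. When true, only assigned users or groups can sign in.
$assignmentRequired = [bool] $sp.AppRoleAssignmentRequired

# Setting 2: end-user consent. Tenant-wide user consent is controlled by the
# ManagePermissionGrantsForSelf.* entries; none present means users cannot consent.
$policy = Get-MgPolicyAuthorizationPolicy
$selfConsent = @($policy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned |
    Where-Object { $_ -like 'ManagePermissionGrantsForSelf.*' })

[pscustomobject]@{
    Application            = $sp.DisplayName
    UserAssignmentRequired = $assignmentRequired
    UserConsentPolicies    = if ($selfConsent) { $selfConsent -join ', ' } else { '(none: user consent disabled)' }
}

# What Step 4 granted: AllPrincipals rows are the tenant-wide admin consent,
# Principal rows are consents given by individual users.
Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" |
    Select-Object ConsentType, PrincipalId, Scope
```

The Scope column lists the delegated permissions the application holds in your tenant, which is worth reviewing before the consent in Step 4 is treated as complete.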