This guide covers how to configure the Quicklaunch System Check-In Feature with Azure Active Directory (Azure AD).


Contents

1 Overview

2 Configuring Work Accounts

3 Configuring Work AND Microsoft Personal Accounts


1) Overview

Quicklaunch supports two configurations of System Check-In using Azure AD:


a) Work Accounts Only - only work accounts can authenticate using System Check-In. This includes Office 365 and/or integrated Azure AD accounts.

b) Personal Microsoft AND Work Accounts - both work accounts and personal Microsoft accounts can authenticate using System Check-In.


Differences between these two options from the user's perspective are shown in the table below:

 

| | a) Work Accounts only | b) Personal Microsoft and Work Accounts |
|---|---|---|
| Account selection | User is not prompted to select either a Work or a personal Microsoft account | User is prompted to select either a Work or a personal Microsoft account |
| Consent and permissions (see link below) | Will not be prompted for consent | Will be prompted for consent |


For more information from Microsoft about Admin consent please see: https://docs.microsoft.com/en-us/azure/active-directory/develop/application-consent-experience



2) Configuring Work Accounts Only


Subsections:

A) Register an Application in Azure Active Directory

B) Consent Process

C) Quicklaunch Configuration


2A) Register an Application in your Azure Active Directory


Step 1.
Log into https://portal.azure.com with an account that has the Global Administrator role.

Select Azure Active Directory, followed by App registrations


Step 2.

Select New application registration.


Step 3.
Enter the following information:


Name: Quicklaunch - System Checkin
Application Type: Select Native
Redirect URI: 
https://login.microsoftonline.com/common/oauth2/nativeclient

Press the Create button.


Step 4.

Confirm the application has been created.

Copy the Application ID somewhere for future use. The Application ID is needed when configuring Quicklaunch to use System Check-In.


Step 5.
Select Settings followed by Redirect URIs


Step 6.
Enter a 2nd Redirect URI. Use the URI listed below:


urn:ietf:wg:oauth:2.0:oob

Then press Save

This URI is needed by Quicklaunch to indicate that the request is a Desktop authentication request and to close the authentication browser window after the user's authentication has completed.


Step 7.
Using the left navigation menu, select Azure Active Directory then Enterprise applications.


Step 8.

In the presented list find and click on Quicklaunch - System Checkin


Step 9.
Once in the details for Quicklaunch - System Checkin, select the Permissions menu item. When the permissions screen is displayed, select Grant admin consent for [YOUR ORGANIZATION].
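
An added check, not part of the original guide or Quicklaunch's own code: it audits an exported app registration record against the settings entered in steps 3 to 6 of this section. It assumes the record uses the Microsoft Graph application layout (publicClient.redirectUris, web.redirectUris, passwordCredentials, signInAudience); the function name and the sample record are constructed for illustration.

```python
# Added example, not Quicklaunch or Microsoft code. The dict layout follows
# the Microsoft Graph "application" resource; the sample record is constructed.

EXPECTED_REDIRECT_URIS = {
    "https://login.microsoftonline.com/common/oauth2/nativeclient",
    "urn:ietf:wg:oauth:2.0:oob",
}

# Graph signInAudience values that admit personal Microsoft accounts.
PERSONAL_AUDIENCES = {"AzureADandPersonalMicrosoftAccount", "PersonalMicrosoftAccount"}


def audit_work_only_registration(app):
    """Return a list of findings; an empty list means the record matches."""
    findings = []
    native = set((app.get("publicClient") or {}).get("redirectUris") or [])
    web = (app.get("web") or {}).get("redirectUris") or []

    for uri in sorted(EXPECTED_REDIRECT_URIS - native):
        findings.append(f"missing native redirect URI: {uri}")
    # Any extra redirect URI is another place a sign-in response can be sent.
    for uri in sorted(native - EXPECTED_REDIRECT_URIS):
        findings.append(f"unexpected native redirect URI: {uri}")
    for uri in sorted(web):
        findings.append(f"web redirect URI on a native app: {uri}")
    # A native (public) client cannot keep a secret confidential.
    if app.get("passwordCredentials"):
        findings.append("client secret present on a native app")
    if app.get("signInAudience") in PERSONAL_AUDIENCES:
        findings.append("personal Microsoft accounts allowed on a work-only app")
    return findings


# Constructed sample: step 6 was skipped and a stray localhost URI was added.
SAMPLE_APP = {
    "displayName": "Quicklaunch - System Checkin",
    "signInAudience": "AzureADandPersonalMicrosoftAccount",
    "publicClient": {"redirectUris": [
        "https://login.microsoftonline.com/common/oauth2/nativeclient",
        "http://localhost:8080/callback",
    ]},
    "web": {"redirectUris": []},
    "passwordCredentials": [],
}

if __name__ == "__main__":
    for finding in audit_work_only_registration(SAMPLE_APP):
        print(finding)
```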



2B) Consent Process

Step 1.
The consent process will begin. Enter a user who is in the Global Administrator role and select Next, then enter the password for the user and select Next.


Step 2.
After you enter a valid username/password, you will be asked for consent to allow the application to read basic user profile information (username, full name and picture) for all users who authenticate using System Checkin. After you accept, the consent window can be closed as no further user input is necessary.


Step 3.
After closing the consent window, you can refresh the Permissions screen and confirm that the Admin consent has been applied. Please note it may take a few minutes for the changes to be applied.



2C) Configure Quicklaunch and Verify
Step 1.
Enter the application id that was created from the Application Registration Portal and click on the Verify link beside the application id.


Step 2.
Enter a "Work" account and press Next.


Step 3.
Enter Password and press Sign in


Step 4.

If there is a little green check-mark visible in front of the Verify link, then authentication is properly configured.



Switching from Azure AD authentication and/or removing Consent

To switch from Azure AD authentication and/or remove Consent, follow these steps:

  1. Disable System Check-in or switch to a different authentication type and save settings
  2. Log into https://portal.azure.com
  3. Navigate to Azure Active Directory -> Enterprise Applications
  4. Find and click on Quicklaunch - System Checkin
  5. Press the Delete link in the top left corner



Troubleshooting

During the Verify you may encounter the screen below. If this screen is present, please verify that the application id is correctly entered.





3) Configuring Work and Microsoft Personal Accounts

This configuration is for supporting both "Work" and "Personal Microsoft" accounts where the "Work" account is a work assigned account and the "Personal Microsoft" account is an account that the user has created. The application id can be shared across all installs of Quicklaunch.


During this configuration you will need to do the following:

A) Register an application in Microsoft's Application Registration Portal

B) Configure Quicklaunch, Verify and give Admin consent via the Admin consent flow


For more information on the Admin consent flow and permissions, please read:

https://docs.microsoft.com/en-us/azure/active-directory/develop/application-consent-experience



3A) Register an application in the Application Registration Portal


Step 1.
Log into https://apps.dev.microsoft.com using a work account for your organization. This is required in order to link the application to your Azure AD when authenticating "Work" accounts and to consent to the permissions.


NOTE: "Personal Microsoft" accounts cannot be configured to suppress the user's permission consent.


Step 2.
Select Add an app.


Step 3.
Enter the following information:
Application Name: Quicklaunch - System Checkin
Guided Setup: Not Checked


Then press the Create button.


Confirm the application was created and copy the Application ID. This will be needed when you configure Quicklaunch to use this application id for System Checkin.


Step 4.
Under the Platforms section press the Add Platform button


Step 5.

Select the Native Application option


Step 6.

Leave the default values for the Native Application and Save your changes (bottom of the window)


Step 7.

Confirm that the changes you made were saved. Copy the Application Id created to be used in Quicklaunch.



3B) Configure Quicklaunch, Verify and give Admin consent via the Admin consent flow
Step 1.

Open Quicklaunch Settings (CTRL + ALT + S) and navigate to Accounts > Login.

Enter the application id that was created from the Application Registration Portal and click on the Verify link beside the application id.


Step 2.

Enter your "Work" account which has Global Admin permissions in your Azure AD and press Next.


You can reference https://docs.microsoft.com/en-us/azure/active-directory/develop/application-consent-experience#common-consent-scenarios for more information on this Consent flow.



Step 3.

Select "Work Account"


Step 4.

Enter Password and press Sign in


Step 5.

You should see a screen similar to the one below with your organization's information displayed. Please review the consent options being displayed.


Select "Consent on behalf of your organization." 


When a user uses a "Work" account to authenticate using System Check-in they will not be asked to consent to the permissions listed in the dialog. 


Users who authenticate using a "Personal Microsoft" account however will be asked to consent to the permissions.


Step 6.

In Quicklaunch Settings, there should be a green check-mark visible.




Switching from Azure AD authentication and/or removing Consent


  1. Disable System Check-in or switch to a different authentication type and save settings
  2. Log into https://apps.dev.microsoft.com with the same account that was used to create the application and then "Delete" the application


NOTE: Doing this will remove the application as well as remove the consent for every user that had previously consented.




Troubleshooting

During the Verify you may encounter the screen below. If this screen is present, please verify that the application id is correctly entered.