Microsoft AADC and Tyler Identity
Tyler Technologies has introduced a new product, Tyler Identity (TID), which offers additional flexibility in authentication options for the products in the Tyler suite. Using your organization's existing infrastructure, TID further secures user logins by applying stronger encryption when your workforce logs into the system.
In some instances, an organization may have several domains in their environment from which users will need to log in. In a typical NWERP environment, one domain is used, and all users generally exist under this domain. In more complex environments, however, users may exist in several domains that are part of the same organization, and thus need to be handled accordingly.
Microsoft has developed technology that pulls these different scenarios together and, with the integration of TID, users in a multi-domain scenario may still access NWERP.

Azure AD Connect integrates your on-premises directories with Azure Active Directory. This allows you to provide a common identity for your users across Office 365, Azure, and SaaS applications integrated with Azure AD.

Please review the following document from Microsoft, which explains the prerequisites you will need to satisfy before implementing AAD:

Azure Active Directory may incur a cost for your organization depending on the number of Objects that connect to the network, although in most cases no cost should be expected. Please see the following link from Microsoft, which explains the pricing matrix based on your organization's needs:
https://azure.microsoft.com/en-us/pricing/details/active-directory/?cdn=disable

- Client must have Directory extension attribute sync enabled from the Azure connector on their Domain Controller.
- From the Directory Extensions screen, the client will then need to add sAMAccountName and userPrincipalName to the Selected Attributes.
- From the client's Azure Portal, they will need to set up an App registration for each TID instance installed in their environments. When they add the TID authtokenserver URL under the App registration's Reply URLs, make sure the URL ends with a trailing forward slash (/), e.g., https://<hostname>.<domain>.com/prod/tylerid/authtokenserver/
  - For each App registration, the client will need to provide the unique Application ID, the API Key (only available to copy when first generated during setup), and the Directory ID for their Azure AD tenant.
  - The Application ID and API Key are available from the Azure Portal under Azure Active Directory > App registrations > **app name**.
  - The Directory ID is available from the Azure Portal under Azure Active Directory > Properties.
- In each App registration Manifest, oauth2AllowImplicitFlow will need to be changed to true.
- Under each App registration > Settings > Required permissions > Windows Azure Active Directory API, "Access the directory as the signed-in user" must be selected under DELEGATED PERMISSIONS. Then Save, then Grant permissions.
  - You may need to make this change with an Azure AD Global Administrator account for the setting to take effect for all Azure AD users.
- The client will need to follow the process in Azure Graph to obtain the values for sAMAccountName and userPrincipalName and save them for later. This also confirms that the Directory extension attributes were properly synced from the client's on-premises AD. In the highlighted section, the portion of each attribute name between the extension prefix and sAMAccountName or userPrincipalName is unique to every client.
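As an added example (not Tyler's or Microsoft's code), the following Python pre-check covers two of the steps above: confirming that a TID authtokenserver Reply URL carries the required trailing slash, and reading an Azure AD Graph user object to pick out the synced directory extension attribute names for sAMAccountName and userPrincipalName. It assumes the attribute names follow an extension_<id>_<name> pattern; the sample user object and the identifier inside it are constructed for this example.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample of a Graph user object after AAD Connect has synced the two
# directory extension attributes. The identifier inside the names is made up.
SAMPLE_GRAPH_USER = json.dumps({
    "objectId": "11111111-2222-3333-4444-555555555555",
    "userPrincipalName": "jdoe@example.com",
    "extension_0123456789abcdef0123456789abcdef_sAMAccountName": "jdoe",
    "extension_0123456789abcdef0123456789abcdef_userPrincipalName": "jdoe@corp.example.com",
})

REQUIRED_EXTENSIONS = ("sAMAccountName", "userPrincipalName")
# Assumed pattern: "extension_" + client-unique identifier + "_" + attribute name.
EXT_RE = re.compile(r"^extension_([^_]+)_(sAMAccountName|userPrincipalName)$")


def find_extension_attributes(graph_user_json):
    """Return {attribute: full extension name} for the two synced attributes.

    Raises ValueError if either attribute is missing (sync not complete) or if
    the two names carry different identifiers (not synced by the same connector).
    """
    user = json.loads(graph_user_json)
    found, ids = {}, set()
    for key in user:
        m = EXT_RE.match(key)
        if m:
            ids.add(m.group(1))
            found[m.group(2)] = key
    missing = [a for a in REQUIRED_EXTENSIONS if a not in found]
    if missing:
        raise ValueError(f"directory extension(s) not synced: {missing}")
    if len(ids) != 1:
        raise ValueError(f"extension names carry different identifiers: {sorted(ids)}")
    return found


def check_reply_url(url):
    """Check a TID authtokenserver Reply URL: https, authtokenserver path, trailing slash."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "Reply URL must use https"
    if not parts.path.endswith("/tylerid/authtokenserver/"):
        return False, "Reply URL must end with /tylerid/authtokenserver/ (trailing slash required)"
    return True, "ok"
```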