Integrating MYOB Acumatica with Microsoft Azure Active Directory

After you have enabled integration with the identity management system, user accounts for domain users are created automatically when the users sign in to your MYOB Acumatica instance for the first time.

The accounts of domain users in MYOB Acumatica are based on their accounts in the domain. The password of a domain user in MYOB Acumatica is the same as the domain account password. The email address and the first and last name of the user are populated from the domain account as well. However, the login, password, email address, and first and last name are managed through the domain and cannot be changed in MYOB Acumatica.

You cannot restore the passwords of domain users by using MYOB Acumatica tools. You should restore users’ domain credentials by using tools of Active Directory (AD).

To speed up authentication of users, the information about AD groups is automatically cached by MYOB Acumatica. To update the list of the user groups in MYOB Acumatica with current information from AD, click the Reload AD Groups button on the User Roles (201005) form. The Reload AD Groups button appears only when you integrated MYOB Acumatica instance with Azure AD.

After the integration of MYOB Acumatica with Azure AD has been set up, users use single sign-on (SSO) with the domain to sign in to MYOB Acumatica. By default, each user performs the following steps:

1. On the Welcome page of your MYOB Acumatica instance, the user selects the Azure AD icon () to open the Azure AD sign-in page.

2. On the sign-in page, the user enters the domain credentials in the following format: <User_Name>@<Domain_Name>, where <User_Name> is the user account name in the integrated domain and <Domain_Name> is the UPN suffix, also known as the domain name.

If you configured a multicompany instance and selected the Secure Tenant on Login option on the Tenant Setup page (see Managing Tenants Locally), then users with access to several companies, who sign in to MYOB Acumatica using single sign-on with an external identity provider, will be logged in to the first company with enabled single sign-on.

When a domain user tries to access MYOB Acumatica, user authorisation occurs as follows:

1. The application instance sends an authentication request to the AD server to validate the user’s credentials.

2. When validation has completed successfully, the AD server sends MYOB Acumatica the list of AD groups to which the user is assigned.

3. MYOB Acumatica compares the list of AD groups with the internal MYOB Acumatica roles, based on the mapping rules defined on the User Roles (SM201005) form.

4. The system finds any MYOB Acumatica roles that are associated with AD groups to which the domain user account is assigned. If MYOB Acumatica finds at least one role, the user is authenticated to sign in to the MYOB Acumatica instance.
   The user access rights within the MYOB Acumatica application instance are based on the internal list of roles.

For more information about authentication, see Managing User Access. For details about roles and access rights, see Configuring User Roles.

Domain users inherit access rights from the AD groups that you mapped to MYOB Acumatica user roles. In addition, you can assign specific user roles to each domain user if the access rights for this user should differ from the AD group rights.

New domain users automatically get the rights to sign in to MYOB Acumatica when they join a domain. The membership of these users in MYOB Acumatica roles is then automatically updated to comply with the membership of the users in the domain groups.

The user type functionality cannot be applied to domain users.

Because AD authentication creates new user accounts, the licenses from the existing users need to be reallocated.

The AD user will automatically inherit licences when their Email Address (populated from Active Directory) matches the Login of the existing user. This means that if your existing users' logins match their AD email addresses, licencing within and between tenants will be automatically shared.

If your existing users have logins that do not match their email address, you will need to reallocate the licenses manually.

You can see how a user was created in the Source column when selecting a user on the Users form. Users created manually in MYOB Acumatica are labelled Native.

Secure authentication and Azure Active Directory are mutually exclusive. Only one can be enabled at a time.

If a user that has been associated with secure authentication wants to log in after enabling Azure AD, they will need to use the standard MYOB Acumatica login and password.