To improve your own security you can add Azure AD OAuth2 to Mention Me so that your employees access Mention Me by logging in via Azure AD. They will no longer need a separate Mention Me password, and you can manage their authentication from your own Azure AD console.
Account provisioning and the roles for each account are still managed within Mention Me.
We currently support authentication via Google, Okta, Auth0 and Azure AD. If you would like to use an alternative OAuth source please talk to your Client Account Manager.
The Security page in the Edit Brand menu item lets you set up Azure AD OAuth on the Mention Me side.
Feature overview
If desired, Mention Me can authenticate users via Azure AD OAuth for organisations that manage their users' authentication with Azure AD.
- Clients using Azure AD can authenticate Mention Me users via Azure AD accounts.
- Users log in to Mention Me by authenticating with their Azure AD account.
- When enabled, Mention Me authenticates users only with Azure AD OAuth (email/password access will cease).
- Users with access to more than one Brand can access the platform via any of the login mechanisms configured for those Brands (either OAuth or email/password).
Note that:
- When enabling Azure AD OAuth, only accounts whose email address matches the configured domain(s) will be able to authenticate. All other accounts will lose the ability to log in.
Preliminary requirements
Using Azure AD OAuth requires the following:
- An Azure AD account for the organization.
- At least one domain controlled by the organization and registered to the Azure AD account.
- Users with email addresses in the domain associated with the Azure AD account.
Before you begin
Before you begin these steps, you will need:
- An Azure AD administrator to perform steps in the Azure AD admin tools
- Mention Me administrator access to your account
Setup on the Azure AD side
The steps for enabling Azure AD OAuth on the Azure AD side are described below. Azure AD's own documentation describes each of these steps in more detail.
- Go to the Azure AD Admin console
- Create a new Application to integrate SSO with Mention Me
- Enter a name for the application (e.g. "Mention Me") typically as a Regular Web App.
- Decide who will have access and Save with the default options
- Mention Me requires only the default scopes (name and email), so typically no additional scope configuration is required
- In the Sign-in redirect URIs field, enter the redirect URL shown in the Mention Me admin console (see the Mention Me-side steps below). Replace xxxx with the Merchant Id of your account:
https://mention-me.com/oauth/client/redirect/xxxx
- Click Save.
- Azure AD displays your client ID and your client secret.
- Copy the client ID, client secret and domain values; you will need them to configure Mention Me below.
NOTE: Mention Me has a Live and a Demo platform. If you want login for your users to work seamlessly across both platforms you'll need to add two separate redirect URIs to Azure AD.
For demo, add the URL: https://demo.mention-me.com/oauth/client/redirect/xxxx. The ID (xxxx) will be different from the one used for Live.
The same Client ID, Client Secret and account name or custom domain can be used for both platforms.
Setup on the Mention Me side
The steps for enabling Azure AD OAuth on the Mention Me side are below.
If you also want access to Demo to be controlled by Azure AD, repeat these steps on the Demo platform.
- From the Mention Me platform, while logged in as an administrator, go to Edit Brand.
- Under the Security group, find the Single Sign On configuration section.
- Choose Azure AD from the SSO options.
- Enter your Azure AD Auth Settings:
  - Client ID and Client Secret - Copy and paste these values from the Azure AD Dashboard, as in the Azure AD setup instructions above.
  - Domains - Your organisation's Azure AD-managed domain name(s). Only users with an email address and account matching these domain(s) can log in to your Mention Me account.
- When you save changes, they are applied to all users, who will no longer be able to log in with their email/password. Existing sessions are not logged out; the login method changes at each user's next login.
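The domain restriction described for the Domains setting above (only accounts whose email matches a configured domain may authenticate) can be modelled as a small allow-list check. This is an added illustration, not Mention Me's implementation; it assumes the identity provider returns the signed-in user's address in an `email` claim and that the brand's configured domains are available as a list.

```python
"""Hypothetical model of the per-brand domain allow-list check (not Mention Me's code).

Assumes: the OAuth/OIDC token claims carry the user's address in an 'email' claim,
and the brand's configured domains are a list of strings as entered in the Domains field.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SsoDecision:
    allowed: bool
    reason: str


def normalise_domain(domain: str) -> str:
    """Lower-case and strip stray whitespace/dots so 'Example.com ' equals 'example.com'."""
    return domain.strip().strip(".").lower()


def email_domain(email: str) -> Optional[str]:
    """Return the domain part of a plain user@domain address, or None if malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return normalise_domain(domain)


def can_sign_in(claims: dict, configured_domains: List[str]) -> SsoDecision:
    """Allow login only when the token's email domain exactly matches a configured domain."""
    allowed = {normalise_domain(d) for d in configured_domains if d.strip()}
    if not allowed:
        return SsoDecision(False, "no domains configured")
    email = claims.get("email")
    if not isinstance(email, str):
        return SsoDecision(False, "no email claim in token")
    domain = email_domain(email)
    if domain is None:
        return SsoDecision(False, "malformed email claim")
    # Exact match only: sub-domains and look-alike suffixes are rejected, not just 'endswith'.
    if domain not in allowed:
        return SsoDecision(False, "domain %r is not in the configured list" % domain)
    return SsoDecision(True, "ok")


CONFIGURED_DOMAINS = ["Example.com", "corp.example.org"]  # constructed sample config

if __name__ == "__main__":
    for sample in [{"email": "Alice@example.com"}, {"email": "bob@mail.example.com"},
                   {"email": "carol@example.com.evil"}, {"name": "no email claim"}]:
        print(sample, can_sign_in(sample, CONFIGURED_DOMAINS))  # constructed sample claims
```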
Default Permissions
When a user logs in with Azure AD, we can automatically grant the following permissions:
- On demo we can automatically grant "Marketing" permissions to all users who log in with Azure AD.
- On prod we can automatically grant "Customer Service" permissions to all users who log in with Azure AD.
To enable this functionality, click the relevant checkbox on the Mention Me Security SSO setup page.
An Administrator can change a user's permissions after the user has signed up.
Sample Email for rolling out the change to your users
Hi,
- We're switching from using an email/password on the platform to using "Login via Azure AD".
- This applies across both the live and demo platforms of Mention Me.
- It's better for security and easier to administer accounts internally
- It's also more convenient for you - one less password to keep track of
- You'll stop being able to log in with your email/password and instead will need to click the "Login via Single Sign On" (or "Login via Azure AD") link at the bottom of the login form on Mention Me
- The first time you click this you'll need to enter your [domain] email address so the platform can identify you
- The second and subsequent times you'll just click it and it will log you in
Disabling Azure AD Auth once it has been enabled
If you’d like to disable Azure AD Authentication for your Mention Me platform after it has already been enabled, just bear in mind that:
- Users can return to using email and password login, but users created while SSO was in use will not have been sent a password and will not know one. They will need to perform a password reset (or you can trigger it via Mention Me) in order to receive a link that lets them set their password.