Modern authentication
With Modern Authentication, users authenticate with OpenID Connect against the customer’s own Azure tenant using a browser. This means that user accounts are centralized to the customer’s own Azure and are by definition subject to the already-existing security policies.
Tenant configuration
To enable Azure AD authentication integration to Enreach Voice services, two Enreach Voice enterprise applications must be consented by the customer’s Azure tenant administrator:
EnreachVoice application
Enables the users to sign in via Enreach Identity
EnreachVoice UserSync application
Enables Enreach backend to read and synchronize user information from Azure. This is needed to correlate users in Enreach system to Azure users.
Consent is granted by generating the following two links pointing to the customer tenant.
https://login.microsoftonline.com/<tenant-id>/adminconsent?client_id=36773b1f-bfe6-4cc6-b5d8-cd36a7b740a7
https://login.microsoftonline.com/<tenant-id>/adminconsent?client_id=5717fd23-b335-454d-bb65-af56dca00304
After generating the links by populating the correct tenant id, a tenant Global Global administrator follows the links and grants the consents in Azure.
Classic authentication
In classic mode, user credentials are passed through Enreach backend to Azure for validation. This mode is maintained for backwards compatibility - new deployments focus on Modern Authentication.
To enable classic Azure AD Authentication integration for your organization, an Azure AD application must be registered to customer Active Directory in Azure management portal.
If Multi-Factor Authentication (MFA) is enabled on Azure AD, Enreach Datacenter IP Addresses (80.88.186.0/23) must be whitelisted. More information: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#trusted-ips
Registering the Authenticator Application
1. Log in to https://portal.azure.com
2. Select Azure Active Directory -> App registrations
3. Select New application registration
4. Enter details and click Register
Name for application, for example 'Enreach Authenticator'
Accounts in this organization only
Redirect URI: https://discover.enreachvoice.com/
5. Go to Authentication tab and configure following
Select “Add a platform”
Select Web
Configure Web
Enter https://api.beneservices.com as RedirectURI
Select ID Tokens
Click Configure
Set Allow public client flow = Yes
Click Save
6. Go to Permissions tab
Make sure that app have User.Read permission
Click Grant admin consent and Yes to confirmation
Make sure that there is a green mark for Admin consent
8. Go to Overview tab
Send Application ID value to Enreach