When a user logs in to Link using Azure AD authentication, Link initiates the OAuth 2.0 Authorization Code flow.
Azure AD validates the user's credentials and, on success, returns an authorization code to Link. Link exchanges this short-lived, single-use code, together with its Client ID and Client Secret, for an access token (a JWT). The access token gives Link access to retrieve user information from Azure AD. Together with the access token Link also receives a long-lived refresh token, which is used to obtain new access tokens before the current one expires, without the user having to log in again.
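The three messages of the flow described above, as an added example that is not Link's own code: the authorize redirect, the callback carrying the code, and the form body of the token (and later refresh-token) request. It uses the Azure AD v2.0 endpoints and Microsoft Graph's User.Read scope; the client ID, secret and redirect URI are placeholders. The state parameter and PKCE are additions recommended by current OAuth 2.0 practice (state ties the callback to the login attempt that started it); the page does not mention them.

```python
# Added example (not Link's own code): the messages Link would exchange with
# Azure AD in the authorization code flow. Azure AD v2.0 endpoints; client_id,
# client_secret and redirect_uri are placeholders. state and PKCE are additions
# the page does not mention.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# "organizations" lets users from any Azure AD tenant sign in; Link then
# decides per tenant whether the login is approved (tenant validation).
AUTHORITY = "https://login.microsoftonline.com/organizations/oauth2/v2.0"
# openid/profile/email: identity claims; offline_access: a refresh token is
# issued; User.Read: read the signed-in user's profile from Microsoft Graph.
SCOPES = "openid profile email offline_access User.Read"


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge: base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair() -> tuple:
    """Fresh (code_verifier, code_challenge) pair for one login attempt."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def build_authorize_url(client_id: str, redirect_uri: str, state: str, code_challenge: str) -> str:
    """Step 1: the URL Link redirects the browser to."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": SCOPES,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: Azure AD redirects back with ?code=...&state=...; extract the code.
    The state must equal the value Link stored in the session when it built the
    authorize URL; otherwise the callback may be forged (login CSRF)."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise PermissionError(f"{query['error'][0]}: {query.get('error_description', [''])[0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    return query["code"][0]


def build_token_request(code, client_id, client_secret, redirect_uri, code_verifier) -> dict:
    """Step 3: form body POSTed to AUTHORITY/token to exchange the code for tokens."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
        "scope": SCOPES,
    }


def build_refresh_request(refresh_token, client_id, client_secret) -> dict:
    """Later: form body POSTed to AUTHORITY/token to obtain a new access token."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "scope": SCOPES,
    }


if __name__ == "__main__":
    verifier, challenge = new_pkce_pair()
    state = secrets.token_urlsafe(16)
    redirect_uri = "https://link.example/signin-oidc"  # placeholder
    url = build_authorize_url("00000000-0000-0000-0000-000000000000", redirect_uri, state, challenge)
    print("redirect browser to:", url)
    # Constructed callback URL, as the browser would deliver it after a successful login.
    code = parse_callback(f"{redirect_uri}?code=0.AXYZ&state={state}", state)
    print("token request body:", build_token_request(code, "client-id", "client-secret", redirect_uri, verifier))
```

The token response (not modelled here) carries access_token, expires_in and, because offline_access was requested, refresh_token; the client secret must never leave Link's server side, which is why the exchange in step 3 is a back-channel POST and not done in the browser.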
Azure AD tenant validation
Using the access token, Link retrieves information about the user. This information is used to determine whether the user belongs to an Azure AD tenant approved for login. If the tenant is not yet known to Link, it is created and marked as unapproved. A Link administrator must then approve the tenant; until that happens, users from the tenant are denied access and shown a message saying that their AD tenant is not approved.
Creating and updating user information
If the user is already known to Link, the user information is updated and the user is signed in. If it is the first time the user signs in, a new Link user account is created.
In both cases the following information is used to create or update the user:
Username (email address)
Domain Account Name
Link user accounts created from an Azure AD user are locked for editing in Link and must be managed in Azure AD, including their group memberships. Likewise, these user accounts can only be used for Azure AD authentication; Link username/password authentication is not possible for them.
User group mappings
User groups are assigned to users based on their Azure AD groups. An Azure AD group is matched to a Link user group by the Domain Account Name property.
If a user is a member of an Azure AD group that matches a Link user group, that user group is assigned to the user.
In the example above, users who are members of the Azure AD group Link Viewer are assigned the Link user group Viewer when signing in to Link.
Azure AD synchronization
After the user has successfully logged in, Link periodically synchronizes the user information from Azure AD. The frequency depends on the access token lifetime: when 80% of the lifetime has passed, Link refreshes the token and updates (and re-validates) the user information. In practice this means that if the user has been disabled in Azure AD, or a required group membership has been removed, the user is signed out of Link. Note that such a change only takes effect at the next refresh, so a disabled user can keep an existing Link session for up to the remainder of the current token lifetime.
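The processing described under tenant validation, user creation, group mapping and synchronization above, as one added example that is not Link's own code: an unknown tenant is recorded and the login denied until approved, the user is created or updated from the retrieved profile, Azure AD groups are mapped to Link user groups by Domain Account Name, password login is refused for Azure AD users, the refresh is due at 80% of the token lifetime, and a sync that finds the account disabled or the required group gone signs the user out. The profile dictionary and its keys (tenant_id, mail, domain_account_name, groups, account_enabled) are assumed shapes for the data retrieved from Azure AD, not Link's real field names, and the rule that a user must keep at least one mapped group is an assumption.

```python
# Added example (not Link's own code): model of what Link does with the user
# information after the token exchange. Profile keys (tenant_id, mail,
# domain_account_name, groups, account_enabled) are assumed field names.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Tenant:
    tenant_id: str
    approved: bool = False      # newly discovered tenants start unapproved


@dataclass
class LinkUser:
    username: str               # e-mail address
    domain_account_name: str
    user_groups: set = field(default_factory=set)
    azure_managed: bool = True  # locked for editing in Link; no password login
    signed_in: bool = False


class TenantNotApproved(Exception):
    pass


def refresh_due(issued_at: int, expires_at: int, now: int) -> bool:
    """Refresh and re-validate once 80% of the access token lifetime has passed
    (integer arithmetic, so the boundary is exact)."""
    return (now - issued_at) * 5 >= (expires_at - issued_at) * 4


class Link:
    def __init__(self, group_mapping: dict):
        self.group_mapping = group_mapping  # AD group Domain Account Name -> Link user group
        self.tenants: dict = {}
        self.users: dict = {}

    def validate_tenant(self, tenant_id: str) -> None:
        tenant = self.tenants.get(tenant_id)
        if tenant is None:
            # Unknown tenant: record it so an administrator can approve it later.
            tenant = self.tenants[tenant_id] = Tenant(tenant_id)
        if not tenant.approved:
            raise TenantNotApproved(f"AD tenant {tenant_id} is not approved")

    def map_groups(self, ad_groups) -> set:
        return {self.group_mapping[g] for g in ad_groups if g in self.group_mapping}

    def sign_in(self, profile: dict) -> LinkUser:
        self.validate_tenant(profile["tenant_id"])
        key = profile["mail"].lower()
        user = self.users.get(key)
        if user is None:                                   # first login: create
            user = self.users[key] = LinkUser(key, profile["domain_account_name"])
        else:                                              # known user: update
            user.domain_account_name = profile["domain_account_name"]
        user.user_groups = self.map_groups(profile.get("groups", []))
        user.signed_in = True
        return user

    def allows_password_login(self, username: str) -> bool:
        user = self.users.get(username.lower())
        return user is not None and not user.azure_managed

    def synchronize(self, user: LinkUser, profile: Optional[dict]) -> bool:
        """Re-validate with refreshed data; returns whether the user stays signed in.
        profile is None when the refresh failed, e.g. the account was disabled.
        Assumption: a user must keep at least one mapped group to stay signed in."""
        try:
            if profile is None or not profile.get("account_enabled", True):
                raise PermissionError("account disabled or refresh failed")
            self.validate_tenant(profile["tenant_id"])
            user.user_groups = self.map_groups(profile.get("groups", []))
            if not user.user_groups:
                raise PermissionError("required group membership removed")
        except (PermissionError, TenantNotApproved):
            user.signed_in = False
            return False
        return True


def run_demo() -> dict:
    """Walk through the scenarios from the text; returns the observed outcomes."""
    link = Link({"Link Viewer": "Viewer", "Link Editor": "Editor"})
    # Constructed profile, as if retrieved from Azure AD with the access token.
    profile = {"tenant_id": "11111111-aaaa-4bbb-8ccc-222222222222",
               "mail": "Alice@example.com", "domain_account_name": r"CONTOSO\alice",
               "groups": ["Link Viewer", "Sales"], "account_enabled": True}
    out = {}
    try:
        link.sign_in(profile)
        out["first_login"] = "allowed"
    except TenantNotApproved:
        out["first_login"] = "denied"                      # tenant auto-created, unapproved
    out["tenant_recorded"] = profile["tenant_id"] in link.tenants
    link.tenants[profile["tenant_id"]].approved = True     # administrator approves
    user = link.sign_in(profile)
    out["groups_after_login"] = sorted(user.user_groups)
    out["password_login"] = link.allows_password_login("alice@example.com")
    out["refresh_due_at_80pct"] = refresh_due(0, 3600, 2880)
    out["refresh_due_earlier"] = refresh_due(0, 3600, 2879)
    # Sync after the Azure AD group membership was removed, then after a disable.
    out["still_signed_in_after_group_removed"] = link.synchronize(user, {**profile, "groups": ["Sales"]})
    user = link.sign_in(profile)
    out["still_signed_in_after_disable"] = link.synchronize(user, {**profile, "account_enabled": False})
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The sync path deliberately treats a failed refresh the same as a disabled account: if Azure AD will not issue a new token, Link has no authoritative user data and should end the session rather than keep serving it on stale information.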