
How to configure TM Master to use Azure User authentication.

Outline

Integrating TM Master with your Azure domain allows all TM user administration to happen in Azure, with no need to create user accounts manually in TM Master. By linking Azure user groups to TM Master user groups, the user rights within TM Master are controlled from the Azure domain. When a user logs on to TM Master for the first time, a TM Master user is created during log-on, with rights derived from the Azure groups the user is a member of.

This function is only available in the following TM Master V2 versions and newer.

• 665 Release (31.03.2023) v2.665.8490.23401   

• 664 Release (31.03.2023) v2.664.8490.23308

• 662 Release (31.03.2023) v2.662.8490.23212

The function requires a license in the office system and on any units/vessels that will use it.

 

In a nutshell, here is what needs to be done to set up the integration.

1. Create a list of all the various user groups that are needed for your organisation. If you already have TM Master User groups in TM Master, review them to verify that they will fit with how you create user groups in Azure AD.

 

2. Create new, modify, or verify existing user groups in TM Master. User rights will still need to be given to TM User groups. To make it easier for yourself, consider using the same name for the TM User Groups as for the Azure AD groups.

 

3. Log on to Azure AD to locate the “Tenant ID” and to register TM Master as an application, which gives you the TM Master “Client ID”.

 

 

4. Create appropriate Azure AD user groups to cover all the user groups in your organisation. Tip! Use a prefix on the TM Master-related groups so they are easy to filter, e.g. “TM-”: “TM-SuperIntendent”, “TM-ChiefEngineer”, etc. (Described here: https://learn.microsoft.com/en-us/entra/fundamentals/how-to-manage-groups)

 

5. Configure (but do not activate yet) TM Master “Office” to use the Azure authentication integration.

 

6. Link your TM Master User groups with your Azure AD user groups. 

 

7. If you are going to use this function onboard, make a procedure for how users should log on to TM Master when the vessel's internet connection is down.

 

8. When all is ready, activate the Azure AD integration. If the Azure AD integration will be used onboard, and not just in the office, it might be an idea to start with a limited number of vessels, to ensure your configuration is working. 
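Step 4 above can be scripted instead of clicked through in the portal. The following is an added example, not part of the TM Master documentation: it creates the prefixed security groups from a list with the Microsoft Graph PowerShell SDK, skipping any that already exist so it can be re-run safely. The Microsoft.Graph module, the Group.ReadWrite.All delegated right for the signed-in administrator, the “TM-” prefix and the role names are all assumptions; replace the role list with your own from step 1.

```powershell
# Added example (not from the TM Master documentation): create the prefixed
# Azure AD security groups that TM Master user groups will later be linked to.
# Assumes: Microsoft.Graph module installed; the signed-in admin can create groups.

$Prefix = 'TM-'                                                   # same prefix you will use as the group name filter
$Roles  = 'SuperIntendent', 'FleetManager', 'ChiefEngineer'      # constructed list; use the groups from step 1

Connect-MgGraph -Scopes 'Group.ReadWrite.All'

foreach ($role in $Roles) {
    $name = "$Prefix$role"

    # Idempotent: do not create a duplicate if the group already exists.
    $existing = Get-MgGroup -Filter "displayName eq '$name'"
    if ($existing) { "exists : $name"; continue }

    # Security-only group (not mail-enabled). Graph requires a mailNickname even
    # for security groups, so derive one from the display name.
    New-MgGroup -DisplayName $name `
                -SecurityEnabled `
                -MailEnabled:$false `
                -MailNickname ($name -replace '[^A-Za-z0-9]', '') | Out-Null
    "created: $name"
}
```

Members are added afterwards (Add-MgGroupMember, or through the portal); the groups only have an effect in TM Master once they are linked to a TM Master user group.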

 

 

How to add TM Master as an Application in Azure Active directory?

1. Log on to Microsoft Azure (https://portal.azure.com/)

 

2. In the “Azure Overview”, click [App Registrations] in the menu on the left-hand side.

 

3. In the “App registrations” view, click [New Registration] in the top menu.

4. On the “Register an application” page

    • Enter a name for the application, e.g. “TM Master”.
    • Choose “Accounts in this organizational directory only (<Company name> only – Single tenant)”.

5. Under the “Redirect URI (Optional)” heading

 

6. Click [Register] at the bottom of the page. You will now be directed to the “App overview”.

7. In the “App Overview”, copy the two values TM Master will need later:

    • the Directory (tenant) ID
    • the Application (client) ID

 

8. Click API permissions.

 

9. Click the [Add a permission] button.

 

10. Click [Microsoft Graph]

11. Click [Delegated permissions] 

 

12. Locate the group “User” and tick “User.Read”.

 

13. Locate the group “Group” and tick “Group.Read.All”. Unlike User.Read, this delegated permission requires admin consent, which is why step 15 is needed before any user can log on through the integration.

 

14. Click the [Add permissions] button at the bottom.

 

15. Click [Grant admin consent for <Company Name>]
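The same registration can be created from PowerShell, which is handy when you need to repeat it in a test tenant or keep it under change control. The script below is an added example and is not part of the TM Master documentation; it uses the Microsoft Graph PowerShell SDK to register a single-tenant application, request the two delegated permissions, grant tenant-wide admin consent and print the Tenant ID and Client ID. The application name “TM Master” and the admin role of the signed-in account are assumptions. The Redirect URI is deliberately not set here, because the page does not state what value TM Master needs; add it in the portal or with Update-MgApplication.

```powershell
# Added example (not from the TM Master documentation): register "TM Master"
# in Azure AD with the permissions the portal steps above grant by hand.
# Assumes: Microsoft.Graph module installed; signed-in account may create app
# registrations and grant admin consent (e.g. Global Administrator).

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'DelegatedPermissionGrant.ReadWrite.All'

# Microsoft Graph's well-known application ID. Resolve the permission IDs from
# the tenant's own Graph service principal instead of hard-coding GUIDs.
$graphAppId = '00000003-0000-0000-c000-000000000000'
$graphSp    = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
$wanted     = 'User.Read', 'Group.Read.All'
$scopes     = $graphSp.Oauth2PermissionScopes | Where-Object { $_.Value -in $wanted }
if ($scopes.Count -ne $wanted.Count) { throw "Could not resolve all Graph scopes: $($wanted -join ', ')" }

# Delegated permissions are "Scope" entries; application permissions would be "Role".
$requiredAccess = @{
    ResourceAppId  = $graphAppId
    ResourceAccess = @($scopes | ForEach-Object { @{ Id = $_.Id; Type = 'Scope' } })
}

# Single tenant = "Accounts in this organizational directory only".
$app = New-MgApplication -DisplayName 'TM Master' `
                         -SignInAudience 'AzureADMyOrg' `
                         -RequiredResourceAccess @($requiredAccess)

# Consent is recorded against the service principal, so create it explicitly.
$sp = New-MgServicePrincipal -AppId $app.AppId

# Equivalent of [Grant admin consent for <Company Name>]: consent for all users.
New-MgOauth2PermissionGrant -BodyParameter @{
    ClientId    = $sp.Id
    ConsentType = 'AllPrincipals'
    ResourceId  = $graphSp.Id
    Scope       = ($wanted -join ' ')
} | Out-Null

# The two values to enter in TM Master's "Azure Active Directory" settings tab.
"Tenant ID (Directory ID):   $((Get-MgContext).TenantId)"
"Client ID (Application ID): $($app.AppId)"
```

Keep the permission set to exactly these two delegated scopes: the integration only needs to read the signed-in user and the directory's groups, and anything broader would be granted to every user who signs in through the application.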

 

How to configure TM Master “Office” to use the Azure authentication integration?

The following prerequisites must be in place before it is possible to activate the integration.

  • A TM Master V2 license including the “TMv2_AzureAdIntegration” license.
  • The company's MS Azure “Tenant ID” (Ref. step 7 in How to add TM Master as an Application in Azure Active directory?).
  • The MS Azure “Client ID” created for “TM Master” (Ref. step 7 in How to add TM Master as an Application in Azure Active directory?).

Once the above prerequisites are in place, it is time to configure TM Master to connect to your Azure domain.

  1. Click [System] →[Settings] →“Integrations” tab → “Azure Active Directory” sub tab.

2. Tick the “Activate Azure AD Integration” check box to activate the Azure AD integration. You will be able to configure the settings without activating the integration.

Note! Before activating this setting, make sure you have configured the system properly: link the TM User groups to your Azure AD user groups and grant the AD users membership of the appropriate AD groups. All users logging on to the system after activation are affected, which may result in users not being allowed to log on, or not receiving the appropriate user rights.

 

3. Enter your details in the “General Settings”. When hovering the mouse over an individual field, a short explanation of that field is displayed to the right of the fields.

 

  • TenantID: Enter the Tenant ID for the Azure Active Directory instance TM Master should connect to. (Ref. step 7 in How to add TM Master as an Application in Azure Active directory?)

 

  • ClientID: Enter the “Application ID”/“Client ID” for TM Master, created in the Azure Active Directory. (Ref. step 7 in How to add TM Master as an Application in Azure Active directory?)

 

  • Trim default Email from username: Here you can enter your company's email domain. TM Master will then create new TM Master v2 users without the email extension when authorized users log on. In addition, if an existing TM Master user without the extension is found, TM Master will link the Azure AD user to that existing TM user. Example: If the user john.doe@company.com logs on without the “trim” setting, the TM Master user created at log-on will also be john.doe@company.com. If the email domain “@company.com” is entered in the setting, the username in TM Master will be just “john.doe”.

 

  • Azure Ad Group Name Filter: For most companies the Azure Active Directory contains a lot of user groups, most of them unrelated to TM Master. Adding a filter limits the number of groups made available in TM Master when linking the TM user groups to Azure user groups. Example: If your Azure AD user groups related to TM Master are named “TM-SuperIntendent”, “TM-FleetManager” etc., entering the filter “TM-” will make only the Azure AD groups whose names start with “TM-” available in TM Master.

 

4. “Office System” specific settings: By default, activating the “Azure AD integration” only affects the “office” system. Azure provides three different login procedure types, and one of them can be set as the domain default. TM Master is by default configured to follow the Azure AD domain default, but it is possible to choose one of the other types for the TM Master application.

 

  • Office Azure Login Type: By default this is set to “Use Domain Default”, but the following options are available. Clicking the [?] next to the field shows a short explanation of each option:

 

  • “Ask for User”: The user is presented with an Azure AD login dialog asking for a username and then a password at every log-on.

 

  • “Select User”: An Azure AD login dialog with a list of previously used Azure AD users appears. The user can select one or enter a new one, and then provide the appropriate password. This is the ideal choice when multiple users share one computer using the same Windows login.

 

  • “None/Automatic”: The user is logged on automatically, using the existing Azure AD credentials found for the logged-on Windows user on the computer. This is the ideal choice for users who have their own computer and do not share it with others. Note that whoever is logged on to Windows then gets into TM Master without any further prompt, so it is only appropriate where the Windows session itself is protected.

 

  • “Use Domain Default”: Any of the above options can be specified as the domain default login mode. This is the ideal choice if you want the TM Master login to follow whatever the domain default is configured to use.

 

How to configure TM Master “On board” to use the Azure authentication integration?

To configure the Azure authentication integration for vessels, the integration must first be configured as described in the chapter above. In addition, each unit installation needs a TM Master V2 licence including the “TMv2_AzureAdIntegration” licence. All configuration is managed in the Office installation.

Note! Please make sure to grant all users the appropriate “Azure AD User group” membership, and that the “Azure AD user groups” are connected to the appropriate “TM User groups” before activating this function.

 

1. Click [System] →[Settings] →“Integrations” tab → “Azure Active Directory” sub tab.

 

2. How to configure the “General settings” is described in the chapter above.

 

3. It is possible to activate the integration for “All units” or “Individual units”. 

 a. To enable for all Units:

i. “Enable for all units”: By ticking this check box, all units will be added to the “unit list” grid below with the currently selected “Default Unit Azure Login Type”.

ii. “Default Unit Azure Login Type”: Please see “Office Azure Login Type” for more details on the options available in this field. Whatever is selected here will be set as the default for the vessels/units.

iii. Changes made will only become active after the settings are [Saved].

 

b. To enable for individual Units:

  • Click the [Add Unit] button in the “Unit” grid menu bar.
  • Select the units to activate for, either individually or by ticking a “unit group”.
  • Click [OK].
  • To modify the “Login type” for an individual unit, click the [Edit in Grid] button, then click in the “Login Type” column to modify the login type.
  • To remove one or more units from the list, select them and click the [Remove Unit] button.

How to link TM Master User groups with the Azure AD User groups?

After the “General Settings” for the Azure AD integration have been configured, as described in the chapter How to configure TM Master “Office” to use the Azure authentication integration?, it is possible to link the TM Master user groups to the equivalent Azure AD user groups.

 

1. Click [Administration] → [User Groups]

 

2. Open a user group by double clicking it.

 

3. Click the “Active Directory Groups” tab.

 

4. Click the  [Add Azure Group] button.

 

5. Log on using a valid Azure user in the Azure login dialog that appears. Please note that this is a log-on to your Azure domain; contact your Azure administrator if you have any issues logging on.

 

6. Once properly logged on to Azure, a list of the available Azure AD groups will appear.

 

7. Select the appropriate user group and click [OK].

Note! If you are unable to find the Azure groups for TM Master, add an Azure Ad Group Name Filter, as described in the chapter How to configure TM Master “Office” to use the Azure authentication integration?.

 

8. Any Azure AD user who logs on to TM Master after the link has been established, and who is a member of the selected Azure AD user group, will be granted the user rights given to this TM Master user group.
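Because activation affects every user who logs on afterwards, it is worth checking beforehand what each person will resolve to. The script below is an added example, not part of the TM Master documentation, and covers both the “Trim default Email from username” / “Azure Ad Group Name Filter” settings from the Office configuration chapter and the group links made here. For every member of the prefixed Azure AD groups it prints the username TM Master will create or link to (the user principal name with the configured domain removed) and the TM-prefixed groups the user belongs to, and it flags users whose address is outside the trimmed domain, since those accounts will be created with the full address. Assumptions: the Microsoft.Graph module, Group.Read.All and User.Read.All delegated rights for the signed-in administrator, the values of $GroupPrefix and $TrimDomain, and that TM Master compares the domain case-insensitively (confirm the last point against your own installation).

```powershell
# Added example (not from the TM Master documentation): pre-activation audit of
# which Azure AD users will map to which TM-prefixed groups, and under what
# TM Master username, before "Activate Azure AD Integration" is ticked.
# Assumes: Microsoft.Graph module installed; the signed-in admin can read
# groups, memberships and user principal names.

$GroupPrefix = 'TM-'           # same value as "Azure Ad Group Name Filter"
$TrimDomain  = '@company.com'  # same value as "Trim default Email from username"

Connect-MgGraph -Scopes 'Group.Read.All', 'User.Read.All'

# Only the groups the filter would expose in TM Master's [Add Azure Group] dialog.
$tmGroups = Get-MgGroup -Filter "startswith(displayName,'$GroupPrefix')" -All

# Transitive membership so that nested groups are counted as well.
$byUser = @{}
foreach ($g in $tmGroups) {
    $members = Get-MgGroupTransitiveMember -GroupId $g.Id -All |
               Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }
    foreach ($m in $members) {
        $upn = $m.AdditionalProperties['userPrincipalName']
        if (-not $byUser.ContainsKey($upn)) {
            $byUser[$upn] = [System.Collections.Generic.List[string]]::new()
        }
        $byUser[$upn].Add($g.DisplayName)
    }
}

function Get-TmUsername([string]$Upn, [string]$Domain) {
    # Mirrors the trim rule: remove the domain only when the address actually ends
    # with it. Case-insensitive comparison is an assumption about TM Master's rule.
    if ($Upn.EndsWith($Domain, [System.StringComparison]::OrdinalIgnoreCase)) {
        return $Upn.Substring(0, $Upn.Length - $Domain.Length)
    }
    return $Upn
}

'{0,-40} {1,-30} {2}' -f 'Azure UPN', 'TM Master username', 'TM- groups'
foreach ($upn in ($byUser.Keys | Sort-Object)) {
    $tmUser = Get-TmUsername $upn $TrimDomain
    $warn   = if ($tmUser -eq $upn) { '  <-- domain not trimmed, full address will be used' } else { '' }
    '{0,-40} {1,-30} {2}{3}' -f $upn, $tmUser, ($byUser[$upn] -join ', '), $warn
}
```

Compare the second column with the existing TM Master usernames: a trimmed name that matches an existing TM user is linked to that user rather than creating a new one, so an unexpected match here means an Azure account would inherit somebody else's TM Master identity. Users who should have access but do not appear at all are the ones who will be refused or under-privileged after activation.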

How to log on when internet is unavailable?

The Azure AD domain is only reachable if the computer logging on to TM Master has internet access. An internet connection is only required during log-on to TM Master. Once logged on, users can use the application as normal even if the internet connection is lost.

If a user starts TM Master without an internet connection, TM Master will default to the traditional login, requiring an active TM Master user and password.

Any users that have been created manually prior to activation of the Azure AD login will work, as long as the user remembers the original password.

Users that have been created automatically through the Azure AD login will not work, as TM Master does not know the user's password; it depends on the user verification done by Azure.

Contingency User

If the internet connection to the vessel is down, resetting the password from the office side will have little immediate effect for the user, as replication also depends on the internet connection. One alternative as a contingency plan is to create “emergency break glass” users, whose TM Master password is known and shared with the selected users who may use it.

 

Example: Create a generic “Chief Engineer” TM Master user. Name it “Chief engineer (Contingency user)” or something similar, and set a password for it. If the internet is not available and the Chief Engineer needs to log on, they can log on using this contingency user.

As an alternative, it is possible to use the “Reset password” function for users, enabling them to log on using the traditional TM Master user authentication. There is, however, a risk in resetting a user's password if the user subsequently never logs on to change it: when the user logs on using the Azure authentication, the user is not prompted to reset the TM Master password.

There is, however, a way to “bypass” the Azure login, even when internet access is available. By turning on [Scroll Lock] before starting the application, TM Master will bypass the Azure login and use the TM Master user authentication. This allows the user to reset the TM Master password, which can be used later when the internet connection is not available.

Note that this means a TM Master password remains a valid way into the application for anyone who knows it, regardless of what the Azure log-on enforces. Treat contingency and reset passwords as privileged credentials: keep them strong, limit who knows them, and change them after they have been used.
