Groups and access control for Microsoft Entra ID

How to choose the groups you want to import from Microsoft Entra ID.

11 April 2025

Elaine Foley

Table of Contents

  • Role-based versus group-based access control
  • Should I choose role-based or group-based access control?
  • RBAC limitations
  • Choosing the Fotoware groups to link to AD groups
  • Assigning a license to group members
  • Related topics
  • What's next?

Role-based versus group-based access control

Groups, permissions, and licenses in Fotoware can be assigned based on either the app roles or the group memberships of the user logging on via Microsoft Entra ID (formerly Azure Active Directory). Both can also be used to determine which users in the directory are allowed to log into Fotoware.

  • Role-based Access Control (RBAC) is the preferred method for all new SSO (single sign-on) integrations. Roles are defined as app roles on the application in the Azure portal and assigned to groups and individual users; the assigned roles are delivered to Fotoware in the token, so no additional directory permission is needed. (Assigning app roles to groups rather than to individual users requires a Microsoft Entra ID P1 or P2 license.)
  • Group-based access control is supported only for compatibility with existing SSO integrations and should not be used for new ones. It is turned off by default on new sites and can be turned on with the Enable group-based access control option. It requires admin consent in the Azure portal for the Directory.AccessAsUser.All permission, which gives the application the same access to the directory as the signed-in user, and is therefore considered less secure. Existing SSO integrations should be migrated to RBAC. RBAC still works when Enable group-based access control is turned on, so the two can be mixed, although this is not recommended.

Should I choose role-based or group-based access control?

If you are setting up SSO on a new site, choose RBAC.

If your site was already set up with SSO using group-based access control, it will still work, and no action is required. However, we recommend migrating to RBAC.

RBAC limitations

RBAC currently does not recognize nested group memberships. This reflects how Microsoft Entra ID builds the roles claim: a role assigned to a group is placed in the token only for users who are direct members of that group; membership inherited through a nested group is not expanded.

For example, if a user is a member of a group called Image Editors Sports, which in turn is a member of a group called DAM Editors, and the Editors role is assigned to DAM Editors, then a user who is a direct member of Image Editors Sports but not of DAM Editors will not receive the Editors role and so will not be added to the Fotoware group linked to it.

There are some possible workarounds:

  • Use group-based access control (RBAC and group-based access control can be used on the same site, with the security trade-off noted above).
  • Add users as direct members of the directory groups that have roles assigned. This is hard to keep consistent at scale, so use it carefully.
  • Assign the roles directly to the nested groups as well. This also adds some management overhead, but less than managing individual users.
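
To make the limitation concrete, here is an added example (Python; it is not Fotoware or Microsoft code and it contacts no directory) that models how the roles claim is computed from app role assignments: roles assigned to the user directly, plus roles assigned to groups the user is a direct member of, with no expansion of nested groups. The directory, user names and role names are constructed. It also implements the third workaround above, copying a parent group's role assignments onto the groups nested under it, and reports which users would be missing roles before the change.

```python
"""How app roles reach the token: direct membership only, no nested-group expansion.

Added example for this article; it is not Fotoware or Microsoft code and contacts
no directory. It models the rule described above: the roles claim contains roles
assigned to the user directly plus roles assigned to groups the user is a DIRECT
member of. A role assigned to a parent of one of the user's groups is not inherited.
All users, groups and role names below are constructed.
"""
from __future__ import annotations

# Constructed directory: group -> its direct members (users or nested groups).
DIRECTORY: dict[str, set[str]] = {
    "DAM Editors": {"Image Editors Sports", "alice@example.com"},
    "Image Editors Sports": {"bob@example.com"},
    "Image Editors News": {"carol@example.com"},
}

# Constructed app role assignments: principal (user or group) -> roles.
ASSIGNMENTS: dict[str, set[str]] = {
    "DAM Editors": {"Editors"},
    "dave@example.com": {"Administrators"},
}


def direct_groups(principal: str, directory: dict[str, set[str]]) -> set[str]:
    """Groups that list the principal (a user or a group) as a direct member."""
    return {g for g, members in directory.items() if principal in members}


def transitive_groups(user: str, directory: dict[str, set[str]]) -> set[str]:
    """Every group the user belongs to, walking up through nested groups (comparison only)."""
    seen: set[str] = set()
    frontier = list(direct_groups(user, directory))
    while frontier:
        g = frontier.pop()
        if g in seen:
            continue
        seen.add(g)
        frontier.extend(direct_groups(g, directory))  # parents of group g
    return seen


def roles_claim(user: str, directory, assignments) -> set[str]:
    """Roles Entra ID puts in the token: direct user assignments + direct group assignments."""
    roles = set(assignments.get(user, set()))
    for g in direct_groups(user, directory):
        roles |= assignments.get(g, set())
    return roles


def roles_with_nesting(user: str, directory, assignments) -> set[str]:
    """What an administrator may expect if nesting were honoured; it is not."""
    roles = set(assignments.get(user, set()))
    for g in transitive_groups(user, directory):
        roles |= assignments.get(g, set())
    return roles


def users_missing_roles(directory, assignments) -> dict[str, set[str]]:
    """Users whose token will lack roles they only hold through a nested group.
    Run this against a model of your own directory before cutting over to RBAC."""
    users = {m for members in directory.values() for m in members if m not in directory}
    users |= {p for p in assignments if p not in directory}
    gaps = {}
    for u in sorted(users):
        missing = roles_with_nesting(u, directory, assignments) - roles_claim(u, directory, assignments)
        if missing:
            gaps[u] = missing
    return gaps


def assign_roles_to_nested_groups(directory, assignments) -> dict[str, set[str]]:
    """Third workaround from the article: copy each group's role assignments onto the
    groups nested under it, so nested users receive the role via direct membership.
    Returns a new assignment table; the loop stops when no group gains a role."""
    fixed = {p: set(r) for p, r in assignments.items()}
    changed = True
    while changed:
        changed = False
        for parent, members in directory.items():
            for child in members:
                if child in directory:  # child is a nested group
                    merged = fixed.get(child, set()) | fixed.get(parent, set())
                    if merged != fixed.get(child, set()):
                        fixed[child] = merged
                        changed = True
    return fixed


if __name__ == "__main__":
    print("bob's roles claim:", roles_claim("bob@example.com", DIRECTORY, ASSIGNMENTS))
    print("users missing roles:", users_missing_roles(DIRECTORY, ASSIGNMENTS))
    fixed = assign_roles_to_nested_groups(DIRECTORY, ASSIGNMENTS)
    print("bob's roles claim after workaround:", roles_claim("bob@example.com", DIRECTORY, fixed))
```

In the constructed data, alice (a direct member of DAM Editors) receives the Editors role while bob (a member only through Image Editors Sports) receives nothing; after the third workaround is applied, bob's token carries Editors as well. The same pattern applies when comparing the membership a user holds under group-based access control with the roles they will hold after migrating.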

Setting up Role-Based Access Control (RBAC) for Microsoft Entra ID

  1. Define one or more app roles on the application in the Azure portal.
  2. Assign the roles to the groups and users that should be allowed to log into Fotoware.
  3. In the SSO settings, select Manage Linked Groups.
  4. Select Link New Group.
  5. Enter the role name exactly as defined in the Azure portal.
  6. Search for the Fotoware group to link to the role, or enter the name of a new group to create and link.
  7. Repeat steps 4 to 6 for every role.

Migrating from Group-Based Access Control to RBAC

You can migrate an existing SSO integration to RBAC without losing existing user accounts.

  1. Set up RBAC according to the instructions above.
  2. If any Fotoware groups are still linked to groups (rather than roles) in Microsoft Entra ID, unlink them.
  3. Turn off the Enable group-based access control option.
  4. In the Azure portal, remove the Directory.AccessAsUser.All permission from the application registration and revoke the admin consent granted for it. Because group-based access control depends on this permission, it cannot be turned back on afterwards without granting consent again, so confirm that users receive the expected roles before taking this step.

Choosing the Fotoware groups to link to AD groups

Linking groups is necessary for the following reasons:

  • A user who is a member of a linked group in Microsoft Entra ID is added to the corresponding Fotoware group when logging in with SSO.
  • A user who is assigned a linked role in Microsoft Entra ID is added to the corresponding Fotoware group when logging in with SSO.
  • A user must be added to at least one linked group when logging in with SSO; otherwise access to Fotoware is denied. The list of linked groups is therefore also the allow-list of who can sign in.

Groups in Fotoware can be linked to roles and groups in Microsoft Entra ID.

  1. Go to Site Configuration > Security > Single Sign-on.
  2. Open the Linked Groups tab and select Add linked group.
  3. In the dialog that opens, enter a Microsoft Entra ID role name in the External Group ID field.
  4. Select a value from the Group Name drop-down list or enter a group name. If the group does not already exist, it will be created.
  5. Select Add to add this group to the Linked Group list. Select Unlink if you need to remove the link to the group.

Assigning a license to group members

After choosing the groups to import, make sure you set group permissions and define a default license for members of that group.

At least one group that the user is a member of after login must have a default license. This can be fulfilled in any of the following ways:

  • One or more of the linked groups the user is added to have default licenses.
  • One or more Fotoware groups the user is already a member of have default licenses.
  • One or more groups of which any of the above groups are themselves members have default licenses (licenses are also inherited through indirect group membership).

If multiple groups have default licenses, the "best" license is assigned to the user the first time they sign in to Fotoware. You can change the license assigned to a user later.

Note: When a new group is created, its license level is set to None by default. Assign a license level to the group before users log in; otherwise they will receive a message that no license has been assigned to the group.
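
The rules in this section and in "Choosing the Fotoware groups to link to AD groups" interact, so here is an added example (Python; not Fotoware code) that models them together: which Fotoware groups a login produces from the roles (or, with group-based access control on, groups) in the token, the deny rule when no linked group matches, and which default license is picked, including licenses inherited through group-of-group membership. It assumes the token has already been validated. The ranking used to decide the "best" license is an assumption, because the page does not define it, and all group, role and user names are constructed.

```python
"""Model of the login rules on this page: linked groups, the deny rule, default licenses.

Added example for this article; not Fotoware code. It assumes the token from
Microsoft Entra ID has already been validated and models only the rules stated above:
  * each role (or, with group-based access control on, group) in the token that is
    linked to a Fotoware group adds the user to that group;
  * if no linked group matches, login is denied;
  * a default license is taken from any group the user belongs to after login,
    including groups those groups are members of (indirect membership);
  * among several candidates the "best" license wins; the ranking below is an
    assumption, the page does not define it.
All group, role and user names are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed ranking used to pick the "best" license; not defined by the article.
LICENSE_RANK = {"None": 0, "Viewer": 1, "Editor": 2, "Administrator": 3}


@dataclass
class FotowareGroup:
    name: str
    default_license: str = "None"                     # a new group starts with None
    member_of: set[str] = field(default_factory=set)  # Fotoware groups this group belongs to


@dataclass
class LoginResult:
    allowed: bool
    groups: set[str]
    license: str | None
    message: str


def expand_memberships(direct: set[str], site_groups: dict[str, FotowareGroup]) -> set[str]:
    """Direct groups plus every group reachable through group-of-group membership."""
    seen: set[str] = set()
    frontier = list(direct)
    while frontier:
        g = frontier.pop()
        if g in seen:
            continue
        seen.add(g)
        if g in site_groups:
            frontier.extend(site_groups[g].member_of)
    return seen


def provision_login(token_claims: dict, linked_groups: dict[str, str],
                    site_groups: dict[str, FotowareGroup],
                    existing_memberships=frozenset()) -> LoginResult:
    """linked_groups maps an External Group ID (a role or group from the token) to a Fotoware group."""
    external_ids = set(token_claims.get("roles", ())) | set(token_claims.get("groups", ()))
    joined = {linked_groups[x] for x in external_ids if x in linked_groups}
    if not joined:
        # Rule from the article: no linked group matched, so access is denied.
        return LoginResult(False, set(), None, "no linked group matched the token; access denied")
    all_groups = expand_memberships(joined | set(existing_memberships), site_groups)
    candidates = [site_groups[g].default_license for g in all_groups
                  if g in site_groups and site_groups[g].default_license != "None"]
    if not candidates:
        return LoginResult(True, all_groups, None, "no license has been assigned to the group")
    best = max(candidates, key=LICENSE_RANK.__getitem__)
    return LoginResult(True, all_groups, best, "ok")


# Constructed site configuration.
SITE_GROUPS = {
    "DAM Editors": FotowareGroup("DAM Editors", member_of={"Licensed Staff"}),
    "Licensed Staff": FotowareGroup("Licensed Staff", default_license="Editor"),
    "Site Admins": FotowareGroup("Site Admins", default_license="Administrator"),
    "Marketing": FotowareGroup("Marketing"),  # freshly created, license still None
}
LINKED_GROUPS = {"Editors": "DAM Editors", "Administrators": "Site Admins", "Marketing": "Marketing"}

if __name__ == "__main__":
    for claims in ({"roles": ["Editors"]}, {"roles": ["Editors", "Administrators"]},
                   {"roles": ["Marketing"]}, {"roles": []}):
        print(claims, "->", provision_login(claims, LINKED_GROUPS, SITE_GROUPS))
```

With this configuration a token carrying only Editors yields the Editor license even though DAM Editors itself has no default license, because DAM Editors is a member of Licensed Staff; a token carrying only Marketing logs the user in but produces the "no license has been assigned" message described in the note above, which is the situation to check for after creating a new linked group.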

Related topics

  • Organizing users into groups and setting group permissions
  • Good practice for organizing users in groups

What's next?

Next, you typically assign archive permissions to the groups you have imported. For more information, see Setting archive access and permissions.
