What is the University's central directory?

The University uses Microsoft’s Entra ID (formerly Azure Active Directory) as its directory service for users, groups and other objects. It is part of the Office 365 cloud suite.  

The University’s Microsoft Entra ID instance holds user details of many people from both inside the Collegiate University and also from outside. It is the recommended solution for authentication at Cambridge supporting both OpenID Connect and SAML2. 

Users in our Entra ID system are forced to authenticate using multi-factor authentication (MFA). 
 

Managing groups and other resources 

We do not support direct access to the Entra ID administration portal in Office 365. Instead, institutions can be given access to manage resources (for example, groups and application registrations) for their institution via the UIS delegated management tool, Toolkit.
 

Creating new users 

Users are created automatically based on data feeds from other systems, principally University Information Services' (UIS) identity and access management (IAM) system, Jackdaw.

We do not support manually creating users in Entra ID. We also take data feeds from:

  • Cambridge Human Resources Information System (CHRIS)
  • Cambridge Student Information System (CamSIS)
  • Lookup for some fields
     

Usernames 

In Entra ID terminology, the username is called the User Principal Name (UPN); refer to Microsoft's documentation for more in-depth information. A UPN looks a bit like an email address, for example fjc55@cam.ac.uk.

You must not assume that all users authenticated to you by the University’s Entra ID will have the domain of “@cam.ac.uk”. Application developers must treat the username as an opaque string because of these variations. 

An Entra ID identity says nothing about the status of the user. You must not assume a user authenticated by Entra ID is a member of staff or a student at Cambridge or one of its colleges. You must use other APIs to get information about a user, for example by separately interrogating Entra ID for the user's group membership.
 

Person’s name 

A person’s name can be set in several places. This is the algorithm used to populate the name fields in Entra ID: 

  • If the person’s Display Name and Registered Names in Lookup are different, use the name components from Lookup
  • If the person’s Display Name and Registered Names in Lookup are the same, use the person’s name components from the following systems in the order of: 
    • CHRIS as the highest priority 
    • CamSIS next priority 
    • Lookup as the source of last resort
       
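The precedence rule above, written out as an added example (this is not UIS or Jackdaw code). It assumes that Lookup, CHRIS and CamSIS each supply name components as a given name and surname, that a feed which has no record of the person supplies nothing, and that "different" means an exact string comparison of the Lookup Display Name and Registered Name; all of those are assumptions, and the records used in the usage call are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example, not UIS code: models the algorithm the page describes for
# choosing which system's name components populate the Entra ID name fields.


@dataclass(frozen=True)
class NameComponents:
    given_name: str
    surname: str


@dataclass(frozen=True)
class LookupRecord:
    display_name: str        # the person's chosen Display Name in Lookup
    registered_name: str     # the Registered Name in Lookup
    components: NameComponents  # assumed: Lookup also exposes name components


def resolve_name(lookup: LookupRecord,
                 chris: Optional[NameComponents],
                 camsis: Optional[NameComponents]) -> Tuple[str, NameComponents]:
    """Return (source, components) for the name that should be written to Entra ID."""
    # Rule 1: a Display Name that differs from the Registered Name is taken as
    # the person's own choice, so Lookup's components win outright.
    if lookup.display_name != lookup.registered_name:   # assumed: exact comparison
        return "lookup", lookup.components
    # Rule 2: otherwise walk the feeds in priority order, skipping any feed that
    # has no record of the person. Lookup is the source of last resort.
    for source, components in (("chris", chris), ("camsis", camsis)):
        if components is not None:
            return source, components
    return "lookup", lookup.components


if __name__ == "__main__":
    # Constructed records for illustration only.
    lookup = LookupRecord("Fred Bloggs", "Frederick Bloggs",
                          NameComponents("Fred", "Bloggs"))
    print(resolve_name(lookup, NameComponents("Frederick", "Bloggs"), None))
```

Because the fall-through only skips feeds that return no record, a person present in both CHRIS and CamSIS with an unchanged Lookup Display Name always gets the CHRIS components, which is the behaviour the page states.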

Extension attributes 

Objects in Entra ID can have multiple extension attributes that can be used to store data that does not fit into the normal object schema. UIS uses these for its own internal purposes. Users must not use these for any purpose. UIS provides no support for their use. 
 

Groups 

There are 2 broad categories of group within Entra ID: on-premise-hosted and cloud-hosted.

Previously we only supported the on-premise-hosted groups. We are now starting to support cloud-hosted groups and encourage users to use these types of group where possible. The UIS delegated management tool Toolkit can manage both categories of group. 

On-premise-hosted groups

These groups are created and managed via the on-premise Blue Active Directory. A tool called AD-Connect periodically synchronises these groups to Entra ID (typically every 30 minutes). These groups must be used if they are applied to resources/objects in Blue Active Directory. 

Cloud-hosted groups

These only exist in Entra ID and cannot be used in Blue Active Directory. 
 

Group types 

Both cloud-hosted and on-premise-hosted groups have 2 main types of group: 

  • Security group: these can be used for managing security (for example, giving permission) 
  • Mail-enabled security group: as well as security, these can be used to send email to their members (meaning it can act like an email distribution list) 

The cloud-only version of mail-enabled security groups has extra features above the on-premise-hosted ones: 

  • Ability to manage the group membership via Outlook. 
  • Ability to enforce message moderation. 

Central groups 

As well as allowing institutions to manage groups local to their institution, UIS also centrally provides some groups that they may find useful. 

Group name | Description | GUID
--- | --- | ---
uoc-users-staff | listed in the CHRIS data feed as a current member of university staff* | 1f440b90-597d-45b4-9a0d-11707f784de7
uoc-users-students | listed in the CamSIS data feed as a current student* | 0cbcd7fb-1f17-48fc-ac3e-4a22131fa92d
uoc-users-alumni | all alumni accounts (with a UPN of <crsid>@cantab.ac.uk) | bc7a045e-6775-423a-abc6-deac53b50712
uoc-users-cam-upn | all regular user accounts (with a UPN of <crsid>@cam.ac.uk). Roughly equivalent to the list of users authenticated by the old ucam-webauth protocol. | b7a0f932-5964-41b2-9bb0-9b8cadf6b999
uoc-user-guests | all guest accounts in Entra ID (external users invited to Teams or SharePoint) | 20c3c1f1-309f-497d-9169-3ac4907098a1
uoc-users-all | all accounts in Entra ID | cc2cdd8b-eace-4a4b-a950-9b989a183b97
<XXX>-members-from-camsis | Per-institution group listing all members as per the CamSIS data feed | 
<XXX>-members-from-chris | Per-institution group listing all members as per the CHRIS data feed | 

* User accounts can exist in zero, one or several of these groups. For example, a user may be in both the CamSIS and CHRIS data feeds.

Membership of these groups is defined by rules. We will not accept requests for exceptions to these rules. 
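The guidance in the Usernames section (treat the UPN as an opaque string, derive a user's status from group membership rather than from the identity itself) and the central groups table above can be combined into one small authorization helper. The following is an added example, not UIS code and not one of the sample application configurations UIS provides. The group object IDs are the ones in the table; everything else is an assumption: that the application receives a standard Entra ID token carrying oid, upn (or preferred_username) and groups claims, and that when a user belongs to too many groups for the token Entra ID omits the groups claim and lists it under _claim_names instead. The claim sets used at the bottom and in the usage note are constructed.

```python
import uuid
from dataclasses import dataclass

# Added example, not UIS code. Central group object IDs are taken from the
# table on this page; the token claims used for illustration are constructed.
CENTRAL_GROUPS = {
    "1f440b90-597d-45b4-9a0d-11707f784de7": "uoc-users-staff",
    "0cbcd7fb-1f17-48fc-ac3e-4a22131fa92d": "uoc-users-students",
    "bc7a045e-6775-423a-abc6-deac53b50712": "uoc-users-alumni",
    "b7a0f932-5964-41b2-9bb0-9b8cadf6b999": "uoc-users-cam-upn",
    "20c3c1f1-309f-497d-9169-3ac4907098a1": "uoc-user-guests",
    "cc2cdd8b-eace-4a4b-a950-9b989a183b97": "uoc-users-all",
}


class GroupsNotInToken(Exception):
    """The token carries no usable groups claim, so membership must be fetched
    separately (the page's advice: interrogate Entra ID for group membership)."""


@dataclass(frozen=True)
class Principal:
    oid: str            # tenant object id: the stable key for this account
    username: str       # the UPN, stored verbatim and never split on '@'
    groups: frozenset   # central group names, derived only from group object ids


def _as_guid(value):
    """Normalise a groups-claim entry to canonical lowercase GUID form.
    Non-GUID entries (a tenant may be configured to emit group names for
    synced groups) return None and are ignored by the caller."""
    try:
        return str(uuid.UUID(value))
    except (ValueError, AttributeError, TypeError):
        return None


def principal_from_claims(claims: dict) -> Principal:
    """Build a Principal from validated ID-token claims (signature, issuer,
    audience and expiry are assumed to have been checked by the OIDC library)."""
    if "groups" not in claims:
        # Assumed overage behaviour: groups omitted, pointer left in _claim_names.
        # Either way the answer is "unknown", never "member of nothing".
        if "groups" in claims.get("_claim_names", {}):
            raise GroupsNotInToken("group overage: look membership up out of band")
        raise GroupsNotInToken("token has no groups claim")
    names = set()
    for entry in claims["groups"]:
        guid = _as_guid(entry)
        if guid in CENTRAL_GROUPS:
            names.add(CENTRAL_GROUPS[guid])
    return Principal(
        oid=claims["oid"],
        username=claims.get("upn") or claims.get("preferred_username", ""),
        groups=frozenset(names),
    )


def is_current_staff(p: Principal) -> bool:
    return "uoc-users-staff" in p.groups


def is_current_student(p: Principal) -> bool:
    return "uoc-users-students" in p.groups


def is_regular_cam_account(p: Principal) -> bool:
    """Answer 'is this a regular <crsid>@cam.ac.uk account?' from membership of
    uoc-users-cam-upn, not by inspecting the domain part of the UPN."""
    return "uoc-users-cam-upn" in p.groups


if __name__ == "__main__":
    # Constructed claims: a UPN outside cam.ac.uk that is nonetheless in the
    # staff feed. Group ids are compared case-insensitively after normalisation.
    sample = {
        "oid": "00000000-0000-0000-0000-000000000001",
        "upn": "someone@example.org",
        "groups": ["1F440B90-597D-45B4-9A0D-11707F784DE7",
                   "cc2cdd8b-eace-4a4b-a950-9b989a183b97"],
    }
    p = principal_from_claims(sample)
    print(p.username, sorted(p.groups), is_current_staff(p), is_regular_cam_account(p))
```

The deliberate choice here is that nothing in the code ever reads the domain of the UPN: the constructed user with a non-cam address is still recognised as current staff because the staff group id is present, and is correctly not treated as a regular cam.ac.uk account because uoc-users-cam-upn is absent. Missing groups raise rather than silently granting an empty set, so an application cannot mistake the overage case for "not staff".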
 

Authenticating users 

Entra ID supports both SAML2 and OpenID Connect (OpenIDC), but we recommend the OpenIDC method because it is simpler to manage.

You can register your application via the Application Registration section in Toolkit. We provide sample application configurations for Apache 2, Django and WordPress.