I tried making this change, and tried both "SecurityGroup" and "All" for the values, but still cannot authenticate my group.
Is it necessary to restart FileMaker Server or clear any caches, etc. for this to take effect?
Thanks for your help on this.
No, I don't think so. But try it anyway.
I've tried a number of things.
I tried setting up a "guest" account and a normal account under my Azure domain.
In both cases, the accounts do not work, even if I add them specifically to the user lists. I'm getting an error on the Microsoft login page.
"ADSTS90093: This application requires application permissions to another application. Consent for application permissions can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators."
In addition, I'm finding the "auto" login very frustrating. The only way I can force a fresh login in Chrome is to clear the cache. In Firefox I haven't figured out how to override the defaults.
So at the moment, the only login I have working is my own Administrator level login, only when I specifically add my user name in FileMaker. My Azure account is a couple of years old, so I'm wondering if my account is stuck in some kind of legacy mode. I'm checking with Microsoft on this. I may just set up a new account, though that's not my preference.
OK, I've gotten past this issue.
Once you set up Application permissions and save them, you have to EXPLICITLY GRANT those permissions to the application for the AD Users. That at least allowed me to log in successfully as a "Guest" user, but ONLY by specifically including that user in the list of FileMaker Accounts. Still no success trying to use a group.
OK, two extra "hitches" that I had to work through.
1. After you set and save the Application Permissions in Azure, you click "Save", but that does not actually apply the settings to the application. You must go under the Application Security panel and click "Grant Permissions".
2. When using Groups in Azure, you DO NOT USE THE GROUP NAME. The Name is for Display purposes only. You MUST use the GROUP's ID#. This is kind of spelled out in the FileMaker Security Dialog when assigning the Group, but I was looking past it.
3. Make the edit to the Manifest as Wim directs above to use Groups!
Once you have the permissions granted in Azure AD, adjust the Manifest, AND use the GROUP ID, bingo!
Hope this helps someone else. If this was covered elsewhere, excuse my glossing over those details.
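A diagnostic sketch for the group hitches worked through in this thread, added here as an example and not posted by any participant: it decodes a token's payload and reports why a configured group would or would not match. It assumes Azure AD lists memberships as object IDs in a `groups` claim once the manifest's `groupMembershipClaims` is set to "SecurityGroup" or "All"; the function names, the token, and the GUID are constructed for illustration.

```python
import base64
import json
import re

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
SAMPLE_GROUP_ID = "11111111-2222-3333-4444-555555555555"  # constructed value


def jwt_payload(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def diagnose_group(token, configured_group):
    """Explain why the group configured on the FileMaker side matches or not."""
    claims = jwt_payload(token)
    if not GUID_RE.match(configured_group):
        return "configured value is a display name, not an object ID"
    if "groups" in claims:
        if configured_group.lower() in (g.lower() for g in claims["groups"]):
            return "match"
        return "groups claim present, but this object ID is not in it"
    if "groups" in claims.get("_claim_names", {}):
        # Overage: too many memberships to list inline in the token.
        return "overage: memberships are not listed in the token"
    return "no groups claim: check groupMembershipClaims in the manifest"


def make_token(claims):
    """Build an unsigned, constructed token for the demonstration."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


if __name__ == "__main__":
    with_groups = make_token({"upn": "guest@example.com", "groups": [SAMPLE_GROUP_ID]})
    without_groups = make_token({"upn": "guest@example.com"})
    print(diagnose_group(with_groups, SAMPLE_GROUP_ID))     # group ID configured
    print(diagnose_group(with_groups, "FM-Users"))          # display name configured
    print(diagnose_group(without_groups, SAMPLE_GROUP_ID))  # manifest not edited
```

Paste a real ID token only on a trusted machine; the decode step skips signature validation, so its output is for troubleshooting and never for an access decision.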