Using Haivision Hub with Azure Active Directory
When logging in to Haivision Hub using Azure Active Directory (AD), you may encounter an “Approval Required” prompt.
This is due to a policy setting in your organization's deployment of Azure Active Directory. Consequently, approval from your organization's network administrator is needed to authorize Haivision Hub as a client and allow single sign-on with your Azure AD account. Since Haivision Hub doesn't request any internal access beyond basic identity verification, approving Haivision Hub to use AD authentication is a relatively easy and low-risk task for your network administrator.
Tip
While the decision is up to your organization's IT administrators, Haivision recommends enabling all users of your Azure AD to authenticate to Haivision Hub. This will make it easier for you to grant new users access to Haivision Hub and eliminate the need for your IT organization to grant authorization for each user individually.
The first time a user with an Azure account tries to log in, Haivision Hub requests information from your organization’s AD authentication service.
We typically recommend that customers sign in with the SSO credentials they normally use for their organization. The Azure AD warning seems ominous, but Haivision Hub doesn’t actually collect anything significant from your AD.
Haivision Hub does need to know the users’ email addresses and display names. Using Azure B2C with the Microsoft Graph API, we request the lowest level of permission that grants us the email address: User.ReadBasic.All. From the Microsoft Graph API Permissions Reference:
The User.ReadBasic.All permission constrains app access to a limited set of properties known as the basic profile. This is because the full profile might contain sensitive directory information. The basic profile includes only the following properties:
- displayName
- givenName
- photo
- surname
- userPrincipalName
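As an added example (not Haivision's or Microsoft's code), an administrator can confirm what was actually consented to by reviewing the app's delegated grants from Microsoft Graph's oauth2PermissionGrants collection. The sketch below audits a constructed response; the client ID placeholder and every expected scope other than User.ReadBasic.All are assumptions, and all grants are assumed to target Microsoft Graph.

```python
import json

# Assumption: scopes the administrator expects this app to hold. Only
# User.ReadBasic.All is named on the page; the sign-in scopes are assumed.
EXPECTED_SCOPES = {"User.ReadBasic.All", "openid", "profile", "email", "offline_access"}

# Constructed sample shaped like a GET /oauth2PermissionGrants response.
# All IDs are placeholders, not real tenant values.
SAMPLE = json.loads("""
{"value": [
  {"id": "grant-1", "clientId": "HUB-SP-PLACEHOLDER", "consentType": "AllPrincipals",
   "principalId": null, "scope": "openid profile User.ReadBasic.All"},
  {"id": "grant-2", "clientId": "HUB-SP-PLACEHOLDER", "consentType": "Principal",
   "principalId": "USER-PLACEHOLDER", "scope": " User.Read.All Directory.Read.All"},
  {"id": "grant-3", "clientId": "OTHER-SP-PLACEHOLDER", "consentType": "AllPrincipals",
   "principalId": null, "scope": "Mail.Read"}
]}
""")

def audit_grants(response, client_id, expected=EXPECTED_SCOPES):
    """Return one finding per delegated grant held by client_id."""
    expected_lower = {s.lower() for s in expected}
    findings = []
    for grant in response.get("value", []):
        if grant.get("clientId") != client_id:
            continue  # grant belongs to a different application
        # 'scope' is a space-separated string and may carry a leading space.
        scopes = (grant.get("scope") or "").split()
        unexpected = sorted(s for s in scopes if s.lower() not in expected_lower)
        findings.append({
            "grant_id": grant.get("id"),
            # AllPrincipals = admin consent for every user in the tenant;
            # Principal = consent recorded for a single user.
            "tenant_wide": grant.get("consentType") == "AllPrincipals",
            "principal": grant.get("principalId"),
            "unexpected_scopes": unexpected,
        })
    return findings

if __name__ == "__main__":
    for f in audit_grants(SAMPLE, "HUB-SP-PLACEHOLDER"):
        status = "REVIEW" if f["unexpected_scopes"] else "ok"
        print(status, f)
```

A grant whose `unexpected_scopes` list is non-empty holds more than the basic-profile permission described above and is worth reviewing before approval is extended to all users.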
For more information, refer to these Microsoft articles on Azure AD user consent workflows: