itemit supports integration with Microsoft Entra ID (formerly Azure Active Directory). If your organisation uses on-premises Active Directory, you can synchronise it with Microsoft Entra ID and connect it to itemit.
You can select user groups within Active Directory and assign them specific roles and access permissions in itemit. Users will then be able to sign in using their existing Active Directory credentials and access all standard itemit features.
itemit Active Directory settings:
1. Open https://web.itemit.com and sign in to your itemit workspace as an Owner or Admin.
2. Click the Settings button in the top-right corner and select Active Directory Integration from the menu on the left.
3. Click the Connect button to begin the setup.
4. You will see a popup named "Connect to Azure Active Directory" appear.
Microsoft Entra ID (formerly Azure AD) Settings
1. In a second browser tab or window, open the Microsoft Azure portal (https://portal.azure.com) and sign in using your organisation's Owner or Administrator account.
2. Select View in the Manage Azure Active Directory section, or alternatively choose Microsoft Entra ID if that option is shown.
3. You will now see your organisation’s Active Directory overview page. In the left-hand menu, under the Manage section, select App registrations, then click New registration at the top.
4. Enter an application name, for example "itemit". Then, under "Supported account types", select "Accounts in this organizational directory only" and click "Register".
5. Once the registration is complete, you will be taken to the application overview page. In the left-hand menu, under the Manage section, select API permissions.
6. In the "API permissions" page, select "Add a permission". You will need to select and then grant a number of permissions, so itemit can get Active Directory users and groups data from your organisation directory.
7. In the Add permissions pane, select Microsoft Graph, then choose Delegated permissions.
Below, in the Permissions column, open the OpenID permissions section and select the following:
email
offline_access
profile
Then, scroll down to the User section and select: User.Read
These permissions are required for successful login of an Active Directory user into itemit, using their Active Directory login and password.
8. After selecting the 4 delegated permissions above, select "Application permissions" at the top, then search for and select the following application permissions:
Directory > enter Directory.Read.All
Group > Group.Read.All
User > User.Read.All
Finally, select "Add permissions" at the bottom.
9. If everything has been successful, you will see the following list of permissions.
10. Click "Grant admin consent for ... " and approve. Make sure the Status is "Granted for ..." for each of the permissions.
11. Now you need to add a secret key so itemit can securely communicate with Active Directory. In the left-hand menu, under the Manage section, select Certificates & secrets, then click New client secret.
12. Enter a description for the new secret, for example "itemit secret", and select the maximum expiry date of 24 months. Click "Add".
13. Important! After your new secret is created, copy and securely save its "Value", as you won't be able to see it again.
14. Now you will need to set up app Authentication so Active Directory users will be able to log in using their accounts on the itemit website and mobile apps.
Select "Authentication" on the left side and then select "Add a platform" in platform configurations.
14.1. (optional) If you don't need your users to log in on web.itemit.com, you can skip this step. In "Configure platforms", select "Single-page application".
Then in "Redirect URIs" enter "https://web.itemit.com" and click "Configure".
If everything is correct you should see the same section "Single-page application" as below.
14.2 (optional) If you don't need your users to log in on the itemit Android app, you can skip this step.
Click "Add a platform" and select "Android" in "Mobile and desktop applications" section.
Please enter following details, then click "Configure":
Package name: com.redbite.itemit
Signature hash: WDAkVt0lK9Nob+82mOBkFKs1ieU=
14.3 (optional) If you don't need your users to log in on the itemit iOS app, you can skip this step.
Click "Add a platform" and select "iOS / macOS" in "Mobile and desktop applications" section.
Please enter Bundle ID: com.redbite.redthings then select "Configure" and "Done".
Once done go back to "Overview" section on the left side.
15. Verify and copy your Azure / Microsoft Entra ID authentication credentials:
On the App registration overview page, copy the following details required for the integration with itemit:
Application (client) ID → Client ID
Directory (tenant) ID → Tenant ID
Secret Value → Client Secret (the Value created and saved in step 13, not the Secret ID)
Domain → Domain Name (you can find it by clicking the application Display Name link; the Publisher domain field shows your Domain Name)
All of these details will be needed to complete the integration with itemit.
Now you are ready to integrate Active Directory with your itemit workspace!
16. Open web.itemit.com and navigate to Active Directory Integration, then enter your application credentials.
• Add your credentials as described in step 15.
• Click Next Step to continue.
16.1 Now you can select an Active Directory group with the users you want to give access to itemit.
Important! Currently we only support synchronisation by groups. Your Active Directory will need groups with assigned users in order to sync those users to itemit.
16.2 In the next step, select the itemit role and access for members of that AD group. As when sharing with itemit users, you can share the whole workspace or just a subset: a collection or location.
16.3 If everything was completed successfully, you will see the message "Add AD group successfully".
The newly added group will also appear in the section below with its group name, role and access description.
If you want to add additional groups, you can select "Add New Group" and repeat the process.
Important!
To be successfully imported into itemit, the Active Directory user must have First name, Last name and email set in their user profile in Active Directory. Users that are missing any of these properties will be ignored.
Active Directory users can only be in one group in the workspace at the same time. If you are synchronising another group which has the same user, the group will be synchronised except for that user, and you will get an error message informing you which user wasn't synchronised.
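The two rules above can be checked before a sync by exporting each group's members and running them through a small script. This is an added example, not part of itemit; it assumes the members are exported as Microsoft Graph user objects and that "First name, Last name and email" correspond to the Graph properties `givenName`, `surname` and `mail`, which the page does not specify.

```python
import json

# Constructed sample: members of two groups, shaped like Microsoft Graph
# user objects (id, givenName, surname, mail). Not real directory data.
SAMPLE = json.loads("""
{
  "Warehouse": [
    {"id": "u1", "givenName": "Ana", "surname": "Diaz", "mail": "ana@example.com"},
    {"id": "u2", "givenName": "Bo", "surname": null, "mail": "bo@example.com"},
    {"id": "u3", "givenName": "Cy", "surname": "Ng", "mail": ""}
  ],
  "Auditors": [
    {"id": "u1", "givenName": "Ana", "surname": "Diaz", "mail": "ana@example.com"},
    {"id": "u4", "givenName": "Di", "surname": "Roy", "mail": "di@example.com"}
  ]
}
""")

# Assumption: itemit's "First name, Last name and email" correspond to these
# Graph properties; the page does not name the attributes it reads.
REQUIRED = ("givenName", "surname", "mail")


def presync_report(groups):
    """Return (ignored, conflicts) for groups synced in the given order.

    ignored:   {group: [(user id, [missing properties])]}
    conflicts: {user id: (group that keeps the user, [groups that skip them])}
    """
    ignored, owner, conflicts = {}, {}, {}
    for group, members in groups.items():
        for user in members:
            missing = [p for p in REQUIRED if not (user.get(p) or "").strip()]
            if missing:
                ignored.setdefault(group, []).append((user["id"], missing))
                continue  # an ignored user never occupies a group slot
            first = owner.setdefault(user["id"], group)
            if first != group:
                conflicts.setdefault(user["id"], (first, []))[1].append(group)
    return ignored, conflicts


if __name__ == "__main__":
    ignored, conflicts = presync_report(SAMPLE)
    print("ignored:", ignored)
    print("conflicts:", conflicts)
```

Users listed under `ignored` need their profile completed in the directory; users listed under `conflicts` need to be left in only one of the groups added to the workspace.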
Important!
Currently there is an automatic synchronisation of users in groups which runs every midnight (UTC time).
If you make any changes in your Active Directory groups (remove or add members) and want to see changes in itemit, you will need to go to itemit web portal Settings → Active Directory Integration and resync affected groups so itemit can get all the changes.
Imported AD users have limited rights compared to normal users.
They can't:
edit their own data
create personal workspace
leave shared workspace
share a workspace or be shared with another workspace (other than being shared via the AD configuration)
manage AD configuration
Personalised Active Directory shortcut URL for login
To simplify login for Active Directory users, itemit accepts the configured domain name as a URL query parameter: https://web.itemit.com/?domain=domainName or https://web.itemit.com/login?domain=domainName
So, for example, if your Active Directory domain name is redbite.com, then the shortcut URL for login will be https://web.itemit.com/?domain=redbite.com or https://web.itemit.com/login?domain=redbite.com
You can share these URLs with your Active Directory users so they won't need to type in the domain name when logging in to itemit.
Common Q&A:
Q: How can I remove a single AD user from itemit?
A: In order to remove a single AD user you will need to go to your MS Active Directory integration and remove the specified user from the relevant group which you added to itemit. After that, you will need to synchronise the same group in itemit and this user will be removed from itemit.
Q: How can I remove a whole AD group?
A: In itemit, open "Active Directory Integration" in "Settings", find the group that you want to remove and click the remove icon. Type "REMOVE" in the popup window and click remove. This will remove the group and all of its users from itemit.
Q: How can I update/change permissions of the users in AD Group?
A: Directly updating AD group permissions within itemit is not possible. Instead, you will need to remove the group first and then re-add this group back, selecting new permission levels at this point.
Q: My AD synchronisation was working fine, but recently stopped working. What can be the reason?
A: If you haven't made any changes in your Microsoft Active Directory integration, then it could be that your secret has expired. Please follow steps 11-13 of this integration guide to create a new secret and copy the new secret value (not the secret ID). After that, open "Active Directory Integration" under "Settings" on the itemit website, select "Edit Configuration" and enter the new client secret there. After you have saved the configuration with the new client secret, try to synchronise again to see if the problem is solved. If this has not solved the problem, please reach out to the itemit team at [email protected].
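An expired secret can be spotted before synchronisation stops by checking the expiry dates on the app registration. The script below is an added example, not itemit tooling; it assumes the secrets have been exported as the `passwordCredentials` list of the Microsoft Graph application object, and the sample entries are constructed.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the passwordCredentials list of a Microsoft
# Graph application object. keyId is what the portal shows as "Secret ID";
# the secret Value itself is never returned after creation.
SAMPLE = json.loads("""
[
  {"keyId": "00000000-0000-0000-0000-000000000001",
   "displayName": "itemit secret (old)",
   "endDateTime": "2025-03-01T09:30:00.1234567Z"},
  {"keyId": "00000000-0000-0000-0000-000000000002",
   "displayName": "itemit secret",
   "endDateTime": "2025-03-30T09:30:00Z"},
  {"keyId": "00000000-0000-0000-0000-000000000003",
   "displayName": null,
   "endDateTime": "2026-03-10T09:30:00Z"}
]
""")


def parse_graph_time(value):
    """Parse a Graph timestamp; drop fractional seconds, treat Z as UTC."""
    value = re.sub(r"\.\d+", "", value).replace("Z", "+00:00")
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def secret_status(credentials, now, warn_days=30):
    """Return [(label, state, days_left)] sorted soonest-expiring first."""
    report = []
    for cred in credentials:
        left = parse_graph_time(cred["endDateTime"]) - now
        if left <= timedelta(0):
            state = "expired"
        elif left <= timedelta(days=warn_days):
            state = "expiring"
        else:
            state = "ok"
        report.append((cred.get("displayName") or cred["keyId"], state, left.days))
    return sorted(report, key=lambda row: row[2])


if __name__ == "__main__":
    now = datetime(2025, 3, 10, 9, 30, tzinfo=timezone.utc)  # fixed for the sample
    for row in secret_status(SAMPLE, now):
        print(row)
```

Once a replacement secret has been entered in itemit and a sync has succeeded, the expired entry can be deleted from the app registration so that only the secret in use remains.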
Q: What happens when an AD User is deleted from itemit?
A: When an AD user is deleted from itemit, they will no longer be able to log into itemit or access the system. They will no longer appear in the users list. Their name will still be assigned to any items they were assigned to, so they will need to be removed from these where applicable. Their name will also still appear in relevant History sections if they have performed any actions with items. Their names will still appear as associated with any comments they previously left on items. If you would like their name removed for GDPR purposes, please contact us at [email protected].






























