# KeyNect Set-up

The customer’s IT department is responsible for creating and maintaining the user accounts/roles for KeyNect within the customer’s Entra ID tenant within their Azure Portal.

### KeyNect Licencing

To use KeyNect you must be a licenced user. Licences are for individual users and cannot be shared across multiple users. 

### KeyNect Access

KeyNect uses the users Microsoft account credentials to login. The same details used to login to Outlook or another Microsoft account.

Users must log into the KeyNect portal as one of the Customer Roles as mentioned [below](#user-roles) (Admin, Standard or Read-Only) in order to create calls or access their relevant areas.

### Microsoft Entra ID

The customer will need to provide Omfax their **tenant Id** for their Entra Id tenant to which the KeyNect users will belong to and **preferred email domain**.

**All** users of KeyNect must be logged in via Microsoft Entra ID and must be business users (i.e. in a tenant of their own - not a Home or Hotmail user). 

The customer's IT department will make the KeyNect application available to users within the customer's company and setup the permissions for each of their users ensuring the customer's IT department has control over onboarding new staff and clearing leavers.

### External User (e.g. Out of Office / On Site Engineer)

KeyNect supports the concept of authorised users from another organisation having access to video call resources (videos and images) that they did not themselves create.

This is intended to allow external site-contractors to have read-only access to those resources as required. These users can choose to have read-only access only, or purchase licenses to make their own video calls.

Contractors who are external to the customer's domain can gain access in two ways:

1. By being given an email address within the customer domain via the customer's Entra ID 
2. By incorporating KeyNect into their Entra ID environment and being setup to be a 'guest' domain of the customer that wishes to share their call videos and images (rights to make calls can also be given for sub-contractors also)

### Call-Centre - Subcontractor User

KeyNect supports the concept of authorised users from another organisation having call-centre rights to use KeyNect on another company's behalf via Keyfax.

This is intended to allow external call-centre contractors to have access to make video calls from Keyfax using KeyNect against a central account managed by the main licensor.

### Entra ID User Set Up

Users are assigned roles created within the ‘KeyFax KeyNect’ application definition within the Azure 'Omfax Systems Ltd - Apps Tenant'. These roles (along with the app) only become available once a 'Global Administrator' user from the customer's Azure Tenant has given Admin Consent to KeyFax KeyNect.

A member of your IT Team must follow the process below:

1. Login as a user with 'Global Administrator' role for the customer's Entra ID tenant within the Azure Portal.
2. Copy the tenant ID for their tenant and add to the URL in 3, below.
3. Navigate to and login as the same user used above (in 1): [https://login.microsoftonline.com/\[customer-tenant-id-goes-here\]/v2.0/adminconsent?client\_id=1e05bf31-0cf5-426c-bcb4-dbe2abd3af42\&redirect\_uri=https://keynect.biz/Welcome\&state=12345\&scope=User.Read%20access\_as\_user](https://login.microsoftonline.com/452fb554-60fc-49fc-b403-9cabece4d68c/v2.0/adminconsent?client_id=1e05bf31-0cf5-426c-bcb4-dbe2abd3af42\&redirect_uri=https://keynect.biz/Welcome\&state=12345\&scope=User.Read)
4. Give admin consent where this information is then displayed (by pressing the 'Accept' button)

<figure><img src="https://2882349412-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MARm6St_qFGM52R3pBa%2Fuploads%2FqjwShNUl8a6NBnaYuQ40%2FEntra%20ID%20Permissions.png?alt=media&#x26;token=b085ae6b-7704-44c9-b7a6-7b7d08965a2a" alt=""><figcaption></figcaption></figure>

5. This will create a service principal for the application within the customer's own tenant
6. Switch back to the Azure Portal and search for the 'Enterprise Application' 'Keyfax KeyNect'
7. Navigate to the 'Users and groups' blade within the 'Keyfax KeyNect' 'Enterprise Application'
8. Click on 'Add user/group' - from here the customer may assign the following roles to any users within their organisation (whether those users are invited guests to the customer's tenant or created within the customer's tenant):
   * 'Customer Admins'
   * 'Customer Users'
   * 'Customer ReadOnly Users'
   * Any other roles assigned will \[in most cases] not be supported (e.g. those roles postfixed with (Development) or (Test) as these are only available via prior arrangement with Omfax Systems Ltd. To keep things simple a test environment for KeyFax should be set to work against the production version of KeyNect - only where specific upgrades to KeyNect are required to go through Test might these extended roles be an option for customers and only by prior arrangement)
9. From this point forward it is the responsibility of the customer's IT department to manage the users and roles (and therefore access) to the 'Keyfax KeyNect' application. A user with no roles will still be able to 'see' the KeyFax KeyNect application but is limited to the About page only.

Omfax will monitor the number of concurrent users per month to give an indication of adherence to the license agreements with regard of number of users.

### KeyNect User Roles

There are three types of user roles within KeyNect.&#x20;

<table data-header-hidden><thead><tr><th valign="top"></th><th valign="top"></th><th valign="top"></th></tr></thead><tbody><tr><td valign="top"><strong>Role</strong></td><td valign="top"><strong>Permissions</strong></td><td valign="top"> Suitabl<strong>e for</strong></td></tr><tr><td valign="top">Customer Admin</td><td valign="top"><p>Can edit the configuration for the customer, including splash page customisations for desktop and mobile, also able to do any of the actions of the other two roles.</p><p> </p><p>Access:</p><p>·       Call Resources</p><p>·       Customisation</p><p>·       Call Classifiers</p><p>·       Create Call</p><p>·       Reports</p><p>·       API Documentation</p><p>·       About Keyfax KeyNect</p></td><td valign="top">IT staff and Operational Managers to control the settings and parameters of KeyNect.</td></tr><tr><td valign="top">Customer User</td><td valign="top"><p>Can create calls using Keyfax or KeyNect, can search for their own calls and view call resources of their own calls (videos and images).</p><p> </p><p>Access:</p><p>·       Call Resources</p><p>·       Create Call</p><p>·       About Keyfax KeyNect</p></td><td valign="top"><p>Front line staff who need to make outbound calls either through Keyfax or directly via KeyNect.</p><p> </p><p>Contractors who need to make outbound calls from the KeyNect portal.</p></td></tr><tr><td valign="top">Customer Read-Only User</td><td valign="top"><p>Cannot make calls, but can search for calls and view their own call resources of any user (videos and images).</p><p> </p><p>Access:</p><p>·       Call Resources</p><p>·       About Keyfax KeyNect</p></td><td valign="top">Support staff and contractors who only need to view call history and associated photos and video.</td></tr></tbody></table>

{% hint style="info" %}
Access to the 'Create Call' tab can be disabled if required for standard users so they can only create calls through Keyfax.
{% endhint %}

### Entra ID - Azure Portal

Below are some examples of what the customer can see in their Azure Portal for KeyNect.

Automatically (optionally) allow users to request access by simply visiting the site and trying to login – when they do this the assignation of a default Role (e.g. ‘Customer User Read Only’) can also be configured to occur automatically using this page:

<figure><img src="https://2882349412-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MARm6St_qFGM52R3pBa%2Fuploads%2Fo2qzX0T5izgAJoucjonD%2FEntra%20ID%20Settings1.png?alt=media&#x26;token=94b9e805-b697-491a-8d0d-5f7f3a67302a" alt=""><figcaption></figcaption></figure>

Users can be given specific login flows (with or without two factor authentication – 2FA) depending on their user groups within their organisation (e.g. CPN workers can be forced to use 2FA whilst internal network users need not):

<figure><img src="https://2882349412-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MARm6St_qFGM52R3pBa%2Fuploads%2FsQc1UnUpA5C7z3YCTZMZ%2FEntra%20ID%20Settings2.png?alt=media&#x26;token=95268e87-e113-4d18-b795-f924b7d49f98" alt=""><figcaption></figcaption></figure>

User’s login history can be tracked from with Azure by the customer without needing to resort to KeyNect reporting (accurate reporting \[over date ranges] of logins can be viewed or data exported):

<figure><img src="https://2882349412-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MARm6St_qFGM52R3pBa%2Fuploads%2Fvim2Oyo7AujhL8ndgIIR%2FEntra%20ID%20Settings3.png?alt=media&#x26;token=eb7e4b42-587c-4454-9c7c-4e286b29dc5a" alt=""><figcaption></figcaption></figure>

Changes to permissions/roles can be reported on using Audit Logs within Entra ID for the company:

<figure><img src="https://2882349412-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MARm6St_qFGM52R3pBa%2Fuploads%2FH96rSuiPk1ClTRBhU9Dg%2FEntra%20ID%20Settings4.png?alt=media&#x26;token=d3ea05e8-bc82-4af0-8d38-2b0f1d1f6c74" alt=""><figcaption></figcaption></figure>