Managing RealVNC Connect users, roles and groups with Entra ID/Azure AD

If you or your organization have enabled RealVNC Connect's Account SSO and linked your RealVNC Connect Team to Entra ID/Azure AD, you will no longer be able to invite people and assign roles within the RealVNC Connect Portal. Instead, all people and role assignments are managed in Entra ID/Azure AD. To discuss enabling SSO for your subscription, please contact us.

Managers and Admins can use the RealVNC Connect Portal to view the current members of the team, but cannot use it to add, remove* or edit members. The list of members in the RealVNC Connect Portal only includes those who have signed in at least once.

* While there is a Remove button in the RealVNC Connect Portal, if the user is still assigned an app role within the Entra ID/Azure AD app (VNC-Connect-SSO), they will be automatically re-added to the team when they next sign in.

Membership and role changes made within Entra ID/Azure AD are not immediately reflected within RealVNC Connect, and will instead update as below:

  • If a user is signed in, then the changes will be applied within an hour
  • If a user is not signed in, then the changes will be applied when they next sign in

Adding the VNC-Connect-SSO app to Entra ID

The VNC-Connect-SSO Enterprise app shown in this guide is only available by working with our Product Support team to link your RealVNC Connect Team to your Entra ID/Azure AD tenant.

If your subscription includes Account SSO, please submit a ticket here to start the SSO onboarding process.

RealVNC Connect users, roles and groups are managed by the VNC-Connect-SSO Enterprise app in Entra ID. This app is not available in the Entra ID app gallery and does not require you to create an app registration.

Instead, when signing in to RealVNC Connect with SSO for the first time after it has been enabled by our Product Support team, you will be prompted to consent to using the VNC-Connect-SSO app, as shown below.

We recommend that an Entra ID administrator performs the first sign-in and checks the "Consent on behalf of your organisation" checkbox so that remaining users do not have to consent when they sign in.

Managing user and group assignments

  1. Navigate to the Entra ID/Azure AD portal, and sign in with an account that has appropriate permissions to assign users/groups to Enterprise applications
  2. Click Enterprise applications from the menu

  3. Click the VNC-Connect-SSO app from the list

  4. Click Assign users and groups in the Getting Started section, or Users and groups on the left menu

Assigning new roles

  1. Click Add user/group at the top

  2. Select the users and/or groups you'd like to grant access to RealVNC Connect, by clicking None Selected and then selecting from the list that appears
    Note, group assignment may require Entra ID/Azure AD Premium P1 or above

  3. Select the role that you would like to assign to the selected users/groups
    Note, only 1 role can be selected. To assign a second role, e.g. Technician for On-Demand Assist, if included in your subscription, follow these steps again

  4. When you have completed your selections, click Assign

  5. The selected users and role assignments will appear in the list, and the users are able to sign in to RealVNC Connect!

Editing role assignments

  1. To edit an assigned role, select the user or group and click Edit

  2. Select the role that you would like to assign

  3. Click Assign and the selected user/group role will be updated

Removing role assignments

  1. To remove an assigned role, select the user or user group and click Remove

Linking Entra ID/Azure AD Security Groups to RealVNC Connect People Groups

RealVNC Connect's Account SSO makes it possible to link Entra ID/Azure AD security groups to RealVNC Connect's people groups, allowing you to manage group membership (e.g. for computer discovery permissions) in Entra ID/Azure AD instead of the RealVNC Connect Portal.

Once a group is linked, its members can no longer be viewed or edited in the RealVNC Connect Portal. Any users currently in the group are removed and replaced by users that are members of the Entra ID/Azure AD Security Group. Adding or removing members from the Entra ID/Azure AD Security Group will cause those users to be automatically added or removed from the RealVNC Connect group.

When a group is unlinked, it retains any members it had when it was linked, but these members are no longer automatically updated from Entra ID/Azure AD and can now be edited within the RealVNC Connect Portal.

Group changes made within Entra ID/Azure AD are not immediately reflected within RealVNC Connect, and will instead update as below:

  • If a user is signed in, then the changes will be applied within an hour
  • If a user is not signed in, then the changes will be applied when they next sign in

Linking a group

  1. Follow the steps for Assigning new roles (above) to assign the Security group a role in RealVNC Connect
  2. Select the group from the list of Users and Groups in the VNC-Connect-SSO Enterprise app

  3. Copy the group's object ID

  4. Sign in to the RealVNC Connect Portal using an SSO account that has been assigned as a Manager or Admin
  5. Click People on the left menu, then select Groups from the top menu.

  6. Choose to either Create a new group, or edit an existing user group using the 3 dots button next to the group

  7. If creating a new group, enter the name of the group. For new and existing groups, select Link to an organization group and enter the Entra ID/Azure AD group's object ID. Click Save

  8. The group will be synced with Entra ID/Azure AD and ready to use in RealVNC Connect.
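
Because the Portal's member list only shows people who have signed in at least once, and a user removed there is re-added while they still hold an app role, the complete picture of who can reach RealVNC Connect is the set of app role assignments on VNC-Connect-SSO. The following read-only review script is an added example, not RealVNC's or Microsoft's own code; it covers both the role assignment steps and the group object IDs used for linking, and assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account can consent to the two read scopes shown.

```powershell
#Requires -Modules Microsoft.Graph.Applications, Microsoft.Graph.Groups
# Added example: read-only access review of the VNC-Connect-SSO enterprise app.
Connect-MgGraph -Scopes 'Application.Read.All', 'GroupMember.Read.All'

$appName = 'VNC-Connect-SSO'   # display name as given in this article
$found = @(Get-MgServicePrincipal -Filter "displayName eq '$appName'" -All)
if ($found.Count -ne 1) {
    throw "Expected exactly one '$appName' service principal, found $($found.Count)"
}
$sp = $found[0]

# Map app role IDs to display names. The roles are whatever the app
# publishes in this tenant; none are hard-coded here.
$roleName = @{}
foreach ($r in $sp.AppRoles) { $roleName[[string]$r.Id] = $r.DisplayName }

$report = foreach ($a in Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All) {
    $role = $roleName[[string]$a.AppRoleId]
    if (-not $role) { $role = "(unknown role $($a.AppRoleId))" }

    # Direct assignment. For a Group row, ObjectId is the value entered
    # under "Link to an organization group" in the RealVNC Connect Portal.
    [pscustomobject]@{
        Principal = $a.PrincipalDisplayName; Type = $a.PrincipalType
        ObjectId  = $a.PrincipalId;          Role = $role
        Via       = 'direct';                Assigned = $a.CreatedDateTime
    }

    if ($a.PrincipalType -eq 'Group') {
        # Entra applies group-based app assignment to direct members only,
        # so nested groups are deliberately not expanded.
        foreach ($m in Get-MgGroupMember -GroupId $a.PrincipalId -All) {
            if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
            [pscustomobject]@{
                Principal = $m.AdditionalProperties['userPrincipalName']; Type = 'User'
                ObjectId  = $m.Id;                                        Role = $role
                Via       = "group: $($a.PrincipalDisplayName)";          Assigned = $a.CreatedDateTime
            }
        }
    }
}

# A user listed more than once holds several roles or inherits access
# through more than one path; removing one row does not remove access.
$report | Sort-Object Principal, Role | Format-Table -AutoSize
```

Remember that a change made after reviewing this output takes up to an hour to reach a signed-in user, as described above.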