Chances are that not everybody in your organization will need access to every resource you provide. For example, your billing team might not need access to HR resources and vice versa. Limiting access to links that users don’t need is called security trimming, and it’s a common practice among businesses and corporations of all sizes. In Masthead, we’ve made this process simple and cohesive.
How do I link Azure AD groups to Masthead?
Start by navigating to Manage Organization, then open the “Manage Groups” tab. There you’ll see an “Add Group” button for linking an Azure AD group to Masthead.
In the “Name” field, enter a name for your group. This will appear as a selectable option later. In the “Group ID” field, you’ll need to enter your group’s GUID.
Please note that this feature is in its early stages. This feature is currently for advanced users but will be simplified shortly. Right now, you must manually add groups from your Azure Active Directory using their GUIDs (see here for instructions).
So I’ve added some groups, now what?
Now that you’ve got some groups added for your organization, it’s time to customize who can access what.
When creating a new navigation, you’ll notice a “Trim to Groups” option. If you already have your navigation set up, you can change this by editing individual navigation items. This is where you will choose which groups have access to which links.
By default, all navigation items are created with permissions set to “Every User”. This means the link is available to anyone using your site.
Select only the groups that need access to this navigation. If done correctly, the navigation items will not appear for any other groups.
This action can also be performed on sub items. However, you’ll notice that if you’ve modified permissions for a parent menu, its child menus will be locked to those permissions as well. In other words, you can make a sub item visible to fewer people than its parent, but a user who doesn’t have access to the parent will never be able to see the sub item.
Remember that you need to publish for these changes to take effect.
An Important Note…
Sometimes it can take up to a day for groups to start working properly. This is a limitation of Azure AD.
Using groups is security by obscurity. You are simply preventing the link from being displayed to certain users. You still need to ensure you are properly securing your sites as Masthead is not doing this for you. A user with the direct link will still be able to access the resource.
Also note that you cannot security trim to a specific user in Masthead. When selecting who can view links, it must be linked to an Azure AD group.
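The parent/child rule and the display-only caveat above, modeled as an added example (not Masthead's code; the tree shape, the `trimTo` field, the GUIDs and the URLs are constructed for illustration). For one user's group memberships it returns the links that would be shown and the links that are only hidden, which are the targets that still need their own permissions.

```javascript
// Constructed sample data: GUIDs, titles and URLs are placeholders, not real values.
const HR = "00000000-0000-0000-0000-0000000000a1";
const BILLING = "00000000-0000-0000-0000-0000000000b2";
const HR_MANAGERS = "00000000-0000-0000-0000-0000000000c3";

// trimTo: null models the default "Every User"; otherwise a list of group GUIDs.
const nav = [
  { title: "Home", url: "/home", trimTo: null, children: [] },
  { title: "HR", url: "/hr", trimTo: [HR], children: [
    { title: "Policies", url: "/hr/policies", trimTo: null, children: [] },
    { title: "Salaries", url: "/hr/salaries", trimTo: [HR_MANAGERS], children: [] },
  ]},
  { title: "Billing", url: "/billing", trimTo: [BILLING], children: [
    { title: "Invoices", url: "/billing/invoices", trimTo: [BILLING], children: [] },
  ]},
];

// GUIDs are hex strings, so compare them case-insensitively.
const norm = (g) => g.trim().toLowerCase();

// An item's own setting: visible to everyone, or to members of any listed group.
function canSee(item, userGroups) {
  if (item.trimTo === null) return true;
  return item.trimTo.some((g) => userGroups.has(norm(g)));
}

// Walk the tree for one user. A sub item is shown only if its parent is shown
// AND its own trimming allows it, so a child can narrow but never widen access.
function trim(items, groupIds, parentVisible = true, out = { shown: [], hidden: [] }) {
  const userGroups = groupIds instanceof Set ? groupIds : new Set(groupIds.map(norm));
  for (const item of items) {
    const visible = parentVisible && canSee(item, userGroups);
    (visible ? out.shown : out.hidden).push(item.url);
    trim(item.children, userGroups, visible, out);
  }
  return out;
}

// A member of HR_MANAGERS who is not in HR never sees "Salaries": the parent is hidden.
// Every URL in `hidden` is still reachable by direct link unless the target enforces access.
console.log(trim(nav, [HR_MANAGERS]));
```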