Setting up your end users for MFA

Updated: 24 September 2021

To set up your end users to be MFA-ready ahead of the go-live date we have developed a template you can use to map the user details between the two systems for all your users - we will then update CLASS using that mapping as we deploy the MFA feature. This should be far less work for you to complete than manually updating user details in CLASS.

To do this, you will need: 

  1. To have completed our initial admin setup guide.
  2. Access to Azure Active Directory with any of the following roles: Global Administrator, Application Administrator or a Cloud Application Administrator (if your Azure setup is managed by an external IT provider, they can complete any steps related to this).
  3. Access to a CLASS user account in your Centre's live database with the CLASS Admin - Advanced role
  4. A downloaded copy of our User Mapping template.
Tip: We will indicate for each step if the task is performed by the Azure Admin or the CLASS Admin. The steps should be completed in sequence.

Why do I need to do this?

This process is optional, but has been designed to provide the most efficient way to make sure your users have immediate access to CLASS once MFA is switched on in the live system.

How can users get into CLASS after MFA is switched on if I don't do this step?

As long as your usernames already match up with your Microsoft logins, users can use the self-serve user registration portal to save their claim to their CLASS account the same way as in the final steps of the admin setup guide.

  1. In CLASS, navigate to System Settings > User Accounts.
  2. In the search bar in the Active column, type Yes and hit enter.
  3. Hover over the Export icon and select Export to Excel.

  1. Open the User List.
  2. Hover over Bulk Operations and select Download Users.
  3. Give the file a meaningful name and click Start.

  1. Open the CLASS user list and your empty template file in Excel or similar
  2. Ignore the Centre ID column. We will set this for you when you send the file to us
  3. Copy the Username column from the CLASS list and paste it into the Existing CLASS Username column of the mapping template
  4. Copy the Email column from the CLASS list and paste it into the Existing CLASS Email column of the mapping template
  1. Open the Azure user list.
  2. For each row in the mapping template, find the corresponding row in the Azure user list and:
    1. Copy the "userPrincipalName" value into the Azure AD UPN column for that row in the mapping template.
    2. Copy the "id" value into the Azure AD User ID column for that row in the mapping template.
    3. Enter the Set CLASS Email column for that row - if it is already correct just copy it.

What if my CLASS Username and/or Email already matches Azure AD?

That makes things easier for you! All you have to do is remove any rows you don't need from the Azure user list, sort both lists by a matching column so they line up, and copy the objectId column in its entirety into the mapping sheet - you will still need to fill the Azure AD UPN column as well, but this can also just be copied.

Can I set a different email address to my Azure Username?

Yes you can! As long as the email address is unique to that user it is fine - the email address is used to send workflow emails to users and to send new users the MFA registration link.

What if I want emails for all my volunteers to go to the same inbox?

If you have created individual Microsoft user accounts for your volunteers but want them all to receive CLASS emails in one place, you have a couple of options:

  1. If you use Exchange 365 or Google as your mail server you can use plus addressing to route unique email addresses to one mailbox; or
  2. You could create multiple aliases in your Exchange Server for one email account.

If you intend to continue using the IP whitelist functionality for any/all of your users, put the value Y in the Set Supervised User column of the User Mapping Sheet for each user you want to do this for.

Warning: You will need to provide us with a complete list of static IP addresses for your whitelist if you intend to continue using it. Please provide this list to us when you send us the user mapping list. Please note that the CLASS VPN will be decomissioned alongside switching on MFA so if you want users to connect to a trusted network in order to access CLASS you will need to setup your own VPN.

Save the file, and raise a ticket in our helpdesk portal, ensuring to attach the file. If you are unable to login to the portal or do not know your login details you can email us instead.