Introduction

The option to sign in to WealthWorks+ with a Microsoft account is available in WealthWorks+ release 4.19 onwards. You can use your existing Microsoft account (either personal or work/school) to authenticate and access WealthWorks+ instead of using your existing account username and password, creating a seamless sign-in process. Sign in with Microsoft requires your installation of WealthWorks+ to use HTTPS (secure HTTP), and we can offer assistance in enabling HTTPS.


To enable this feature, please contact our Support team for assistance. Once it is enabled, users will need to give permission to sign in using their Microsoft account. Users also have the option of revoking the permission that grants access to WealthWorks+.


If you have enabled Two-Factor Authentication (2FA) using an authenticator app, this will still operate if you choose to enable Sign in with Microsoft.


Each user's contact details in WealthWorks+ should include the email address of their Microsoft account. Go to the Options > System Administration menu category and select the User Administration tab. For each user, click on the contact link to open the contact record. Add the email address to Email 1, 2 or 3, found in the Internet portlet on the contact details tab.


Please note: If more than one contact record has the same email address, Sign in with Microsoft using that email address will not grant access to WealthWorks+.


Signing In

When enabled, the user should now see the Sign in with Microsoft button when accessing WealthWorks+.  If clicked, and the email address is found to have a Microsoft Account, a permission screen is displayed for the user to grant access to WealthWorks+ using their Microsoft Account. Click Accept.

Signing Out

If the user signs out of the application, this will not sign them out of their Microsoft Account.  When accessing WealthWorks+ again, they can continue to sign back in with Microsoft by clicking the button.  The permission request will no longer be displayed.


Revoking access using Microsoft Account

The user should log in to Microsoft with the account they are using, then go to the page https://myapps.microsoft.com

Find the WealthWorks+ application in the list of applications and click 'manage your application'. 

Click the Revoke consent button.


See also https://myaccount.microsoft.com for details of the user's sign-ins to WealthWorks+.



Understanding the Architecture behind Microsoft Sign-In

Our application integrates Single Sign-On (SSO) using OpenID Connect (OIDC) in C#, with Microsoft Entra ID (formerly Azure Active Directory) serving as the identity provider. OIDC is an identity layer built on top of the OAuth 2.0 protocol, enabling client applications—such as C# web apps—to authenticate users and retrieve basic profile information from trusted identity providers like Entra ID, Google, or Okta.


By leveraging OIDC, our application supports seamless and secure user authentication. Users can sign in once using their Microsoft credentials and gain access to multiple services without needing to re-authenticate. This approach delegates identity management to Microsoft Entra ID, ensuring robust security and a streamlined user experience.


While authentication and access control are managed by the customer through Entra ID, user roles and permissions within the application (WealthWorks+) remain under our control. This separation of concerns allows for flexible role management while maintaining centralized authentication.
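
The duplicate-email rule from the Introduction can be pictured as a fail-closed lookup that runs after Entra ID has authenticated the user. The following is an added example, not WealthWorks+ code: the Contact record, its field names, ResolveContact, the use of the email claim as the lookup key and the case-insensitive comparison are all assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical contact record; Email1..Email3 stand in for the "Email 1, 2 or 3" fields.
public record Contact(int Id, string? Email1, string? Email2, string? Email3)
{
    public IEnumerable<string> Emails =>
        new[] { Email1, Email2, Email3 }
            .Where(e => !string.IsNullOrWhiteSpace(e))
            .Select(e => e!.Trim());
}

public static class SignInResolver
{
    // Returns the one contact that holds the address, or null when no contact
    // or more than one contact holds it. Null means: do not grant access.
    // Assumption: addresses are compared case-insensitively.
    public static Contact? ResolveContact(IEnumerable<Contact> contacts, string? emailClaim)
    {
        if (string.IsNullOrWhiteSpace(emailClaim)) return null;
        var wanted = emailClaim.Trim();
        var matches = contacts
            .Where(c => c.Emails.Any(e => string.Equals(e, wanted, StringComparison.OrdinalIgnoreCase)))
            .Take(2) // two hits already prove the address is ambiguous
            .ToList();

        return matches.Count == 1 ? matches[0] : null;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample data.
        var contacts = new List<Contact>
        {
            new(1, "a.adviser@example.com", null, null),
            new(2, "b.broker@example.com", "shared@example.com", null),
            new(3, null, null, "Shared@Example.com"),
        };
        foreach (var claim in new[] { "A.Adviser@example.com", "shared@example.com", "nobody@example.com" })
        {
            var contact = SignInResolver.ResolveContact(contacts, claim);
            Console.WriteLine(contact is null ? $"{claim}: access denied" : $"{claim}: contact {contact.Id}");
        }
    }
}
```

Treating an ambiguous match the same as no match keeps a shared mailbox address from signing a user in as the wrong contact, and the roles and permissions held inside WealthWorks+ attach only to the single contact that is returned.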