[
  {
    "Comment": "This document defines a mapping from Azure Active Directory (AAD) groups to FMX building access and user types. It exists to work around limitations in AAD and isn't necessary in most scenarios. For common scenarios, follow the guidance here instead: https://help.gofmx.com/hc/en-us/articles/205612265."
  },
  {
    "Comment": "This is a mapping rule. Mapping rules are executed in sequential order starting with this one. Comments are optional but help make the document maintainable because they improve readability. First we revoke building access. This rule demonstrates two ways of doing that: we can either revoke access to specific building IDs or revoke access to all buildings.",
    "RevokeBuildingAccess": [569, 476],
    "RevokeAllBuildingAccess": true
  },
  {
    "Comment": "Next we begin granting building access. This rule grants access to the [High School] (569) building if the user is a member of the [Location - High School] (66e0f388-868f-4cb5-aade-6c53d54bbd84) group in AAD.",
    "IfMemberOf": "66e0f388-868f-4cb5-aade-6c53d54bbd84",
    "GrantBuildingAccess": [569]
  },
  {
    "Comment": "We can also grant access to multiple FMX buildings based on membership in a single AAD group. This rule grants access to the [Middle School] (476) and [Elementary School] (44830) buildings if the user is a member of the [Locations - K-8] (978defb6-0132-4126-a030-2376a19c6782) group in AAD.",
    "IfMemberOf": "978defb6-0132-4126-a030-2376a19c6782",
    "GrantBuildingAccess": [476, 44830]
  },
  {
    "Comment": "Next we set the user type. FMX users have a single user type. This rule sets the [Administrator] (20) user type if the user is a member of the [Role - Admin] (4e3249e2-26ae-43df-aeb9-4e7b690651a8) group in AAD.",
    "IfMemberOf": "4e3249e2-26ae-43df-aeb9-4e7b690651a8",
    "SetUserType": 20
  },
  {
    "Comment": "If multiple rules set the user type, the last rule to execute wins. This rule sets the [Maintenance Tech] (19) user type if the user is a member of the [Role - Tech] (106d401f-89d0-4219-bc01-4d8d94243bcb) group in AAD.",
    "IfMemberOf": "106d401f-89d0-4219-bc01-4d8d94243bcb",
    "SetUserType": 19
  },
  {
    "Comment": "That's all there is to creating a mapping document! When finished, create an AAD claim named 'urn:fmx:dir:attribute-def:groups-mapping' and copy/paste the contents of this document into its value. Be aware that AAD imposes a ~20k character limit on the claim value, so you may need to shorten or strip comments before pasting. Finally, create a group claim that returns security groups and name it 'urn:fmx:dir:attribute-def:groups'. It should use the 'Group ID' source attribute."
  }
]
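The rule semantics the comments above describe (sequential execution, revoke before grant, last SetUserType wins) can be checked before the document is pasted into the AAD claim. The following is an added example, not FMX's or Microsoft's code: it models those semantics from the comments only, assumes a rule without IfMemberOf applies unconditionally and that revoke is applied before grant within one rule, and verifies the document fits the ~20k character claim limit.

```python
import json

# Constructed copy of this page's mapping document (comments stripped to keep it short).
MAPPING_DOCUMENT = json.dumps([
    {"Comment": "comment-only entries carry no rule and are ignored"},
    {"RevokeBuildingAccess": [569, 476], "RevokeAllBuildingAccess": True},
    {"IfMemberOf": "66e0f388-868f-4cb5-aade-6c53d54bbd84", "GrantBuildingAccess": [569]},
    {"IfMemberOf": "978defb6-0132-4126-a030-2376a19c6782", "GrantBuildingAccess": [476, 44830]},
    {"IfMemberOf": "4e3249e2-26ae-43df-aeb9-4e7b690651a8", "SetUserType": 20},
    {"IfMemberOf": "106d401f-89d0-4219-bc01-4d8d94243bcb", "SetUserType": 19},
])

AAD_CLAIM_LIMIT = 20_000  # approximate limit the page warns about (assumption: exact figure varies)


def evaluate(document, user_groups, current_buildings=(), current_user_type=None):
    """Apply the mapping rules in order and return (sorted building IDs, user type).

    Modelled on the page's comments, not on FMX's implementation.
    """
    rules = json.loads(document)
    if not isinstance(rules, list):
        raise ValueError("mapping document must be a JSON array of rules")
    groups = set(user_groups)
    buildings = set(current_buildings)
    user_type = current_user_type
    for rule in rules:
        # Assumption: a rule without IfMemberOf applies to every user.
        if "IfMemberOf" in rule and rule["IfMemberOf"] not in groups:
            continue
        # Assumption: within one rule, revocations apply before grants.
        if rule.get("RevokeAllBuildingAccess"):
            buildings.clear()
        buildings.difference_update(rule.get("RevokeBuildingAccess", []))
        buildings.update(rule.get("GrantBuildingAccess", []))
        if "SetUserType" in rule:
            user_type = rule["SetUserType"]  # last rule to execute wins
    return sorted(buildings), user_type


def fits_claim_limit(document):
    """True when the document can be pasted into the claim value without trimming."""
    return len(document) <= AAD_CLAIM_LIMIT
```

Run `evaluate` with a user's AAD group object IDs to see the building access and user type the rules would produce; a user in both role groups ends up as Maintenance Tech (19) because that rule executes last.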