Introduction
Windows Azure Active Directory (WAAD) is a cloud-friendly, REST-based implementation of Active Directory for identity management of cloud applications. It provides centralized identity management for Microsoft Office 365, Windows Intune, more than 580 commercial SaaS applications and your own cloud-based applications. To support unified identity management with traditional on-premises applications, WAAD can also be integrated with on-premises Active Directory via the DirSync and Active Directory Federation Services (ADFS) gateway components.
Setup Active Directory
Creating and setting up an Active Directory tenant in the cloud is straightforward; follow the steps below:
a. Go to the “Active Directory” tab and click New -> Active Directory -> Directory -> Custom Create.
b. Select the “Create a new directory” option, then give it a name, a domain name and the Country or Region where this directory should be created.
c. Once completed, navigate to the Dashboard; it should show options such as “Users”, “Groups”, “Applications”, “Domains” and “Directory Integration”.
d. On the “Users” tab, click Add Users to create new users.
Note:
- You can create a new user in the directory's own domain, add a user with a Microsoft Account, or add a user from another Azure Active Directory.
- The user account of your Azure subscription is added to the user list by default.
e. On the “Groups” tab, click Groups -> Add a Group.
f. Once the group is created, members/users can be associated with it.
Note: A group can take users/members from another group, but only within its own directory.
Integrating existing Apps (Web App, Web API, Native or SaaS apps) with Active Directory to provide SSO
Let’s consider a basic scenario: a user in a web browser needs to authenticate to a web application. Though basic, this scenario illustrates the core capabilities of Azure AD.
- Azure AD is the identity provider, responsible for verifying the identity of users and applications that exist in an organization’s directory, and ultimately issuing security tokens upon successful authentication of those users and applications.
- An application that wants to outsource authentication to Azure AD must be registered in Azure AD, which registers and uniquely identifies the application in the directory.
- Once a user has been authenticated, the application must validate the user’s security token before trusting it: check the signature against the tenant’s published signing keys, the issuer (your tenant), the audience (this application’s App ID URI) and the validity period. Only then has authentication succeeded for the intended parties.
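The token checks listed in the last bullet, written out as an added example (this is not code from the original article or from Microsoft's libraries). Azure AD signs its tokens with RS256 using certificates published in the federation metadata document; to run offline without an RSA library, this demo signs with HS256 and a constructed shared secret, and the tenant ID, App ID URI and key below are made-up values. The order of the checks and the claim rules are the same for either algorithm.

```python
# Added example (not from the article): the checks a web application must make
# before trusting an Azure AD security token. Azure AD uses RS256 with the keys
# in the federation metadata; this offline demo signs with HS256 and a
# constructed shared secret so it needs no RSA library. The claim rules are
# identical for either algorithm.
import base64
import hashlib
import hmac
import json
import time

# Constructed values (assumptions, not real tenant data).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
EXPECTED_ISSUER = "https://sts.windows.net/%s/" % TENANT_ID        # issuer format Azure AD used
EXPECTED_AUDIENCE = "https://contoso.onmicrosoft.com/MyWebApp"     # the App ID URI from registration
SIGNING_KEY = b"constructed-demo-secret-not-for-production"
ALLOWED_ALGS = {"HS256"}  # production: {"RS256"}; never accept "none"
CLOCK_SKEW = 300          # seconds of tolerance on exp/nbf


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(claims: dict, key: bytes = SIGNING_KEY, alg: str = "HS256") -> str:
    """Build a compact JWS (header.payload.signature) so the validator has input. Demo only."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": alg}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(key, ("%s.%s" % (header, payload)).encode("ascii"), hashlib.sha256).digest()
    return "%s.%s.%s" % (header, payload, _b64url_encode(signature))


def validate_token(token: str, key: bytes = SIGNING_KEY, now=None) -> dict:
    """Return the claims if the token is acceptable for this application, else raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    # 1. Algorithm allow-list first: the header is attacker-controlled until the signature is checked.
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("algorithm %r not allowed" % header.get("alg"))
    # 2. Signature over the exact bytes received, compared in constant time.
    expected = hmac.new(key, ("%s.%s" % (header_b64, payload_b64)).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    # 3. Issuer: the token must come from our tenant, not merely from some Azure AD tenant.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer %r" % claims.get("iss"))
    # 4. Audience: a genuine token issued for another application must still be refused.
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("token was issued for a different application")
    # 5. Validity window, with a little skew for clock differences.
    if "exp" not in claims or now > claims["exp"] + CLOCK_SKEW:
        raise ValueError("token expired or carries no expiry")
    if now < claims.get("nbf", 0) - CLOCK_SKEW:
        raise ValueError("token not yet valid")
    return claims


def is_valid(token: str, key: bytes = SIGNING_KEY, now=None) -> bool:
    """Accept/reject wrapper; every decoding or claim failure is a rejection."""
    try:
        validate_token(token, key, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    now = int(time.time())
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
              "nbf": now - 60, "exp": now + 3600, "upn": "alice@contoso.onmicrosoft.com"}
    print("good token:", is_valid(mint_token(claims)))
    print("alg=none:", is_valid(mint_token(claims, alg="none")))
    print("other app's token:", is_valid(mint_token(dict(claims, aud="https://contoso.onmicrosoft.com/OtherApp"))))
```

The audience check is the one most often skipped: a token that Azure AD legitimately issued to some other application in the same tenant will pass the signature and issuer checks, and only the audience comparison stops that application from replaying it against yours.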
SSO for Webapp, Webapi & Native Applications
Now that you know how Azure AD authenticates, it’s time to register the application in the directory. Below are the steps to follow:
a) Go to the “Applications” tab, click Add, select the first option “Add an application my organization is developing” and click Next.
b) Provide a name for the application and select the “Web App/Web API” option.
c) Provide the sign-on URL and the App ID URI and click OK.
d) Once done, your application is configured to use Azure AD.
e) One more step is to associate users with the newly created application. For this, refer to “Setup Active Directory”, point d (create a new user). Once the users are created, go to Application -> Owners tab, click “Add Owners”, select the new user you created and click OK. Note that ownership grants that user the right to manage the application’s registration, so give it only to users who should administer the app.
f) Now let’s create a web application which will use Azure AD as an identity provider.
i. Open VS2012 and create an MVC4 web application.
ii. Select your project in the Solution Explorer, then in the Properties pane switch SSL Enabled to True.
iii. Select the SSL URL and copy it.
iv. Now we need to let Visual Studio know that we always want to use the HTTPS endpoint during debugging. Go back to the Solution Explorer, right-click the project and choose “Properties”. Choose the “Web” tab on the left, scroll down to the “Use Local IIS Web server” option and paste the HTTPS URL into the “Project Url” field. Save the settings (Ctrl+S) and close the property tab.
v. At this point we have an application that is suitable to be configured to use Azure AD for sign-on. The next step is to let your Azure AD tenant know about this specific app.
vi. Go to Tools -> Extensions and Updates and search for the keyword “Identity”. Download and install the Identity and Access Tool.
vii. Now open the “Identity and Access” menu and select the option that points the application at a business identity provider via its STS metadata.
viii. Enter the STS metadata: go to Azure Portal -> Active Directory -> Applications, click “View Endpoints”, copy the URL of the “Federation Metadata Document”, paste it into the STS metadata field and click OK. The metadata document carries the tenant’s issuer name and token-signing certificates; the tool uses it to populate the trusted issuer and audience settings in web.config, which is what lets the application validate the tokens it receives.
ix. Next, run the application; it will redirect you to the Microsoft Active Directory sign-in page. Provide the credentials of the user you created above (see “SSO for Webapp, Webapi & Native Applications”, point e) and click Sign In. You should be able to authenticate successfully.
SSO for SaaS Applications
Configuring single sign-on to many different SaaS applications from various vendors can be a difficult and demanding task. Azure Active Directory simplifies the process by providing the most popular SaaS applications pre-integrated and ready to use.
Most SaaS applications require that you already have a (business, not free) account with them. I will show the steps required to connect and demonstrate SSO for some free SaaS apps.
Below are the steps to follow:
a. Go to your Active Directory -> Applications -> Add and click “Add an application from the gallery”. This link lists all the supported SaaS apps. Select “Yahoo Mail”.
b. On the Dashboard, click “Configure single sign-on”, select the “Password Single Sign-On” option and click OK. Password Single Sign-On is credential vaulting rather than federated sign-on: Azure AD stores the Yahoo! credentials and replays them in the browser through the Access Panel extension, so the Yahoo! account still has a password of its own that should be unique and rotated like any other.
c. Next, we need to assign AD users who can access Yahoo Mail. Click “Assign Users”, select an Active Directory user and click Assign. You are then prompted for the credentials: enter a valid Yahoo! user ID and password and click OK.
d. Repeat steps a-c to configure other free SaaS apps such as Skype and Pluralsight.
e. To test that the user has been granted access to these applications, Microsoft provides the Access Panel at http://myapps.microsoft.com/. Log in to this URL with the assigned AD credentials and you will see all the applications assigned to you.
f. Click the Yahoo icon; it will authenticate automatically and take you directly to Yahoo Mail. It works the same way for Skype and Pluralsight.
Setup Domain and Active Directory Sync between On-Premises and Cloud
Pre-requisites:
· A registered domain name.
· The required entries added in the DNS management console of the domain’s service provider (A records, in this case).
Once the pre-requisites are completed we can start configuring. Follow the steps below:
a. In Active Directory -> Domains, add a new domain and go through the steps to verify it.
b. Enter the domain name and click Add.
c. On the next screen, copy the TXT or MX record shown and create it in the DNS zone of your registered domain name. Verification proves you control the domain; until it succeeds, Azure AD will not let you create or sync users under that domain suffix.
d. Next, to simulate an on-premises environment, I created a Windows Server 2008 R2 Enterprise Edition system on a separate network and associated the domain name with it. I also installed Active Directory Domain Services on it and created some users.
e. Next, go to Portal -> Active Directory -> Directory Integration tab, switch Directory Sync to “Activated” and save the changes.
f. Next, download the Directory Sync tool and install it on the on-premises server.
g. Click Next once the installation shows as completed.
h. Click Finish with “Start Configuration Wizard now” selected.
i. The configuration screen comes up with the list of steps to configure.
j. Provide the Azure AD Global Administrator credentials.
k. Provide the on-premises Active Directory Enterprise Administrator credentials.
Note: Make sure the user is a member of the Enterprise Admins and FIMSyncAdmin groups. Both sets of credentials are highly privileged and are only needed to configure the sync; use dedicated accounts rather than personal ones and protect the server they are entered on accordingly.
l. On the next screen, “Hybrid Deployment”, select the “Enable Hybrid Deployment” checkbox.
m. Select the “Enable Password Sync” checkbox. Password sync sends a hash of each user’s on-premises password hash to Azure AD, not the password itself, so users can sign in to cloud services with their domain password.
n. Clicking Next will apply the configuration; once completed, click Next.
o. On this last step, it asks whether to synchronize the directories now.
p. Once the sync has run, log in to the Azure portal and verify that the local Active Directory users are now automatically part of the Azure Active Directory users list.
Note: The “Sourced From” column will display “Local Active Directory” against on-premises AD user accounts.
(Screenshot: the groups synced during the first run.)
q. Now I have created a couple of new users in the on-premises Active Directory and will check that they get synced to Azure Active Directory.
To monitor our changes we can also use the Synchronization Service Manager tool, which ships with DirSync. Navigate to the following directory on the member server where you installed the DirSync tool, C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell, and double-click miisclient.exe.
Note: The export statistics below show that the DirSync tool has synced 4 objects: the users we added to the on-premises AD in the steps above.
If you open one of those objects and click Properties, you can see the on-premises AD user as synced to Azure AD.
To verify that those on-premises users were successfully added, go to Azure Portal -> Active Directory -> Users; the new users are now in the list.
Different types of Authentication – Single Sign-on, Multifactor Auth.
We have already seen the single sign-on example and setup in “SSO for Webapp, Webapi & Native Applications”, so in this topic I will describe multi-factor authentication.
Multi-factor authentication (MFA), of which two-factor authentication (2FA) is the common case, requires more than one verification method and adds a critical second layer of security to user sign-ins and transactions. It works by requiring any two or more of the following verification methods:
- Something only the user knows (e.g., password, PIN, pattern);
- Something only the user has (e.g., ATM card, smart card, mobile phone); and
- Something only the user is (e.g., biometric characteristic, such as a fingerprint).
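To make the “something only the user has” factor concrete, here is an added example (not from the article, and not how Azure MFA itself is implemented) of a time-based one-time password as specified in RFC 6238 over RFC 4226: the user’s device and the server share a secret, each derives a six-digit code from the current 30-second time step, and the server accepts a code only within a small window and only once. The secret used in the demo is the RFC 6238 test vector secret; real secrets are random and per user.

```python
# Added example (not from the article): the mechanics of a "something only the
# user has" factor, as a time-based one-time password (RFC 6238 over RFC 4226).
# Azure MFA's own methods (call, text, mobile app) are not reproduced here; this
# generic verifier shows why a second factor is more than a second password.
import hashlib
import hmac
import struct

TIME_STEP = 30   # seconds per code
DIGITS = 6
WINDOW = 1       # also accept the step before and after, to absorb clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = TIME_STEP) -> str:
    """The code the user's device displays at Unix time `at`."""
    return hotp(secret, int(at // step))


def verify_totp(secret: bytes, code: str, at: float, used_steps: set,
                step: int = TIME_STEP, window: int = WINDOW) -> bool:
    """Server-side check: accept within +/- window steps, compare in constant time,
    and remember accepted steps so a captured code cannot be replayed."""
    if len(code) != DIGITS:
        return False
    current = int(at // step)
    for candidate in range(current - window, current + window + 1):
        if candidate in used_steps:
            continue   # this step already authenticated once; a second use is a replay
        if hmac.compare_digest(hotp(secret, candidate).encode(), code.encode()):
            used_steps.add(candidate)
            return True
    return False


if __name__ == "__main__":
    import time
    secret = b"12345678901234567890"   # RFC 6238 test secret; real secrets are random and per user
    print("code now:", totp(secret, time.time()))
    print("RFC 6238 vector, T=59 ->", totp(secret, 59))   # 287082
```

The `used_steps` set is the piece that turns a code into a one-time code: without it, a code phished or shoulder-surfed within the 90-second acceptance window could be reused, and the second factor would degrade into a short-lived second password.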
Let’s set up multi-factor authentication for an Active Directory user. Below are the steps to follow:
a. Go to the “Users” tab, click Add Users and create the user.
b. Once done, select the user and click the “Manage Multi-Factor Auth” button.
c. On the new screen, select the checkbox against the user and click the Enable link to enable multi-factor authentication.
d. Next, to test, go to http://myapps.microsoft.com and sign in as the user you have just enabled.
e. On the next screen it asks how you would like to set up multi-factor authentication. Click the “Set it up now” button, specify the contact method and click Next to complete a quick verification.
f. From now on, when you log in with the AD credentials it will ask for the additional authentication. After authenticating successfully you see your apps screen.
Query AD using GraphAPI
The Azure AD Graph API is the interface for navigating the content of Azure AD and accessing (creating and manipulating) the information stored there. Developers can perform CRUD operations through REST endpoints when building applications such as web and mobile apps.
The Graph API is REST-based. REST has become the de facto standard for new APIs, and it is simpler to use than traditional methods of directory access such as LDAP.
The Graph API provides a broad set of standard queries that retrieve metadata about the tenant’s directory and its schema, as well as users, groups and other common entities. Apart from these standard queries, there are differential queries that let developers request only the changes to a query’s result set since the previous run.
Access to the Graph API is done in two steps. The first is authentication (based on tenant ID, client ID and credentials) against the Azure AD authentication service, which returns a JWT access token. That token is then presented as a bearer token on every Graph API request. Graph authorizes every request, based on the permissions granted to the application and the roles of the calling principal, and returns the result set only if authorization succeeds. Because a bearer token gives whoever holds it the same access, keep it out of URLs and logs and request the narrowest permissions the application needs.
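The two-step flow just described, written as a small client. This is an added example, not code from the article or from Microsoft’s samples. The endpoint shapes are assumptions drawn from the Azure AD Graph API of the time (the login.windows.net token endpoint, graph.windows.net with api-version=1.6, `odata.nextLink` paging and `aad.deltaLink` for differential queries), and the tenant, client ID, client secret and the fake responses at the bottom are constructed placeholders. HTTP goes through a pluggable `transport`, so the flow can be exercised offline against the fake before pointing it at a real tenant.

```python
# Added example (not from the article or Microsoft's samples): the two-step
# Graph API access as a small client. Endpoint shapes are assumptions from the
# Azure AD Graph API of the time; tenant, client id, secret and the fake
# transport's responses are constructed placeholders.
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TENANT = "contoso.onmicrosoft.com"                   # constructed
CLIENT_ID = "00000000-0000-0000-0000-000000000001"   # constructed
CLIENT_SECRET = "constructed-client-secret"          # in practice: load from a protected store, never hard-code
GRAPH_RESOURCE = "https://graph.windows.net"
API_VERSION = "1.6"


def urllib_transport(method, url, headers, body):
    """Real HTTP transport: returns (status, body_bytes)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class GraphClient:
    def __init__(self, tenant=TENANT, client_id=CLIENT_ID, client_secret=CLIENT_SECRET,
                 transport=urllib_transport, clock=time.time):
        self.tenant, self.client_id, self.client_secret = tenant, client_id, client_secret
        self.transport, self.clock = transport, clock
        self._token, self._expires_at = None, 0.0

    def access_token(self):
        """Step 1: client-credentials grant against the Azure AD authentication service."""
        if self._token and self.clock() < self._expires_at - 60:   # reuse until a minute before expiry
            return self._token
        body = urllib.parse.urlencode({
            "grant_type": "client_credentials",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "resource": GRAPH_RESOURCE,      # the audience the issued token is scoped to
        }).encode("ascii")
        url = "https://login.windows.net/%s/oauth2/token" % self.tenant
        status, raw = self.transport("POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, body)
        if status != 200:
            raise RuntimeError("token request failed with HTTP %d" % status)
        tok = json.loads(raw)
        if tok.get("token_type", "").lower() != "bearer":
            raise RuntimeError("unexpected token type")
        self._token = tok["access_token"]
        self._expires_at = self.clock() + int(tok.get("expires_in", 0))
        return self._token

    def get(self, relative_url):
        """Step 2: authorized GET. The token travels only in the Authorization header, never in the URL."""
        sep = "&" if "?" in relative_url else "?"
        url = "%s/%s/%s%sapi-version=%s" % (GRAPH_RESOURCE, self.tenant, relative_url, sep, API_VERSION)
        headers = {"Authorization": "Bearer " + self.access_token(), "Accept": "application/json"}
        status, raw = self.transport("GET", url, headers, None)
        if status == 401:
            self._token = None   # rejected token: forget it so the next call re-authenticates
        if status != 200:
            raise RuntimeError("Graph request %s failed with HTTP %d" % (relative_url, status))
        return json.loads(raw)

    def list_all(self, relative_url):
        """Follow 'odata.nextLink' pages; return all entities and, for a differential
        query, the 'aad.deltaLink' to persist and replay next time."""
        items, delta = [], None
        while relative_url:
            page = self.get(relative_url)
            items.extend(page.get("value", []))
            delta = page.get("aad.deltaLink", delta)
            relative_url = page.get("odata.nextLink") or page.get("aad.nextLink")
        return items, delta


def make_fake_transport(calls):
    """Constructed stand-in for Azure AD and Graph, for offline runs; records every call."""
    def fake(method, url, headers, body):
        calls.append((method, url, headers, body))
        if url.endswith("/oauth2/token"):
            return 200, json.dumps({"token_type": "Bearer", "expires_in": 3600, "access_token": "tok-1"}).encode()
        if headers.get("Authorization") != "Bearer tok-1":
            return 401, b'{"odata.error": {"code": "Authentication_MissingOrMalformed"}}'
        if "$skiptoken" not in url:   # first page, with a continuation link
            return 200, json.dumps({"value": [{"userPrincipalName": "alice@contoso.onmicrosoft.com"}],
                                    "odata.nextLink": "directoryObjects/$/Microsoft.DirectoryServices.User?$skiptoken=X"}).encode()
        return 200, json.dumps({"value": [{"userPrincipalName": "bob@contoso.onmicrosoft.com"}]}).encode()
    return fake


if __name__ == "__main__":
    calls = []
    users, _ = GraphClient(transport=make_fake_transport(calls)).list_all("users")
    print([u["userPrincipalName"] for u in users], "in", len(calls), "HTTP calls")
```

To run it against a real tenant, drop the `transport` argument so `urllib_transport` is used, and supply the client ID and secret of an application registered in the directory with permission to read directory data; the token request, the Bearer header and the paging loop stay the same.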
Overall, the Graph API is a simple yet powerful way to access the contents of Azure AD. It succeeds traditional approaches to directory access such as LDAP, with its rather complex structure, and being REST-based it is a familiar approach for web developers.
More information on the Graph API can be found at http://msdn.microsoft.com/en-us/library/azure/hh974476.aspx and sample code at https://github.com/AzureADSamples/WebApp-GraphAPI-DotNet
Azure Active Directory Premium Features
The Premium edition of Azure AD gives all the capabilities of the Free edition plus feature-rich, enterprise-level identity management capabilities.
Below are the steps to enable Active Directory Premium:
a. Go to your AD, click the Licenses tab and click the “Try Azure Active Directory Premium Now” link.
Note: This trial is active for a period of 90 days.
b. The next screen shows the available licenses and how many are assigned.
c. You can now assign licenses to the AD users who can then use the Premium features.
AD Premium Features:
a. “Reports”: Log in to the portal with credentials that have been granted AD Premium access. Next, go to AD -> Reports and click the “Application Usage” report.
(Screenshot: the “Application Usage” report as displayed to a user who does not have Premium access assigned.)
b. “Company Branding”: To make the end-user experience even better, you can add your company logo and colour scheme to your organization’s sign-in and Access Panel pages. Go to AD -> Configure, click “Customize Branding” and upload the images. Wait a few minutes and then try to log in to the portal; the login screen should now appear with the company branding. The company logo is also displayed on the http://myapps.microsoft.com/ screen for the AD user.
c. “Multi-Factor Authentication”: please refer to “Different types of Authentication – Single Sign-on, Multifactor Auth”.
d. “Self Service Password Reset”: You can reduce helpdesk calls from users who forget their passwords by giving all users in your directory the capability to reset their own password.
e. More Azure AD Premium features are described at http://msdn.microsoft.com/library/azure/dn532272.aspx