Tag Archives: Azure Active Directory

#AzureAD : Access Panel/My Apps


In the digital world, end users have an ever-growing number of applications in both their personal and professional lives. In large enterprises, the IT team often does not know the exact number of applications in use across the organization. If counting or remembering the names of these applications is already a challenge, imagine how a user is supposed to remember the URLs and credentials for each of them.

To simplify this, Microsoft provides a web-based access panel called My Apps for enterprise and social applications. You can publish cloud apps from the enterprise gallery, on-premises apps through Application Proxy, or both together, behind a single access panel. The panel is not only for launching applications; it also offers a few self-service capabilities. Access to it is protected by the same Azure AD sign-in controls as any other cloud app, including Multi-Factor Authentication where it is enabled.

The default URL of this web-based portal is https://myapps.microsoft.com, but it can be scoped to your tenant with your custom domain, for example https://myapps.microsoft.com/<yourcustomdomain>.com . Attractive as it is, My Apps has the following dependencies:

  1. Azure AD identities (cloud-only or synchronized from on-premises Active Directory)
  2. Cloud applications must be published through the enterprise gallery
  3. On-premises applications must be published through Application Proxy

Look and feel of My Apps:

Scenario 1: How the portal looks for a user who has no applications published.

Scenario 2: How the portal looks for a user who has applications published.

Look and feel of the self-service features in My Apps:

Note: The options shown here (Change password, Set up self service password reset and Additional security verification) appear because self-service password reset has been configured for this user's organization. You may not see these options if it is not configured in your environment.

Different applications use different "single sign-on mode" settings for authentication and authorization, and each mode has its own configuration. The following list covers most of the single sign-on modes:

Azure AD single sign-on disabled

Single sign-on disabled means that you do not want this application to be integrated into Azure Active Directory for single sign-on. This means that when a user signs in to the application, that user must manually enter their username and password. If you had previously enabled an application for Azure Active Directory single sign-on integration and then change back to the single sign-on disabled mode, this will result in users needing to enter their username and password every time they launch this application.

SAML-based Sign-on

Federated single sign-on provides rich and secure authentication to applications using the SAML protocol: Azure AD acts as the identity provider and issues a signed SAML assertion that the application trusts, so the user's password is never sent to the application. The configuration steps differ per application, so follow the application-specific tutorial for the app you pick from the gallery.

Password-based Sign-on

Password-based single sign-on enables secure application password storage and replay using a web browser extension or mobile app. It leverages the application's existing sign-in form but lets an administrator manage the password, so the user does not need to know it. Note the limit of this model: the credential is filled into the user's own browser by the extension, so it is hidden from the user for convenience and rotation purposes, not cryptographically withheld. Use it for shared or legacy accounts, and prefer SAML federation wherever the application supports it.

Linked Sign-on

Linked sign-on allows you to add a link to an application in the Azure Active Directory Access Panel and/or Office 365 application launcher for selected users. This option does not add single sign-on to the application, however the application may already have single sign-on implemented using another service such as Active Directory Federation Services.

Integrated Windows Authentication

Integrated Windows Authentication (IWA) provides a single sign-on experience by granting the Application Proxy connectors permission in Active Directory to impersonate users to the published application using Kerberos constrained delegation. Azure AD pre-authenticates the user and the connector obtains a Kerberos ticket on the user's behalf, so the connector server must be domain joined and the delegation should be restricted to the application's service principal name only.

Header-based Sign-on

Microsoft and Ping Identity have partnered to extend Azure AD Application Proxy to support single sign-on (SSO) for header-based authentication to web applications running on-premises.

Note: These are sign-on methods, and some of them need additional application-specific configuration. Make sure you have all the required information before configuring any of them.

Web browser requirements: The browser used to access My Apps must have JavaScript and CSS enabled. The following browsers are supported:

Edge on Windows 10 Anniversary Edition or later

Chrome — on Windows 7 or later, and on MacOS X or later

Firefox 26.0 or later — on Windows XP SP2 or later, and on Mac OS X 10.6 or later

Internet Explorer 8, 9, 10, 11 — on Windows 7 or later (limited support)

Extension required for My Apps secure sign-in: You need to install a browser extension to use My Apps secure sign-in (this is the component that replays stored credentials for password-based sign-on). Make sure you are not trying to install it in an incognito or private window.

Mobile apps for Android and iOS: My Apps is also available as a mobile app for Android and iOS devices.

Minimum Android version: 4.1 and above

Minimum iOS version: 7 and above


#AzureAD : Self-service group management


Azure AD simplifies security group management by providing self-service capabilities. By default, an administrator handles every request to add or remove someone from a group, a repetitive job that creates little value for the organization. Azure AD offers two ways to hand this work over: delegated group management and self-service group management.

Delegated group management: This lets an administrator delegate management of an existing group to the people closest to it. Suppose the administrator delegates a group to user A, who starts managing its membership. Later the manager expands the team and wants user B, from the extended team, to manage the membership of the new team members, so the administrator delegates the same group to user B as well. Now user A and user B can each manage the membership of their own team members independently, but not each other's.

Self-service group management: This lets a user create a new security group and manage its membership. The group owner can assign ownership to other users, or ask an administrator to do so. If one security group is used by two teams to grant access to an application and the administrator later wants to roll out a new gallery application to the same people, it is done by assigning the new application to that group. Any user added to the group from then on gets access to the new application as well. Keep in mind that this also means group owners, not administrators, now decide who gets access to every application assigned to the group, so ownership should be reviewed like any other privilege.

Now, let’s have a look how to do it.

First, an administrator must enable this feature. Log in to https://portal.azure.com or https://aad.portal.azure.com . In my case, I am using https://aad.portal.azure.com

Go to Users and groups.

Go to Group settings.

In the General section, enable self-service group management. You can also specify whether users can create security groups and who can manage them. In my scenario, only members of the SSGM group can manage security groups.

Now, ask users to log in to https://aad.portal.azure.com so they can manage their security groups.

Once logged in, go to Users and groups.

Go to All groups and click +New group to create a new security group.

Fill in the required details and add members.

Once the group is created, you can add members to it at any time.

You will notice that if another user who has the privilege to manage security groups tries to manage this group, they cannot add or remove anyone from it.

That changes once the owner of the group, or an administrator, adds this privileged user under Owners.

Now you can see that they can manage the membership of this security group.

There is a lot more you can do with self-service group management, so try it out and share your experiences and questions in the comments.
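The same scenario scripted with the AzureAD PowerShell module, as an added example that is not part of the original post: create the group, hand ownership to user A, later add user B as a co-owner so they can manage it too, and finish with the check an administrator should run regularly, a list of security groups that have no owner at all. The group name and the three user principal names are assumptions for illustration.

```powershell
# Added example (not from the original post): manage a self-service security group
# with the AzureAD PowerShell module and check which groups have no owner.
# Assumed names: the group 'Project-Finance-App' and the three user UPNs below.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$ownerUpn   = 'usera@contoso.com'     # assumed: the delegated owner (user A in the post)
$coOwnerUpn = 'userb@contoso.com'     # assumed: second owner added later (user B)
$memberUpn  = 'newhire@contoso.com'   # assumed: a team member

$owner   = Get-AzureADUser -ObjectId $ownerUpn
$coOwner = Get-AzureADUser -ObjectId $coOwnerUpn
$member  = Get-AzureADUser -ObjectId $memberUpn

# Create a mail-disabled, security-enabled group and make user A its owner.
$group = New-AzureADGroup -DisplayName 'Project-Finance-App' `
                          -MailEnabled $false -SecurityEnabled $true `
                          -MailNickName 'ProjectFinanceApp'
Add-AzureADGroupOwner  -ObjectId $group.ObjectId -RefObjectId $owner.ObjectId
Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $member.ObjectId

# A user who may manage groups in general still cannot touch this one until an
# existing owner (or an administrator) adds them as an owner, as the post shows.
Add-AzureADGroupOwner -ObjectId $group.ObjectId -RefObjectId $coOwner.ObjectId

# Review who controls the group: owners decide membership, and membership decides
# access to every application assigned to the group.
Get-AzureADGroupOwner  -ObjectId $group.ObjectId | Select-Object UserPrincipalName
Get-AzureADGroupMember -ObjectId $group.ObjectId | Select-Object UserPrincipalName

# Hygiene check: a self-service group whose only owner has left becomes ownerless
# and only an administrator can change it. List every security group with no owner.
Get-AzureADGroup -All $true |
    Where-Object { $_.SecurityEnabled -and -not (Get-AzureADGroupOwner -ObjectId $_.ObjectId) } |
    Select-Object DisplayName, ObjectId
```

Run it as a user holding the group management permission you configured in Group settings; Connect-AzureAD prompts interactively. The ownerless-group query enumerates owners per group, so on a large tenant expect it to take a while.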

#Azure AD : Self-service Password Management


Azure AD provides self-service capabilities for password management. This built-in feature not only reduces the number of helpdesk tickets, it also saves users the time and effort of requesting a password reset or account unlock. The capability is known as self-service password reset (SSPR), and what it offers depends on the Azure AD edition:

Azure AD Free: SSPR for cloud-only administrators.

Azure AD Basic: SSPR for cloud-only users.

Azure AD Premium: SSPR for all users, including cloud-only users, on-premises users synchronized with password hash sync, and federated users. For on-premises users, password writeback must be enabled so that the new password reaches Active Directory.

Azure AD SSPR simplifies password management in the following scenarios:

Forgot password: This is the most common case. If a user forgets their password and wants to reset it, they must pass one of the configured authentication methods:

  • A phone call to a verified mobile phone
  • A text message to a verified mobile phone
  • An email to a verified secondary email account
  • Answers to security questions

Security questions are the weakest of these methods, since answers are often guessable or discoverable on social media; if you enable them, require two methods to reset, and note that Azure AD does not allow security questions for administrator accounts.

Change password: Users can change their password at any time, for any reason, but they must know their current password.

Unlock account: Another common case. If an account is locked and the user cannot log in, they can unlock it by passing the same authentication methods.

Now, let’s have a look how to do it.

First, log in to Azure AD to configure SSPR.

Go to Password reset and select the appropriate SSPR scope: a specific group, or All for every user.

If you want SSPR for all users, select All and save the configuration.

In my scenario, I am choosing Selected for specific groups.

I have selected a group called SSPR to grant SSPR capability to its members.

Now select the Authentication method.

I am selecting all the methods. If you select the "security questions" option you also need to choose the questions: click "Select security questions".

You can pick questions from the Predefined and Custom options.

In my case, I am selecting 5 predefined security questions.

Select the questions and click OK.

Once all the authentication methods are configured, click Save.

Now it is time to configure the end-user settings.

Ask your users to log in to https://portal.azure.com and register their additional security information.

Select the required options and set them now.

Select the questions from drop down menu.

Answer these questions and click on save answers.

Once done, click on finish.

Log in to your Azure services. I am trying to log in to https://myapps.microsoft.com . Enter your user name and click Next.

Click "Forgot my password".

Fill in the details and click Next.

Answer your security questions for verification and click Next.

Now enter your new password and click Finish.

Your password has been reset. Log in with your new password and enjoy!

#AzureAD : Multi-factor Authentication


Multi-factor authentication, in practice most often two-factor authentication, adds a second verification step to user sign-ins and transactions. Many solutions exist, and Azure MFA is one of them: a cloud access control service that is simple to use and configure. MFA for Office 365 and for Azure AD administrators is available at no extra cost; the full Azure Multi-Factor Authentication license comes with Azure Active Directory Premium or Enterprise Mobility + Security.

Through partnerships, Microsoft also lets you plug third-party MFA providers into Azure AD. Be precise about what this adds: a third-party provider supplies an alternative or additional second factor (still "something you have"); it does not turn the sign-in into three-factor authentication. The factor count only rises when a genuinely different kind of factor, such as a biometric, is required. Third-party MFA partners are:

Azure MFA natively offers three verification options:

  1. Authentication Phone
  2. Office Phone
  3. Mobile App

Let’s see how to set it up:

Log in to the Azure portal and go to Azure Active Directory.

Go to Users and groups, then All users.

Click Multi-Factor Authentication.

The MFA console opens in a new tab.

Select a user and click Enable.

Click enable multi-factor auth.

Once the update succeeds, click Close. MFA is now enabled for the selected user.

Once an administrator has enabled MFA for a user, the user has to complete the following steps.

The user should open a browser and try to log in to an Azure service. In my scenario, I am logging in to https://myapps.microsoft.com

After entering their credentials, the user is redirected to a page to set up MFA. Click set it up now.

Now the user can see three options for additional security verification.

Option 1: Authentication phone

Option 2: Office phone

Option 3: Mobile app

In my scenario, I selected option 1 with the "call me" method. Enter the required details and click Next.

The user then receives a call for verification.

Once verification completes successfully, the user is taken to step 3. Read the information and click Done.

From now on, whenever the user logs in, they receive a phone call for verification. Phone-call and SMS verification are vulnerable to SIM swapping and social engineering of the carrier, so prefer the Mobile app option where you can.

I hope this blog post helped you understand Microsoft Azure MFA. Try the different verification methods and post your questions in the comments section.
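Both the SSPR post and this MFA post end with portal clicks; the same state is visible and settable from the MSOnline PowerShell module, which stores registration and MFA requirement on the same StrongAuthentication* properties of the user. The block below is an added example, not code from the original posts: it reports which members of the SSPR group have actually registered a method (SSPR is useless for a user who never registered), enables per-user MFA for one user exactly as the "Enable" button does, and finishes with the check every tenant admin should run: global administrators with no MFA requirement. The group name 'SSPR' comes from the post; the user UPN is an assumption. Per-user MFA is what the post demonstrates; on current tenants Conditional Access policies are the recommended way to require MFA.

```powershell
# Added example (not from the original posts): report and enforce strong-authentication
# state with the MSOnline module. Assumed: the 'SSPR' group from the SSPR post exists,
# and 'user1@contoso.com' is the user being enabled.
Import-Module MSOnline
Connect-MsolService

# 1. Who in the SSPR group has registered a verification method? SSPR only helps a
#    user who registered before forgetting the password.
$ssprGroup = Get-MsolGroup -All | Where-Object { $_.DisplayName -eq 'SSPR' }
Get-MsolGroupMember -GroupObjectId $ssprGroup.ObjectId -All |
    ForEach-Object { Get-MsolUser -ObjectId $_.ObjectId } |
    Select-Object UserPrincipalName,
        @{ n = 'Methods';  e = { $_.StrongAuthenticationMethods.MethodType -join ',' } },
        @{ n = 'Phone';    e = { $_.StrongAuthenticationUserDetails.PhoneNumber } },
        @{ n = 'AltEmail'; e = { $_.StrongAuthenticationUserDetails.Email } }

# 2. Enable per-user MFA for one user (same effect as "Enable" in the MFA console).
#    RelyingParty '*' applies the requirement to every application; the state moves
#    from Enabled to Enforced once the user completes registration.
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = '*'
$req.State        = 'Enabled'
Set-MsolUser -UserPrincipalName 'user1@contoso.com' -StrongAuthenticationRequirements @($req)

# 3. The check a practitioner wants: global administrators with no MFA requirement.
#    Admin MFA is included in every Azure AD edition, so there is no licensing excuse.
$adminRole = Get-MsolRole -RoleName 'Company Administrator'
Get-MsolRoleMember -RoleObjectId $adminRole.ObjectId |
    Where-Object { $_.RoleMemberType -eq 'User' } |
    ForEach-Object { Get-MsolUser -ObjectId $_.ObjectId } |
    Where-Object { -not $_.StrongAuthenticationRequirements } |
    Select-Object UserPrincipalName, @{ n = 'MFAState'; e = { 'Disabled' } }
```

To remove the per-user requirement again, pass an empty array: Set-MsolUser -UserPrincipalName ... -StrongAuthenticationRequirements @(). An empty report from step 3 is the goal; any row in it is an account that can be taken over with a password alone.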

#AzureAD : Application Proxy


Many of you have heard of reverse proxies at some point in your IT career. If you have ever published a web application through one, you know the complexity and pain involved: you probably worked with several teams to satisfy security, network and DMZ requirements. Azure AD makes this much simpler: enable Application Proxy, download and install the connector, and publish your internal web application. The connector needs no inbound firewall rules; it only opens outbound connections to Azure. The connector server must run Windows Server 2012 R2 or Windows Server 2016 and should be a dedicated machine (it only needs to be domain joined if you plan to use Integrated Windows Authentication with Kerberos constrained delegation). So now, let's have a look at how to do it.

Log in to the Azure portal from the Application Proxy VM, go to Azure Active Directory and then Application proxy to download the connector.

A web page opens; accept the terms and conditions and download the tool.

Once downloaded, run the installer, agree to the license terms and click Install.

The AAD Application Proxy Connector installation starts.

Log in to Azure AD with your AAD admin account to complete the installation.

The installation continues and finishes in a few minutes.

Now go to the Azure portal and enable Application Proxy.

Once that is done, your connector appears with Active status.

Now it is time to publish your internal application. Go to Enterprise applications under Azure AD.

Click "On-premises application".

Enter your internal URL and save the settings. Note down the external URL, which is how the application will be reached. Leave Pre Authentication set to Azure Active Directory unless you have a specific reason to use Passthrough: with pre-authentication, every request must carry a valid Azure AD sign-in before the connector forwards it, and that is what makes MFA and Conditional Access apply to the app.

Select Assign a user for testing.

Add users, define their roles and click Assign.

Once you are done, wait a little while. Then access your application from the internet using the external URL. You can also publish this app through the My Apps portal, the same way enterprise apps from the gallery are published.

Now you can see that I am able to access my intranet portal. (I am not a developer; however, I tried to modify the default IIS page.)

If you have MFA enabled for your users, it applies to internal web applications published this way as well, adding a layer of security the application itself never had.
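The publishing steps above, scripted with the AzureADPreview module (the module that carries the Application Proxy cmdlets), as an added example that is not part of the original post. It refuses to publish until a connector is active, publishes the intranet portal with Azure AD pre-authentication, then re-reads the published settings and fails if pre-authentication is not in effect, the check you want in any pipeline that publishes apps. The display name, internal URL and external URL are assumptions; the external URL must follow the <app>-<tenant>.msappproxy.net pattern Azure assigns.

```powershell
# Added example (not from the original post): publish an on-premises web app through
# Application Proxy with the AzureADPreview module and verify Azure AD pre-authentication.
# Assumed values: display name, internal URL and external URL below.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

# Publishing is pointless until at least one connector has registered and is active.
$active = Get-AzureADApplicationProxyConnector | Where-Object { $_.Status -eq 'active' }
if (-not $active) { throw 'No active Application Proxy connector; install one first.' }
$active | Select-Object MachineName, ExternalIp, Status

# AadPreAuthentication means every request must carry an Azure AD sign-in before the
# connector forwards it, so MFA and Conditional Access apply. Passthru skips that and
# exposes the application's own login page to the internet.
$app = New-AzureADApplicationProxyApplication `
    -DisplayName 'Intranet Portal' `
    -InternalUrl 'http://intranet.corp.local/' `
    -ExternalUrl 'https://intranetportal-contoso.msappproxy.net/' `
    -ExternalAuthenticationType AadPreAuthentication

# Re-read what was actually published and fail loudly if pre-authentication is off.
$published = Get-AzureADApplicationProxyApplication -ObjectId $app.ObjectId
if ($published.ExternalAuthenticationType -ne 'AadPreAuthentication') {
    throw "'$($published.ExternalUrl)' is published with Passthru authentication."
}
$published | Select-Object ExternalUrl, InternalUrl, ExternalAuthenticationType, ApplicationServerTimeout
```

Assigning users to the published app is the same app-role assignment used for gallery apps, so it is not repeated here. Re-run the last few lines against every published application periodically; an app switched to Passthru by a well-meaning colleague silently loses MFA.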

#AzureAD : SSO to SaaS


In this era, Software as a Service offerings have changed the entire application landscape. Organizations want to take advantage of enterprise applications to solve business problems while avoiding heavy investment in deploying and managing them. Azure AD plays a vital role here by providing a single sign-on experience to enterprise users. It also preserves the security context around these applications through features such as MFA and auditing.

Let's have a look at how to configure an enterprise application from the gallery and associate it with your Azure AD.

Log in to the Azure portal and go to Azure Active Directory.

Go to Enterprise applications.

Click New application.

There are around 3000 applications in the gallery. Look for the one you want to add.

In my case, I am adding Twitter for single sign-on. You may ask: why Twitter? Think of a multinational organization operating in several countries; each country wants to tweet content specific to its market. How do you manage that? You would not want multiple accounts or separate local identities, because the brand value is tied to one account name. With Azure AD you can keep a single Twitter account, with its password managed by one responsible person, and grant access to everyone involved in PR activities without sharing the password itself.

Click Add.

Now you are ready to configure the application: assign users, configure single sign-on, conditional access and so on.

Let me add two users so that both can use this account through https://myapps.microsoft.com without knowing the password.

Select the users and click Select.

Once the users are selected, click Assign.

Now it is time to set the single sign-on mode. Go to Single sign-on mode and select Password-based Sign-on.

I want to set the password for the Twitter account myself and give access to the end users, so select the user and click Update credentials.

Enter the Twitter account credentials. If you do not want to update the credentials yourself in future, select "I want Azure AD to automatically manage this user or group's password" so that Azure AD sets and rotates the password on your behalf; this also means no person needs to know the shared password at all. Repeat the same steps for the other user.

Now log in to https://myapps.microsoft.com and access your applications.
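The user assignment part of this walkthrough, and the access review that should follow it, as an added example using the AzureAD PowerShell module (not code from the original post). Entering the shared Twitter credentials for password-based SSO remains a portal step; the module has no cmdlet for it. The two PR users and the stale contractor name are assumptions; 'Twitter' is the gallery app from the post.

```powershell
# Added example (not from the original post): assign users to a gallery application and
# review who holds the assignment, using the AzureAD module.
# Assumed names: application display name 'Twitter', the two UPNs and the contractor below.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$sp = Get-AzureADServicePrincipal -Filter "displayName eq 'Twitter'"

# Gallery apps configured for password-based SSO expose a single default role, which is
# why the assignment uses the empty GUID as the role id.
foreach ($upn in 'pr-user1@contoso.com', 'pr-user2@contoso.com') {
    $user = Get-AzureADUser -ObjectId $upn
    New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId `
        -ResourceId $sp.ObjectId -Id ([Guid]::Empty) | Out-Null
}

# The access review a shared corporate account needs: exactly who can sign in to it now.
$assignments = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true
$assignments | Select-Object PrincipalDisplayName, PrincipalType, CreationTimestamp

# Off-boarding: revoke assignments for anyone no longer involved in PR.
$stale = $assignments | Where-Object { $_.PrincipalDisplayName -eq 'Former PR Contractor' }
foreach ($a in $stale) {
    Remove-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -AppRoleAssignmentId $a.ObjectId
}
```

Because the password never reaches the users, removing an assignment is a complete revocation; with a traditionally shared password you would also have to rotate it. If you assigned a group instead of individual users, the same review must cover the group's membership and owners.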

#AzureAD : Azure AD Connect


Azure Active Directory Connect (a.k.a. AAD Connect) is the tool Microsoft provides to connect your Windows Server Active Directory to Azure AD. It incorporates all the features of the preceding synchronization tools (Azure AD Sync and DirSync) and adds many advanced features natively. Future releases of AAD Connect are expected to bring in many FIM 2010 R2 (Forefront Identity Manager) and MIM 2016 (Microsoft Identity Manager) features, such as connecting to one or more on-premises LDAP directories, connecting to on-premises AD and LDAP directories together, connecting to custom systems (SQL, Oracle, MySQL, etc.) and connecting to on-premises HR systems (SAP, Oracle eBusiness, PeopleSoft).

Here are the system prerequisites for installing AAD Connect:

  • Windows Server 2008 or later. (Note: if using Windows Server 2008 or 2008 R2, apply the latest updates and hotfixes before starting the installation.)
  • Windows Server Standard edition or above; Essentials is not supported.
  • Full GUI version of Windows Server; Server Core is not supported.
  • .NET Framework 4.5.1 or later and Windows PowerShell 3.0 or later installed.
  • Windows Server 2008 R2 SP1 or later if you plan to use password synchronization.
  • Windows Server 2012 or later if you plan to use a group managed service account.
  • PowerShell Transcription must not be enabled by Group Policy on the server.

Now let's have a look at how to install and configure AAD Connect. I am using Windows Server 2016 for the AAD Connect server with a local SQL Server 2012 Express edition. SQL Server 2012 Express is the default database option and is recommended for small to medium AD environments with up to 100K AD objects. Otherwise, point AAD Connect at a full SQL Server instance using the "Customize" option during installation.

First, go to your Azure AD tenant and create an account with the Global administrator directory role. This account is used only to configure AAD Connect: the wizard creates a separate synchronization service account in Azure AD for the ongoing sync, so the global administrator account should be protected like any other admin account (MFA, no day-to-day use) and is not handed to the sync service.

Once the user is created, log in to https://portal.azure.com to set the new password.

Now open https://portal.azure.com on the AAD Connect server and log in with the global administrator account.

Click Azure Active Directory in the left panel.

Click Azure AD Connect.

Click "Download Azure AD Connect". (Note: you can also download it directly from the web.)

Run the executable to install the Azure AD Connect tool.

Once installation completes, a new wizard opens. Accept the terms and conditions and click Continue.

Now you have two options: Express settings or Customize. If your AAD Connect server is not domain joined, Express settings is not available.

Installation with Express settings is very simple: make sure the AAD Connect server is domain joined and follow the steps.

In this blog post I will show how to install AAD Connect with the Customize option. There are four optional, self-explanatory configuration choices; I am not selecting any of them, but I will explain them in the next step.

If you select the first two options, you need to provide an installation path for "Specify a custom installation location" and the SQL Server name and instance name for "Use an existing SQL Server". Also make sure the required ports are open to reach the SQL Server.

The "Use an existing service account" option requires either group Managed Service Account credentials or, under Domain Account, the credentials of a domain service account that will be used to connect to the remote SQL Server. Make sure the user running the installation has the SA role in SQL so that a login for the service account can be created. By default AAD Connect creates four sync groups on the local server; if you would rather use your own groups, specify them here and make sure they are local to the server, not domain groups.

In my installation, I am not performing any optional configuration. Click Install.

Once the installation starts, it takes a couple of minutes.

In the User sign-in window, select the sign-on method and click Next.

Enter the credentials of the Azure AD global administrator. This step verifies your credentials.

Now connect your Windows Server Active Directory forest. This step is simple if your AAD Connect server is domain joined: enter your forest FQDN and click Add Directory.

You now have two options: create a new AD account using Enterprise Admin credentials, or use an existing account. In my case, I am creating a new AD account.

You may see the following error while creating the new account.

[Workaround: go to your Active Directory and you will find a newly created user named MSOL_****** in the Users container. Reset its password and copy the user name. While doing so, make sure you grant this user the required permissions (read and write).]

Required permissions:

For Password Sync: Replicate Directory Changes and Replicate Directory Changes All

For Password Writeback: Reset password, plus write permission on the lockoutTime and pwdLastSet attributes

Note that "Replicate Directory Changes All" lets its holder pull the password hashes of every account in the domain (the DCSync technique relies on exactly this right), so the MSOL_ account and the AAD Connect server that stores its credential must be protected to the same standard as a domain controller.

Enter the MSOL_***** credentials under "Use existing AD account".

Now you can see that the forest has been added under Configured directories. Click Next.

In Azure AD sign-in configuration you will find your Active Directory UPN suffix, and in the Azure AD Domain column one of three states (Verified, Not Verified and Not Added).

If you want to change the Azure AD Domain status, go to the Azure portal and add the custom domain. You can verify the domain while adding it; in my case, I didn't verify it.

Refresh, and the status changes from "Not Added" to "Not Verified". Select "Continue without any verified domains" and click Next. (Users with an unverified UPN suffix are synchronized with the tenant's default .onmicrosoft.com suffix until the domain is verified.)

Select the required option and click Next.

Select "Let Azure manage the source anchor for me" and click Next. (This makes AAD Connect use ms-DS-ConsistencyGuid as the immutable identifier where the forest supports it, which survives moving objects between forests better than objectGUID.)

Select the required option and click Next.

Select the required features and click Next.

Click Install.

Configuration takes a couple of minutes.

Once configuration completes, you will see this wizard. Click Exit.

Your Windows Server Active Directory is now synchronized with Azure AD. If you need to change anything after the initial setup, open Azure AD Connect again and make the changes.
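Two checks worth running once the wizard exits, as an added example that is not part of the original post. Part 1 uses the ADSync module installed with AAD Connect to confirm the scheduler and force a delta sync instead of waiting for the next cycle. Part 2 uses the RSAT ActiveDirectory module to enumerate every principal holding the "Replicating Directory Changes" and "Replicating Directory Changes All" extended rights on the domain head (the rights the MSOL_ account was granted above, and the ones DCSync abuses) and flags anything other than the domain controllers, Administrators and the MSOL_ account. The NetBIOS-qualified MSOL_ prefix is the naming from the post; the list of expected holders is the default ACL of a domain and is an assumption you should adjust if you have other legitimate replication partners.

```powershell
# Added example (not from the original post): post-installation checks for AAD Connect.
# Part 1 runs on the AAD Connect server (ADSync module ships with it); part 2 needs the
# RSAT ActiveDirectory module. Assumed: the sync account is named MSOL_* as in the post.
Import-Module ADSync
Import-Module ActiveDirectory

# 1. Confirm the scheduler is enabled and the server is not in staging mode, then
#    trigger a delta sync rather than waiting for the next 30-minute cycle.
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, StagingModeEnabled, CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC
Start-ADSyncSyncCycle -PolicyType Delta

# 2. Enumerate who can replicate directory changes (i.e. who could run DCSync).
$domain        = Get-ADDomain
$nb            = $domain.NetBIOSName
$getChanges    = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
$getChangesAll = [Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Default holders on a domain head (assumption: adjust for your environment).
$expectedHolders = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    "$nb\Domain Controllers",
    "$nb\Enterprise Read-only Domain Controllers"
)

$replicationAces = (Get-Acl -Path "AD:\$($domain.DistinguishedName)").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag($extendedRight) -and
        ($_.ObjectType -eq $getChanges -or $_.ObjectType -eq $getChangesAll)
    } |
    Select-Object @{ n = 'Identity'; e = { $_.IdentityReference.Value } },
                  @{ n = 'Right';    e = { if ($_.ObjectType -eq $getChangesAll) { 'Get-Changes-All' } else { 'Get-Changes' } } }

$replicationAces | Format-Table -AutoSize

# Anything that is neither a default holder nor the AAD Connect MSOL_ account deserves a ticket.
$unexpected = $replicationAces | Where-Object {
    $_.Identity -notin $expectedHolders -and
    $_.Identity -notmatch "^$([regex]::Escape($nb))\\MSOL_"
}
if ($unexpected) {
    Write-Warning 'Unexpected replication rights (DCSync-capable) found:'
    $unexpected | Format-Table -AutoSize
}
```

Expect exactly one MSOL_ row for Get-Changes and one for Get-Changes-All after a password hash sync installation. Schedule part 2 as a recurring check: a new identity appearing in that list is one of the strongest Active Directory compromise indicators you can collect without an EDR.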