Connecting to an Azure Active Directory using Microsoft Azure portal

admin

The Azure directory option allows LogonBox to connect to a Windows Azure Active Directory (now called Microsoft Entra ID) or Office 365 directory using the Microsoft Azure portal at https://portal.azure.com.

The configuration process consists of two parts: configuring the Entra ID tenant to accept connections from LogonBox, and configuring LogonBox to connect to your Entra ID tenant. Both steps are detailed below.

 

Creating an Azure Application

LogonBox's Azure connector communicates with your Entra ID tenant through an application registered against the directory. The first stage of the configuration process is to create that application.

Go to the Azure portal at https://portal.azure.com and log in with your Azure management account.

 

Once you have successfully logged in, click Microsoft Entra ID in the left-hand menu and, if you are not using the Default Directory, switch to the directory you want to use.

Whilst you are here, make a note of the domain name listed next to Primary Domain. This is the Tenant Domain setting that you will need later.

Click Add at the top of the page, then select App registration.

You will be prompted for information to create the application. Enter a new Name for this application.

Set the Supported account types to Accounts in this organizational directory only.

In the Redirect URI section, change the dropdown to Web, then in the text box to the right enter the URL of the LogonBox server, which will be https://<server>/app/api/azure/oauth/end (replacing <server> with the hostname or IP address of your LogonBox server).

Click Register to create the new application.

Get the Client ID

Now that the application has been created, click Overview in the left menu; you will be taken to the screen shown below.

Find and copy the Application (client) ID using the Copy to clipboard button that appears. This value is used as the Client ID in the Connector configuration later.

 

Assigning the application to a role

In the top menu, click All services, then Subscriptions.

 

Select the subscription (resource group or resource) you wish to assign the application to.

 

Select Access Control (IAM), then Add, then Add role assignment.

 

Select the Role you wish to assign to the application. The following image shows the User Access Administrator role.

 

Select the Members tab, and set Assign access to to User, group, or service principal.

In the Members field, click Select members, then find and select the application registered earlier.

By default, Entra ID applications aren't displayed in the available options. To find your application, enter its name in the search field. Select it, then click Select.

 

In the Conditions tab, set any conditions on what a user can do. Here we're allowing the user to assign all roles except privileged administrator roles.

 

Click Review + assign twice to complete.

 

Configure Client Secret

We now need to create a client secret, which the application uses to obtain the access token it requires.

Go back to Microsoft Entra ID > App registrations and click on the application created earlier.

Now click Certificates & secrets then New client secret.

 

Enter any name for the Description, select an Expires duration for the secret, then click Add. Once the secret expires the connector can no longer obtain tokens, so note the expiry date and plan to create a replacement secret before then.

 

The Client secrets section will now display the secret value that the application uses for authentication. Copy it now by clicking Copy to clipboard next to the Value; the full value is only shown immediately after creation. You will need it for the Directory configuration later.

 

API permissions

Click on API permissions. There should already be an entry for Microsoft Graph; click on it.

 

In the Request API Permissions list, select Delegated permissions and tick the following items:

  • Directory -> Directory.AccessAsUser.All (Access directory as the signed in user)
  • Directory -> Directory.ReadWrite.All (Read and write directory data)
  • Group -> Group.ReadWrite.All (Read and write all groups)
  • User -> User.Read (Sign in and read user profile)
  • User -> User.Read.All (Read all users' full profiles)

Now select Application permissions at the top, then tick:

  • Directory -> Directory.ReadWrite.All (Read and write directory data)

These cover all the functions LogonBox can be configured to perform on directory accounts.

Click Update permissions at the bottom.

 

All 6 permissions should now be shown.

 

Because permissions were added, admin consent must now be granted. Above the permissions list, click Grant admin consent for <company>, then click Yes to confirm.

 

All of the items in the Admin Consent Required column should now be ticked.

 

Required permissions

Select Microsoft Entra ID on the left again, then select User settings, set Users can register applications to No, and click Save.

 

Delegating User Control Permissions

To fully manage Azure, LogonBox needs full user control permissions, including delete. These permissions cannot be delegated from within the Azure web UI, so you must assign them with PowerShell cmdlets.

The specific instructions are as follows:

On a PC, run PowerShell as an administrator.

If you don't have the MSOnline module installed already, install it with: Install-Module MSOnline

Type Y when prompted to install.

 

Connect to the Azure subscription with: Connect-MsolService

This cmdlet opens a credentials window where you enter the credentials of a global administrator for your directory. After logging in, you can start scripting against your directory.

 

Now run: Get-MsolServicePrincipal -AppPrincipalId YOUR_APP_CLIENT_ID

This cmdlet returns the service principal information for your application. Replace YOUR_APP_CLIENT_ID with the Client ID that you noted earlier.

The returned object contains a property named ObjectId. Copy this value and store it with the Client ID, tenant name and key, as you will need it later.

 

Finally, this last cmdlet adds your application to the 'User Administrator' role, granting it permission to delete both users and groups.

Replace YOUR_OBJECT_ID with the object id just noted.

Run: Add-MsolRoleMember -RoleMemberType ServicePrincipal -RoleName 'User Administrator' -RoleMemberObjectId YOUR_OBJECT_ID
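The delegation steps above, combined into a single re-runnable script. This is an added example and not LogonBox's own code or the article's: it uses the same MSOnline cmdlets the article names, adds a lookup of the service principal so the ObjectId does not have to be copied by hand, skips the role assignment if it is already present, and verifies the membership afterwards with Get-MsolRoleMember. The parameter name $AppClientId and the script file name are assumptions; the Client ID value itself must come from your own app registration. Note that Microsoft has deprecated the MSOnline module; the script follows the article's cmdlets as written.

```powershell
# Added example (not LogonBox code): delegate the 'User Administrator' role to the
# LogonBox application's service principal and verify the assignment.
# Run as: .\Grant-LogonBoxRole.ps1 -AppClientId <Application (client) ID>
param(
    [Parameter(Mandatory = $true)]
    [string]$AppClientId,                      # the Client ID noted in the portal
    [string]$RoleName = 'User Administrator'   # role name as used in the article
)

# The MSOnline module must be present (Install-Module MSOnline if it is not).
Import-Module MSOnline -ErrorAction Stop

# Opens the credentials prompt; sign in as a global administrator.
Connect-MsolService

# Look up the service principal that backs the app registration.
$sp = Get-MsolServicePrincipal -AppPrincipalId $AppClientId
if (-not $sp) {
    throw "No service principal found for application ID $AppClientId. Check the Client ID."
}
Write-Host "Service principal ObjectId: $($sp.ObjectId)  (store this as the Object ID)"

# Resolve the role once; its ObjectId is needed to list members.
$role = Get-MsolRole -RoleName $RoleName
if (-not $role) {
    throw "Role '$RoleName' not found in this directory."
}

# Only add the membership if it is not already there, so re-running is harmless.
$alreadyMember = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.ObjectId -eq $sp.ObjectId }

if ($alreadyMember) {
    Write-Host "$($sp.DisplayName) is already a member of '$RoleName'."
} else {
    Add-MsolRoleMember -RoleMemberType ServicePrincipal -RoleName $RoleName -RoleMemberObjectId $sp.ObjectId
    Write-Host "Added $($sp.DisplayName) to '$RoleName'."
}

# Verify: list the role's members and confirm the service principal is among them.
$members = Get-MsolRoleMember -RoleObjectId $role.ObjectId
if ($members.ObjectId -contains $sp.ObjectId) {
    Write-Host "Verified: the application holds the '$RoleName' role."
} else {
    Write-Warning "Role assignment could not be verified; re-check with Get-MsolRoleMember."
}
```

The final Get-MsolRoleMember call is the check worth keeping: it confirms the delegation took effect before you move on to the LogonBox connector configuration, and the same call can be used later to audit which service principals hold the role.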

 

This completes the Azure configuration process. At this stage, you should have 4 items of information that can be used for the Connector configuration:

  • Tenant Domain
  • Client ID
  • Key
  • Object ID

 

Configuring the Azure Directory in LogonBox

Step 1 - Create Directory

Whilst managing the tenant realm, navigate to Access Control and select Configure User Database, located at the top of the User table.

 

From the form that opens, set Realm Type to Azure.

 

Step 2 - Configuring your standard AD Settings

With the correct realm type selected, the next step requires the Azure settings to be configured.

There are two top level tabs available: Standard and Advanced. Step 2 concerns all the settings in Standard.

 

Step 2a - Connection

You will need to provide the following information, noted when creating the Azure configuration earlier in this article:

  • Tenant Domain: the Azure AD domain, e.g. Nervepoint.onmicrosoft.com
  • Client ID: the Application (client) ID identified in the Azure application configuration
  • Key: the client secret created for the application
  • Object ID: the Object ID value identified in the PowerShell delegation section

 

You may set the Read Only option to ON, which can be useful for testing if you don't want any changes to be made, but it must be OFF if you want to update users or reset passwords.

 

If you are happy for your tenant to synchronize with these settings (and reconcile all users on the domain), click Update. If everything is correct, the details will be saved.

The first synchronisation with your Azure Active Directory will then begin. You will see a green status message, "reconciling with directory"; once it completes, a similar message, "reconcile finished successfully", will be shown.

 

Step 2b - Restricting Synchronization by Groups

With the core Azure settings configured, your tenant will begin synchronizing all users from your directory. If you wish to limit these to members of certain groups, you can do so under the Org Units tab.

Settings here are:

  • Include Groups: only users and groups belonging to these groups are imported. Type in the group name and press Enter or click the plus icon to add the filter.
  • Exclude Groups: users and groups belonging to these groups are not imported. Type in the group name and press Enter or click the plus icon to add the filter.

The Exclude filter will run after the Include filter, so if a user is a member of a group which is included as well as a member of an excluded group, then the user will be excluded from the synchronisation.
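The Include/Exclude precedence described above, modelled as a small function so the rule can be checked against sample data. This is an added example, not LogonBox's own code: the function name Select-SyncUsers, the users and their group memberships are all constructed for illustration, and the model covers users only (the real filters also apply to groups).

```powershell
# Added example (not LogonBox code): models the Org Units Include/Exclude rule.
# Include runs first; Exclude runs afterwards and removes any user that also
# belongs to an excluded group, even if an included group matched.
function Select-SyncUsers {
    param(
        [hashtable]$Membership,            # username -> array of group names (constructed)
        [string[]]$IncludeGroups = @(),    # empty = no restriction, every user passes
        [string[]]$ExcludeGroups = @()
    )
    $result = @()
    foreach ($user in ($Membership.Keys | Sort-Object)) {
        $groups = @($Membership[$user])

        # Include filter: with no include groups configured, everyone is a candidate.
        $included = ($IncludeGroups.Count -eq 0) -or
                    (@($groups | Where-Object { $IncludeGroups -contains $_ }).Count -gt 0)

        # Exclude filter runs second and wins on any overlap.
        $excluded = @($groups | Where-Object { $ExcludeGroups -contains $_ }).Count -gt 0

        if ($included -and -not $excluded) { $result += $user }
    }
    return $result
}

# Constructed sample directory: usernames and the groups they belong to.
$membership = @{
    'alice' = @('Staff', 'IT')
    'bob'   = @('Staff', 'Contractors')   # member of both an included and an excluded group
    'carol' = @('Contractors')
    'dave'  = @()                         # no group membership at all
}

# Case 1: include Staff, exclude Contractors.
Select-SyncUsers -Membership $membership -IncludeGroups 'Staff' -ExcludeGroups 'Contractors'

# Case 2: no include filter, only an exclusion.
Select-SyncUsers -Membership $membership -ExcludeGroups 'Contractors'
```

In case 1 only alice is returned: bob is a member of Staff, so the Include filter admits him, but he is also in Contractors, so the Exclude filter removes him, exactly as the paragraph above describes. In case 2, with no Include Groups set, alice and dave are returned, showing that an empty include list places no restriction and that a user with no group memberships is still synchronized unless excluded.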

 

Step 2c - Principal Filter

The Principal Filter tab works in a similar way to the Org Units filter, but for ignoring specific usernames and groups. Type in the username or group you wish to exclude from the reconcile and press Enter or click the plus icon.

Note that excluding a group here differs from the Exclude Groups filter in Org Units: a group ignored here will not be visible in Access Control > Groups at all.

 

Step 3 - Advanced Settings

The configuration items below are not necessary to get your Azure Active Directory connected and syncing with your tenant, but they may be useful for those who wish to add a little more control.

Click on the Advanced link above the tabs to see the advanced settings.

 

Step 3a - Reconcile

The Reconcile tab contains settings relating to how LogonBox reconciles your users. The settings here are:

  • Rebuild Cache: By default, reconciles only process changes to users or groups, to keep things quick. Setting this option to ON performs a full reconcile of every item and is generally used in certain troubleshooting cases. Defaults to OFF.
  • Purge Duplicates: On rare occasions with an out-of-date cache, duplicate users may be created. Set this to ON to purge any duplicates on the next reconcile. Defaults to OFF.
  • Cache Passwords: Creates a one-way hash of the password and stores it on LogonBox so that subsequent authentication attempts do not need to contact Azure AD. Recommended to keep this set to OFF.
  • Reconcile at Login: If set to ON, performs a reconcile of the user's account when they log on, to pull in any changes immediately. Defaults to OFF, which gives the best user performance.

Step 4 - Status information

There is another tab that only appears once you have configured your Directory and edit the Directory configuration again. This tab is Status and contains information fields relating to the reconcile status.

These fields are:

  • Status: The status of the last reconcile, which can be Completed or Failed.
  • Next Due: What date and time the next reconcile will be started.
  • Last Performed: What date and time the previous reconcile was started.
  • Last Error: If the status is failed, this contains the error that caused the failure.

 

Conclusion

This article has detailed all of the settings needed for your tenant to begin reconciling with your Azure Active Directory. Your tenant should now begin synchronizing with Azure, enabling your users to fully manage their Azure accounts in the cloud.