Connecting to an Azure Active Directory using Microsoft Azure portal

admin

The Azure directory option allows for LogonBox to connect to a Windows Azure Active Directory, or Office 365 database using the main Microsoft Azure portal at https://portal.azure.com

The configuration process consists of two parts: configuring the Azure AD domain to accept connections from LogonBox, and configuring LogonBox to connect to your Azure AD. Both steps are detailed below.

Creating an Azure Application

LogonBox's Azure connector communicates with your Azure AD through an application configured against the Azure AD domain. The first stage of the configuration process is to create an application. 

Go to the Windows Azure login portal at https://portal.azure.com and log in with your Windows Azure management account.

Once you have successfully logged in, click on Azure Active Directory in the left-hand menu and switch to the directory you want to use if it is not the Default Directory.

Whilst you are here, make a note of the domain name listed below the Switch directory button. This is the Tenant Domain setting that you will need later.

Select the App registrations menu, then create a new application by clicking the New registration button at the top of the page.

You will be prompted for information to create the application. Enter a new Name for this application.

Set the Supported account types to Accounts in this organizational directory only.

In the Redirect URI section, change the dropdown to Web, then in the text box to the right enter the URL of the LogonBox server, which will be https://<server>/app/api/azure/oauth/end (replacing <server> with the host or IP of your LogonBox server). Azure only redirects to a URI that matches this entry exactly, so the scheme, host and path must be the ones LogonBox actually uses.

Click Register to create the new application.

Click on the new application just created then click the Authentication menu. Scroll down to Advanced Settings and in Allow public client flows, turn on the option for Enable the following mobile and desktop flows.

Click Save at the top.

Get the Client ID

Now that the application has been created, click on Overview in the left menu. You will be taken to a screen as shown below.

Find and copy the Application (client) ID using the Copy to clipboard button that appears. This is the setting that will be used as the Client ID for the Connector configuration later.

Assigning the application to a role

In the top menu, click All services, then Subscriptions.

Select the particular subscription (resource group or resource) to assign the application to.

Select Access Control (IAM) then Add, then Add role assignment.

Select the Role you wish to assign to the application. The following image shows the Owner role.

Select the Members tab, and set Assign access to to User, group, or service principal.

In the Members field, click Select members. We need to find and select the name of the application configured earlier.

By default, Azure Active Directory applications aren't displayed in the available options. To find your application, type its name in the search field. Select it, then click Select.

Click Review + assign twice to complete.

Configure Client Secret

We now need to create a client secret (key), which the application will use to obtain the access token it needs to work.

Go back to Azure Active Directory > App registrations and click on the application created earlier.

Now click Certificates & secrets, then New client secret.

Type in any name for the Description, select an Expires duration for the key, and then click Add.

The Client secrets section will now display a key value, which the application will use for authentication. Make a copy of this key now by clicking the Copy to clipboard button next to the Value column; the value is only shown in full at this point. You will need this information for the Directory configuration later.

API permissions

Click on API permissions. There should already be an entry in place for Microsoft Graph; click on this entry.

In the Request API Permissions list, select Delegated permissions and tick the following items:

Directory->Directory.AccessAsUser.All (Access directory as the signed in user)

Directory->Directory.ReadWrite.All (Read and Write directory data)

Group->Group.ReadWrite.All (Read and write all groups)

User->User.Read (Sign in and read user profile)

User->User.Read.All (Read all users' full profiles)

Now select Application Permissions at the top, then tick:

Directory->Directory.ReadWrite.All (Read and write directory data)

These cover all of the functions that LogonBox can be set to perform with the directory accounts.

Click Update permissions at the bottom.

All 6 permissions should now be shown.

As we have added permissions, we now need to grant them. Above the permissions list, click Grant admin consent for <company>, then click Yes to perform the grant.

All of the items in the Admin Consent Required column should now be ticked.
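A quick way to confirm that the client secret from the Configure Client Secret section and the admin consent granted above actually work together is to request an application token with the client-credentials grant and inspect the roles it carries. The script below is an added example, not part of this page or of LogonBox; it builds the standard Azure AD v2.0 token request and checks a token's claims offline using a constructed, unsigned sample token (the Client ID and tenant domain are placeholders).

```python
import base64
import json
import time
from urllib.parse import urlencode

# Requesting the Graph ".default" scope with client credentials returns the
# Application permissions that were admin-consented (Directory.ReadWrite.All).
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
REQUIRED_ROLES = {"Directory.ReadWrite.All"}


def token_request(tenant_domain, client_id, client_secret):
    """Return (url, form_body) for the v2.0 client-credentials token request."""
    url = f"https://login.microsoftonline.com/{tenant_domain}/oauth2/v2.0/token"
    body = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "scope": GRAPH_SCOPE})
    return url, body


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def check_app_token(token, client_id, now=None):
    """List what is wrong with an access token issued to the LogonBox app."""
    now = time.time() if now is None else now
    claims = jwt_claims(token)
    problems = []
    # v1.0 tokens carry the app's Client ID in 'appid', v2.0 tokens in 'azp'
    if client_id not in (claims.get("appid"), claims.get("azp")):
        problems.append("token was not issued to the expected Client ID")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    missing = REQUIRED_ROLES - set(claims.get("roles", []))
    if missing:
        problems.append("admin consent missing for: " + ", ".join(sorted(missing)))
    return problems


def make_unsigned_jwt(claims):
    """Constructed sample token for offline testing (header 'none', no signature)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


if __name__ == "__main__":
    cid = "00000000-0000-0000-0000-000000000000"  # placeholder Client ID
    print(token_request("contoso.onmicrosoft.com", cid, "<client-secret>"))
    good = make_unsigned_jwt({"appid": cid, "exp": 4102444800, "roles": ["Directory.ReadWrite.All"]})
    print(check_app_token(good, cid))  # []
```

Against a real deployment, POST the returned body to the returned URL and pass the access_token from the JSON response to check_app_token; an empty list means the secret is valid and the application permission has been consented.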

Required permissions

Select Azure Active Directory on the left again, then select User settings. Check the App registrations setting. This value can only be set by an administrator; if it is set to Yes, any user in the Azure AD tenant can register an app.

If the App registrations setting is set to No, only users with an administrator role may register these types of applications. See the available roles and role permissions to learn about the administrator roles and the specific permissions in Azure AD that are given to each role. If your account is assigned the User role but app registration is limited to admin users, ask your administrator either to assign you one of the administrator roles that can create and manage all aspects of app registrations, or to enable users to register apps.