Connecting to an Azure Active Directory using Azure Active Directory admin center

admin

The Azure directory option allows LogonBox to connect to a Windows Azure Active Directory or Office 365 database, configured through the main Azure Active Directory admin center at https://aad.portal.azure.com

The configuration process consists of two parts, configuring the Azure AD domain to accept connections from LogonBox and configuring LogonBox to connect to your Azure AD. Both steps are detailed below.

Creating an Azure Application

LogonBox's Azure connector communicates with your Azure AD through an application configured against the Azure AD domain. The first stage of the configuration process is to create an application. 

Go to the Azure Active Directory admin center at https://aad.portal.azure.com and log in with your Windows Azure management account.

Once you have successfully logged in, click Azure Active Directory in the left-hand menu and, if the directory you want to use is not the Default Directory, switch to it.

Whilst you are here, make a note of the domain name listed below the Switch directory button. This is the Tenant Domain setting that you will need later.

Select the App registrations menu then create a new application by clicking the New registration button at the top of the page.

You will be prompted for information to create the application. Enter a new Name for this application.

Set the Supported account types to Accounts in this organizational directory only.

In the Redirect URI section, change the dropdown to Web, then in the text box to the right enter the URL of the LogonBox server, which will be https://<server>/app/api/azure/oauth/end (replacing <server> with the host name or IP address of your LogonBox server).

Click Register to create the new application.

Click on the new application just created then click the Authentication menu. Scroll down to Advanced Settings and in Allow public client flows, turn on the option for Enable the following mobile and desktop flows.

Click Save at the top.

Get the Client ID

Now that the Application has been created you will be taken to a screen as shown below.

Find and copy the Application (client) ID using the Copy to clipboard button that appears. This is the setting that will be used as the Client ID for the Connector configuration later.

Configure Client Secret

Now click Certificates & secrets then New client secret.

Type in any name for the Description and select an Expires duration for the key and then click Add.

The Client secrets section will now display a Value, which is the secret the application will use to authenticate. Make a copy of this value now by clicking the Copy to clipboard button next to the Value (not the Secret ID); it is only shown in full at this point. You will need it for the Directory configuration later, where it is referred to as Key.

API permissions

Click on API permissions. There should already be an entry in place for Microsoft Graph, click on this entry.

In the Request API Permissions list, select Delegated permissions and tick the following items:

Directory->Directory.AccessAsUser.All (Access directory as the signed in user)

Directory->Directory.ReadWrite.All (Read and Write directory data)

Group->Group.ReadWrite.All (Read and write all groups)

User->User.Read (Sign in and read user profile)

User->User.Read.All (Read all users' full profiles)

Now select Application Permissions at the top, then tick:

Directory->Directory.ReadWrite.All (Read and write directory data)

These will account for all functions that LogonBox can be set to perform with the directory accounts.

Click Update permissions at the bottom.

All 6 permissions should now be shown. Because permissions have been added, they now need to be granted. Click Grant admin consent for <company>, then click Yes to perform the grant.

All of the items in the Admin Consent Required column should now be ticked.

Required permissions

Select Azure Active Directory on the left again, then select User settings. Check the App registrations setting. This value can only be set by an administrator. If set to Yes, any user in the Azure AD tenant can register an app.

If the app registrations setting is set to No, only users with an administrator role may register these types of applications. See available roles and role permissions to learn about available administrator roles and the specific permissions in Azure AD that are given to each role. If your account is assigned to the User role, but the app registration setting is limited to admin users, ask your administrator to either assign you to one of the administrator roles that can create and manage all aspects of app registrations, or to enable users to register apps.

Delegating User Control Permissions

To be able to fully manage Azure, we need to set up full user control permissions, including delete. These permissions cannot be delegated from within the Azure web UI, so to assign them you must use some PowerShell cmdlets.

The specific instructions are as follows:

On a PC, run PowerShell as an administrator.

If you don't already have the MSOnline Azure module installed, install it with: Install-Module MSOnline

Type Y when prompted to install.

Connect to the Azure subscription with: Connect-MsolService

This cmdlet will open a credentials window where you need to enter the credentials of a global administrator for your AD directory. After logging in, you can start scripting against your directory.

Now run: Get-MsolServicePrincipal -AppPrincipalId YOUR_APP_CLIENT_ID

This cmdlet will return the service principal information for your AD application. Replace YOUR_APP_CLIENT_ID with the Client ID that you noted earlier.

The returned object contains a property named ObjectId. Copy this value and store it with the Client ID, Tenant Domain and Key, as you will need this Object ID later.

Finally, this last cmdlet will add your AD application to the 'User Administrator' role, granting it permission to delete both users and groups.

Replace YOUR_OBJECT_ID with the Object ID just noted.

Run: Add-MsolRoleMember -RoleMemberType ServicePrincipal -RoleName 'User Administrator' -RoleMemberObjectId YOUR_OBJECT_ID
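The lookup and role assignment above, combined into one re-runnable script as an added example (this is not a LogonBox script). It assumes the MSOnline module is installed, that $ClientId is the Application (client) ID noted earlier, and that the account used for Connect-MsolService is a global administrator.

```powershell
# Added example, not part of the LogonBox documentation.
# Resolves the app's service principal, adds it to the 'User Administrator'
# role only if it is not already a member, and verifies the result.
param(
    [Parameter(Mandatory = $true)][string]$ClientId,   # Application (client) ID
    [string]$RoleName = 'User Administrator'
)

Import-Module MSOnline -ErrorAction Stop
Connect-MsolService   # opens the credentials window for a global administrator

# Look up the service principal behind the app registration; stop if the
# Client ID does not match anything in this tenant.
$sp = Get-MsolServicePrincipal -AppPrincipalId $ClientId -ErrorAction Stop
if (-not $sp) { throw "No service principal found for Client ID $ClientId" }
Write-Host "Service principal '$($sp.DisplayName)' has ObjectId $($sp.ObjectId)"

$role = Get-MsolRole -RoleName $RoleName -ErrorAction Stop

# Check current membership first so the script is safe to run more than once.
$member = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.ObjectId -eq $sp.ObjectId }

if ($member) {
    Write-Host "Already a member of '$RoleName'; nothing to change."
} else {
    Add-MsolRoleMember -RoleObjectId $role.ObjectId `
        -RoleMemberType ServicePrincipal `
        -RoleMemberObjectId $sp.ObjectId
    Write-Host "Added service principal to '$RoleName'."
}

# Verify the assignment actually took effect before handing the values on.
$verified = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.ObjectId -eq $sp.ObjectId }
if (-not $verified) { throw "Role membership for $($sp.ObjectId) could not be verified" }

# Emit the two identifiers the LogonBox connector form will ask for.
[pscustomobject]@{
    ClientId = $ClientId
    ObjectId = $sp.ObjectId
    Role     = $RoleName
}
```

Because the role grants delete rights over users and groups, it is worth periodically listing the members of that role with Get-MsolRoleMember and confirming that only the expected service principals hold it.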

This completes the Azure configuration process. At this stage, you should have 4 items of information that can be used for the Connector configuration:

Tenant Domain

Client ID

Key

Object ID

Configuring the Azure Directory in LogonBox

Step 1 - Create Directory

Whilst managing the tenant realm, navigate to Access Control and select Configure User Database, located at the top of the User table.

In the form that opens, set Realm Type to Azure.