
Azure Active Directory Services

More and more companies use cloud services, so user management is increasingly outsourced as well. Instead of a classic Active Directory queried via LDAP, an Azure AD is used more and more often. Password Secure can import users and roles from Azure AD. To use users and roles from several Azure ADs, create one profile per Azure AD.

Introduction

Differences to the LDAP connection

The Azure AD connection differs from a connection to a conventional Active Directory in one important respect: Password Secure actively queries users, groups and roles from a conventional AD, whereas Azure AD pushes them to the Password Secure server. This is done through the SCIM (System for Cross-domain Identity Management) provisioning service. Consequently, Azure AD must be able to reach the Password Secure server, not the other way round.
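To make the push model concrete, the following is an added example (not Password Secure's own code) of the minimal server-side SCIM 2.0 logic that a receiving endpoint needs: it checks the bearer token Azure presents (the "Secret Token" generated in the Password Secure profile), answers the filtered lookups Azure issues before each create, and stores users and groups (the groups become Password Secure roles). The in-memory store, the token value and the sample user and group are constructed for the example; the request sequence in simulate_first_sync mirrors what the Azure provisioning service does on its first cycle.

```python
"""Minimal SCIM 2.0 receiver logic, illustrating what the Azure AD provisioning
service pushes to a SCIM endpoint. Illustrative only, not Password Secure's
implementation; store, token and sample data are constructed (assumption)."""
import hmac
import re
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

# Azure looks every resource up with a filter of this exact shape before it
# decides between create (POST) and update, so the endpoint must support it.
_FILTER_RE = re.compile(r'^(userName|displayName|externalId) eq "([^"]*)"$')


class ScimReceiver:
    """In-memory stand-in for the server-side user and role store (assumption)."""

    def __init__(self, secret_token):
        self.secret_token = secret_token   # the "Secret Token" entered in Azure
        self.users = {}                    # SCIM id -> user resource
        self.groups = {}                   # SCIM id -> group resource (a role)

    def handle(self, method, path, query=None, headers=None, body=None):
        """Dispatch one request; returns (HTTP status, JSON-serialisable body)."""
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        if not self._authorized(headers.get("authorization", "")):
            return 401, self._error(401, "invalid or missing bearer token")
        if path == "/Users":
            return self._collection(self.users, USER_SCHEMA, "userName", method, query, body)
        if path == "/Groups":
            return self._collection(self.groups, GROUP_SCHEMA, "displayName", method, query, body)
        return 404, self._error(404, "unknown resource")

    def _authorized(self, header):
        scheme, _, token = header.partition(" ")
        # Constant-time comparison: this token is the only credential Azure presents.
        return scheme == "Bearer" and hmac.compare_digest(token.encode(), self.secret_token.encode())

    def _collection(self, store, schema, key, method, query, body):
        if method == "GET":
            match = _FILTER_RE.match((query or {}).get("filter", ""))
            if not match:
                return 400, self._error(400, "unsupported filter")
            attr, value = match.groups()
            hits = [r for r in store.values() if r.get(attr) == value]
            return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(hits),
                         "startIndex": 1, "itemsPerPage": len(hits), "Resources": hits}
        if method == "POST":
            body = body or {}
            if schema not in body.get("schemas", []) or not body.get(key):
                return 400, self._error(400, f"schema {schema} and {key} are required")
            if any(r[key] == body[key] for r in store.values()):
                return 409, self._error(409, f"duplicate {key}", scim_type="uniqueness")
            if store is self.groups:
                # Members reference the SCIM ids this endpoint returned for users.
                unknown = [m for m in body.get("members", []) if m.get("value") not in self.users]
                if unknown:
                    return 400, self._error(400, "group references unknown members")
            rid = str(uuid.uuid4())
            resource = dict(body, id=rid, meta={"resourceType": schema.rsplit(":", 1)[1]})
            store[rid] = resource
            return 201, resource
        return 405, self._error(405, "method not allowed")

    @staticmethod
    def _error(status, detail, scim_type=None):
        err = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
        if scim_type:
            err["scimType"] = scim_type
        return err


def simulate_first_sync(token="constructed-secret-token"):
    """Replay the request sequence Azure issues in a first provisioning cycle,
    with constructed sample data; returns the receiver and the response log."""
    srv = ScimReceiver(token)
    auth = {"Authorization": "Bearer " + token}
    user = {"schemas": [USER_SCHEMA], "externalId": "constructed-object-id",
            "userName": "alice@example.com", "displayName": "Alice Example", "active": True,
            "emails": [{"primary": True, "type": "work", "value": "alice@example.com"}]}
    log = []
    # 1. lookup by userName; an empty ListResponse tells Azure to create the user
    log.append(srv.handle("GET", "/Users", {"filter": 'userName eq "alice@example.com"'}, auth))
    # 2. create; the id in the 201 response is what Azure references from now on
    status, created = srv.handle("POST", "/Users", None, auth, user)
    log.append((status, created))
    # 3. same lookup/create pattern for the group, whose members reference that id
    log.append(srv.handle("GET", "/Groups", {"filter": 'displayName eq "PS-Admins"'}, auth))
    group = {"schemas": [GROUP_SCHEMA], "displayName": "PS-Admins",
             "members": [{"value": created["id"]}]}
    log.append(srv.handle("POST", "/Groups", None, auth, group))
    return srv, log
```

The point to take from the sequence is that nothing happens until Azure can reach the endpoint and present a token the server accepts: a wrong token yields a 401 on the very first lookup, and that failure is what shows up in the Azure provisioning log rather than in Password Secure.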

To log in to Password Secure, the user enters their username; a popup then opens for authentication with the corresponding Microsoft account. Any second factor configured in Azure AD is requested there as well. Authentication uses the OpenID Connect protocol.

Linking Azure AD

Below you will find instructions on how to connect Azure AD to Password Secure. In the Azure portal, go to the management page of your Azure Active Directory, using an account with administrative permissions. At the same time, log in to Password Secure with an account that has the user rights "Display organisational structure module", "Can manage Azure AD profiles" and "Can create new Azure AD profiles".

Setup

New Azure application

Log in to the Azure portal and go to the management page of your Azure Active Directory.

Note

You need an account with administrative permissions

  • Write down your "Tenant ID". It is shown in the Azure portal, or you can read it from the output of the following PowerShell command (the AzureAD module is deprecated in favour of Microsoft Graph PowerShell, where Connect-MgGraph followed by Get-MgOrganization returns the same value):
    Connect-AzureAD
  • In your Azure AD, navigate to "Enterprise applications"
  • Add your own application that is not listed in the Azure Gallery – in our example, we name it "Password Secure"

Note

A key feature of Password Secure is that it is self-hosted by our customers. However, being listed in the Azure Gallery requires a SaaS model. Therefore, Password Secure is not available in the Azure Gallery.

  • Once the application has been created, you are redirected to it automatically
  • Write down the "Application ID"
  • In the navigation, click "Users and groups"
  • Add the users and groups that should be available in Password Secure

Be aware

The import of Azure groups as Password Secure roles is only possible if you have booked the Azure AD Premium P2 package!

  • Navigate to the "Provisioning" page
  • Set "Provisioning Mode" to "Automatic"

Password Secure Azure AD configuration

Info

Your Password Secure user needs the following user rights:

  • Display organisational structure module
  • Can manage Azure AD profiles
  • Can create new Azure AD profiles

Then create the profile:

  • Navigate to the module "Organisational structure"
  • In the toolbar, click "Manage profiles" in the category "Azure AD"
  • Create the profile with your information
  • Insert the Tenant ID and the Application ID noted above
  • As soon as the profile has been saved, a popup opens for generating a token
  • Choose the desired expiration date (max. 10 years) and click "Generate token". This token is the only credential Azure presents to the Password Secure SCIM endpoint, so store it like a password; a shorter validity that you renew is preferable to the maximum.
  • Write down the values of the fields "Tenant URL" and "Secret Token"; they are needed in the Azure provisioning configuration

Azure provisioning configuration

  • Fill the fields "Tenant URL" and "Secret Token" with the values provided by Password Secure
  • Click "Test Connection"
  • When the test has been successful, click "Save" at the top of the page
  • Back on the "Provisioning" page, click "Start provisioning"
  • In the provisioning settings, check that "Provisioning Status" is set to "On"
  • All assigned users and groups are now created in Password Secure

Hint

Azure's default provisioning interval is 40 minutes, so it may take some time until the users and roles appear in Password Secure.

Be aware

Please note that Azure establishes the connection to Password Secure, not the other way round. The URL entered as Tenant URL must therefore be reachable from the Azure provisioning service on the public internet (or from the provisioning agent, if one is used), and the TLS certificate presented there must be valid and trusted; a self-signed or expired certificate is rejected. If users are not created in Password Secure, consult the provisioning logs of the Azure Enterprise Application for details.

Azure login configuration

To enable the Azure login for your users, a few more steps are required:

  • Navigate to the Overview page of your Azure AD
  • Navigate to "App registrations"
  • If no application is displayed, click "All applications"
  • Click on the app registration created above ("Netwrix Corporation Password Secure" in this example) and navigate to "Authentication"
  • Click "Add a platform", select "Mobile and desktop applications" and add the redirect URIs for the clients you use:

    Client                      Redirect URI
    WebClient                   https://WEBCLIENT_URL/authentication/login-via-oidc
    FullClient & SSO Agent      https://login.microsoftonline.com/common/oauth2/nativeclient
    iOS & Android               psrmobile://auth
    Google Chrome Extension     https://bpjfchmapbmjeklgmlkabfepflgfckip.chromiumapp.org
    Microsoft Edge Extension    https://ahdfobpkkckhdhbmnpjehdkepaddfhek.chromiumapp.org
    Firefox Extension           https://28c91153e2d5b36394cfb1543c897e447d0f1017.extensions.allizom.org/

    Replace WEBCLIENT_URL with the host name of your web client. Azure compares redirect URIs exactly, so the scheme, host, path and the trailing slash of the Firefox URI must match what the client sends.

Be aware

In order to use Azure login with the desktop client, WebView2 from Microsoft must be installed on the client device.

Set API permissions

Finally, the API permissions for the Azure API have to be set, so the login to Password Secure can be performed successfully.

  • Navigate to "API permissions" and click "Add a permission"
  • Select "Microsoft Graph" and then "Delegated permissions"
  • Under "OpenId permissions", tick "openid" and "profile"
  • Click "Add permissions"
  • Click "Grant admin consent for YOUR_AD_NAME"
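The login configuration above (redirect URIs, the "openid" and "profile" delegated permissions) only makes sense in terms of the OpenID Connect exchange the clients perform. The following is an added example, not Password Secure's own code, of the relying-party side of that exchange: building the authorization request with PKCE against the tenant's v2.0 endpoint, enforcing exact redirect URI matching, and the claim checks that must be applied to the returned ID token. TENANT_ID, APP_ID and WEBCLIENT_URL are placeholders (assumptions), and the sample token is constructed and unsigned; real tokens must additionally have their RS256 signature verified against the tenant's JWKS, which is omitted here because it needs a network fetch.

```python
"""OpenID Connect pieces behind the Azure login: PKCE authorization request,
exact redirect URI matching and ID token claim validation. Added example, not
Password Secure's code; IDs and host are placeholders (assumption)."""
import base64
import hashlib
import json
import secrets
import time
from urllib.parse import urlencode

TENANT_ID = "00000000-0000-0000-0000-000000000000"   # assumption: your Tenant ID
APP_ID = "11111111-1111-1111-1111-111111111111"      # assumption: your Application ID
WEBCLIENT_URL = "passwordsecure.example.com"         # assumption: your web client host
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}"

# Redirect URIs registered under "Mobile and desktop applications" on the page.
REGISTERED_REDIRECTS = frozenset({
    f"https://{WEBCLIENT_URL}/authentication/login-via-oidc",
    "https://login.microsoftonline.com/common/oauth2/nativeclient",
    "psrmobile://auth",
    "https://bpjfchmapbmjeklgmlkabfepflgfckip.chromiumapp.org",
    "https://ahdfobpkkckhdhbmnpjehdkepaddfhek.chromiumapp.org",
    "https://28c91153e2d5b36394cfb1543c897e447d0f1017.extensions.allizom.org/",
})


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def pkce_pair(verifier=None):
    """RFC 7636 code_verifier and S256 code_challenge for a public (native) client."""
    verifier = verifier or b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode()).digest())


def is_registered_redirect(redirect_uri):
    # Azure matches redirect URIs exactly: scheme, host, path and trailing slash.
    return redirect_uri in REGISTERED_REDIRECTS


def build_authorize_url(redirect_uri, state, nonce, code_challenge):
    if not is_registered_redirect(redirect_uri):
        raise ValueError(f"redirect_uri not registered: {redirect_uri}")
    params = {
        "client_id": APP_ID,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid profile",        # the two delegated Graph permissions granted
        "state": state,                   # bound to the browser session, checked on return
        "nonce": nonce,                   # echoed in the ID token, checked below
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/oauth2/v2.0/authorize?" + urlencode(params)


def jwt_payload(token):
    """Decode the payload segment only. Signature verification against the
    tenant's JWKS must happen before any claim is trusted (omitted here)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def validate_id_token_claims(claims, expected_nonce, entered_username, now=None):
    """Return the list of problems; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != f"{AUTHORITY}/v2.0":
        problems.append("issuer is not this tenant")
    if claims.get("aud") != APP_ID:
        problems.append("audience is not this application")
    if claims.get("tid") != TENANT_ID:
        problems.append("tid mismatch")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch (possible replay)")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token expired")
    # Bind the Microsoft account to the username typed into the login dialog.
    if claims.get("preferred_username", "").lower() != entered_username.lower():
        problems.append("account does not match the entered username")
    return problems


def constructed_sample_token(nonce, now):
    """Constructed, unsigned sample ID token for offline illustration only."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed"}
    claims = {"iss": f"{AUTHORITY}/v2.0", "aud": APP_ID, "tid": TENANT_ID,
              "nonce": nonce, "iat": int(now), "exp": int(now) + 3600,
              "preferred_username": "alice@example.com", "name": "Alice Example"}
    return ".".join([b64url(json.dumps(header).encode()),
                     b64url(json.dumps(claims).encode()), "unsigned"])
```

The username binding at the end is the check that turns "a valid Microsoft login happened" into "the person who typed this username logged in with that account"; without it, any account in the tenant could be used to satisfy the popup for any username.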


Last update: 2022-09-05
Created: 2022-09-05