Access Manager: How to Connect to an Azure Active Directory using the Office 365 Connector

system
This article is marked as obsolete.

The Office 365 connector allows Access Manager to connect to a Windows Azure Active Directory (Office 365) directory.

The configuration process consists of two parts: configuring the Azure AD domain to accept connections from Access Manager, and configuring Access Manager to connect to your Azure AD. Both parts are detailed below.

Creating an Azure Application

Access Manager's Azure connector communicates with your Azure AD through an application registered against the Azure AD domain. The first stage of the configuration process is to create that application.

Go to the Windows Azure portal at https://portal.azure.com and log in with your Windows Azure management account.

Once you have logged in, click Azure Active Directory in the left-hand menu and, if you are not using the Default Directory, switch to the directory you want to use.

Whilst you are here, make a note of the domain name listed below the Switch directory button. This is the Tenant Domain setting that you will need later.

Select the App registrations menu, then create a new application by clicking the New registration button at the top of the page.

You will be prompted for information to create the application. Enter a new Name for this application.

Set the Supported account types to Accounts in this organizational directory only.

In the Redirect URI section, change the dropdown to Web, then in the text box to the right enter the URL of the Access Manager server, which will be https://<server>/completeWebAuth.html (replacing <server> with the host name or IP address of your Access Manager server).

Click Register to create the new application.

Get the Client ID

Now that the Application has been created you will be taken to a screen as shown below.

Find and copy the Application (client) ID using the Copy to clipboard button that appears next to it. This value is used as the Client ID in the Connector configuration later.

Assigning the application to a role

In the top menu, click All services, then Subscriptions.

Select the particular subscription (resource group or resource) to assign the application to.

Select Access Control (IAM), then Add, then Add role assignment.

Select the Role you wish to assign to the application. The following image shows the Owner role.

Set the Assign access to field to Azure AD user, group, or service principal.

In the Select field, enter the name of the application configured earlier.

By default, Azure Active Directory applications aren't displayed in the available options. To find your application, you must type its name in the search field. Select it, then click Save.

Configure Client Secret

We now need to create a client key (client secret), which the application uses to obtain the access token it needs to work.

Go back to Azure Active Directory > App registrations and click on the application created earlier.

Now click Certificates & secrets, then New client secret.

Type in any name for the Description, select an Expires duration for the key, and then click Add.

The Client secrets section will now display a key value which the application uses for authentication. Make a copy of this key now by clicking Copy to clipboard; the portal will not show the value again once you leave this page. You will need this information for the Directory configuration later.

API permissions

Click API permissions. There should already be an entry in place for Microsoft Graph; click on that entry.

In the Request API Permissions list, select Delegated permissions and tick the following items:

  • Directory -> Directory.AccessAsUser.All (Access directory as the signed in user)
  • Directory -> Directory.ReadWrite.All (Read and write directory data)
  • Group -> Group.ReadWrite.All (Read and write all groups)
  • User -> User.Read (Sign in and read user profile)
  • User -> User.Read.All (Read all users' full profiles)

Now select Application permissions at the top, then tick:

  • Directory -> Directory.ReadWrite.All (Read and write directory data)

These cover all of the functions that Access Manager can be configured to perform on the directory accounts.

Click Update permissions at the bottom.

All 6 permissions should now be shown.

Because permissions have been added, they now need to be granted. In the Grant consent section, click Grant admin consent for <company>, then click Yes to perform the grant.

All of the items in the Admin consent required column should now be ticked.

Required permissions

Select Azure Active Directory on the left again, then select User settings. Check the App registrations setting. This value can only be set by an administrator. If it is set to Yes, any user in the Azure AD tenant can register an app.

If the App registrations setting is set to No, only users with an administrator role may register these types of application. See the available roles and role permissions documentation to learn about the administrator roles and the specific permissions in Azure AD that are given to each role. If your account is assigned the User role but app registration is limited to administrators, ask your administrator either to assign you to one of the administrator roles that can create and manage all aspects of app registrations, or to enable users to register apps.

Delegating User Control Permissions

To let Access Manager fully manage users, the application needs full user control permissions, including delete. These permissions cannot be delegated from within the Azure web UI, so to assign them you must use some PowerShell cmdlets.

The specific instructions are as follows.

On a PC, run PowerShell as an administrator.

If you don't have the MSOnline (Azure AD) module installed already, install it with: Install-Module MSOnline

Type Y when prompted to install.

Connect to the Azure subscription with: Connect-MsolService

This cmdlet opens a credentials window where you need to enter the credentials of a global administrator for your AD directory. After logging in, you can start scripting against your directory.

Now run: Get-MsolServicePrincipal -AppPrincipalId YOUR_APP_CLIENT_ID

This cmdlet returns the service principal information for your AD application. Replace YOUR_APP_CLIENT_ID with the Client ID that you noted earlier.

The returned object contains a property named ObjectId. Copy this value and store it with the Client ID, tenant name and key, as you will need it later.

Finally, this last cmdlet adds your AD application to the 'User Account Administrator' role, granting it permission to delete both users and groups.

Replace YOUR_OBJECT_ID with the Object ID just noted.

Run: Add-MsolRoleMember -RoleMemberType ServicePrincipal -RoleName 'User Account Administrator' -RoleMemberObjectId YOUR_OBJECT_ID
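
The delegation steps above gathered into one script, as an added example that is not part of the original article or of the Access Manager product. It assumes the MSOnline module cmdlets named above, uses YOUR_APP_CLIENT_ID as a placeholder for your Application (client) ID, and adds a membership check so the role assignment is confirmed rather than assumed:

```powershell
# Added example (not from the original article): delegate the
# 'User Account Administrator' role to the app's service principal
# and confirm the result. Run from an elevated PowerShell session.
$AppClientId = 'YOUR_APP_CLIENT_ID'   # placeholder: Application (client) ID noted earlier
$RoleName    = 'User Account Administrator'

# Install the MSOnline module on first use only.
if (-not (Get-Module -ListAvailable -Name MSOnline)) {
    Install-Module MSOnline -Scope CurrentUser
}
Import-Module MSOnline

# Prompts for the credentials of a global administrator of the directory.
Connect-MsolService

# Look up the service principal that backs the app registration.
$sp = Get-MsolServicePrincipal -AppPrincipalId $AppClientId
if (-not $sp) { throw "No service principal found for application $AppClientId" }
$ObjectId = $sp.ObjectId
Write-Host "Object ID for the connector configuration: $ObjectId"

# Add the service principal to the role unless it is already a member.
$role    = Get-MsolRole -RoleName $RoleName
$members = Get-MsolRoleMember -RoleObjectId $role.ObjectId
if ($members.ObjectId -contains $ObjectId) {
    Write-Host "Service principal is already a member of '$RoleName'."
} else {
    Add-MsolRoleMember -RoleMemberType ServicePrincipal -RoleName $RoleName -RoleMemberObjectId $ObjectId

    # Re-read the membership to confirm the assignment took effect.
    $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId
    if ($members.ObjectId -contains $ObjectId) {
        Write-Host "Service principal added to '$RoleName'."
    } else {
        Write-Warning "Assignment to '$RoleName' could not be confirmed; check the role membership in the portal."
    }
}
```

The Object ID printed by the script is the value entered into the connector configuration below; re-running the script is safe, since it only adds the role membership when it is missing.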

This completes the Azure configuration process. At this stage, you should have 4 items of information that can be used for the Connector configuration:

  • Tenant Domain
  • Client ID
  • Key
  • Object ID

 
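
As an added example that is not part of the original article or the Access Manager product, the following script checks three of the four values (Tenant Domain, Client ID and Key) before they are entered into the connector. It requests an app-only access token from the Microsoft identity platform with the client credentials grant, inspects the token for the Directory.ReadWrite.All application permission consented earlier, and performs one read against the Microsoft Graph API. The tenant, client ID and secret values are placeholders:

```powershell
# Added example (not from the original article): verify the connector
# credentials gathered above before configuring Access Manager.
# All three values are placeholders to be replaced with your own.
$TenantDomain = 'yourtenant.onmicrosoft.com'   # Tenant Domain noted earlier
$ClientId     = 'YOUR_APP_CLIENT_ID'           # Application (client) ID
$ClientSecret = 'YOUR_CLIENT_SECRET'           # Key from Certificates & secrets

# Request an app-only token with the client credentials grant.
function Get-AppOnlyToken {
    param([string]$Tenant, [string]$Id, [string]$Secret)
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $Id
        client_secret = $Secret
        scope         = 'https://graph.microsoft.com/.default'
    }
    $resp = Invoke-RestMethod -Method Post -Body $body `
        -Uri "https://login.microsoftonline.com/$Tenant/oauth2/v2.0/token"
    return $resp.access_token
}

# Decode the JWT payload (base64url) so the granted roles can be inspected.
function ConvertFrom-JwtPayload {
    param([string]$Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}

try {
    $token  = Get-AppOnlyToken -Tenant $TenantDomain -Id $ClientId -Secret $ClientSecret
    $claims = ConvertFrom-JwtPayload -Jwt $token
    Write-Host "Token issued for tenant $($claims.tid), audience $($claims.aud)"

    # The 'roles' claim lists the application permissions that admin consent granted.
    if ($claims.roles -contains 'Directory.ReadWrite.All') {
        Write-Host 'Application permission Directory.ReadWrite.All is present (admin consent granted).'
    } else {
        Write-Warning "Directory.ReadWrite.All is missing from the token roles: $($claims.roles -join ', ')"
    }

    # A read of a single user confirms that Graph accepts the token.
    $users = Invoke-RestMethod -Headers @{ Authorization = "Bearer $token" } `
        -Uri 'https://graph.microsoft.com/v1.0/users?$top=1'
    Write-Host "Graph read succeeded; first user: $($users.value[0].userPrincipalName)"
} catch {
    Write-Error "Connector credential check failed: $($_.Exception.Message)"
}
```

A failure at the token request points at the Tenant Domain, Client ID or Key; a missing role in the token points at the API permissions or admin consent step; a failure at the Graph read with a valid token usually means consent has not yet propagated.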

Configure the Office365 Connector in Access Manager

Using the information that has been created and gathered during the Azure phase it is now possible to configure an Office 365 connector in Access Manager.

Log in to Access Manager as an admin user and go to the Directories page. From here, select the Add New Connector option.

In the Directory Discovery page, select the Configure Manually option and then select the Office365 option. Select Next to move to the configuration page.

On the Directory Configuration page, enter the required details as extracted from Azure during the application configuration.

  • Tenant Domain: the Azure AD domain, e.g. logonbox.com
  • Client ID: the Application (client) ID value identified in the Azure application configuration settings
  • Key: the client secret created for the application
  • Object ID: the Object ID value identified in the PowerShell delegation section

Once all details have been provided, select Next. A check is performed so that Access Manager can verify the connection; if it succeeds, you will be able to complete the directory configuration.

When the directory is completed successfully, Access Manager and the Azure AD will be connected. You will now be able to view, access, and link the Office 365 accounts.