Azure Active Directory

InsightCloudSec supports using Azure Active Directory authentication as a valid authentication server. Because the authentication flow for Azure Active Directory is so different from typical LDAP and Active Directory implementations, changes must be made within the Azure Portal to configure the Azure Active Directory for use with external applications. Check out Active Directory for details on Microsoft Active Directory.

Prerequisites

Before getting started you will need to have the following

  • A functioning InsightCloudSec platform
  • Appropriate InsightCloudSec permissions (Domain Admin or Org Admin)
  • Administrative credentials to your Azure Portal

For questions or issues reach out to us through the Customer Support Portal.

Azure Active Directory & Just In-Time Provisioning

For instructions specific to setting up an Authentication Server for Azure Active Directory and enabling Just In-Time Provisioning refer to our Azure Active Directory - Just In-Time Provisioning page.

InsightCloudSec - Azure Active Directory Authentication Server Setup (Start)

Before you configure Azure Active Directory to work with InsightCloudSec, you'll first need to complete some initial setup within InsightCloudSec, including generating a redirect URL.

  1. Login to your InsightCloudSec instance and navigate to Administration > Identity Management. Click Authentication Servers at the top of the page.
  2. Click Add Server to open the Create Authentication Server form.
  3. Complete the top of the Create the Authentication Server from as follows:
    • Nickname: Enter a nickname
    • Select Server Type: Select Azure Active Directory
    • Global Scope Checkbox: Select the Global Scope checkbox if you want to use this server across all of your Organizations.
    • Authentication Type: Select API Key/Secret or Client Certification, based on your preference.

Redirect URL

Copy the provided redirect URL value and keep it on-hand for later.

  1. Leave InsightCloudSec open in a browser window and open a new tab.

Azure - New App Registration

This section assumes you want to create a new app registration within the Azure console.

If you have an existing App Registration, and it is of the Web app/API type that you’d like to use, you can skip to Existing App Registration.

  1. Select New. This should bring you to the Register an application screen.
  2. Complete the App Registration Form as follows:
    • Name: Enter something simple and descriptive for the name.
    • Supported account types: Select the default Accounts in this organizational directory only ((Default Directory) only Single tenant).
    • Redirect URI: Input the URL you copied from InsightCloudSec in the previous section.
  3. Click Register to complete the App registration.
    This should create a new App and open an overview screen of the application.
  4. Copy the Application ID on this page and keep the information in a safe place. You will need the Application (client) ID for configuration later during this process.
  5. On the left panel navigation under Manage select Authentication.
  6. Scroll down on the Authentication page and locate the Implicit grant and hybrid flows section.
    Here you need to ensure you check/enable the ID tokens (used for implicit and hybrid flows) checkbox.
  7. From the left side navigation under Managed, select Certificates & secrets.
  8. Under Client Secrets click on the New client secret button. Provide a description, select an expiration interval, and click Add to complete.
  9. Copy the value that you created for the secret. Store this information in a safe location. Note: You will not be able to return to this view.
  10. Navigate to API Permissions, select Add Permissions.
  11. Click on Microsoft Graph and then select Application permissions.
    Scroll to GroupMember and click the checkbox next to GroupMember.ReadAll, click Add Permission.
  12. Repeat steps 13 & 14 to add one additional permission.
    • Click on Add a permission, select Microsoft Graph and then select Application permissions
    • Scroll to User and click the checkbox next to User.ReadAll, click Add Permission

At this point, the Azure Active Directory should be configured for use within InsightCloudSec. You may now return to the browser window containing InsightCloudSec and finish the setup. Continue to this section for details.

Azure - Existing App Registration

This section assumes you have an existing app of the Web app/API type that you’d like to use with InsightCloudSec.

To modify an existing app registration the steps are as follows:

  1. In the Azure Portal, locate the App registrations page and select the application you want to modify. Click to open the overview page.
  2. This section should already contain one Redirect URI with the URL you supplied when you created the App Registration. You will need to click Add URI to create new a new field, and add the the redirect URL you copied from InsightCloudSec in the first section.
  3. Click Save in the top-left corner of the page.

Existing Keys

You can use an existing key if you already have created one and know its secret, but creating a new secret for InsightCloudSec is recommended.

  1. From the left side navigation under Managed, select Certificates & secrets.
  2. Under Client Secrets click on the New client secret button. Provide a description, select an expiration interval, and click Add to complete.
  3. Copy the value that you created for the secret. Store this information in a safe location. Note: You will not be able to return to this view.

At this point, the Azure Active Directory should be configured for use within InsightCloudSec. You may now return to the browser window containing InsightCloudSec and finish the setup. Continue to the next section.

InsightCloudSec - Azure Active Directory Authentication Server Setup (Finish)

This section assumes that you have set up your Azure Active Directory to function with InsightCloudSec. If you have not done so, or need assistance, refer to one of the sections above (creating a new App, or updating an existing App) or reach out to us through the Customer Support Portal.

Follow the steps below to finish setting up an Azure Active Directory Authentication Server:

  1. Finish the Create Authentication Server form.

    • Tenant: Provide the domain name associated with the Azure Active Directory instance you are authenticating against.
    • Authority Server Hostname/IP: Unless you have a private Azure instance from Microsoft, you probably want to leave the Authority Host URL set to https://login.microsoftonline.com.
      • If you are using a private Azure instance, the Authority Host URL should be the authoritative login URL for that private instance.
    • Application ID: Provide the Application ID you saved from your Azure App Registration. 2-a. If you selected API Key/Secret for your Authentication Type provide the API Key. Use the secret key value that we created in the earlier steps. If that key is not available, create a new one as per the instructions. 2-b. If you selected Client Certificate for your Authentication Type provide:
    • the PEM Certificate
    • the Certificate thumbprint
  2. The options that appear after the authentication fields (e.g. Enable periodic user provisioning using graph API, etc.) are specific to configuring an Azure AD Authentication server, the steps are identical up until this point but JIT includes different capabilities.

  3. Click Submit to finalize your authentication server and enable the system to verify that the values you entered are correct. If an error message appears, check that the values you entered are correct for the Active Directory instance for which you are trying to configure authentication.

Because the Azure Active Directory instance uses an oAuth mechanism for authentication, you won’t be able to assign usernames to users authenticating against the Azure Active Directory system. Instead, you must use the email address for that user as it is in the Azure Active Directory for both the name and email values when creating users for this Authentication Server.