
Azure Active Directory - Just In-Time Provisioning

Instructions for Configuration of Azure Active Directory Just In-Time Provisioning with InsightCloudSec

Overview

InsightCloudSec supports using Azure Active Directory authentication as a valid authentication server. Because the authentication flow for Azure Active Directory is so different from typical LDAP and Active Directory implementations, changes must be made within the Azure Portal to configure the Azure Active Directory for use with external applications. Check out Active Directory for details on Microsoft Active Directory.

Prerequisites

Before getting started, you will need the following:

  • A functioning InsightCloudSec platform
  • Appropriate InsightCloudSec permissions (Domain Admin or Org Admin)
  • Administrative credentials to your Azure Portal

For questions or issues reach out to [email protected].

InsightCloudSec - Azure Active Directory Authentication Server Setup (Start)

Before you configure Azure Active Directory to work with InsightCloudSec, you'll first need to complete some initial setup within InsightCloudSec, including generating a redirect URL.

1. Log in to your InsightCloudSec instance and navigate to "Administration --> Identity Management".

  • Click "Authentication Servers" at the top of the page.

2. Click "Add Server" to open the "Create Authentication Server" form.

Identity Management - Authentication Server

3. Complete the top of the "Create Authentication Server" form as follows:

  • Nickname: Enter a nickname
  • Select Server Type: Select "Azure Active Directory"
  • Global Scope Checkbox: Select the Global Scope checkbox if you want to use this server across all of your Organizations.
  • Authentication Type: Select API Key/Secret or Client Certificate, based on your preference.

❗️

Redirect URL

Copy the provided redirect URL value and keep it on hand for later.

Create New Azure Active Directory Server

4. Leave InsightCloudSec open in a browser window and open a new tab.

Azure - New App Registration

This section assumes you want to create a new app registration within the Azure console.

Note: If you have an existing App Registration, and it is of the “Web app / API” type that you’d like to use, you can skip to Existing App Registration.

1. From within the Azure portal, search for "App registration".

2. Select "New". This should bring you to the "Register an application" screen.

Azure - App Registration Form

3. Complete the App Registration Form as follows:

  • Name: Enter something simple and descriptive for the name.
  • Supported account types: Select the default, "Accounts in this organizational directory only (Default Directory only - Single tenant)".
  • Redirect URI: Input the URL you copied from InsightCloudSec in the previous section.

4. Click "Register" to complete the App registration.

  • This should create a new App and open an overview screen of the application.

5. Copy the "Application (client) ID" on this page and keep the information in a safe place. You will need the Application (client) ID for configuration later in this process.

Azure Creating an Application - Application ID

6. On the left panel navigation under "Manage" select "Authentication".

7. Scroll down on the Authentication page and locate the "Implicit grant and hybrid flows" section.

  • Here you need to ensure you check/enable the "ID tokens (used for implicit and hybrid flows)" checkbox.

Azure Console - Authentication Page - Select ID Tokens

8. From the left side navigation under "Manage", select "Certificates & secrets".

9. Under "Client Secrets" click on the "New client secret" button.

  • Provide a description, select an expiration interval, and click "Add" to complete.

10. Copy the value that you created for the secret. Store this information in a safe location.

  • Note: You will not be able to return to this view.

Azure Console - Create and copy a new Client Secret

11. Navigate to "API Permissions" and select "Add Permissions".

Azure Console - Add API Permissions

12. Click on "Microsoft Graph" and then select "Application permissions".

  • Scroll to "GroupMember", check the checkbox next to GroupMember.Read.All, and click "Add Permission".

13. Repeat steps 11 and 12 to add one additional permission:

  • Click on "Add a permission", select "Microsoft Graph" and then select "Application permissions".
  • Scroll to "User", check the checkbox next to User.Read.All, and click "Add Permission".

Azure Console - Adding API Permissions (Example permission)

At this point, the Azure Active Directory should be configured for use within InsightCloudSec. You may now return to the browser window containing InsightCloudSec and finish the setup. Continue to the "Authentication Server Setup (Finish)" section below for details.

Azure - Existing App Registration

This section assumes you have an existing app of the “Web app / API” type that you’d like to use with InsightCloudSec.

To modify an existing app registration the steps are as follows:

1. In the Azure Portal, locate the App registrations page and select the application you want to modify. Click to open the overview page.

2. This section should already contain one Redirect URI with the URL you supplied when you created the App Registration. Click "Add URI" to create a new field, and add the redirect URL you copied from InsightCloudSec in the first section.

3. Click "Save" in the top-left corner of the page.

📘

Existing Keys

You can use an existing key if you already have created one and know its secret, but creating a new secret for InsightCloudSec is recommended.

4. From the left side navigation under "Manage", select "Certificates & secrets".

5. Under "Client Secrets" click on the "New client secret" button.

  • Provide a description, select an expiration interval, and click "Add" to complete.

6. Copy the value that you created for the secret. Store this information in a safe location.

  • Note: You will not be able to return to this view.

At this point, the Azure Active Directory should be configured for use within InsightCloudSec. You may now return to the browser window containing InsightCloudSec and finish the setup. Continue to the next section.
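Both the new-registration and existing-registration procedures above end with the same required state: the InsightCloudSec redirect URI registered, ID token issuance enabled, a single-tenant audience, and the two Microsoft Graph application permissions added. The following added example (not InsightCloudSec or Microsoft code) audits an app registration manifest for those settings offline; the manifest shape follows what `az ad app show --id <APP_ID>` prints, and the manifest contents, redirect URL and role ids in GRAPH_ROLE_IDS are constructed placeholders.

```python
# Microsoft Graph's well-known application id, used as resourceAppId in requiredResourceAccess
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
# Application permissions the steps above add
REQUIRED_GRAPH_ROLES = ("GroupMember.Read.All", "User.Read.All")
# Placeholder ids (constructed). Look up the real appRole ids with:
#   az ad sp show --id 00000003-0000-0000-c000-000000000000 --query "appRoles[].{value:value,id:id}"
GRAPH_ROLE_IDS = {
    "GroupMember.Read.All": "11111111-1111-1111-1111-111111111111",
    "User.Read.All": "22222222-2222-2222-2222-222222222222",
}


def audit_app_registration(app: dict, redirect_url: str, role_ids: dict = GRAPH_ROLE_IDS) -> list:
    """Return a list of findings; an empty list means the registration matches the setup steps."""
    findings = []
    web = app.get("web") or {}
    if redirect_url not in web.get("redirectUris", []):
        findings.append(f"redirect URI {redirect_url} is not registered")
    if not (web.get("implicitGrantSettings") or {}).get("enableIdTokenIssuance"):
        findings.append("ID tokens (implicit and hybrid flows) are not enabled")
    if app.get("signInAudience") != "AzureADMyOrg":
        findings.append(f"signInAudience is {app.get('signInAudience')!r}, expected single tenant (AzureADMyOrg)")
    # Graph application permissions are entries of type "Role" under the Graph resourceAppId
    requested = {
        access["id"]
        for resource in app.get("requiredResourceAccess", [])
        if resource.get("resourceAppId") == GRAPH_APP_ID
        for access in resource.get("resourceAccess", [])
        if access.get("type") == "Role"
    }
    for role in REQUIRED_GRAPH_ROLES:
        if role_ids.get(role) not in requested:
            findings.append(f"Microsoft Graph application permission {role} is missing")
    return findings


# Constructed manifest: redirect URI and ID tokens are correct, but User.Read.All was never added
SAMPLE_REDIRECT_URL = "https://insightcloudsec.example.com/REDIRECT-URL-FROM-INSIGHTCLOUDSEC"
SAMPLE_APP = {
    "appId": "00000000-0000-0000-0000-00000000abcd",
    "signInAudience": "AzureADMyOrg",
    "web": {
        "redirectUris": [SAMPLE_REDIRECT_URL],
        "implicitGrantSettings": {"enableIdTokenIssuance": True},
    },
    "requiredResourceAccess": [
        {"resourceAppId": GRAPH_APP_ID,
         "resourceAccess": [{"id": GRAPH_ROLE_IDS["GroupMember.Read.All"], "type": "Role"}]}
    ],
}
```

Running `audit_app_registration(SAMPLE_APP, SAMPLE_REDIRECT_URL)` on the constructed manifest reports only the missing User.Read.All permission.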

InsightCloudSec - Azure Active Directory Authentication Server Setup (Finish)

This section assumes that you have set up your Azure Active Directory to function with InsightCloudSec. If you have not done so, or need assistance, refer to one of the sections above (creating a new App, or updating an existing App) or reach out to us at [email protected].

Follow the steps below to finish setting up an Azure Active Directory Authentication Server:

1. Finish the Create Authentication Server form.

  • Tenant: Provide the domain name associated with the Azure Active Directory instance you are authenticating against.
  • Authority Server Hostname/IP: Unless you have a private Azure instance from Microsoft, you probably want to leave the Authority Host URL set to https://login.microsoftonline.com.
    • If you are using a private Azure instance, the Authority Host URL should be the authoritative login URL for that private instance.
  • Application ID: Provide the "Application ID" you saved from your Azure App Registration.

2-a. If you selected "API Key/Secret" for your Authentication Type, provide the API Key.

  • Use the secret key value that you created in the earlier steps. If that key is not available, create a new one as per the instructions above.

2-b. If you selected "Client Certificate" for your Authentication Type, provide:

  • the PEM Certificate
  • the Certificate thumbprint

Enabling JIT for Azure Active Directory

These steps are a continuation of the steps above. They assume you are interested in enabling the Just In-Time Provisioning (periodic user provisioning) feature. If you are not familiar with this feature check out the Just In-Time User Provisioning (Authentication Server Support) summary details.

3. To enable JIT, select the following checkboxes:

  • Enabled periodic user provisioning using graph API: enables the synchronization between InsightCloudSec and your Azure Active Directory. Users in Azure Active Directory are then synchronized once an hour or on demand (by clicking the "synchronize users" option next to the server name in the actions menu).
  • Update profile (email & display name) on periodic user provisioning: every time we sync (every hour, or every manual sync) we will update the username and email within InsightCloudSec to match what is supplied from Azure Active Directory.

4. Complete the following fields to finalize your JIT setup for Azure Active Directory.
Note: These fields name the Azure Active Directory attributes used to populate user details during synchronization of provisioning data.

  • displayName: (Default is displayName) This field defines the Display Name provided for the user profile during provisioning.
  • userPrincipalName: (Default is userPrincipalName) This field defines the Principal Name provided for the user profile during provisioning.
  • user profile: (Optional) This field can be used to define a last name included in the display name.
  • mail: (Default is mail) This field defines the email provided for the user profile during provisioning.

If your setup stores these properties under different attribute names, enter those names here.
Note: If you enable JIT and do not provide these values, InsightCloudSec will not have the information required to populate user details.

For a new setup these fields will likely already be populated; if you are modifying an existing Azure Active Directory server setup, you will need to provide these values.
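To make the JIT behaviour described in the two steps above concrete, the following added example (not InsightCloudSec code; the function, class and field names are assumptions) simulates one periodic sync: each Microsoft Graph user object is mapped onto a user profile through the configured attribute names, a user missing any of them is skipped rather than half-provisioned, the username is set to the mail value as the note at the end of this page requires, and an existing profile is only refreshed when "Update profile on periodic user provisioning" is enabled. Keying profiles on the Graph object id is an assumption of this example; the sample users are constructed.

```python
from dataclasses import dataclass


@dataclass
class JitConfig:
    """Attribute names and the update checkbox from the Create Authentication Server form."""
    display_name_attr: str = "displayName"
    upn_attr: str = "userPrincipalName"
    mail_attr: str = "mail"
    update_profile_on_sync: bool = False  # "Update profile (email & display name) on periodic user provisioning"


@dataclass
class Profile:
    name: str           # username: for Azure AD this must equal the mail value (OAuth sign-in, no separate username)
    email: str
    display_name: str
    principal_name: str


class ProvisioningError(ValueError):
    pass


def map_graph_user(user: dict, cfg: JitConfig) -> Profile:
    """Build a profile from a Graph user object, failing if any configured attribute is absent or empty."""
    missing = [a for a in (cfg.display_name_attr, cfg.upn_attr, cfg.mail_attr) if not user.get(a)]
    if missing:
        raise ProvisioningError(f"user {user.get('id')!r} lacks {missing}; cannot provision")
    mail = user[cfg.mail_attr]
    return Profile(name=mail, email=mail, display_name=user[cfg.display_name_attr], principal_name=user[cfg.upn_attr])


def sync_users(existing: dict, graph_users: list, cfg: JitConfig) -> dict:
    """One hourly or manual sync. Mutates `existing` (object id -> Profile) and returns counts."""
    counts = {"created": 0, "updated": 0, "skipped": 0}
    for user in graph_users:
        try:
            profile = map_graph_user(user, cfg)
        except ProvisioningError:
            counts["skipped"] += 1  # no attributes, no profile: the note above warns about exactly this
            continue
        key = user["id"]  # assumption: key on the immutable Graph object id so renames do not duplicate users
        if key not in existing:
            existing[key] = profile
            counts["created"] += 1
        elif cfg.update_profile_on_sync and existing[key] != profile:
            existing[key] = profile
            counts["updated"] += 1
    return counts


# Constructed sample: one complete user, one user whose mail attribute is empty
SAMPLE_USERS = [
    {"id": "u1", "displayName": "Alice Example", "userPrincipalName": "alice@example.com", "mail": "alice@example.com"},
    {"id": "u2", "displayName": "Bob Example", "userPrincipalName": "bob@example.com", "mail": None},
]
RENAMED_USERS = [dict(SAMPLE_USERS[0], displayName="Alice Renamed"), SAMPLE_USERS[1]]
```

Running `sync_users` on SAMPLE_USERS creates Alice and skips Bob; a second run with RENAMED_USERS leaves Alice's display name unchanged unless `update_profile_on_sync=True`.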

❗️

Managing Entitlements!

Before you proceed with Group Mappings for external authentication you must have all of your desired entitlements configured.

If you create a group and enable group mapping BEFORE you establish entitlements, the users within your groups will have nothing configured and will not be able to access anything.

Refer to our documentation on Permissions Entitlements for details.

5. Click "Submit" to finalize your authentication server; the system then verifies that the values you entered are correct. If an error message appears, check that the values you entered are correct for the Azure Active Directory instance for which you are configuring authentication.

Note: Because the Azure Active Directory instance uses an OAuth mechanism for authentication, you won't be able to assign usernames to users authenticating against the Azure Active Directory system. Instead, you must use the email address for that user as it is in the Azure Active Directory for both the name and email values when creating users for this Authentication Server.
