Configuring Identity to use Azure Active Directory lets your end users log in to their macOS devices with the same email and password they were issued through Azure. It also ensures that all users follow your password policies and that their passwords stay synced between the identity provider and the local system.
Note: At this time, Identity is fully supported on Azure cloud-only implementations and on a subset of Azure Active Directory Hybrid configurations. Azure Active Directory Hybrid Identity with Password Hash Synchronization (PHS) or Pass-Through Authentication (PTA) is supported; Azure Active Directory Federation Services (ADFS) is not supported. For more information on the Hybrid Identity configurations available in Azure Active Directory, please review What is Hybrid Identity with Azure Active Directory?
1. Enabling Identity:
Enabling Identity is simple; we've provided a knowledge base article on it here: How to Enable Identity. Once enabled, continue to step 2.
2. Select Azure as your identity provider within the policy settings
Now that Identity is enabled, configure the individual policy settings:
- Navigate to Policies > Settings > Identity.
- Select Azure from the identity provider dropdown.
Once Azure is selected, three more fields appear: Tenant ID, Client ID, and Client Secret. Step 3 explains how to generate this information.
3. Register an Application under your Azure Active Directory Instance
This part of the setup takes place in the Azure portal. From the Azure Portal home page:
- Select Azure Active Directory from the left-hand navigation.
- Within the Active Directory pane, select App Registrations from the secondary navigation on the left-hand side.
- Select New Registration, located at the top left of the screen.
- A form appears with three fields: Name, Supported Account Types, and Redirect URI.
- Name: any name works; we recommend one that reminds you this app is for Addigy Identity.
- Supported Account Types: any option works; pick whichever suits your organization best.
- Redirect URI: select Web from the dropdown, then enter the following URI: https://login.microsoftonline.com/common/oauth2/nativeclient
- Once the registration is complete, you are redirected to the application's home page, which shows the Client ID and Tenant ID. Take note of both IDs, as they are needed in step 4.
- Next, select API Permissions from the left navigation and select Grant admin consent for "EXAMPLEDOMAIN.ad" (in the example below, the domain is addigy.ad).
- Lastly, generate a Client Secret in the Certificates & Secrets section. Take note of its expiration date, since the secret will have to be renewed before then.
Note: The VALUE must be used for the client secret, not the Secret ID.
4. Populate Application settings under Identity policy settings
Now that we have the Tenant ID, Client ID, and Client Secret, we can populate the Azure information in the Identity policy settings.
Navigate back to the Addigy console and finish where we left off in step 2:
- Add in the Tenant ID, Client ID, and Client Secret
- Configure any additional settings such as Background and Logo.
- Save and you are all done!
Now that Identity is tied to your Azure Active Directory, your users can seamlessly authenticate with the same email and password they are accustomed to using within your organization.
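The two mistakes this procedure is most prone to are pasting the Secret ID instead of the secret VALUE (the note under step 3) and letting the client secret lapse past the expiration date noted in Certificates & Secrets. The following pre-flight check, an added example that is not Addigy's code and not part of the original article, catches both before the values go into the Identity policy settings. It relies on two facts about Azure: tenant IDs, application (client) IDs and secret IDs are all GUIDs, while a secret value is an opaque string that is never GUID-shaped. The sample values at the bottom are constructed placeholders, not real identifiers.

```python
"""Pre-flight check for the Tenant ID, Client ID and Client Secret gathered in step 3.

Added example (not Addigy code). Assumes only that Azure tenant IDs, client IDs and
secret IDs are GUIDs, and that a secret VALUE is an opaque, non-GUID string.
"""
import re
from datetime import date, timedelta

# Azure tenant IDs, application (client) IDs and *secret IDs* are all GUIDs.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def is_guid(value: str) -> bool:
    """True if value is formatted as a GUID (8-4-4-4-12 hex groups)."""
    return bool(GUID_RE.match(value.strip()))


def check_azure_app_values(
    tenant_id: str,
    client_id: str,
    client_secret: str,
    secret_expires_iso: str,
    today_iso: str,
    warn_days: int = 30,
) -> list[str]:
    """Return a list of problems with the collected values; an empty list means they look right.

    secret_expires_iso is the expiration date shown in Certificates & Secrets (YYYY-MM-DD);
    today_iso is passed in explicitly so the check is deterministic and easy to test.
    """
    problems: list[str] = []

    if not is_guid(tenant_id):
        problems.append("tenant_id is not a GUID; copy the Tenant ID from the app's home page")
    if not is_guid(client_id):
        problems.append("client_id is not a GUID; copy the Client ID from the app's home page")

    if is_guid(client_secret):
        # The article's note: the VALUE must be used, not the Secret ID. The Secret ID
        # is a GUID, the value is not, so a GUID here is the classic mix-up.
        problems.append("client_secret looks like the Secret ID, not the secret VALUE")
    elif not client_secret.strip():
        problems.append("client_secret is empty")

    expires = date.fromisoformat(secret_expires_iso)
    today = date.fromisoformat(today_iso)
    if expires <= today:
        problems.append("client secret has expired; generate a new one in Certificates & Secrets")
    elif expires - today <= timedelta(days=warn_days):
        problems.append(f"client secret expires within {warn_days} days; schedule the renewal")

    return problems


if __name__ == "__main__":
    # Constructed placeholder values, not real Azure identifiers.
    tenant = "11111111-2222-3333-4444-555555555555"
    client = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    secret_value = "Q~constructed.secret.value.placeholder"
    secret_id_by_mistake = "99999999-8888-7777-6666-555555555555"

    print("correct values :", check_azure_app_values(tenant, client, secret_value, "2030-01-01", "2025-01-01"))
    print("Secret ID pasted:", check_azure_app_values(tenant, client, secret_id_by_mistake, "2030-01-01", "2025-01-01"))
    print("expired secret  :", check_azure_app_values(tenant, client, secret_value, "2024-12-01", "2025-01-01"))
```

Run it before saving the policy: an empty list means the three values are plausibly correct; anything else names which field to go back and re-copy, and the expiration warning gives you a reminder to rotate the secret ahead of the date you noted in step 3.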
Customize the Login Window Branding
Microsoft provides the ability to change the logo and colors of the sign-in form to align with your organization's branding. Any modifications you make in your Azure Active Directory settings will also appear in Identity's sign-in form.
Branding your Azure Active Directory sign-in page