Configuring Identity to use Azure Active Directory will allow your end-users to be able to log into their macOS devices using the same email and password they have been provided via Azure. This will also make sure that all users are following your password policies and that their passwords stay synced across the identity provider and local system.
Note: At this time, Identity is fully supported on Azure cloud-only implementations and a subset of Azure Active Directory Hybrid configurations. Azure Active Directory Hybrid Identity with Password Hash Synchronization (PHS) or Pass-Through Authentication (PTA) is supported at this time. Azure Active Directory Federation Services (ADFS) is not supported. For more information on the different Hybrid Identity configurations supported in Azure Active Directory, please review What is Hybrid Identity with Azure Active Directory?
Addigy Identity using Azure supports collection of Device User Attributes into Addigy Facts.
Enabling Identity
Enabling Identity is simple. We've provided a knowledge base on enabling Identity here: How to Enable Identity.
Select Azure as your identity provider within the policy settings
Now that we have Identity enabled, we can configure the individual policy settings by:
- Navigating to the Policies >> Settings >> Identity section.
- Selecting Azure from the identity provider dropdown.
Once Azure has been selected, the Tenant ID, Client ID, and Client Secret fields will appear. Let's move to step 3 to find out how to generate this information.
NOTE: The Client Secret is ONLY required if you register your Azure application as "Web".
Register an Application under your Azure Active Directory Instance
- Navigate to the Azure Portal Homepage.
- Select Azure Active Directory.
- Select App Registrations.
- Select New Registration, which is located on the top left of the screen.
- Select a Name for the App registration.
- Select a Supported Account Types option that best suits your organization.
- Select either Web (required to use MFA) or Public Client/Native and add the following Redirect URI: https://login.microsoftonline.com/common/oauth2/nativeclient
- Select Register.
- Once the application is complete, you'll be redirected to that applications home page. You'll be able to see the ClientID and Tenant ID from this page. Take note of these IDs as they will be needed later.
- Next, select API Permissions from the left navigation. Select Grant admin consent for [exampledomain].ad.
- If you are using "Web" for the application you registered, generate a Client Secret in the Certificates & Secrets section. Take note of the expiration date as it will have to be renewed.
A client secret should not be used if using "Public client/native".Note: The Client Secret VALUE and must be used for the client secret, not the Secret ID.
Populate Application settings under Identity policy settings
Now that we have our Tenant ID, Client ID, and Client Secret, we are ready to populate the Azure information over into the Identity Policy Settings.
Navigate to the Addigy console and complete the following steps:
- Add in the Tenant ID, Client ID, and, if you registered your Azure Application as "Web", the Client Secret
- Configure any additional settings such as Background and Logo.
- Save and you are all done!
Now that Identity is tied to your Azure Active Directory, your users will be able to seamlessly authenticate with the same email and password they are accustomed to using within their organization.
Additional Information
Branding The Sign-In Page
Microsoft provides the ability to change the logo and colors for the sign-in form to align with your organization's branding. Any modifications you make in your Azure Active Directory settings will also appear in Identity’s sign-in form.
Branding your Azure Active Directory sign-in page
Duo's Two-Factor Authentication + Azure Active Directory Feature
The latest version of Addigy Identity, v2.13.5, now supports the integration of Duo's two-factor authentication with Microsoft Azure Active Directory Conditional Access policies. This integration provides an added layer of security for Azure Active Directory logins, with the added convenience of Duo's inline self-service enrollment.
To learn more about utilizing this feature, visit the Duo Two-Factor Authentication for Microsoft Azure Active Directory site (https://duo.com/docs/azure-ca#about-azure-conditional-access) for detailed documentation and guides on setting up, configuring, and using the service.