
Azure AD Configuration

  • Updated on 16 Nov 2018

Azure Active Directory (Azure AD) is Microsoft’s directory and identity management service. Azure AD combines core directory services, advanced identity governance, and application access management. For IT Admins, Azure AD provides an affordable, easy to use solution to give employees and business partners single sign-on (SSO) access to various applications.

Serverless360 uses Azure AD for user authentication. Any application that delegates authentication to Azure AD must be registered in the directory, so Serverless360 has to be registered with your Azure AD, including the URL where it is located, the reply URL to which Azure AD sends the response after authentication, the URI that identifies the application, and so on. To configure Azure AD for Serverless360 you will need the following details:

  1. Admin Azure AD UPN
  2. Admin Azure AD Id
  3. Azure AD Registered Application Id
  4. Azure AD Registered Application Password
  5. Azure AD Domain Name
  6. Azure AD Domain Tenant Id

Get Admin Azure AD UPN and Id

The Azure AD user configured here will be the first user of Serverless360, with Administrator rights. This user can add other users to the application. It is recommended to choose a user with Global Admin rights on the Azure AD as the Serverless360 admin. However, any valid Azure AD user who performs the Serverless360 installation/sign-up can be configured as the Serverless360 Administrator.

On-Premise Serverless360 expects the Administrator to be a native user in the configured domain
The Active Directory user configured as the Serverless360 Administrator must belong to the configured domain for license validation to pass. For example, if 'mktgsb360.onmicrosoft.com' is the Active Directory domain, a native AD user is 'username@mktgsb360.onmicrosoft.com'. A Guest user cannot be added as an Administrator in an On-Premise installation of Serverless360. The SaaS version of Serverless360, however, also permits a Guest user to be an Administrator.

Steps to get the Azure Admin AD Id and UPN from the Azure portal:

  1. Select Azure Active Directory > Users > select the Admin user
  2. User name is the Admin Azure AD UPN and Object ID is the Admin Azure AD Id

Admin-id.png

Application Registration

To register the Serverless360 Application:

  1. Log in to your Azure Account
  2. Select the Azure Active Directory from the left side navigation panel
  3. Select App registrations option under the Manage section in the Azure Active Directory screen
  4. Select New application registration button to register a new App
  5. In the Create blade, enter the App name, Application type and URL for the application. Select Web app / API as the Application type for Serverless360. For an on-premise installation, set the Sign-on URL to http://<yourVMDNSName>/Serverless360/. For the SaaS version of Serverless360, the reply URL should be https://portal.serverless360.com/login. Azure AD only redirects to a reply URL that exactly matches a registered value, so enter the URL exactly as Serverless360 will use it.
  6. Click Create to create the application

App-registration.gif

Get Application ID and Password

The next step is to get the Application ID and the authentication key:

  1. Click App registrations in Azure Active Directory and select the created application
  2. Copy the Application ID; Serverless360 refers to this value as the Client ID.
  3. To generate an authentication key, click Settings and select the Keys option
  4. Enter a Description of the key and the Expiry date, then click Save to generate the key. Copy the key value immediately: you will not be able to retrieve it after you close this blade. Treat the key as a password; together with the Application ID it grants the application's permissions to whoever holds it, so store it only in the Serverless360 configuration and rotate it before the expiry date you chose.

Auth-keys.gif

Get Tenant ID

Tenant ID is required to pass the authentication.

  1. Select the Azure Active Directory from the left side navigation panel
  2. Select Properties option under the Manage section in the Azure Active Directory screen
  3. Copy the Directory ID, this value is your Tenant ID

Tanent ID.png

Microsoft Graph API Authentication

Once you have all the basic Azure AD configuration information, the next step is to let Serverless360 list the users in the Azure AD through the Microsoft Graph API. This step is required to provide Serverless360 with the permissions to:

  1. Read Directory data
  2. Read and write directory data
  3. Read all users' full profiles
  4. Read and write all users' full profiles
  5. Sign in and read user profile

To authorize Azure AD application through Microsoft Graph API:

  1. Log in to your Azure Account
  2. Click App registrations in Azure Active Directory and select the created application
  3. Click Required permissions tab under the API Access section
  4. Click the Add button and choose Microsoft Graph option from the list
  5. Tick the checkbox next to Read Directory data to enable that access, and save the selection

Graph_api_permission.PNG

  6. However, for the permissions to take effect, Admin consent is required. It is granted by a Global Admin logging on

    • to Serverless360 hosted application (provided the Global Admin is configured as Serverless360 admin in the configuration page)

        or
      
    • to the URL constructed as below,

https://login.microsoftonline.com/{DomainName}/adminconsent?client_id={AppId}&state=654321&redirect_uri={RegisteredReplyURL}

and accepting the application to hold the necessary permissions.

In the above URL, replace the DomainName, AppId and RegisteredReplyURL placeholders with your values. RegisteredReplyURL must match a reply URL registered on the application, and the state value is echoed back unchanged in Azure AD's reply.
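The checks a practitioner would want to run on the six values collected above, before handing them to Serverless360, are easy to script. The following is an added example and is not Serverless360's own code: it validates the collected values (GUID-shaped IDs, the native-user rule for on-premise administrators from the "Get Admin Azure AD UPN and Id" section, an https reply URL), builds the admin consent URL described above with a properly URL-encoded redirect_uri and an unpredictable state, and checks the query string Azure AD sends back to the reply URL. The guest-user test relies on the '#EXT#' marker Azure AD places in the UPN of B2B guest accounts; the sample configuration values and the sample redirect URLs are constructed for the example.

```python
import re
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def is_native_user(upn: str, domain: str) -> bool:
    """True if `upn` is a member (non-guest) user of `domain`.

    B2B guest accounts carry a '#EXT#' marker in the local part of their UPN
    (e.g. alice_contoso.com#EXT#@tenant.onmicrosoft.com), so they are rejected
    even though their suffix is the tenant domain.
    """
    local, sep, suffix = upn.rpartition("@")
    if not sep or not local:
        return False
    if "#EXT#" in local.upper():
        return False
    return suffix.lower() == domain.lower()


def validate_config(cfg: dict, on_premise: bool) -> list:
    """Return a list of problems with the collected values; an empty list means OK."""
    problems = []
    for key, label in (("admin_id", "Admin Azure AD Id"),
                       ("app_id", "Azure AD Registered Application Id"),
                       ("tenant_id", "Azure AD Domain Tenant Id")):
        if not GUID_RE.match(cfg.get(key, "")):
            problems.append(f"{label} is not a GUID")
    if not cfg.get("app_password"):
        problems.append("Azure AD Registered Application Password is empty")
    # On-premise installs require a native user for license validation to pass.
    if on_premise and not is_native_user(cfg.get("admin_upn", ""), cfg.get("domain", "")):
        problems.append("On-Premise admin must be a native user of the configured domain")
    # The consent result (tenant id, state) travels in the redirect; keep it on TLS.
    reply = urlparse(cfg.get("reply_url", ""))
    if reply.scheme != "https" and reply.hostname not in ("localhost", "127.0.0.1"):
        problems.append("Reply URL should use https")
    return problems


def admin_consent_url(domain: str, app_id: str, reply_url: str, state: str = None):
    """Build the adminconsent URL; returns (url, state) so the caller can verify state later."""
    state = state or secrets.token_urlsafe(16)   # unpredictable instead of a fixed 654321
    query = urlencode({"client_id": app_id, "state": state, "redirect_uri": reply_url})
    return f"https://login.microsoftonline.com/{domain}/adminconsent?{query}", state


def check_consent_response(redirect_url: str, expected_state: str):
    """Parse the URL Azure AD redirects the Global Admin back to.

    Returns (True, tenant_id) on success, (False, reason) otherwise.
    """
    q = parse_qs(urlparse(redirect_url).query)
    if q.get("state", [None])[0] != expected_state:
        return False, "state mismatch"
    if "error" in q:
        return False, q.get("error_description", q["error"])[0]
    if q.get("admin_consent", [""])[0].lower() != "true":
        return False, "admin_consent not granted"
    return True, q.get("tenant", [""])[0]


# Constructed sample values (hypothetical, not a real tenant or application).
SAMPLE_CFG = {
    "admin_upn": "username@mktgsb360.onmicrosoft.com",
    "admin_id": "11111111-2222-3333-4444-555555555555",
    "app_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "app_password": "<key copied from the Keys blade>",
    "domain": "mktgsb360.onmicrosoft.com",
    "tenant_id": "99999999-8888-7777-6666-555555555555",
    "reply_url": "https://portal.serverless360.com/login",
}

if __name__ == "__main__":
    print("problems:", validate_config(SAMPLE_CFG, on_premise=True))
    url, state = admin_consent_url(SAMPLE_CFG["domain"], SAMPLE_CFG["app_id"], SAMPLE_CFG["reply_url"])
    print("open as Global Admin:", url)
    # Constructed sample of what Azure AD appends to the reply URL after consent.
    back = f"{SAMPLE_CFG['reply_url']}?admin_consent=True&tenant={SAMPLE_CFG['tenant_id']}&state={state}"
    print("consent result:", check_consent_response(back, state))
```

Run the script, open the printed URL as a Global Admin, and paste the URL you land on into check_consent_response with the same state; a state mismatch or an error parameter means the consent did not come from your own request or was refused.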

SB360-PH-Microsoft-Graph-API-access.png

If you receive an error such as 'The reply url specified in the request does not match the reply urls configured in the application:', ignore this error and just ensure the application is listed under the 'Enterprise Applications' of the configured Azure Active Directory. See the screenshot below for reference.

enterpriseapps.PNG

For more clarifications, please reach us at support@serverless360.com
