Configure Azure AD for User Management and More

Author

Reads 626

Computer server in data center room
Credit: pexels.com, Computer server in data center room

To configure Azure AD for user management, you'll first need to sign in to the Azure portal and navigate to the Azure Active Directory section. This is where you'll manage your organization's users, groups, and applications.

Azure AD offers a feature called self-service password reset, which allows users to reset their own passwords without needing to contact the IT department. This can be a huge time-saver for both users and administrators.

To enable self-service password reset, you'll need to create a password reset policy and assign it to a group of users. This policy will determine the conditions under which a user can reset their password.

By configuring Azure AD, you can also manage user licenses, which determine what features and services users have access to. This includes features like Microsoft 365 and Azure services.

See what others are reading: Azure Ad User

Azure AD Configuration

To configure Azure Active Directory (Azure AD), you'll need to log in to your Azure account through the Azure portal. Select Azure Active Directory from the menu.

Check this out: Azure Ad Directory Roles

Credit: youtube.com, Learn Microsoft Azure Active Directory in Just 30 Mins (May 2023)

First, you'll need to create a new application registration. To do this, select App registrations, then click Add. In the Create section, set the name for the new application and choose Native as the application type.

Set the Redirect URI to the Fully Qualified Domain Name (FQDN) of the Identity Platform appliance, followed by the realm to which Azure AD is integrated. For example, https://idp.company.com/secureauth2. This is crucial for the authentication process.

After clicking Create, copy the Application ID, which you'll need later. Then, select the new application and click Settings > Required Permissions. In the Required Permissions section, click Windows Azure Active Directory.

In the Enable Access section, delegate the permissions to be granted. Click Save, then click Grant Permissions to complete this step.

You'll also need to copy the .onmicrosoft.com domain name from the Azure Active Directory menu, which will be required in the Identity Platform configuration.

A different take: Azure Ad Approval Required

User Management

To manage users in Azure Active Directory, you can use PowerShell commands to get user properties. Installing Azure PowerShell is the first step, which can be done by following the instructions on the Microsoft website.

Credit: youtube.com, Microsoft Entra ID Beginner's Tutorial (Azure Active Directory)

To ensure the PowerShell commands function properly, the SetExecutionPolicy must be set to Unrestricted. Once installed, you can use the Get-Credential command to obtain a credential for the onmicrosoft account associated with the Azure tenant.

You can then use the Connect-AzureAD command to connect to the Azure Active Directory, and the Get-AzureADUser command to retrieve a user's profile. The user's profile should resemble the screenshot shown in the documentation, which displays the AzureAD profile.

To verify that the user properties match the profile fields configured on the Data tab in the Identity Platform, you can use the Get-AzureADUser command with the ObjectID parameter. This will display the user's properties in a format similar to the screenshot.

To create a new user in Azure Active Directory, you can follow these steps:

  • User name: A unique identifier in Azure portal.
  • Name: The display name of user in Azure portal.
  • Password: You can either create your own password or choose the auto-generate password option.

User Creation

Creating a new user in Azure Active Directory is a straightforward process that can be completed in just a few steps.

Credit: youtube.com, User Management - User Creation

First, navigate to the Azure portal and click on the "Create a Resource" option. Then, type "Azure Active Directory" or "AAD" in the search bar and select it from the options.

To create a new user, you'll need to click on the "Users" option under the "Manage" category. From there, click on the "New User" option and then select "Create new user."

You'll be prompted to fill in the details about the new user, including their username, name, and password. You can either create your own password or choose the auto-generate password option.

Here's a breakdown of the required fields:

  • User name: A unique identifier in Azure portal.
  • Name: The display name of user in Azure portal.
  • Password: You can either create your own password or choose the auto-generate password option.

Remember to note down the password you create or the auto-generated one, as you'll need it to sign in to the new user later.

Once you've filled in the details, click on "Create" to create the new user. After that, you can sign in to the newly created user by selecting their name and copying the username, which is given under their name. Then, sign in to Microsoft Azure using this username and password.

A unique perspective: Azure Ad Username

Creating a Directory

Credit: youtube.com, Create User Accounts with Active Directory - The Easy Way!

To set up a new Azure Active Directory, you need to start by searching for it in the Azure portal. Type Azure Active Directory in the search bar and then choose Azure Active Directory.

You'll then need to fill in some details about the new tenant, including the organization name, which should be a unique name for the organization.

The initial domain name should be a global unique name for all Azure AD resources.

You'll also need to specify the country or region where the tenant will reside.

Here are the specific details you'll need to fill in:

  • Organization name: A unique name for the organization.
  • Initial domain name: Global Unique name for all Azure AD Resources.
  • Country or region: The region where the tenant will reside.

Once you've filled in these details, click on Review+Create and then Create to set up the new tenant.

A unique perspective: How to Create a Group in Azure Ad

Enterprise Integration

Enterprise integration is a crucial step in configuring Azure AD. It allows you to connect your on-premises directories with Azure AD, enabling single sign-on and seamless authentication across all your applications.

To achieve this, you can use Azure AD Connect, which synchronizes user identities from your on-premises directories to Azure AD. This process is also known as directory synchronization.

The benefits of enterprise integration are numerous, including improved security and reduced complexity in managing user identities.

Curious to learn more? Check out: Azure Ad Integration

Register Enterprise IDP for Portal

Credit: youtube.com, Ubyon: IdP broker - Single Sign-On integration for applications with Enterprise IdPs

Registering an enterprise IDP for your portal is a straightforward process, and I'm here to walk you through it.

You'll need to sign in to the portal website as a member of the default administrator role in your organization and click Organization > Edit Settings > Security.

In the Enterprise Logins via SAML section, select the One Identity Provider option and click the Set Enterprise Login button, entering your organization's name in the process.

This text will display as part of the SAML sign-in option, making it easy for users to identify the correct login option.

To enable automatic account registration, simply select the Automatically option, and users will be able to sign in to the organization without any administrator intervention.

However, if you prefer to register accounts manually, choose the After you add the accounts to the portal option and use a command line utility or sample Python script to register the necessary accounts.

Credit: youtube.com, Authentication fundamentals: The basics | Microsoft Entra ID

It's recommended to designate at least one enterprise account as an administrator of your portal and demote or delete the initial administrator account.

To complete the registration process, provide metadata information for the IDP using one of the available options and configure any advanced settings as needed.

Once finished, click Update Identity Provider, and you'll be ready to proceed with the next step.

Here's a quick rundown of the steps to register an enterprise IDP for your portal:

  1. Sign in to the portal website as a member of the default administrator role.
  2. Click Organization > Edit Settings > Security and select the One Identity Provider option.
  3. Enter your organization's name and select the desired account registration option.
  4. Provide metadata information for the IDP and configure advanced settings as needed.
  5. Click Update Identity Provider to complete the process.

Qlik Sense Enterprise SaaS IdP

Configuring Qlik Sense Enterprise SaaS IdP can be a straightforward process if you have the right information.

You'll need to open the tenant's management console and click on the Identity provider menu item on the left side of the screen.

To create a new identity provider, click the Create new button on the upper right side of the main panel.

Select OIDC from the Type drop-down menu item, and choose Microsoft Entra ID (Azure AD) from the Provider drop-down menu item.

Credit: youtube.com, Qlik Cloud: Configure Azure Active Directory as an IdP

In the Application credentials section, you'll need to enter specific information, but scope does not have to be supplied.

The Post logout redirect URI is not required for Azure AD because users will be sent to the Azure log out page after logging out.

You'll also need to slide the Email verified override option ON in the Advanced options to ensure Azure AD validation works correctly.

After saving the configuration, a validation procedure will begin, redirecting you to the login page for the IdP.

If the validation succeeds, you'll be able to map the user's email address and verify groups resolve properly by creating a space and adding members.

Here's a quick summary of the steps:

  • Open the tenant's management console and click on the Identity provider menu item.
  • Create a new identity provider by clicking the Create new button.
  • Select OIDC and Microsoft Entra ID (Azure AD) as the provider.
  • Enter application credentials and slide the Email verified override option ON.
  • Save the configuration and initiate the validation procedure.
  • Map the user's email address and verify groups resolve properly.

Qlik Sense Enterprise SaaS Considerations

Qlik Sense Enterprise SaaS allows customers to bring their own identity provider for authentication to the tenant using the Open ID Connect (OIDC) specification.

OIDC is a specification, not a standard, so vendors like Microsoft may implement it in non-standard ways. This is the case with Microsoft Azure AD OIDC configurations, which don't send standard OIDC claims like email_verified.

A businessman uses a secure card reader access system against a concrete wall.
Credit: pexels.com, A businessman uses a secure card reader access system against a concrete wall.

To work around this, Qlik Sense Enterprise SaaS includes an advanced option to set email_verified to true for all users logging into the tenant.

The Azure AD configuration in Qlik Sense Enterprise SaaS includes special logic for contacting Microsoft Graph API to obtain friendly group names.

Whether these groups originate from an on-premises instance of Active Directory and sync to Azure AD through Azure AD Connect or from creation within Azure AD, the friendly group name will be returned from the Graph API and added to Qlik Sense Enterprise SaaS.

Here are the key considerations to keep in mind when using Azure AD with Qlik Sense Enterprise SaaS:

  • Qlik Sense Enterprise SaaS uses Open ID Connect (OIDC) for authentication.
  • Azure AD OIDC configurations don't send standard OIDC claims like email_verified.
  • Qlik Sense Enterprise SaaS includes an advanced option to set email_verified to true for all users logging into the tenant.
  • The Azure AD configuration in Qlik Sense Enterprise SaaS includes special logic for contacting Microsoft Graph API to obtain friendly group names.

Token Configuration

To configure token configuration in Azure AD, you'll need to click on the Token configuration menu item on the left side of the screen. This will open the Optional claims window, where you can add optional claims to the token configuration.

For optional claims, select the ID token type and choose the claims to include in the token, such as ctry, email, tenant_ctry, upn, and verified_primary_email. You can also enable OpenId Connect scopes from Microsoft Graph to the application configuration by clicking the check mark.

See what others are reading: Azure Ad Token Exchange

Credit: youtube.com, Microsoft Entra ID | Azure Active Directory Token Type | id_token | Access Token | Refresh_Token

Some optional claims may require adding OpenId Connect scopes, so be sure to check the box to enable them and click Add. The claims will appear in the window, and you can manage them as needed.

To add API permissions, click on the API permissions menu item on the left side of the screen. You'll see the configured permissions set during adding optional claims, and you can add new permissions by clicking the Add a permission button.

Select the Microsoft Graph option in the Request API permissions box, and then click on the Microsoft Graph banner. In the OpenID permissions section, check email, openid, and profile, and in the Users section, check user.read. You'll also need to select GroupMember.Read.All to grant users logging into Qlik Sense Enterprise SaaS through Azure AD to read the group memberships they are assigned.

After making your selections, click the Add permissions button, and the added permissions will appear in the list. However, the GroupMember.Read.All permission requires admin consent to work with the app registration, so be sure to click the Grant button and accept the message that appears.

Here's a summary of the required permissions:

Danny Orlandini

Writer

Danny Orlandini is a passionate writer, known for his engaging and thought-provoking blog posts. He has been writing for several years and has developed a unique voice that resonates with readers from all walks of life. Danny's love for words and storytelling is evident in every piece he creates.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.