Implement an Azure Active Directory

Objective 5.2: Configure the Application Access Panel

The Azure Active Directory application access capabilities support integrating a directory with well-known software as a service (SaaS) applications that many organizations rely on for their day-to-day business needs. By integrating with these applications using Azure Active Directory, IT professionals are able to centrally manage access to the applications for users and groups in the organization. As applications are added to the directory, users are able to see and start the applications they have been assigned access to using the Access Panel.

Adding SaaS applications to Azure Active Directory

The Applications page of an Azure Active Directory is where you can see and manage applications that have been added to your directory. At the bottom of this page is an Add button that will open an intuitive interface you can use to add a new SaaS application. Choose the option to Add An Application From The Gallery, and you will be able to select from the many applications available, as shown in Figure 5-15.

Configuring access to SaaS applications

Configuring user access to a SaaS application will vary depending on the sign in capabilities of the application. Azure Active Directory supports single sign-on and automatic user provisioning for third-party SaaS applications. Applications from the gallery will support one or both.

After an application has been added to the directory, the management portal provides a quick start guide on the steps needed to integrate it with your directory, as shown in Figure 5-16.

Single sign-on

Azure Active Directory supports two modes for single sign-on, which are federation-based and password-based. Both modes provide a single sign-on experience for the user but differ on the credentials used to sign in to the SaaS application.

Federation-based single sign-on requires that users authenticate to Azure Active Directory using their organizational account credentials to access the application. In other words, a federated trust exists between Azure Active Directory and the SaaS application. In this mode, the SaaS application redirects users to sign in using an application (protocol) endpoint from your Azure Active Directory. The application endpoint used will depend on the protocol supported by the SaaS application. Azure Active Directory supports the WS-Federation, SAML-P, and OAuth protocols and therefore provides the expected sign-in and sign-out endpoints for each. This mode also requires that a certificate be uploaded to the third-party SaaS application that it will use to validate authentication tokens issued by Azure Active Directory. The management portal provides the application endpoint URL and certificate during the configuration process, both of which will be needed when configuring the SaaS application for single sign-on.

Password-based single sign-on uses the username and password from the third-party SaaS application to sign in the user. In this mode, the user authenticates to the SaaS application using his or her credentials for the application, not Azure Active Directory. The credentials for the user are encrypted and securely stored in Azure AD, such that an authenticated user is able to get a single sign-on experience through a browser extension that retrieves the credentials from Azure AD and presents them to the application for the user.

Automatic user provisioning

Some applications enable you to configure automatic user provisioning whereby user accounts for the application are automatically added or removed as users are added or removed from the Azure Active Directory. The setup experience for this feature varies by application, but it generally involves signing in to the third-party application using administrative credentials and granting permission to Azure AD to provision user accounts in the application.

Assigning user access to applications

After configuring the application for single sign-on or user provisioning, you can proceed to the final step, which is to assign user access to the application. Managing access to the application is done in the Users page for the application, as shown in Figure 5-17, where access can be assigned for a user, removed for a user, and the user’s account settings can be edited, such as in the case of password-based single sign-on.

Accessing applications from the Access Panel

SaaS applications added to Azure Active Directory are available to users in the directory through the Access Panel. The Access Panel is a portal, separate from the management portal, where users can see and launch the applications they have been assigned access to. Users can sign in to the Access Panel at https://myapps.microsoft.com using their organizational account credentials. They can launch applications that they have access to from the Applications page in the management portal, as shown in Figure 5-18.

Customizing the Access Panel and sign-in page

The Access Panel and the sign-in page users use to authenticate are generalized such that they can be used by all Azure Active Directory tenants. In the Premium edition of Azure Active Directory, you can apply customized branding to the sign-in page and Access Panel for your users to display your organization’s logo, custom messaging, and colors. These customization features are available in the Configure page of the directory under the Directory Properties section. In Customize Branding, you can apply the desired customizations, as shown in Figure 5-19.

The customization options that are applicable to the Access Panel are limited to the banner logo. The banner logo and the other settings apply to the sign-in page.

Configuring Multi-Factor Authentication

Multi-Factor Authentication (MFA) is an effective way to add additional security to applications and resources. Multi-Factor Authentication in Azure AD works by first challenging the user for a valid username and password during sign in. If successfully authenticated, the second leg of authentication begins by challenging the user to verify he or she using a mobile app, phone call, or text message. This layered approach to authentication increases security by challenging you during sign in for something known, such as a password, and something you have, such as a mobile device. Having one without the other is not sufficient to gain access to a system protected by MFA.

MFA for administrators of an Azure subscription is available at no additional cost. However, to extend MFA to users of the directory and to be able to run reports from the MFA portal requires that you create a new MFA provider and configure it for your directory. You can choose from two billing options when creating a MFA provider, which are per user and per authentication.

The per user option is ideal in scenarios where you want MFA for a fixed number of users that authenticate regularly. The per authentication option is ideal for larger groups of users that authenticate less frequently. After a billing option is chosen and the MFA provider has been created, it cannot be changed. Therefore, it’s a good idea to review the pricing details for each option at http://azure.microsoft.com/en-us/pricing/details/multi-factor-authentication/. If you do need to change the billing option, you must create a new MFA provider to replace the existing one.

Create a Multi-Factor Authentication provider

To create a new MFA provider using the management portal, select the Multi-Factor Auth Provider option under Application Services when creating a new resource, as shown in Figure 5-20.

Configuring a Multi-Factor Authentication provider

The Azure Multi-Factor Authentication service is configurable through a separate portal that you can reach from the management portal. To access the Azure MFA portal, highlight the directory in the management portal and click the Multi-Factor Auth Providers tab at the top of the page. Select the MFA provider, and then click Manage .

The Azure MFA portal is where you can run MFA usage reports and configure settings for how the Azure MFA service will be used for your organization, as shown in Figure 5-21.

In the Configure section, the following options are available:

• Settings Configure the number of attempts to allow during a MFA call, the phone number to be used for caller ID, the ability to empower users to submit fraud alerts, and whether to block a user’s account after submitting a fraud report.

• Caching Set up a cache such that, after a user has successfully authenticated, subsequent authentication attempts within the time period specified for the cache will automatically succeed. A cache can be defined as one of three types as follows and multiple caches can be configured for a MFA provider:

  • User A user who has previously authenticated will be automatically authenticated on subsequent authentication attempts within the cache seconds specified.
  • User, authentication type, application name A user who has previously authenticated will be automatically authenticated on subsequent authentication attempts within the cache seconds specified if the user is using the same type of authentication and accessing the same application.
  • User, authentication type, application name, IP address A user who has previously authenticated will be automatically authenticated on subsequent authentication attempts within the cache seconds specified if the user is using the same type of authentication, accessing the same application, and is from the same IP address. This type of cache is only applicable for on-premises MFA servers and line of business applications developed using the MFA SDK.
• Voice Messages Replace the standard messages used during MFA calls with your own custom messages. The voice message can be used to replace message types such as greeting, retry, fraud greeting, and more. The voice message can also be applicable to a specific application.
• Notifications Specify email addresses that should receive notifications when a fraud alert is reported, a user account is locked, or a one-time bypass is used.

Enabling Multi-Factor Authentication for users

Multi-Factor Authentication can be enabled for users using a separate Multi-Factor Authentication portal. You can access this portal from the management portal by going to the Users page for your directory, and clicking Manage Multi-Factor Auth.

To enable Multi-Factor Authentication for a user, click the check mark button next to the user. Next, click the Enable link under the Quick Steps section, as shown in Figure 5-22.

After enabling Multi-Factor Authentication for a user, the user’s MFA status is updated to Enabled. It is a subtle but important distinction to note that MFA for the user is not being enforced yet. At this stage, the service has only been enabled for the user. To be enforced requires that user configuration for additional security verification be completed, which is the topic of the next section.

User configuration for additional security verification

A user that has been enabled for MFA will be prompted at the next sign in that an administrator has required the user to set up the account for additional security verification to be used during Multi-Factor Authentication. During this process, the user is able to select the contact method to be used during Multi-Factor Authentication, which can be one of the following:

• Mobile phone
• Office phone
• Mobile application

Depending on the method selected, the user will then be able to provide the additional information needed. For example, when choosing the mobile phone method, the user is then prompted to provide the phone number and whether to be contacted via text message or phone call from the Multi-Factor Authentication service, as shown in Figure 5-23.

After the user has verified the settings in step two, the Multi-Factor Authentication status for the account is updated to Enforced, and the user will start getting prompted for MFA during sign in.

Federating with Facebook and Google ID

When adding users to Azure Active Directory, you typically add users to your organization. As an example, if the organization is Contoso, as a user is added you assign a username, such as jayhamlin@contoso.com.

It’s also possible to add a user to the directory using their identity with a social identity provider such as Facebook, Google, and others. These are referred to as federated identity providers and are the authority for that user’s identity. To add an external user to your directory, set the type of user to User With An Existing Microsoft Account, and then enter the email address associated with the user’s Microsoft account.

Adding a user to a directory using a Microsoft account is useful in situations where you want to grant access to applications for users who are not part of the organization but may be contracted to work on short-term project assignments. This has the benefit of these users being able to use existing credentials to access applications rather than being given new credentials to keep up with. When the user no longer needs access to the applications, you can remove the user’s account from Azure Active Directory. The user’s Microsoft account continues to work as it always has for other online applications and services.

Objective summary

• Azure Active Directory is the identity provider for users added to a directory as a new user in the organization. In this scenario, the organization owns and manages the user’s identity. For users added to a directory using a Microsoft account, the user and the federated identity provider where the account was created own and manage the user’s identity.
• A user added to a directory using a Microsoft account will not be able to use the Access Panel to see and launch applications assigned to him or her. Instead, the user must access the application URL and sign in using credentials associated with the account.
• A multi-factor authentication provider is available as either a per user or per authentication billing plan.
• SaaS applications added to a directory support single sign-on or automatic user provisioning configurations. For single sign-on, options may include password-based, federation-based, and existing single sign-on.
• The sign-in page and Access Panel can be custom branded for Azure Active Directory Premium users. You can apply localized branding settings for all or selected settings to support users in different locales.

Objective review

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.

1. How can Azure Active Directory users see, and launch, the applications they have been granted access to? (Choose all that apply.)

   1. management portal
   2. Active Directory Portal
   3. Access Panel
   4. “My Apps” from the Apple App Store

2. Which of the following are valid contact methods for Multi-Factor Authentication users? (Choose all that apply.)

   1. Mobile phone
   2. Office phone
   3. Email
   4. Mobile application

3. Which two single sign-on modes does Azure Active Directory support for SaaS applications?

   1. Automatic user provisioning
   2. Password-based
   3. Active Directory Federation Service (AD FS)
   4. Federation-based

4. What is the URL where users can access the Access Panel?

   1. https://myapps.microsoft.com
   2. https://portal.azure.com
   3. http://azure.microsoft.com/en-us/marketplace/active-directory
   4. http://account.windowsazure.com/organization