Microsoft Conditional Access Custom Controls integration guide
Microsoft has a feature in their Azure stack called Conditional Access. This feature allows Azure customers to apply policies to either the login process to Office 365 or specific apps and tiles within Office 365/Azure. Using this feature, Azure customers can restrict access to applications, such as Outlook, SharePoint, and others, based on several different factors.
Recently, Microsoft added a function to Conditional Access called custom controls. Custom controls allow third-party integration into Conditional Access. This process involves having a registered application by the third party to be allowed globally by Microsoft and then providing OpenID Connect (OIDC) endpoints for use by the Azure customer to call out to the third party's authorization process.
Audience
This guide is intended for administrators who need to install and configure Microsoft Conditional Access for use with SecureAuth® Identity Platform.
Prerequisites
You must ensure that you have the following items:
Install Identity Platform release 9.2 or later and configure one or more realms for that appliance
Configure the following tabs in Advanced Settings (formerly Classic Experience) of the SecureAuth Web Admin console before configuring any other tabs:
Overview: Define the description of the realm and SMTP connections.
Data: An enterprise directory must be integrated with SecureAuth Identity Platform.
Workflow: Define how users access the target.
Multi-Factor Methods: Define the Multi-Factor Authentication methods that are used to access the target, if any.
Gain administrative access for Microsoft Azure.
Install and configure Internet Information Services (IIS) for Windows Server.
Set up Modern Authentication in your server environment. For more information, see the Hybrid Modern Authentication overview and prerequisites for using it with on-premises Skype for Business and Exchange servers article on the Microsoft website.
Contact Support, and open a support ticket titled "Tailoring - Conditional Access." Request the following items so you have them on hand during the configuration:
ASPX and code-behind pages. You will need this in the task for Configure Internet Information Server (IIS) for Windows Server
Import rules. You will need this for the task in Configure Internet Information Server (IIS) for Windows Server
JSON file. You will need to provide the Client ID, to be created on the Post Authentication tab section and the public URL of the OpenID Connect Post-Auth realm to SecureAuth Support
JSON file. You will need this for the task in Configure Microsoft Custom Control
SecureAuth Identity Platform configuration steps
In Advanced Settings, create a realm and configure it for use with Microsoft Conditional Access.
Configure Internet Information Server (IIS) for Windows Server
Log in to your SecureAuth Identity Platform Admin console.
Create a new OIDC realm for conditional access configuration.
Add the client and save your configuration.
Once saved, the server will generate the Client ID and Client Secret.
Copy the Client ID to include in the support ticket.
Open a ticket with Support. In this ticket, provide the following information:
Email subject line/title of ticketTitle: Tailoring Request – Configure Conditional Access
Provide the full URL for the new Conditional Access realm
Provide the Client ID captured above.
When you receive the JSON file from Support in the ticket, copy the ASPX and code-behind pages under the root of the newly-defined realm. This is located in
D:\SecureAuth\SecureAuth Realm_number. For example,D:\SecureAuth\SecureAuth5.A custom pre-authentication page is used to retrieve the user ID from Microsoft for this request. Microsoft sends a HTTP POST with the OIDC parameters and an additional parameter called
id_token_hint. This parameter includes a JSON web token (JWT) and a number of claims, including the unique ID for the user and their user principal name (UPN). SecureAuth Identity Platform must obtain that information and validate the JWT.
Create an inbound rule for Conditional Access
Using the IIS Manager, create an inbound rule for Conditional Access in this new realm.
On the Start menu, click Run.
In the Open dialog box, type inetmgr, and click OK.
In IIS, select Default Web Site, expand the list, and select the newly created Conditional Access realm.
In the Features View, click URL Rewrite.
Set an inbound rewrite rule under the realm folder. For example, SecureAuth3.
The URL rewrite rule, shown in the following image, captures requests and places them on the custom page to decode the JWT that Microsoft sends over VIA POST.
Note
For more information about the URL rewrite rule, see the Creating Rewrite Rules for the URL Rewrite Module article on the Microsoft website.
Change the query string setting
Using the IIS Manager, change the query string setting for the SecureAuth realm number. For example, SecureAuth3.
In the IIS Manager, focus on the appropriate realm.
Right-click Request Filtering and select Open Feature.
Select the Query Strings tab.
On the right side of the page, click Edit Feature Settings.
In the Request Limits section, set the following:
Maximum URL length (Bytes)
Set to 6144.
Maximum query string (Bytes)
Set to 4096.
Click OK to save the changes.
Ensure that
https://login.microsoftonline.com/common/discovery/keysis accessible from the SecureAuth server.
Data tab settings
Select the Data tab.
Create a connection based on the data store type, such as Active Directory or SQL Server.
In the Profile Fields section, set the following auxiliary values:
Aux ID 2
Set to otherLoginWorkstations.
Aux ID 5
Set to otherIpPhone and select the writable checkbox.
This field is set from the custom pre-authentication page – MSConditionalAccess.aspx.vb.
In the Global Aux Fields section, set Global Aux ID 1 to Validated.
Workflow tab settings
Select the Workflow tab.
In the Login Screen Options section, set the following values:
Default Workflow
Set to Username | Second Factor.
Public/Private Mode
Set to Public Mode Only.
In the Customer Identity Consumer section, set Receive Token to Token.
Leave all other fields set to the default.
Multi-Factor Methods tab settings
Select the Multi-Factor Methods tab.
In the Phone Settings section, configure the Multi-Factor Authentication methods that you want enabled.
The following example shows how to set the email and text (SMS) methods:
Phone Field 1
Set to One-Time Passcode via Phone Call and SMS.
Phone Field 2
Set to One-Time Passcode via Phone Call and SMS.
In the Email Settings section, set Email Field 1 to One-Time Passcode via HTML Email.
Post Authentication tab settings
Select the Post Authentication tab.
In the Post Authentication section, set Authenticated User Redirect to OpenID Connect/OAuth2.
In the User ID Mapping section, set the following values:
User ID Mapping
Set to Authenticated User ID.
Map other parameters, if needed.
Name ID Format
Set to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
Encode to Base64
Set to False.
In the OpenID Connect/OAuth 2.0 – Settings section, set the following values:
Enabled
Set to True.
Issuer
Set to the fully qualified domain name (FQDN)/Hostname of the IdP appliance. For example, idp.company.com.
This must be publicly facing and have a valid SSL certificate.
Signing Algorithm
Set to one of:
- RSA SHA256 (RS256)
An asymmetric algorithm, which means it uses a public/private key pair. SecureAuth uses the private key for signing and provides you with the public key to use to validate the signature.
- HMAC SHA256 (HS256)
A symmetric algorithm, which means one secret key is shared between SecureAuth and the end-user. The same key is used to create the signature and to validate it. This key must be kept secret at all times.
Signing Cert
Set to any certificate that is a private key readable by SecureAuth Identity Platform.
Do not use wild cards in a certificate.
Auto Accept User Consent
Set to True to provide a clean user experience.
Enable User Consent Storage
Set to True to provide a clean user experience and to enable check session endpoints.
Consent Storage Attribute
Set to the AUX ID 2 value that was mapped to a string attribute. For example, otherLoginWorkstations.
Authorization Code Lifetime
Access Token Lifetime
Refresh Token Lifetime
Leave set to the default.
In the OpenID Connect/OAuth 2.0 – Scopes section, select the Discoverable check box for the openid scope.
In the OpenID Connect/OAuth 2.0 – Clients section, click Add Client and set the following values:
Name
Set to ConditionalAccess or another appropriate name.
Client ID
Set to the appropriate client ID for this client.
Enabled/Disabled
Select the check box.
In the OpenID Connect/OAuth 2.0 - Client Details section, set the following values:
Enabled
Set to True.
Name
Set to ConditionalAccess or another appropriate name.
JSON Web Encryption
Set to Disabled.
JSON Web Key URI
Clear the text box and leave blank.
In the Allowed Flows section, set the following values:
Authorization Code
Set to True.
Implicit
Set to True.
Hybrid
Set to False.
Client Credentials
Set to False.
Resource Owner
Set to False.
Refresh Token
Set to True.
Introspection
Set to True.
Revocation
Set to True.
In the OpenID Connect/OAuth 2.0 - Client Redirect URIs section, click Add Redirect URI then set the Client Redirect URI to:
https://login.microsoftonline.com/common/federation/OAuth2ClaimsProvider
In the OpenID Connect/OAuth 2.0 – Claims section, set the following values:
Sub
Set to AUX ID 5, which was mapped to the otherIpPhone value on the Data tab.
Discoverable
Select the check box.
In the OpenID Connect/OAuth 2.0 – Custom Claims section, click Add Custom Claim and set the following values:
Claim
Set to SecureAuthMFA.
Profile Property
Set to Global Aux ID 1.
Discoverable
Select the check box.
System Info tab settings
Select the System Info tab.
In the Links section at the bottom of the screen, click Click to edit Web Config file to edit the web.config file.
Add the following key(s) to the <appSettings> section:
<add key="MSConditionalAccess-ProfileField" value="AuxID5" />
Note
The following keys are required only if user profile data is using samAccountName as uniqueidentifier. The keys are required to create a separate API realm. (Do not use an OpenID Connect realm as an API realm because you cannot have two different settings for an OpenID Connect realm.) After adding the following keys, see Optional API realm configuration.
<add key="MSConditionalAccess-EnableUPNsamAccountNameConversion" value="True" /> <add key="MSConditionalAccess-UPNsamAccountNameConversionUsingAPI" value="False" /> <add key="MSConditionalAccess-API-SecureAuthRealmUrl" value="https://<domain or localhost>/SecureAuthXX" /> <add key="MSConditionalAccess-API-AppId" value="XXXXXXXXXXXX" /> <add key="MSConditionalAccess-API-AppKey" value="XXXXXXXXXXXXXXXXXXXXX" /> <add key="MSConditionalAccess-API-samAccountNameField" value="AuxID6" />
Save all changes made to this configuration and exit.
Optional API realm configuration
The following steps are required if user profile data is using samAccountName as uniqueidentifier and you set the additional keys in the System Info tab setting section.
System Info tab settings
Select the System Info tab.
In the Links section at the bottom of the screen, click Click to edit Web Config file to edit the web.config file.
In the <appSettings> section, change the value of the following key to
"True":<add key="MSConditionalAccess-UPNsamAccountNameConversionUsingAPI" value="True" />
Data Tab settings
Select the Data tab.
Create a connection based on the data store type, such as Active Directory or SQL Server.
In the Search Filter section, set the following:
Search Attribute
Set to userPrincipalName,
searchFilter
Set to (&(userPrincipalName=%v)(objectclass=*)) .
In the Profile Fields section, set Aux ID 6 to sAMAccountName.
This field is set to match the MSConditionalAccess key you set in the System Info tab setting section.
Save your changes.
Enable the API
Select the API tab.
In the API Key section, select the Enable API for this realm check box.
In the API Permissions > Authentication section, select the Enable Authentication API check box.
In the Identity Management section, select the User Management - add / update / retrieve users and their properties. check box.
Save your changes.
Configure Microsoft Custom Control
Create and configure a new custom control for Microsoft Conditional Access.
Log in to Microsoft Azure.
Select Azure Active Directory in the left pane.
In the Security section, click Conditional access.
In the Manage section, click Custom controls (Preview).
Click New custom control.
Enter the JSON for customized controls in the fill-in field.
Enter the JSON provided by SecureAuth Support, then click Save. Contact SecureAuth Support per the Prerequisites steps, if you did not already request this information.
In the JSON file, set the following configurations:
AppId
Set to the data application referenced by Microsoft.
ClientId
Set to the designated realm located in the OpenID Connect/OAuth 2.0 - Clients section of the Post Authentication tab.
DiscoveryUrl
Set to the OpenID configuration for the designated realm.
For your convenience, copy the following code snippet into the JSON file and change values appropriately:
{ "Name": "Name for SecureAuth MFA", "AppId": "Microsoft data App ID", "ClientId": "SecureAuth ClientID", "DiscoveryUrl": " https://SecureAuthURL/secureauthXX/.well-known/openid-configuration ", "Controls": [ { "Id": "SecureAuthIdP", "Name": "SecureAuthIdP", "ClaimsRequested": [ { "Type": "SecureAuthMFA", "Value": "Validated", "Values": null } ] } ] }
Create a Policy
Create a Microsoft Conditional Access policy.
Log in to Microsoft Azure.
Select Azure Active Directory in the left pane.
In the Security section, click Conditional access.
Select Policies in the left pane.
Click New Policy.
Specify the users, apps, and controls that you want to assign the policy to.
Save your changes.
Test Microsoft Conditional Access with SecureAuth Identity Platform
Test that Microsoft Conditional Access works with the Identity Platform. In this scenario, you will test with Microsoft Teams, but you could also test with Outlook or Skype for Business.
Log in to Microsoft Teams.
Enter your email address.
Enter your password.
Select the two-factor authentication method to use to log in to Microsoft Teams. The following example shows the text message (SMS) method.
On the authentication page, enter the passcode that you received.
The following image is an example.
The following Microsoft Teams page is displayed if the configuration between Microsoft Conditional Access and SecureAuth Identity Platform is successful.
If you do not see this page or if you receive an error message, contact SecureAuth Support.