Skip to main content

Add Azure Active Directory data store

In the SecureAuth® Identity Platform, you can add an Azure Active Directory (AD) data store to assert or manage user identity information. This requires registering the Identity Platform in Azure portal to communicate with Azure AD.

Note

The SecureAuth Connector is not required for Azure AD data store in the Identity Platform.

Prerequisites

  • Identity Platform release 22.12, cloud or hybrid deployment

  • Identity Platform is registered in Azure portal with application read/write permissions to Azure AD. For more information, see Azure Active Directory configuration. You will need to capture the connection IDs and client secret key from the Azure portal.

Data store limitations

Note the following issues with Azure AD data stores:

  • Login workflows that include a password is not supported for guest accounts on Azure AD. Use passwordless login workflow.

    The username and password login workflow is not compatible with conditional access and MFA. For more information, see this Microsoft article.

  • You can only use Azure AD in applications created in the New Experience.

  • Password complexity rules set up in the Identity Platform cannot be applied to Azure AD.

Process

There are two parts to adding a data store in the Identity Platform — (1) adding the data store and (2) mapping the data store properties.

Step 1 of 2: Add Azure AD data store

The first part of adding an Azure Active Directory data store is configuring the data store name, connections, credentials, and search attributes.

  1. On the left side of the Identity Platform page, select Data Stores.

  2. Select the Data Stores tab.

  3. Click Add a Data Store.

  4. Set the Data Store Name and select the Connection Type as Azure AD.

    60561051.png
  5. In the Connection Settings section, enter the connection information for your configured Azure AD data store.

    Note

    For information about how to get the connection settings for the Azure AD, see Azure Active Directory configuration.

    Azure Tenant Domain

    The domain of the Azure AD directory.

    For example, company.onmicrosoft.com

    Directory Tenant ID

    The Directory (tenant) ID value copied from the Azure portal for the registered Identity Platform application.

    Client ID

    The Application (client) ID value copied from the Azure portal for the registered Identity Platform application.

    Client Secret

    The client secret copied from the Azure portal for the registered Identity Platform application.

    Use National Cloud Deployment

    Select check box and set to the regional instance for your Azure AD data store. Options are:

    • Public (default)

    • China

    • Germany

    • US Government

    Test Credentials

    Test the data store connection by clicking Test Credentials. (This button is available only in hybrid deployments of Identity Platform 22.02 and 22.12.)

    AzureAD_test.png
  6. In the SecureAuth IWA Service Settings section, define the settings to use Windows SSO for your resources.

    Note

    This option is available only in cloud deployments.

    For more information about Windows SSO integration, see Windows SSO integration with Azure AD.

    Allow Windows SSO integration

    You can use Windows SSO to allow secure access to your resources. Move the slider:

    • On – Allow Windows SSO integration.

      The Identity Platform connects with the SecureAuth IWA service to validate user credentials and allow Windows SSO access to resources.

    • Off – Do not allow Windows SSO integration.

      The Identity Platform uses the authentication policy login workflow to allow access to resources.

    Azure AD Domain Services (AADDS) Domain

    The Azure AD Domain Services domain for this service account.

    Service Account Password

    Password for the SPN-assigned service account in Azure AD Domain Services.

    Note

    If the password changes for this SPN-assigned service account in Azure AD Domain Services, you must update the password in this field.

    The password must be in sync in both places to maintain a Windows SSO connection between the Azure AD Domain Services and SecureAuth IWA service.

    Service Account Name

    Name of the service account in Azure AD Domain Services used to establish a connection with the SecureAuth IWA service.

    The service account must have an assigned Service Provider Name (SPN). For more information, see Configure Azure AD Domain Services for SecureAuth IWA service.

    It is recommended to use a service account with least privilege access for Windows SSO and SecureAuth IWA service.

    This optional field is not validated in the Identity Platform. Use this field to help you remember the name of the service account used for the Windows SSO integration with the Identity Platform.

    SecureAuth IWA Service Settings section
  7. Click Continue.

    The Map Data Store Properties page opens.

    azure_ad_properties_editable.png

Step 2 of 2: Map the Azure AD data store properties

The second part of adding an Azure AD data store is mapping the data store properties.

Each user is uniquely identified by profile data that is read from or stored in your directories and databases.

The Identity Platform does not store user profiles, so your Azure AD attributes must be mapped to the Identity Platform profile properties to be read and updated in the directory by the Identity Platform. The Azure AD attribute mapped to the property is retrieved only when required for authentication or assertion purposes.

For more information about how data store profile properties are stored for on-premises, hybrid, or cloud Identity Platform deployments, see List of stored profile field properties.

Note

Each mapped profile property needs to have its own directory attribute. You cannot map the same directory attribute to more than one property.

For example, you cannot map the mobilePhone attribute in Phone 3 because that attribute is already mapped to Phone 2.

  1. On the Map Data Stores Properties page, define the required attributes in the Directory Field that corresponds to each Azure AD property required by your environment and the Identity Platform. The required attributes are:

    • First Name

    • Last Name

    • Groups

    • Email 1 (Work)

  2. Define any other applicable attributes in the Directory Field that correspond to each Azure AD property.

  3. In the Writable column, define whether a profile property can be writable (select check box) or not writable (cleared check box) according to your Azure AD directory configuration.

    For example, if you want to allow users to update their personal email address on the self-services page, select the Writable check box.

  4. For the mapped Aux ID 1 through Aux ID 10 fields, specify the Data Format to define how data is encrypted and stored in the directory.

    For cloud deployments, certain profile properties (for example, push tokens, behavioral biometrics, and device profiles) are generated and used by SecureAuth, and stored in the SecureAuth cloud database.

    The selection options are:

    • plain text – store data as regular, readable text (default)

    • standard encryption – store and encrypt data using RSA encryption

    • advanced encryption – store and encrypt data using AES encryption

    • standard hash – store and encrypt data using SHA-256 hash

  5. Click Save Data Store.

    The Azure AD data store you just added appears in the User Data Stores list.