The Microsoft Cloud Solution Provider (CSP) program was released in July 2014 to provide a scalable, flexible partner program. Designed to deepen customer relationships and expand business opportunities, the CSP program allows partners to:
To achieve those capabilities, CSP partners need to integrate their backend systems and business processes with various Microsoft cloud services and processes. Once integration has taken place, CSP partners then have the ability to directly provision, manage and support clients within the Microsoft Office 365, Microsoft Azure, Dynamics CRM, and Enterprise Mobility Suite (EMS) product offerings.
There are two goals with this document. The first is to help CSP Partners to configure and deploy the Cloud App Discovery service for their end customers. This enables the end customers to discover cloud (SaaS) applications that are used by the employees within the organization.
The second goal is to help CSP Partners to quickly implement federated identity with Azure Active Directory, enabling the single sign-on solution for their customers.
This document provides guidance to support the setup and implementation of the Cloud App Discovery service and the enabling of single sign-on with Microsoft Online Services.
The scope of this document is the implementation guidelines for implementing Azure Active Directory Premium features and services, such as:
| Term | Description |
|---|---|
| CSP | Cloud Solution Provider |
| AD | Active Directory |
| AAD | Azure Active Directory |
| ADFS | Active Directory Federation Services |
| Partner Center | Portal for CSP Partners to administer their CSP offerings: http://partnercenter.microsoft.com |
| End Customer | Organization that is managed by the CSP Partner |
| Azure Co-Administrator | An administrator who can log in to the Azure Portal and deploy or create new resources against a subscription |
| SSO | Single sign-on |
| IdP | Identity provider |
This document assumes that the following conditions have been met:
For more information on the planning for AD FS, refer to the document Plan your AD FS deployment.
For more information on the requirements that must be met when deploying AD FS, refer to the document AD FS Requirements.
Cloud App Discovery is a premium feature of Azure Active Directory that is provided as part of EMS. It enables organizations to discover business and consumer cloud (SaaS) applications that are used by employees within the organization.
Once the applications are discovered, a strategy can be developed to take the identified applications into direct management. This enables the IT department to configure single sign-on for the SaaS applications and publish these in the user's MyApps access panel.
There are a number of elements of the Cloud App Discovery service that need to be agreed upon with the end customer.
The following table outlines these elements that, once they are agreed to by the end customer, will allow the CSP Partner to proceed with the configuration and deployment of the Cloud App Discovery agent.
CSP Partners can leverage this table to provide the end customer with best practices for their managed service.
For more information on tailoring these settings to fit the organization's needs, refer to the document Cloud App Discovery Security and Privacy Considerations.
| Cloud App Discovery Service Setting | Description | End Customer Setting |
|---|---|---|
| Manage Agent | | |
| User consent option | Administrators can use the Cloud App Discovery portal to choose whether to notify users of the data collection by the agent, and whether to require user consent before the agent starts collecting user data. | User Consent Options: |
| Deep inspection | Deep inspection allows the agent to inspect SSL-encrypted connections. | On/Off |
| Automatic updates | All installed agents will be updated automatically when a new version of the Microsoft Cloud App Discovery Endpoint Agent is available. | On/Off |
| Data collection | By default, only business-categorized apps are selected. You can edit the list of cloud apps if you choose the Selected Apps option. The All Apps option collects data from all web traffic and cannot be edited. | Selected Apps/All Apps |
| Store data | Cloud App Discovery data can be exported to Azure Blob storage for further analysis. | On/Off. If On is selected, the following information is required: |
| Manage access | This specifies which users or groups have administrative access to the Cloud App Discovery service. By default, all Global Administrators of the end customer's Azure AD tenant have these permissions assigned. | On/Off |
| Notifications | This specifies whether weekly email notifications will be sent, and to whom. By default, notifications are sent to all Tenant Administrators and to the account used to sign up for the Cloud App Discovery service. | On/Off; Tenant Admins Yes/No; Sign-Up User Yes/No |
NOTE: In this example, all apps in use within the end customer's environment will be captured:
In this example, the exporting of the Cloud App Discovery data to Azure Blob storage for further analysis is not configured.
For more information on advanced data analysis of the exported Cloud App Discovery data, refer to the document Cloud App Discovery: Now with Excel and PowerBI Support.
Deployment of the Cloud App Discovery agent for the end customer can be achieved by utilizing one of the following options:
For installation via AD Group Policy, refer to the document Cloud App Discovery Group Policy Deployment Guide.
For installation via System Center Configuration Manager, refer to the document Cloud App Discovery System Center Deployment Guide.
If the end customer also has an environment with a proxy server that utilizes custom ports, i.e. ports other than 80 or 443, a registry change is also required to allow the Cloud App Discovery agent to communicate over that port.
For the custom proxy port customization required, refer to the document Cloud App Discovery Registry Settings for Proxy Services.
NOTE: Some proxy services (such as Websense) can interfere with traffic from the Cloud App Discovery endpoint. This interference may cause the Cloud App Discovery agent installation to fail (Error 0x80070643). Adding *.azure.com to the proxy whitelist solves the problem.
Cloud App Discovery reporting allows the CSP Partner and the end customer to identify the business and consumer applications used within the organization's environment.
This reporting data makes it easier than ever to discover shadow IT in the end customer's organization, including details on the usage patterns and any users accessing the cloud applications.
For more advanced reporting, Cloud App Discovery data can be exported to an Azure Blob Store setup in the end customer's Azure subscription. This allows for the use of Excel or Power BI to further analyze the captured information.
Refer to Cloud App Discovery: Now with Excel and PowerBI Support for further information.
SaaS application BambooHR from the gallery according to the steps documented in the "Getting Started with Azure Active Directory Premium for Microsoft Cloud Solution Providers" document:
When accessing cloud-based applications and services, federated identity, which is commonly referred to as single sign-on (SSO), means being able to access all of the applications and resources that end customer organizations need to do business, by signing in only once using a single user account. Once signed in, users can access all of the applications they need without being required to authenticate (e.g. type a password) a second time.
Single sign-on is achieved with the federation of the end customer's Active Directory Federation Services (AD FS) infrastructure with their Azure Active Directory tenant.
The following steps must be completed on the AD FS primary server.
In this example, SSO is being enabled on the AD FS server for the domain cspdemoems.com that has been previously added and verified to the Azure AD tenant.
# Prompt for the Azure AD administrator credentials of the end customer tenant
$UserCredential = Get-Credential
# Connect to Azure AD with the MSOnline module
Connect-MsolService -Credential $UserCredential
# Convert the verified domain from managed to federated authentication
Convert-MsolDomainToFederated -DomainName <Domain Name>
Example:
Convert-MsolDomainToFederated -DomainName cspdemoems.com
In this example, SSO federation with the Azure AD tenant is configured for the domain cspdemoems.com:
Run the following command to verify the end customer federation status:
Get-MsolDomain
This will list all of the domains in the end customer's Azure AD tenant and the authentication model associated with each domain. Refer to the document Understanding Office 365 Identity and Azure Active Directory for more information on the identity models.
| Authentication Model | Description |
|---|---|
| Managed | Managed authentication covers both the "cloud-only identities" and "synchronized identities" models. Cloud-only identities are user accounts set up in Azure AD only, while synchronized identities are on-premises directory objects synchronized into Azure AD. |
| Federated | Federated identity is similar to synchronized identity. The on-premises directory objects (or a subset) are synchronized to Azure AD, but authentication is now verified by the on-premises identity provider (IdP). Optional password synchronization may be configured so that synchronized identity can be used as a backup in case ADFS fails. |
In the example, the domain cspdemoems.com has now had SSO enabled as shown by its federated authentication status.
All users logging into Microsoft online services with a @cspdemoems.com username will now be required to authenticate against the on-premises AD FS infrastructure:
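The conversion and verification steps above, combined into one script as an added example (this is not code from the guide or from Microsoft). It assumes the MSOnline module and the ADFS module are installed, that it runs on the AD FS primary server, and that Get-AdfsSyncProperties exposes the farm role in a Role property; the domain name is a parameter.

```powershell
# Added example: federate a verified Azure AD domain with on-premises AD FS
# and confirm the result, with the pre-checks a CSP partner would want.
param(
    [Parameter(Mandatory = $true)][string]$DomainName   # e.g. cspdemoems.com
)

# Pre-check: the conversion must run on the AD FS primary server.
# Role is assumed to report 'PrimaryComputer' on the primary node.
$role = (Get-AdfsSyncProperties).Role
if ($role -ne 'PrimaryComputer') {
    throw "This node is '$role'; run the conversion on the AD FS primary server."
}

$cred = Get-Credential -Message 'Global Administrator of the end customer tenant'
Connect-MsolService -Credential $cred

# Pre-check: the domain must already be added and verified in the tenant,
# and must not already be federated.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Status -ne 'Verified') {
    throw "Domain $DomainName is '$($domain.Status)'; verify it in the tenant first."
}
if ($domain.Authentication -eq 'Federated') {
    Write-Warning "Domain $DomainName is already federated; nothing to do."
    return
}

# Convert the domain from managed to federated authentication.
Convert-MsolDomainToFederated -DomainName $DomainName

# Verify: the domain must now report Federated, and the tenant must hold the
# AD FS endpoints and a signing certificate for it.
$after = Get-MsolDomain -DomainName $DomainName
if ($after.Authentication -ne 'Federated') {
    throw "Conversion did not take effect; Authentication is '$($after.Authentication)'."
}
$fed = Get-MsolDomainFederationSettings -DomainName $DomainName
[pscustomobject]@{
    Domain             = $after.Name
    Authentication     = $after.Authentication
    IssuerUri          = $fed.IssuerUri
    PassiveLogOnUri    = $fed.PassiveLogOnUri
    SigningCertPresent = -not [string]::IsNullOrEmpty($fed.SigningCertificate)
}

# Overview of every domain in the tenant and its authentication model.
Get-MsolDomain | Select-Object Name, Status, Authentication, IsDefault | Format-Table -AutoSize
```

A missing signing certificate or empty PassiveLogOnUri after conversion indicates the AD FS trust was not written to the tenant correctly and should be investigated before users are cut over.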
Once the federated identity model has been established, the solution needs to be tested to verify that all SSO authentication scenarios are working as expected.
To test the SSO functionality in the various usage scenarios, follow the instructions outlined in the Verify and manage single sign-on with AD FS documentation.