Getting Started with Azure Active Directory with Single Sign-On for Cloud Solution Providers

Introduction

The Microsoft Cloud Solution Provider (CSP) program was released in July 2014 to provide a scalable, flexible partner program. Designed to deepen customer relationships and expand business opportunities, the CSP program allows partners to:

  • Own and control billing
  • Sell combined offers and services
  • Deliver direct provisioning, management and support

To achieve those capabilities, CSP partners need to integrate their backend systems and business processes with various Microsoft cloud services and processes. Once integration has taken place, CSP partners then have the ability to directly provision, manage and support clients within the Microsoft Office 365, Microsoft Azure, Dynamics CRM, and Enterprise Mobility Suite (EMS) product offerings.

There are two goals with this document. The first is to help CSP Partners to configure and deploy the Cloud App Discovery service for their end customers. This enables the end customers to discover cloud (SaaS) applications that are used by the employees within the organization.

The second goal is to help CSP Partners to quickly implement federated identity with Azure Active Directory, enabling the single sign-on solution for their customers.

This document provides guidance to support the setup and implementation of the Cloud App Discovery service, and enabling single sign-on with Microsoft Online Services.

Scope

The scope of this document is the implementation guidelines for Azure Active Directory Premium features and services, such as:

  • Configuring the Cloud App Discovery service
  • Configuring the Active Directory Federation Services (AD FS)

Terminology

Term                     Description
CSP                      Cloud Solution Provider
AD                       Active Directory
AAD                      Azure Active Directory
ADFS                     Active Directory Federation Services
Partner Center           Portal for CSP Partners to administer their CSP offerings: http://partnercenter.microsoft.com
End Customer             Organization that is managed by the CSP Partner
Azure Co-Administrator   Represents an administrator who can log in to the Azure Portal and deploy or create new resources against a subscription
SSO                      Single sign-on
IdP                      Identity provider

Before you start

This document assumes that the following conditions have been met:

  • The steps in the document "Getting Started with the Office 365 and EMS for Microsoft Cloud Solution Providers" have been completed
  • The end customer has an on-premises Active Directory with a single forest and single domain model
  • The end customer has a single Azure Active Directory (AAD) Connect server installed and configured
  • The administrator completing these steps has co-administrator access to the Azure tenant
  • Windows Azure Active Directory Module for Windows PowerShell is installed and available for use
  • The end customer already has the Active Directory Federation Services (AD FS) infrastructure installed and configured on-premises

For more information on the planning for AD FS, refer to the document Plan your AD FS deployment.

For more information on the requirements that must be met when deploying AD FS, refer to the document AD FS Requirements.

Configuring the Cloud App Discovery service

Cloud App Discovery is a premium feature of Azure Active Directory that is provided as part of EMS. It enables organizations to discover business and consumer cloud (SaaS) applications that are used by employees within the organization.

Once the applications are discovered, a strategy can be developed to take the identified applications into direct management. This enables the IT department to configure single sign-on for the SaaS applications and publish these in the user's MyApps access panel.

There are a number of elements of the Cloud App Discovery service that need to be agreed upon with the end customer.

The following table outlines these elements that, once they are agreed to by the end customer, will allow the CSP Partner to proceed with the configuration and deployment of the Cloud App Discovery agent.

CSP Partners can use this table to provide the end customer with best practices for their managed service, tailored to fit the organization's needs.

For more information, refer to the document Cloud App Discovery Security and Privacy Considerations.

Cloud App Discovery Service Setting / Description / End Customer Setting

Manage Agent

  User consent option
    Description: Administrators can use the Cloud App Discovery portal to choose whether to notify users of the data collection by the agent, and whether to require user consent before the agent starts collecting user data.
    End Customer Setting (one of the following user consent options):
      • No notification or consent required
      • Require notification
      • Require user consent

  Deep inspection
    Description: Deep inspection allows the agent to inspect SSL encrypted connections.
    End Customer Setting: On/Off

  Automatic updates
    Description: All installed agents will be updated automatically when there is a new version of the Microsoft Cloud App Discovery Endpoint Agent available.
    End Customer Setting: On/Off

  Data collection
    Description: By default, only business-categorized apps are selected. You can edit the cloud apps if you choose the Selected Apps option. The All Apps option will collect data from all web traffic and cannot be edited.
    End Customer Setting: Selected Apps/All Apps

  Store data
    Description: Cloud App Discovery data can be exported to Azure Blob storage for further analysis.
    End Customer Setting: On/Off. If On is selected, the following information is required:
      • Azure Storage Account Name
      • Azure Storage Account Key

Manage access
  Description: This specifies which users or groups have administrative access to the Cloud App Discovery service. By default, all Global Administrators of the end customer's Azure AD tenant have these permissions assigned.
  End Customer Setting: On/Off

Notifications
  Description: This specifies whether weekly email notifications will be sent, and to whom. By default, notifications will be sent to all Tenant Administrators and the account used to sign up for the Cloud App Discovery service.
  End Customer Setting: On/Off; Tenant Admins Yes/No; Sign-Up User Yes/No

  1. When the above information has been gathered, sign in to the Azure Portal as a co-administrator for the end customer tenant.
  2. Select Browse from the left-hand side.
  3. Scroll down and select Marketplace from the available list.
  4. Once the Marketplace loads, select the search pane and type in Azure AD Cloud App Discovery, and then click on the link when the search term autocompletes.
  5. Select Azure AD Cloud App Discovery from the search results.
  6. This will detail the service. Click on Create.
  7. When the Azure AD and licensing have been verified, select Create.
  8. On the Azure portal dashboard, a pinned link will be created for Azure AD Cloud App Discovery. Select this.
  9. This will load the Cloud App Discovery service pane.
  10. Select Settings.
  11. Select Manage Agent.
  12. Select User consent option.
  13. Enter the settings as agreed upon with the end customer and then select Update.
  14. Select the Download link. This will download a compressed file containing the Cloud App Discovery agent installer and the associated Azure AD tenant certificate.
  15. Select Data Collection from the settings list.
  16. Select the option for Data Collection as agreed upon with the end customer.

    NOTE: In this example, All Apps in use within the end customer's environment will be captured.

  17. Select Save.
  18. Select Store Data.

In this example, the exporting of the Cloud App Discovery data to Azure Blob storage for further analysis is not configured.

For more information on advanced data analysis of the exported Cloud App Discovery data, refer to the document Cloud App Discovery: Now with Excel and PowerBI Support.

  19. Configure the options for Manage Access and Notifications as agreed upon with the end customer.

Deployment of the Cloud App Discovery agent

Deployment of the Cloud App Discovery agent for the end customer can be achieved by utilizing one of the following options:

  • Manual installation
  • Active Directory Group Policies
  • System Center Configuration Manager

For installation via AD Group Policy, refer to the document Cloud App Discovery Group Policy Deployment Guide.

For installation via System Center Configuration Manager, refer to the document Cloud App Discovery System Center Deployment Guide.

If the end customer also has an environment with a proxy server that utilizes custom ports, i.e. ports other than port 80 or port 443, a registry change is also required to allow the Cloud App Discovery agent to communicate over this port.

For the custom proxy port customization required, refer to the document Cloud App Discovery Registry Settings for Proxy Services.

NOTE: Some proxy services (such as Websense) can interfere with traffic from the Cloud App Discovery endpoint. This interference may cause the Cloud App Discovery agent installation to fail (Error 0x80070643). Adding *.azure.com to the proxy whitelist solves the problem.

Cloud App Discovery reporting and management

Cloud App Discovery reporting allows the CSP Partner and the end customer to identify the business and consumer applications used within the organization's environment.

This reporting data makes it easier than ever to discover shadow IT in the end customer's organization, including details on the usage patterns and any users accessing the cloud applications.

  1. To access Cloud App Discovery reporting, sign in to the Azure Administration Portal as a co-administrator for the end customer tenant.
  2. On the Azure portal dashboard, select Azure AD Cloud App Discovery.
  3. The Cloud App Discovery pane will open and display the captured application count, users, and the Cloud App Discovery agents deployed.
  4. Select the Applications tile.
  5. The discovered applications are displayed with additional information, covering:
     • Application Name
     • Application Category
     • Status
     • Users
     • Web Requests
     • Data Volume
     • Files Uploaded
     • Files Downloaded
     • Last Access (UTC)
  6. As an example, we will use the application BambooHR.
  7. From the applications list, select BambooHR.
  8. This will display the information captured for the BambooHR application, the users accessing the application, the data usage, web requests, the file uploads and downloads, and when the application was last accessed.
  9. Select the Users tile.
  10. This displays further information about the application and its usage.
  11. Select the Download report link. This downloads a CSV file containing the report information displayed in the Azure Portal.

For more advanced reporting, Cloud App Discovery data can be exported to an Azure Blob Store set up in the end customer's Azure subscription. This allows for the use of Excel or Power BI to further analyze the captured information.

Refer to Cloud App Discovery: Now with Excel and PowerBI Support for further information.
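A CSP Partner managing several end customers will usually want to triage the downloaded CSV rather than read it in the portal. The following script is an added example, not part of the original guide: it ranks the unmanaged applications so the ones with the most users and the most files uploaded are brought under management first. The CSV header names are assumed to match the portal columns listed above (check them against a real download), the sample rows are constructed, and the scoring weights are illustrative.

```powershell
# Added example (not from the original guide): rank unmanaged apps from a
# Cloud App Discovery CSV download. Constructed sample data; header names are
# assumed to mirror the portal columns.
$sampleCsv = @'
Application Name,Application Category,Status,Users,Web Requests,Data Volume,Files Uploaded,Files Downloaded,Last Access (UTC)
BambooHR,Human Resources,Unmanaged,42,1830,15728640,12,7,2015-09-14T08:12:00Z
Office 365,Productivity,Managed,310,98211,2147483648,450,3000,2015-09-14T09:00:00Z
Dropbox,Consumer File Sharing,Unmanaged,58,4020,734003200,210,95,2015-09-13T17:45:00Z
Facebook,Social Networking,Unmanaged,120,22000,52428800,0,0,2015-09-14T08:59:00Z
'@

function Get-UnmanagedAppPriority {
    param(
        [Parameter(Mandatory = $true)][string]$CsvText,
        [int]$MinUsers = 1      # ignore one-off usage below this user count
    )
    $CsvText | ConvertFrom-Csv |
        Where-Object { $_.Status -eq 'Unmanaged' -and [int]$_.Users -ge $MinUsers } |
        ForEach-Object {
            [pscustomobject]@{
                Application = $_.'Application Name'
                Category    = $_.'Application Category'
                Users       = [int]$_.Users
                DataMB      = [math]::Round([double]$_.'Data Volume' / 1MB, 1)
                Uploads     = [int]$_.'Files Uploaded'
                Downloads   = [int]$_.'Files Downloaded'
                LastAccess  = $_.'Last Access (UTC)'
                # Illustrative weighting: data leaving the organization (uploads)
                # counts more than downloads; broad adoption (users) counts most.
                Score       = ([int]$_.Users * 10) + ([int]$_.'Files Uploaded' * 5) + [int]$_.'Files Downloaded'
            }
        } |
        Sort-Object Score -Descending
}

# Highest score first: the candidates to convert to managed applications.
Get-UnmanagedAppPriority -CsvText $sampleCsv | Format-Table -AutoSize
```

Point the function at `Get-Content -Raw` of the downloaded report to run it against real data.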

  1. BambooHR is currently an unmanaged application, as detailed in the Status column. To bring this into the IT department's management, it needs to be made into a managed application.
  2. Navigate to the Cloud App Discovery application list.
  3. Select BambooHR.
  4. Select the tile Recommendation Manage BambooHR with Azure AD.
  5. This will open the Azure Management Portal on the SaaS applications page. Add the SaaS application BambooHR from the gallery according to the steps documented in the "Getting Started with Azure Active Directory Premium for Microsoft Cloud Solution Providers" document.

Configuring single sign-on

When accessing cloud-based applications and services, federated identity, which is commonly referred to as single sign-on (SSO), means being able to access all of the applications and resources that end customer organizations need to do business, by signing in only once using a single user account. Once signed in, users can access all of the applications they need without being required to authenticate (e.g. type a password) a second time.

Single sign-on is achieved with the federation of the end customer's Active Directory Federation Services (AD FS) infrastructure with their Azure Active Directory tenant.

Implementing single sign-on

The following steps must be completed on the AD FS primary server.

In this example, SSO is being enabled on the AD FS server for the domain cspdemoems.com that has been previously added and verified to the Azure AD tenant.

  1. Open Windows Azure Active Directory Module for Windows PowerShell.
  2. Enter the following command:

    $UserCredential = Get-Credential

  3. When prompted, enter the credentials with Office 365 Global Administrator permissions to the end customer's subscription.
  4. Select OK.
  5. Enter the following command:

    Connect-MsolService -Credential $UserCredential

  6. PowerShell will now initiate a connection to the Office 365 subscription.
  7. Run the following command to convert the specified domain from managed authentication to federated authentication:

    Convert-MsolDomainToFederated -DomainName <Domain Name>
    Example:
    Convert-MsolDomainToFederated -DomainName cspdemoems.com

In this example, SSO federation with the Azure AD tenant is configured for the domain cspdemoems.com.

Run the following command to verify the end customer federation status:

    Get-MsolDomain

This will detail all of the domains in the end customer's Azure AD tenant and the authentication model associated with each domain. Refer to the document, Understanding Office 365 Identity and Azure Active Directory, for more information on the identity models.
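The steps above, combined into one script with the checks a practitioner would want before and after converting a domain (an added example, not part of the original guide; it assumes the MSOnline module is installed on the AD FS primary server, that the AD FS Windows service carries its default name adfssrv, and that the reader supplies the domain name):

```powershell
# Added example (not from the original guide): guarded conversion of a verified
# Azure AD domain from managed to federated authentication, run on the AD FS
# primary server with the MSOnline module installed.
param(
    [Parameter(Mandatory = $true)]
    [string]$DomainName          # e.g. cspdemoems.com, the guide's example domain
)

$cred = Get-Credential -Message "Office 365 Global Administrator for the end customer tenant"
Connect-MsolService -Credential $cred

# The domain must already exist in the tenant and be verified before it can be federated.
$domain = Get-MsolDomain -DomainName $DomainName -ErrorAction Stop
if ($domain.Status -ne 'Verified') {
    throw "Domain $DomainName is not verified (status: $($domain.Status)); verify it first."
}
if ($domain.Authentication -eq 'Federated') {
    Write-Host "Domain $DomainName is already federated; nothing to do."
    return
}

# Convert-MsolDomainToFederated takes the federation settings (endpoints and
# token-signing certificate) from the local AD FS farm, so the service must be up.
$adfs = Get-Service -Name adfssrv -ErrorAction Stop
if ($adfs.Status -ne 'Running') {
    throw "AD FS service (adfssrv) is not running; start it before converting."
}

# The conversion step from the guide.
Convert-MsolDomainToFederated -DomainName $DomainName

# Verify the result: the domain must now report Federated, and Azure AD should hold
# the AD FS endpoints it will redirect @$DomainName sign-ins to.
$after = Get-MsolDomain -DomainName $DomainName
if ($after.Authentication -ne 'Federated') {
    throw "Conversion did not take effect; authentication is still $($after.Authentication)."
}
Get-MsolDomainFederationSettings -DomainName $DomainName |
    Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri

# As in the guide, list every domain with its authentication model.
Get-MsolDomain | Select-Object Name, Status, Authentication
```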

Authentication Model   Description
Managed                Managed authentication covers both the "cloud-only identities" and "synchronized identities" models. Cloud-only identities are user accounts set up in Azure AD only, while synchronized identities are the on-premises directory objects synchronized into Azure AD.
Federated              Federated identity is similar to synchronized identity. The on-premises directory objects (or a subset) are synchronized to Azure AD, but authentication is now verified by the on-premises identity provider (IdP). Optional password synchronization may be configured so that synchronized identity can be used as a backup in case AD FS fails.

In the example, the domain cspdemoems.com has now had SSO enabled as shown by its federated authentication status.

All users logging into Microsoft online services with a @cspdemoems.com username will now be required to authenticate against the on-premises AD FS infrastructure.

Testing single sign-on

Once the federated identity model has been established, the solution needs to be tested to verify that all SSO authentication scenarios are working as expected.

To test the SSO functionality in the various usage scenarios, follow the instructions outlined in the Verify and manage single sign-on with AD FS documentation.

Reference links