Limitations:
- SAFEQ Cloud Azure AD authentication does not support multi-factor authentication “MFA”.
Note: If MFA is used, SAFEQ Cloud can access Azure AD by disabling MFA on the one user set up in Authentication, and whitelist the public IP-address of the gateway in Azure.
To configure Azure AD authentication:
- Under “Azure Active Directory” click on ‘App registrations’ option
- Click on “New registration” button
- Provide “Name” for it
- Select one of the supported account types
- Fill in “Redirect URI” field
- Click on “Register” button
- Click on “API permissions” option
- Click on “Microsoft Graph (1)” and delete the permission “User.Read”
- Click on “Add a permission” button
- Select “Microsoft Graph” from Commonly used Microsoft APIs
- Click on “Delegated permissions”
- Search for the permissions required, and then click “Add Permissions”
Minimum Permissions Required are:
- Directory.Read.All – Allows the app to read data in your organization’s directory, such as users, groups, and apps
- Group.Read.All – Allows the app to list groups, and to read their properties and all group memberships on behalf of the signed-in user
- User.ReadBasic.All – Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user
- Grant the admin permissions by clicking the “Grant admin consent for…” button, and then click “Yes” to approve.
- Your App Registration should now show the following.
- At “APP Registration” under “Authentication”, change “Allow public client flows” to “Yes”
- Go to SAFEQ Cloud UI and add a new Azure auth provider in the SAFEQ Cloud authentication settings, and enter the following details:
| Domains | Add the Azure AD domain names as configured in the Azure portal |
| Application ID | the application ID which was registered on step 1 |
| User name | name of the user who has permissions to lookup the directory (Not a user with the Directory Role ´Global Administrator´) |
| Password | password for that user |
| Cache expiration in seconds | Time to keep authentication information in the internal cache to reduce the calls from SAFEQ Cloud to Azure AD. Recommended to have at least 2 minutes |
Name
An internal name used for identifying the particular authentication provider configuration
Domains
The domain names of the authenticating users. Domain aliases that the users can use to login can be added here, together with the Azure AD domain names as configured in the Azure portal.
At least one domain in the list should match the domain part of the fully qualified user name passed for authentication. If not strict domain, SAFEQ Cloud will attempt to authenticate the user with all domains in the list regardless of the domain entered in the credentials, in the order defined in the list. If strict domain, SAFEQ Cloud will attempt to authenticate only with the domain in the credentials.
Priority
A number that determines the order in which authentication providers will be called until one succeeds. Higher-priority providers will be called first.
Active
Toggle if the authentication provider should be used for authentication or not. If unchecked, this authentication provider will not be searched.
Application ID
The ID of the application configured in the Azure directory which is used to access Azure resources.
Username
Username used to connect and search in the Azure.
Password
Password used to connect and search in the Azure.
Custom attributes
Expand custom attributes to change the Azure attributes in which username, card ID’s, ShortID’s and similar are stored.
Service
Which Authentication Service will communicate to this Azure server. In case no service is already created, it can be added using the Add button.
Post your comment on this topic.