This topic contains procedures to configure Microsoft Azure Portal for Single Sign-On (SSO) in CyberArk Identity using WS-Fed..
With CyberArk Identity, you can choose single-sign-on (SSO) access to the Microsoft Azure Portal web application with IdP-initiated WS-Fed SSO (for SSO access through the CyberArk Identity User Portal) or SP-initiated WS-Fed SSO (for SSO access through the Microsoft Azure Portal web application), or both. Providing both methods gives you and your users maximum flexibility.
Microsoft Azure Portal SSO supported features
This application template supports the following features:
Microsoft WS-Fed user provisioning
Role-to-Microsoft 365 License Mapping
Prerequisites for Microsoft Azure Portal SSO
Before you configure the Microsoft Azure Portal application for SSO, you need the following:
Create a Microsoft 365 account.
Create and verify a domain in Microsoft 365.
Prepare Microsoft 365 for single sign-on
This section applies to you if you are creating a new Microsoft 365 account, or if your Microsoft 365 accounts aren’t already federated using ADFS or another identity provider
Before you configure Microsoft 365 for SSO, you need to add your custom domain, get the domain verified, and add your Microsoft 365 user accounts. Use the Microsoft 365 administrative portal to perform these tasks.
Step 1: Create and verify a custom domain for use with Microsoft 365.
In order to use SSO with Microsoft 365, you need a unique Microsoft 365 domain. This domain must be an externally accessible domain that resolves to an IP address that belongs to your organization. The IP address must be routable to the server where the you’ve installed the connectors (and the Microsoft Directory Synchronization tool, if you’re still using it). Your Microsoft 365 domain must also be different than the one provided by Microsoft with the
Expect that the process of creating and verifying a domain may take anywhere from a day to a week or so to complete, depending on the time it takes to register a domain with a domain provider, editing the DNS entries to verify ownership, and having Microsoft verify the domain ownership. See the following Microsoft documentation for instructions.
Add and verify your domain:
Get DNS text records from Microsoft 365 for domain verification:
Set a default domain:
Set up directory synchronization:
Configure the Microsoft Azure Portal application template in the CyberArk Identity Admin Portal
The following procedure describes the steps in the CyberArk Identity Admin Portal needed to configure the Microsoft Azure Portal application template for SSO.
Step 1: Add the Microsoft Azure Portal web application template.
In the Admin Portal, select Apps & Widgets > Web Apps, then click Add Web Apps.
On the Search tab, enter the application name in the Search field and click the search icon.
Next to the application name, click Add.
On the Add Web App page, click Yes to confirm.
Click Close to exit the Application Catalog.
The application opens to the Settings page.
Step 2: Configure the Settings page.
Enter Microsoft 365 Admin credentials for Basic Authentication or select Token Based Authentication.
Though CyberArk continues to support basic authentication with Microsoft Azure Portal, for various security reasons listed in the Microsoft article https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online,CyberArk strongly recommends that you migrate to the more modern and secure token-based authentication.
The domain that the administrator uses for basic authentication in the Application Settings does not appear in the Microsoft 365 domains list. For basic authentication, use a domain that is different from the one being enabled for SSO with Microsoft Azure Portal.
You can view all available domains under the Microsoft 365 account.
Select the Allow authentication by certificate check box.
Select the domain for which you want to enable SSO, right-click, and select Federate.
The administrative user domain that you are currently signed into does not appear in the list of federated domains. After federation, you cannot sign in with your username and password. If you want to federate a domain, do not sign in to the User Portal with the same administrative domain.
Step 3: Configure the Permissions page to grant Microsoft Azure Portal users SSO access.
Grant SSO access to Microsoft Azure Portal by assigning permissions to users, groups, or roles.
On the Permissions page, click Add.
The Select User, Group, or Role window appears.
Select the user(s), group(s), or role(s) that you want to give permissions to, then click Add.
The added object appears on the Permissions page with View, Run, and Automatically Deploy permissions selected by default.
Select the permissions you want and click Save.
Default permissions automatically deploy the application to the User Portal if the Show in user app list option is selected on the Settings page. Change the permissions if you want to add additional control or you prefer not to automatically deploy the application.
Step 4: Configure the Provisioning page.
Select Enable provisioning for this application..
Under Objects to provision, select Enable Hybrid Exchange Support if required.
UnderSync Options, specify how to handle duplicate accounts.
Duplicate accounts are identified when a user account in CyberArk Identity and in the target application have the same email address or Active Directory userPrincipalName.
Sync (overwrite): Update account information in the target application (this includes removing data if the target account has a value for a user attribute that is not available from the CyberArk Identity).
Do not sync (no overwrite): Keeps the target user account as it is; CyberArk Identity skips and does not update duplicate user accounts in the target application.
Do not de-provision (deactivate or delete): The user's account in the target application is not de-provisioned when a role membership change that would trigger a de-provisioning event occurs.
- Select Deprovision users in this application when they are disabled in source directory to enable the feature.
If checked, a user will be deprovisioned when they are marked as disabled in the source directory. Deprovisioning behavior and available deprovisioning options depend on what the target application supports.
Provide necessary role mappings as shown in the image below.
Microsoft License provisioning might take some time to reflect at the Microsoft 365 portal. SP and IDP authentication will work once the provision is successful and the user has proper licenses.
You can select Role and ignore license as you can access Microsoft Azure without Microsoft 365 license.
Step 5: Review and save.
Review your settings to confirm your configuration. For example, you might want to verify that you selected the appropriate users, groups, or roles on the Permissions page. Click Save when you are satisfied.