Microsoft Azure Portal Single Sign-On (SSO) integration

This topic contains procedures to configure Microsoft Azure Portal for Single Sign-On (SSO) in CyberArk Identity using WS-Fed.

With CyberArk Identity, you can choose single-sign-on (SSO) access to the Microsoft Azure Portal web application with IdP-initiated WS-Fed SSO (for SSO access through the Identity User Portal) or SP-initiated WS-Fed SSO (for SSO access through the Microsoft Azure Portal web application), or both. Providing both methods gives you and your users maximum flexibility.

Supported features

This application template supports the following features:

  • SP-initiated SSO

  • IdP-initiated SSO

  • Microsoft WS-Fed user provisioning

  • Role-to-Microsoft 365 License Mapping

Configure the Microsoft Azure Portal application template in the Identity Administration portal

The following procedure describes the steps in the Identity Administration portal needed to configure the Microsoft Azure Portal application template for SSO.

Step 1: Add the Microsoft Azure Portal web application template

  1. In the Identity Administration portal, select Apps & Widgets > Web Apps, then click Add Web Apps.

  2. On the Search page, enter Azure in the Search field and click the search button.

  3. Next to the WS-FED+Provisioning version of Microsoft Azure Portal, click Add.

  4. On the Add Web App page, click Yes to confirm.

  5. Click Close to exit the Application Catalog.

    The application opens to the Application Settings page.

Step 2: Configure the Settings page

Support for basic authentication ends on October 1, 2023. CyberArk strongly recommends that you migrate to the more modern and secure token-based authentication.

The domain of the administrator account used for basic authentication is not shown in the Azure AD domains list on the Application Settings page, so it cannot be federated from there. Use an administrator account in a domain other than the one you are federating for SSO with the Microsoft Azure Portal (the default <MyCompany>.onmicrosoft.com domain is the usual choice), so that the account used for this connection does not depend on the federation you are configuring.

Token-based authentication

  1. Select Token Based Authentication. The Azure Active Directory Service window asks for three values that come from an app registration in the Microsoft Azure Portal (see Configure app registration in the Microsoft Azure Portal below if you have not created one yet):

    • Application (client) ID
    • Directory (tenant) ID
    • Client Secret

  2. Paste the Application (client) ID and Directory (tenant) ID from the Overview page of the registered app, and the client secret value you saved when you created the secret.

  3. Click Verify.

Configure app registration in the Microsoft Azure Portal

To create the app registration that CyberArk Identity authenticates with, and to obtain its Application (client) ID, Directory (tenant) ID and client secret, perform these steps:
  1. Go to https://portal.azure.com/#home and sign in to the Microsoft Azure Portal using administrator credentials.

  2. If your account can access more than one tenant, select your account in the upper right corner. Set your portal session to the Azure AD tenant that you want. From the left navigation menu, select Azure Active Directory.

  3. In Azure Active Directory, select App registrations from the left navigation menu.

  4. On the App registrations page, select New registration. On the Register an application page, in the Name field, enter a meaningful application name to display to users.

  5. Under Who can use this application or access this API?, select the account type that fits your environment (for an integration used only by your own tenant, Accounts in this organizational directory only is sufficient), then click Register.

  6. Click API permissions. On the Configured permissions page, select Add a permission.

  7. On the Request API permissions page, select Microsoft Graph, then select Application permissions. Use the Search field to find and select the following permissions:

    • Application.ReadWrite.All

    • Directory.ReadWrite.All

    • Domain.ReadWrite.All

    • Group.Read.All

    • Group.ReadWrite.All

    • User.Read.All

    • User.ReadWrite.All

  8. Click Add permissions. The permissions you selected appear in the Configured permissions list.

  9. Click Grant admin consent for <your tenant name> (the button shows the display name of your tenant), then click Yes.

    These are tenant-wide application permissions: whoever holds this app's client secret can read and write users, groups, domains and app registrations across the directory. Treat the secret as a highly privileged credential and store it only in the Identity Administration portal.

  10. Click Certificates & secrets from the left navigation menu, then click +New client secret. Enter a description for the client secret and the duration for which it will be valid, then click Add. Choose the shortest lifetime your rotation process supports; when the secret expires, you must create a new one here and update it on the Application Settings page.

  11. Copy the string in the Value column by clicking the Copy icon. You won't be able to retrieve this value after you perform another operation or leave this page.

  12. Click Overview in the left navigation menu, then copy the Application (client) ID and Directory (tenant) ID.

  13. In the Identity Administration portal, return to the Application Settings page and paste the Client ID, Directory ID, and Client Secret into their respective fields. Click Verify.

  14. Click Close and Save.
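The same registration, scripted. This is an added example using the Microsoft Graph PowerShell SDK; it is not CyberArk's or Microsoft's code. It assumes the Microsoft.Graph module is installed, that you sign in as an administrator of the target tenant, and that the display name and secret lifetime are placeholders you replace. It requests exactly the seven permissions listed in step 7 and performs the admin consent of step 9 programmatically.

```powershell
# Added example (not CyberArk's or Microsoft's code): steps 4 to 12 of the app
# registration procedure, done with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph is installed; you sign in as a tenant administrator;
# $DisplayName and $SecretLifetimeMonths are placeholders.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"

$DisplayName          = "CyberArk Identity - Azure Portal"   # assumed name
$SecretLifetimeMonths = 6                                     # assumed rotation period

# The application permissions listed in step 7 of this topic.
$Wanted = @(
    "Application.ReadWrite.All", "Directory.ReadWrite.All", "Domain.ReadWrite.All",
    "Group.Read.All", "Group.ReadWrite.All", "User.Read.All", "User.ReadWrite.All"
)

# Microsoft Graph's well-known application ID; its service principal defines the app roles.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roles = $graphSp.AppRoles | Where-Object {
    $_.AllowedMemberTypes -contains "Application" -and $Wanted -contains $_.Value
}
if ($roles.Count -ne $Wanted.Count) { throw "Could not resolve every requested Graph app role" }

# Steps 4 to 7: register a single-tenant app that requests those application permissions.
$requiredAccess = @{
    ResourceAppId  = $graphSp.AppId
    ResourceAccess = @($roles | ForEach-Object { @{ Id = $_.Id; Type = "Role" } })
}
$app = New-MgApplication -DisplayName $DisplayName -SignInAudience "AzureADMyOrg" `
    -RequiredResourceAccess @($requiredAccess)

# Step 9: "Grant admin consent" is an app role assignment from the app's own
# service principal to each Graph app role it requested.
$sp = New-MgServicePrincipal -AppId $app.AppId
foreach ($role in $roles) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
        -PrincipalId $sp.Id -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
}

# Steps 10 and 11: create the client secret. SecretText is returned only once.
$cred = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = "CyberArk Identity"
    EndDateTime = (Get-Date).AddMonths($SecretLifetimeMonths)
}

# Step 12: the three values the Application Settings page asks for.
[pscustomobject]@{
    "Application (client) ID" = $app.AppId
    "Directory (tenant) ID"   = (Get-MgContext).TenantId
    "Client Secret"           = $cred.SecretText
}
```

If the role assignments fail with a "not found" error immediately after the application is created, wait a few seconds for directory replication and re-run the foreach loop; the assignments are idempotent in effect, since an existing assignment is simply reported as a conflict. Note that Group.Read.All and User.Read.All are already covered by their ReadWrite.All counterparts; the script keeps them only to match the list in step 7.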

Basic authentication

  1. Select Basic Authentication, then enter the username and password of your Azure AD administrator account in the default domain <MyCompany>.onmicrosoft.com and click Verify.

  2. CyberArk Identity verifies the credentials and connects to your account.

    Once the verification succeeds, the Application Settings page displays the Azure AD domains section.

Step 3: Federate your Azure Active Directory domain

If you federated a subdomain (for example, sub.domain.com) and configured O365 federation with CyberArk Identity before version 23.10, unfederate that subdomain and then federate it again with CyberArk Identity. Versions before 23.10 processed only the root domain for authentication, so the subdomain's federation settings need to be rewritten.

A PowerShell script (O365FederationScript.ps1) is available to view, federate, or unfederate your domain if you are using token-based authentication.

See https://docs.microsoft.com/en-us/microsoft-365/enterprise/connect-to-microsoft-365-powershell?view=o365-worldwide to make sure that your PowerShell environment is properly configured to connect to Azure AD (Microsoft 365) before you run the script.

Token-based authentication

  1. Select the domain that you want to federate, then click Actions > Download Powershell Script.

  2. Run the downloaded PowerShell script O365FederationScript.ps1, entering R (Run once) at the PowerShell security warning to confirm that you want to run the downloaded script.

  3. Enter your Azure AD administrator credentials.

    The script presents options to view, federate, or unfederate the domain.

  4. Enter F to federate the domain you selected in the Identity Administration portal.

  5. Run the script again, this time entering V to view the federation settings, confirming success.

Basic authentication

  1. Select the domain that you want to federate or take ownership of, then click Actions.

    If the domain is in Managed state, you federate it. If the domain is already federated, you take ownership of it and federate it with Azure AD. If you change the security certificate used with Azure AD, you will need to refederate the domain. Refer to Choose a certificate file for more information about changing the certificate file.

    Taking ownership of a domain is useful in cases where you’ve already federated your account using another system or another instance of the Azure AD + Provisioning application.

    If you have multiple Azure AD domains, you create a separate application in the Identity Administration portal for each domain.

    In the pop-up menu that displays:

    • If you selected a managed domain, click Federate Domain.

    • If you selected a federated domain, click Take Ownership.

    • If you changed the security certificate on the Application Settings page, click Refederate Domain.

      The domain must be owned by Azure AD to refederate the domain.

      A message displays that prompts you for confirmation.

  2. Click Yes to continue.

    • If you selected to federate a managed domain, CyberArk Identity changes the selected domain in Azure AD to federated status.
    • If you selected to take ownership of a federated domain, CyberArk Identity changes the selected domain in Azure AD to use your current CyberArk Identity tenant as the identity provider.

    Future logins will be handled by CyberArk Identity.
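Whichever path you took (the O365FederationScript.ps1 F option, or Federate Domain / Take Ownership / Refederate Domain in the portal), the result is a federation configuration stored in Azure AD. The following check reads that configuration back with the Microsoft Graph PowerShell SDK and flags the things that break sign-in: a domain still in Managed state, sign-in endpoints that point at another identity provider, a protocol other than WS-Fed, or a signing certificate that does not match the one configured on the Application Settings page (the case that Refederate Domain exists for). This is an added example, not CyberArk's script and not its V (view) option; the Microsoft.Graph module, the Domain.Read.All scope, and the domain name, tenant host and thumbprint placeholders are assumptions.

```powershell
# Added example (not CyberArk's O365FederationScript.ps1): independent check of the
# federation settings that Step 3 wrote to Azure AD, via the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph is installed; you can sign in with Domain.Read.All; the
# three values passed at the bottom are placeholders for your own domain, CyberArk
# Identity tenant host and signing-certificate thumbprint.
Connect-MgGraph -Scopes "Domain.Read.All"

function Test-FederatedDomain {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][string]$ExpectedIdpHost,
        [string]$ExpectedThumbprint    # thumbprint of the certificate chosen on Application Settings
    )
    $problems = @()

    # The domain must be in Federated (not Managed) state.
    $domain = Get-MgDomain -DomainId $DomainName
    if ($domain.AuthenticationType -ne "Federated") {
        $problems += "authentication type is '$($domain.AuthenticationType)', not 'Federated'"
    }

    $fed = Get-MgDomainFederationConfiguration -DomainId $DomainName
    if (-not $fed) {
        return [pscustomobject]@{ Domain = $DomainName; Problems = $problems + "no federation configuration" }
    }

    # Sign-in endpoints must point at your CyberArk Identity tenant and nobody else's
    # (the "Take Ownership" case: another system may have federated the domain first).
    foreach ($uri in (@($fed.PassiveSignInUri, $fed.ActiveSignInUri) | Where-Object { $_ })) {
        $h = ([uri]$uri).Host
        if ($h -ne $ExpectedIdpHost) { $problems += "$uri is not on $ExpectedIdpHost" }
    }

    # This topic configures WS-Fed; a SAML setting means a different integration wrote it.
    if ($fed.PreferredAuthenticationProtocol -ne "wsFed") {
        $problems += "preferred protocol is '$($fed.PreferredAuthenticationProtocol)', not 'wsFed'"
    }

    # The token-signing certificate Azure AD trusts. If it is not the certificate CyberArk
    # Identity signs with, every sign-in fails until you Refederate Domain.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($fed.SigningCertificate))
    if ($ExpectedThumbprint -and $cert.Thumbprint -ne $ExpectedThumbprint.ToUpperInvariant()) {
        $problems += "signing certificate $($cert.Thumbprint) is not the expected $ExpectedThumbprint"
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $problems += "signing certificate expires on $($cert.NotAfter)"
    }

    [pscustomobject]@{
        Domain      = $DomainName
        Issuer      = $fed.IssuerUri
        PassiveUri  = $fed.PassiveSignInUri
        Protocol    = $fed.PreferredAuthenticationProtocol
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        MfaBehavior = $fed.FederatedIdpMfaBehavior
        Problems    = $problems
    }
}

# Placeholders: replace with your federated domain, your CyberArk Identity tenant host and
# the thumbprint of the certificate selected on the Application Settings page.
$result = Test-FederatedDomain -DomainName "sub.domain.com" `
    -ExpectedIdpHost "tenant.example.com" `
    -ExpectedThumbprint "0123456789ABCDEF0123456789ABCDEF01234567"
$result | Format-List
if ($result.Problems) { Write-Warning "Resolve the items in Problems before testing sign-in" }
```

Run it once right after federating, and again whenever you change the certificate on the Application Settings page: the thumbprint comparison is the quickest way to confirm that Refederate Domain actually pushed the new certificate. The MfaBehavior field is reported for information only; it controls whether Azure AD accepts the identity provider's multi-factor claim and is outside the scope of this topic.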

Step 4: Configure the Permissions page to grant Microsoft Azure Portal users SSO access

Grant SSO access to Microsoft Azure Portal by assigning permissions to users, groups, or roles.

  1. On the Permissions page, click Add.

  2. Select the user(s), group(s), or role(s) that you want to grant permissions to, then click Add.

    The added object appears on the Permissions page with View, Run, and Automatically Deploy permissions selected by default.

  3. Select the permissions you want and click Save.

    Default permissions automatically deploy the application to the User Portal if the Show in user app list option is selected on the Settings page. Do not select this option if you intend to use only SP-initiated SSO.

    Change the permissions if you want to add additional control or if you prefer not to automatically deploy the application.

Step 5: Configure the Provisioning page

  1. Select Enable provisioning for this application.

  2. Under Objects to provision, select Enable Hybrid Exchange Support if required.

  3. Under Sync Options, specify how to handle duplicate accounts.

    Duplicate accounts are identified when a user account in CyberArk Identity and a user account in the target application have the same email address or Active Directory userPrincipalName.

    • Sync (overwrite): Update account information in the target application (this includes removing data if the target account has a value for a user attribute that is not available from CyberArk Identity).

    • Do not sync (no overwrite): Keep the target user account as it is; CyberArk Identity skips duplicate user accounts in the target application and does not update them.

    • Do not de-provision (deactivate or delete): The user's account in the target application is not de-provisioned when a role membership change that would otherwise trigger a de-provisioning event occurs.

  4. Select Deprovision users in this application when they are disabled in source directory to enable that feature.

    If checked, a user is deprovisioned when they are marked as disabled in the source directory. Deprovisioning behavior and the available deprovisioning options depend on what the target application supports.

  5. Under Role Mappings, map the CyberArk Identity roles to be provisioned (and, if you use the Role-to-Microsoft 365 License Mapping feature, to the licenses they should receive), and choose the provisioning events based on your requirements.

    Microsoft 365 license assignment can take some time to appear in the Azure AD portal. SP-initiated and IdP-initiated authentication work once provisioning has succeeded and the user holds the required licenses. Because the Microsoft Azure Portal itself does not require a Microsoft 365 license, you can map a role and leave the license unassigned.

Step 6: Review and save

Review your settings to confirm your configuration. For example, you might want to verify that you selected the appropriate users, groups, or roles on the Permissions page. Click Save when you are satisfied.