The Office 365 directory option allows Access Manager to connect to a Windows Azure Active Directory or Office 365 database.
The configuration process consists of two parts: configuring the Azure AD domain to accept connections from Nervepoint Access Manager, and configuring Access Manager to connect to your Azure AD. Both steps are detailed below.
Create an Azure Application
Access Manager's Office365 connector communicates with your Azure AD through an application configured against the Azure AD domain. The first stage of the configuration process is to create an application.
1. Go to the Windows Azure login portal at https://manage.windowsazure.com/azure.com and log in with your Windows Azure account.
2. Once you have successfully logged in, select the directory you wish to allow Access Manager to have access to, e.g. Default Directory.
3. Select the Applications tab and then create a new application by clicking the Add button at the bottom of the page.
4. You will be prompted to choose a type of application. Select Add an application my organization is developing.
5. The next page asks what type of application is being configured. Select Web Application and give the application a name for reference.
6. Provide a Sign-On URL and App ID URI. These can be set to any identifying address and changed later if required, although you might want to use the URL of your Access Manager system. This is the last step in application creation.
Configure Access Keys
Now that the application has been created you will be taken to a screen as shown below. From here we need to create a client key, which will be used to get the access token required for the application to work.
1. Select Enable your app to read or write directory data and then select Configure Key. You will be taken to the application configuration screen.
2. Go to the Keys section, select a duration for the key and then click Save at the bottom of the page. After some processing the field will display a key which will be used by the application for authentication. Save the key securely, as it will not be displayed again after you leave this page.
Get the Client ID
In the configuration, go to the Properties section and locate the option Client ID. Copy this entry, as it is required for the Connector configuration in Access Manager.
Set Reply URLs for OAuth 2.0 authentication
Go to the Single Sign-On section and add the following entries to the Reply URL section
The NAMURL entry should use the actual address of your Access Manager server. Save these additions to allow Access Manager permission to use the account authentication pages.
Setting permissions to other applications
Go to the Permissions to other applications section. There should be an entry in place for Windows Azure Active Directory. In the Application Permissions list assign:
Read and write directory data
And in the Delegated Permissions list assign:
Access the directory as the signed-in user
Read and Write directory data
Read and Write all groups
Read all users' full profiles
Sign in and read user profile
These will account for all functions that Access Manager can be set to perform with the directory accounts.
Assign the administrator user to the application
To confirm that an administrator user is assigned to the application, select the Users page and ensure that an administrator is listed as Assigned.
Delegating User Control Permissions
The full user control permissions cannot be delegated from within the Azure web UI. To assign these permissions you must use some PowerShell cmdlets. The following article provides an explanation and instructions to complete this configuration step.
Obtain the Directory Object ID
The final step in the Azure configuration is to obtain the Object ID of the application. This can be found through the Azure Graph Explorer using the URL https://graphexplorer.cloudapp.net/. Log in with a user from the organization's Azure domain.
NOTE: This process is best performed from a second web browser that does not have a session logged in to the Azure database.
Log in with a user that has access to your company domain. Below I have used firstname.lastname@example.org
This opens up the Azure graph explorer.
1. Add the path /servicePrincipals to the end of the Resource. This will list all applications that have been created in the directory.
2. Use the web browser Find function to search for the name you set for the application. This will locate the application at the Display Name value. From here you should be able to see the ObjectId value. Copy this, as Access Manager will require it:
"objectType": "ServicePrincipal", "objectId": "xxxxxxxxxx65c0", "accountEnabled": true,
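The browser Find approach picks the first entry with a matching name, which can be the wrong one if two applications share a display name. The following added example (not part of Nervepoint's documentation or tooling) does the same lookup over a saved /servicePrincipals response and also checks that the entry's application ID equals the Client ID copied earlier. It assumes the response wraps its entries in a "value" array and that each entry carries "displayName" and "appId" fields alongside the fields shown above; the sample data and the function name are constructed for illustration.

```python
import json

# Constructed sample of a saved /servicePrincipals response.
# Every identifier below is a made-up placeholder. The "value",
# "displayName" and "appId" field names are assumptions about the layout.
SAMPLE = json.dumps({"value": [
    {"objectType": "ServicePrincipal", "accountEnabled": True,
     "objectId": "11111111-aaaa-4aaa-8aaa-000000000001",
     "appId": "22222222-bbbb-4bbb-8bbb-000000000001",
     "displayName": "Access Manager"},
    {"objectType": "ServicePrincipal", "accountEnabled": True,
     "objectId": "11111111-aaaa-4aaa-8aaa-000000000002",
     "appId": "22222222-bbbb-4bbb-8bbb-000000000002",
     "displayName": "Access Manager"},  # same name, different application
    {"objectType": "ServicePrincipal", "accountEnabled": False,
     "objectId": "11111111-aaaa-4aaa-8aaa-000000000003",
     "appId": "22222222-bbbb-4bbb-8bbb-000000000003",
     "displayName": "Old Connector"},
]})


def find_object_id(response_text, display_name, client_id):
    """Return the objectId of the single enabled service principal that
    matches both the display name and the Client ID, else raise ValueError."""
    entries = json.loads(response_text).get("value", [])
    matches = [
        e for e in entries
        if e.get("objectType") == "ServicePrincipal"
        and (e.get("displayName") or "").casefold() == display_name.casefold()
        and (e.get("appId") or "").casefold() == client_id.casefold()
    ]
    if not matches:
        raise ValueError("no service principal matches both name and Client ID")
    if len(matches) > 1:
        raise ValueError("more than one service principal matches; check manually")
    if not matches[0].get("accountEnabled", False):
        raise ValueError("matching service principal is disabled")
    return matches[0]["objectId"]


if __name__ == "__main__":
    # Name alone is ambiguous in the sample; the Client ID selects one entry.
    print(find_object_id(SAMPLE, "Access Manager",
                         "22222222-bbbb-4bbb-8bbb-000000000002"))
```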
This completes the Azure configuration process.
Configure the Office365 Connector in Access Manager
Using the information that has been created and gathered during the Azure phase it is now possible to configure an Office 365 connector in Access Manager.
Log in to Access Manager as an admin user and go to the Directories page. From here select the Add New Connector option.
In the Directory Discovery page select the Configure Manually option and then select the Office365 option. Select Next to move to the configuration page.
On the Directory Configuration page enter the required details as extracted from Azure during application configuration.
- Tenant Domain: The Azure AD domain, e.g. Nervepoint.onmicrosoft.com
- Client ID: The Client ID value identified in the Azure application configuration settings
- Key: The secure key created for the application
- Object ID: The Object ID value identified from the Azure Graph Explorer
Once all details have been provided select Next. A check will be performed so that Access Manager can verify the connection. If successful, you will be able to complete the directory configuration.
When the directory is completed successfully Access Manager and the Azure AD will be connected. You will now be able to view, access, and link the Office 365 accounts.