Azure Active Directory


Sign-In With Microsoft with Policy

You can add one (or more) Azure Active Directory systems as Upstream Identity Providers. Doing this will allow your team to sign in with their Active Directory username/password. If you work with more than one corporation, you may add multiple Upstream Identity Providers.


Note: you can consider using the shared ‘Sign in with Microsoft’ Identity Provider, which needs zero configuration. See considerations and the fully worked-out example.

Agilicus Front-End Create Upstream Issuer

The setup is very simple and takes less than 2 minutes to accomplish. There is a ‘stepper’ that walks you through the tasks.

First, open the admin user interface (https://admin.__MYDOMAIN__). Log in as your (initial) administrative user. Navigate to ‘Organisation’/‘Authentication Issuer’. From here you may select ‘Add Provider’ to add a new identity provider.


At this stage, you will enter a Stepper which will walk you through the steps graphically. First select Azure Active Directory as the type:


Azure Application Registration

The Stepper will show screenshots of how to configure Azure; they are also shown here. First, select ‘Azure Active Directory’ in your Azure console:


Now create a new Application. This will be for all logins to the Agilicus platform.


Select a name. This will be shown to the user on the Login select page, so we recommend making it related to your organisation, e.g. “My Company Active Directory”. In the Application stepper you are given a “Redirect URI”; paste it here.


You will now be given 3 pieces of information: a ‘Display Name’, an ‘Application (Client) ID’, and a ‘Directory (Tenant) ID’. Enter these in the appropriate spots in the Stepper.

Here you can see where this information is placed in the Agilicus Admin Stepper. From the Azure screen we have:


On the Agilicus Stepper we have:


Now we create a ‘Client Secret’. This is a shared secret between the two systems. Create this in the Azure Portal:


As a description we recommend using the same name as for the Application. If you select an Expiry (e.g. something other than Never) you must remember to update the Admin user interface at a later date.


In the Admin stepper paste the secret you received. You are now done!

NOTE: Secret Expiry

If your secret has an expiry, you must update it prior to this time. You may create a new secret in Azure and then update the existing config in the Agilicus admin interface.


NOTE: Multiple Azure tenants with same email address

If your Active Directory login name is the same as the email address you provided through your Apple ID / Google ID / LinkedIn ID, you may have an issue. Please contact Agilicus (info @ agilicus.com) and we can join these accounts for you. E.g. if your Apple ID email is foo@mycompany, and your Active Directory login is foo@mycompany, let us know and we can join these two together.

Azure Claims

This section is optional. If you wish to synchronise groups, or use UPN as well as email, you should configure a set of additional claims. Agilicus recommends:

  • email — this gives access to the user ‘email’ which may differ from the UPN
  • onprem_sid — this is used if you will do passthrough authentication (e.g. using SAML with Citrix), or fine-grained access control on a Share
  • upn — this gives access to the user principal name
  • sid — this can be used to allow per session sign-out
  • preferred_username — this controls how the user might interact with the system as a name

(Optional) Azure Groups

You may wish to directly import your Azure groups into Agilicus for role-based access control. To do so, enable the groups claim in Azure.


On your Azure Upstream Identity Issuer, enable the group mapping as below. You may need to use the GUID and map to names.


At this stage you may try a login. You can keep the Admin portal logged in and use https://profile.MYDOMAIN to try. You should see a new Sign-In option, with the name you chose above.


The first (and only) time you select this new Sign in option, you will be presented with a question as to whether you consent to the information shared. The Information shared is your Name, and your Email. No permission is being granted to access any Azure or Office 365 information.


You are now complete. All users can now sign in with their corporate login, with no additional passwords to remember.
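To confirm that the optional claims and group mapping described above are taking effect, the following added example (not Agilicus or Microsoft code) inspects the claims of an ID token issued for the application registration. The token, the GUID-to-name table and the function names are constructed for illustration. Going slightly beyond the page, it also flags the groups overage case, where Azure leaves the `groups` claim out of the token for users in many groups.

```python
import base64
import json

# Optional claims the page recommends configuring in Azure.
RECOMMENDED = ("email", "onprem_sid", "upn", "sid", "preferred_username")


def decode_payload(jwt: str) -> dict:
    """Decode the payload of a JWT for inspection only (no signature check)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    body = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(body))


def review_claims(claims: dict, group_names: dict) -> dict:
    """Report missing recommended claims and resolve group GUIDs to names."""
    missing = [c for c in RECOMMENDED if c not in claims]
    # With many groups Azure omits 'groups' and points to Graph instead.
    overage = "groups" in claims.get("_claim_names", {}) or bool(claims.get("hasgroups"))
    guids = claims.get("groups", [])
    return {
        "missing": missing,
        "groups": sorted(group_names[g] for g in guids if g in group_names),
        "unmapped": [g for g in guids if g not in group_names],
        "overage": overage,
    }


def _constructed_token(claims: dict) -> str:
    """Build an unsigned sample token; constructed data, not a real login."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


# Hypothetical GUID-to-name mapping and sample claims (all values constructed).
GROUP_NAMES = {"11111111-0000-0000-0000-000000000001": "engineering"}
SAMPLE = _constructed_token({
    "email": "foo@mycompany.example",
    "upn": "foo@mycompany.example",
    "preferred_username": "foo@mycompany.example",
    "sid": "constructed-session-id",
    "groups": ["11111111-0000-0000-0000-000000000001",
               "22222222-0000-0000-0000-000000000002"],
})

if __name__ == "__main__":
    print(json.dumps(review_claims(decode_payload(SAMPLE), GROUP_NAMES), indent=2))
```

An entry under `unmapped` is a group GUID that still needs a name mapping on the Upstream Identity Issuer; `decode_payload` is for configuration review only and must not stand in for signature validation.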

Advanced Grant Workflow

NOTE: If you use advanced grant workflow


If you do not do this, you may find that users who use the ‘offline_access’ workflow (also known as the refresh token) may be confused by constantly being requested to grant access.
