As the successor to Chapter 7, Deploying Solutions on Azure AD and ADFS, we dig further into the different features of Azure AD and ADFS. We already published the Kerberos on-premises application to external users. We'll do this with another application in this chapter. Furthermore, we will dive into the functionality of the Azure AD app proxy. Additionally, the first usage examples and the basic functionality of conditional access will be shown in this chapter. We do some more claims operation and task customization in Chapter 10, Exploring Azure AD Identity Services, and provide examples in the code package for the book. With this chapter, you will get all the information for managing the application integration into Azure AD and ADFS. You will also learn to publish applications with the Azure AD or the Web Application Proxy. Additionally, you will be enabled to use conditional access for securing your application access...
You're reading from Mastering Identity and Access Management with Microsoft Azure - Second Edition
We will continue the deployment and configuration of more business apps to allow you to test the different authentication mechanisms. For our support, we configure ServiceNow
with SAML
and active user provisioning from Azure AD to ServiceNow
:
- Navigate to
Azure Active Directory
|Enterprise Applications
and add aNew Application
:
Adding a new Enterprise application
- Choose
ServiceNow
and add the app from the gallery:
Adding ServiceNow
Using SAML as an authentication method
- In the
Basic SAML Configuration
, we add ourServiceNow
instance information, as shown in the following screenshot:
Configuring the SAML options
The following URIs need to be used:
https://.service-now.com/navpage.do https://.service-now.com
The Azure AD Application Proxy is similar to the on-premises Web Application Proxy role, starting in Windows Server 2012 R2. With this service, you can enable external access for on-premises applications. Azure AD Application Proxy requires an Azure AD Basic or an Azure AD Premium subscription. The connection is made directly with Azure and done through a proxy into the private network, with an application proxy agent installed on the on-premises web application server.
Let's run a very common use case to include a Kerberos on-premises application into our Azure AD Access UI, https://myapps.microsoft.com. We use our existing application to configure the scenario:
- Log in to https://portal.azure.com and choose the Azure Active Directory blade.
- Under Application proxy, we first need to download and install the application proxy agent on our YD1APP01 server.
You don't need to install the agent directly on the application server. It...
In our first conditional access scenario, we will use the Azure AD functionality to secure Salesforce
access with Azure MFA:
- Navigate to https://portal.azure.com and the Azure AD pane |
Conditional Access
. - Click
New policy
:
Creating a Conditional Access policy
- Under assignments, go to
Include
|All users
:
User assignment options
- Under
Cloud apps
|Select apps
, chooseSalesforce
:
Selecting the Salesforce app
- Under
Conditions
| chooseLocations
|Yes
and Any location:
Choosing the location attributes
Note
As you can see, you have many conditions that can be set when you want to fulfill security requirements in the case of additional authentication or access control mechanisms. You can find more information at the following source: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/.
- Under Access controls, go to
Grant
.
- Choose
Grant access
|Require multi-factor authentication
:
Using MFA for granting the access
- Enable...
In this chapter, you have learned to configure different authentication scenarios using Azure AD and ADFS capabilities. There are many possible combinations, and we can't provide all of them in one chapter. We gave you an introduction and some of our practical tips to get started and guide you in your upcoming journey through this technology. Don't worry; we jump more and more into some different scenarios in the next chapters of this book to give you as much help as possible. Also, look at the code package for the book; you will find additional practical examples from our projects.
In the next chapter, we will explore more Azure AD identity services, such as Azure AD B2B and B2C.