Azure AD Join
Introduction
This document provides instructions on how to configure Azure AD join using IBM® Security Verify as the Identity Provider.
You need the following prerequisites:
- Azure AD with administrator access
- Windows device with PowerShell and the Microsoft Online Services Module installed.
- IBM Security Verify domain with administrator access.
Complete the following tasks:
- Azure Active Directory
  - Enable device joining
  - Configure a federated Azure AD domain
  - Provision a user to Azure AD with PowerShell commands
- IBM Security Verify
  - Configure the Microsoft 365 application (WS-Federation)
Enabling device joining and configuring a federated Azure AD domain
Enabling device joining
- Log in to the Azure portal https://aad.portal.azure.com/.
- Configure the device settings as shown below to allow users to join devices to Azure AD. Disable the MFA setting on the Azure AD side to avoid a double MFA prompt.
![f0f6ba0-configure-azure-ad-join-AzureDeviceSettings.png 1536](https://files.readme.io/f0f6ba0-configure-azure-ad-join-AzureDeviceSettings.png)
- [Optional] Enable automatic Intune enrollment. During Azure AD join, the computer is automatically enrolled to Intune with the following configuration.
  - From the Azure portal, click Mobility (MDM and MAM) > Microsoft Intune.
  ![d9b3eff-configure-azure-ad-join-AADJoinIntune.png 1536](https://files.readme.io/d9b3eff-configure-azure-ad-join-AADJoinIntune.png)
  - Set All for MDM user scope and save the settings.
  ![1235a69-configure-azure-ad-join-AADJoinIntuneEnabled.png 1536](https://files.readme.io/1235a69-configure-azure-ad-join-AADJoinIntuneEnabled.png)
Configuring a federated Azure AD domain
- In the Azure portal, create a custom domain. For example, ibm.icu. Ensure that it is verified. The custom domain is required to set up a federated Azure domain with a third-party federation service. The main domain with the onmicrosoft.com suffix does not support federated domain configuration.
![6f51dbc-configure-azure-ad-join-AzureCustomDomain.png 1536](https://files.readme.io/6f51dbc-configure-azure-ad-join-AzureCustomDomain.png)
- Install Windows PowerShell and the Microsoft Online Services Module on the Windows machine.
- Execute the following command in the PowerShell console. It prompts for a login.

```powershell
Connect-MsolService
```

- Specify the Azure admin user credential. This is the admin user UPN with the onmicrosoft.com suffix.
- After a successful login, execute the following command in the PowerShell console to create a federated domain with the ISV tenant. Replace the tenant hostname (dune.verify.ibm.com) with your own tenant host; -DomainName ibm.icu is the custom domain created in step 1; -SigningCertificate is the public certificate of the default signing certificate of your tenant:

```powershell
Set-MsolDomainAuthentication -Authentication federated -DomainName ibm.icu -FederationBrandName IbmSecurityVerify -IssuerUri https://dune.verify.ibm.com/wsf/sps/wsfedip/wsf -PassiveLogOnUri https://dune.verify.ibm.com/wsf/sps/wsfedip/wsf -ActiveLogOnUri https://dune.verify.ibm.com/wst/SecurityTokenService13 -MetadataExchangeUri https://dune.verify.ibm.com/wsf/sps/mex -LogOffUri https://dune.verify.ibm.com/idaas/mtfim/sps/idaas/logout -SigningCertificate MIIDYDCCAkigAwIBAgIEJDZp0DANBgkqhkiG9w0BAQsFADByMQkwBwYDVQQGEwAxCTAHBgNVBAgTADEJMAcGA1UEBxMAMQkwBwYDVQQKEwAxCTAHBgNVBAsTADE5MDcGA1UEAxMwc2FtbC1kZXYzLWNoZW55bS5kZXYudmVyaWZ5LmlibWNsb3Vkc2VjdXJpdHkuY29tMB4XDTIxMDMwODA1NTg0M1oXDTMxMDMwNjA1NTg0M1owcjEJMAcGA1UEBhMAMQkwBwYDVQQIEwAxCTAHBgNVBAcTADEJMAcGA1UEChMAMQkwBwYDVQQLEwAxOTA3BgNVBAMTMHNhbWwtZGV2My1jaGVueW0uZGV2LnZlcmlmeS5pYm1jbG91ZHNlY3VyaXR5LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIR0RqRWk9ii2hhfHQ1mSo83HowKdwlfsSjTEuctyfgvij/hHgTLjh6ZgqOxREycmtmdvABv2W7F+6Dzp+i/KvEMDgp5yNXzf0e5LY0x9pr8Vn0WKCROnq+w047CES2v5hsZ+6zJnHK5ZZA88NJmE2F0Q3/rRS6AUzrEhVknXryUm17HViTYT6tThXmAIBbbes3pNAP2XDKPNt0fQJuUTVMzUG82rtx2KR13Am0UwjmWcs85kBM9upUc4Y8jGFVp71ljsM59rHhQlrBkQIAmHGzm/KXdpa3th6GFP/k6g+qPfoaD4fsND7pNA0DBQP0r4S6Pc5+KqXTcRQznEoNBJ+cCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAWyDFxjm3dzLye2DbF09/S+97iLBYumsmrsl5cAHzdYqcUBURGhplyEseBog0NHdD3ygd2e0WAmIu1jhz+JuUleDgmaxbECnrO8KcGgM9g+/6cc9v/W3VkdOmweajQn/AuC9DxqGnoiKA5PzO9Fz+3ooTj3PkO1UbYXUwWk+zO4+w0Z0sMKuUpKVL/dOXT/phUp4vFWikc2C5KPG9FKNq4rUj2PHnhBKiXgjRgt3hDJKMcaEC12N4eUlmbwxIeNkda1m4yzhisPOwKFwy0aw/pECwUfdlZsxu523o0GX4MpaWS6DgpRpfysUuVODzPdGm7AZXXqoWhIgBLTMJ6AUEDQ==
```
- After the command completes successfully, type `Get-MsolDomainFederationSettings -DomainName ibm.icu`. It shows the federated domain settings:

```
PS C:\Users\Scott> Get-MsolDomainFederationSettings -DomainName ibm.icu
ActiveLogOnUri : https://dune.verify.ibm.com/wst/SecurityTokenService13
DefaultInteractiveAuthenticationMethod :
FederationBrandName : IbmSecurityVerify
IssuerUri : https://dune.verify.ibm.com/wsf/sps/wsfedip/wsf
LogOffUri : https://dune.verify.ibm.com/idaas/mtfim/sps/idaas/logout
MetadataExchangeUri : https://dune.verify.ibm.com/wsf/sps/mex
NextSigningCertificate :
OpenIdConnectDiscoveryEndpoint :
PassiveLogOnUri : https://dune.verify.ibm.com/wsf/sps/wsfedip/wsf
SigningCertificate : MIIDYDCCAkigAwIBAgIEJDZp0DANBgkqhkiG9w0BAQsFADByMQkwBwYDVQQGEwAxCTAHBgNVBAgTAD
EJMAcGA1UEBxMAMQkwBwYDVQQKEwAxCTAHBgNVBAsTADE5MDcGA1UEAxMwc2FtbC1kZXYzLWNoZW55
bS5kZXYudmVyaWZ5LmlibWNsb3Vkc2VjdXJpdHkuY29tMB4XDTIxMDMwODA1NTg0M1oXDTMxMDMwNj
A1NTg0M1owcjEJMAcGA1UEBhMAMQkwBwYDVQQIEwAxCTAHBgNVBAcTADEJMAcGA1UEChMAMQkwBwYD
VQQLEwAxOTA3BgNVBAMTMHNhbWwtZGV2My1jaGVueW0uZGV2LnZlcmlmeS5pYm1jbG91ZHNlY3VyaX
R5LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIR0RqRWk9ii2hhfHQ1mSo83HowK
dwlfsSjTEuctyfgvij/hHgTLjh6ZgqOxREycmtmdvABv2W7F+6Dzp+i/KvEMDgp5yNXzf0e5LY0x9p
r8Vn0WKCROnq+w047CES2v5hsZ+6zJnHK5ZZA88NJmE2F0Q3/rRS6AUzrEhVknXryUm17HViTYT6tT
hXmAIBbbes3pNAP2XDKPNt0fQJuUTVMzUG82rtx2KR13Am0UwjmWcs85kBM9upUc4Y8jGFVp71ljsM
59rHhQlrBkQIAmHGzm/KXdpa3th6GFP/k6g+qPfoaD4fsND7pNA0DBQP0r4S6Pc5+KqXTcRQznEoNB
J+cCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAWyDFxjm3dzLye2DbF09/S+97iLBYumsmrsl5cAHzdY
qcUBURGhplyEseBog0NHdD3ygd2e0WAmIu1jhz+JuUleDgmaxbECnrO8KcGgM9g+/6cc9v/W3VkdOm
weajQn/AuC9DxqGnoiKA5PzO9Fz+3ooTj3PkO1UbYXUwWk+zO4+w0Z0sMKuUpKVL/dOXT/phUp4vFW
ikc2C5KPG9FKNq4rUj2PHnhBKiXgjRgt3hDJKMcaEC12N4eUlmbwxIeNkda1m4yzhisPOwKFwy0aw/
pECwUfdlZsxu523o0GX4MpaWS6DgpRpfysUuVODzPdGm7AZXXqoWhIgBLTMJ6AUEDQ==
SupportsMfa :
```
- Verify all fields are correct.
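The following PowerShell script is an added check and is not part of the IBM documentation. It automates the "verify all fields" step: it confirms the custom domain is verified and federated, that every federation endpoint is an HTTPS URI on the expected Verify tenant host, and that the base64 signing certificate decodes, matches an expected thumbprint if one is given, and is not close to expiry. It assumes Connect-MsolService has already been run; $DomainName, $TenantHost, $ExpectedThumbprint and $MinCertDays are placeholders to adjust.

```powershell
# Added example, not from the IBM documentation. Validates the federation
# settings of the custom domain after Set-MsolDomainAuthentication.
# Assumes Connect-MsolService has already been run as an Azure AD admin.
$DomainName = 'ibm.icu'               # placeholder: your federated custom domain
$TenantHost = 'dune.verify.ibm.com'   # placeholder: your Verify tenant host
$ExpectedThumbprint = ''              # optional: thumbprint of the Verify signing cert
$MinCertDays = 30                     # warn when the signing cert expires sooner

# 1. The domain itself must be verified and federated, otherwise sign-in
#    never redirects to Verify.
$domain = Get-MsolDomain -DomainName $DomainName -ErrorAction Stop
if ($domain.Status -ne 'Verified' -or $domain.Authentication -ne 'Federated') {
    throw "$DomainName is $($domain.Status)/$($domain.Authentication); expected Verified/Federated"
}
$fed = Get-MsolDomainFederationSettings -DomainName $DomainName -ErrorAction Stop

# 2. Every endpoint must be an https URI on the tenant host. Azure AD trusts
#    whatever issuer these URIs name, so a typo here changes the trust
#    anchor of the whole domain.
$problems = @()
foreach ($name in 'IssuerUri','PassiveLogOnUri','ActiveLogOnUri','MetadataExchangeUri','LogOffUri') {
    $uri = [System.Uri]($fed.$name)
    if ($uri.Scheme -ne 'https' -or $uri.Host -ne $TenantHost) {
        $problems += "$name = '$($fed.$name)' is not an https URI on $TenantHost"
    }
}

# 3. The signing certificate is stored as base64 DER; decode it to confirm
#    it is the certificate you expect and that it is not about to expire
#    (an expired signing certificate breaks every federated sign-in).
$bytes = [Convert]::FromBase64String($fed.SigningCertificate)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
"Signing cert subject    : $($cert.Subject)"
"Signing cert thumbprint : $($cert.Thumbprint)"
"Signing cert expires    : $($cert.NotAfter)"
if ($ExpectedThumbprint -and $cert.Thumbprint -ne $ExpectedThumbprint) {
    $problems += "Signing certificate thumbprint $($cert.Thumbprint) does not match $ExpectedThumbprint"
}
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
if ($daysLeft -lt $MinCertDays) {
    $problems += "Signing certificate expires in $daysLeft days; stage the replacement with Set-MsolDomainFederationSettings -NextSigningCertificate"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { "Federation settings for $DomainName look consistent" }
```

Re-run this check whenever the Verify signing certificate is rotated, because Azure AD keeps the old certificate until it is explicitly updated.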
Provisioning a user to Azure AD with PowerShell commands
- Provision the user in Azure AD. Decide which user attribute from the ISV user will be used as the immutableid and upn in Azure AD.
- Execute the following command in the PowerShell console:

```powershell
New-MsolUser -userprincipalname [email protected] -immutableID testuserimmutableid -lastname test -firstname user -Displayname "test user" -LicenseAssignment "isvsts:DEVELOPERPACK_E5" -usageLocation SG
```

This provisions a user with upn: [email protected] and immutableID: testuserimmutableid.
- Run the following command to verify that the immutableid was created correctly:

```powershell
Get-MsolUser -UserPrincipalName "[email protected]" | Select ImmutableID
```
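The following PowerShell script is an added example and is not part of the IBM documentation. It wraps the provisioning step above so that the UPN suffix is checked to be a verified, federated domain before the user is created, the user is created only if it does not already exist, and the resulting ImmutableID is compared with the value you intend to map from the Verify attribute. $Upn, $ImmutableId, $License and $UsageLocation are constructed placeholder values; it assumes Connect-MsolService has already been run.

```powershell
# Added example, not from the IBM documentation. Provisions one federated
# user and verifies that UPN and ImmutableID are what Verify will assert.
# Assumes Connect-MsolService has already been run as an Azure AD admin.
$Upn = 'testuser@ibm.icu'              # constructed example; suffix must be the federated domain
$ImmutableId = 'testuserimmutableid'   # must equal the Verify attribute mapped to ImmutableID
$License = 'isvsts:DEVELOPERPACK_E5'   # placeholder: a license SKU available in your tenant
$UsageLocation = 'SG'                  # placeholder: required before a license can be assigned

# The UPN suffix must be a verified, federated domain. A user in a managed
# domain is authenticated by Azure AD itself and never redirected to Verify.
$suffix = $Upn.Split('@')[1]
$domain = Get-MsolDomain -DomainName $suffix -ErrorAction Stop
if ($domain.Status -ne 'Verified' -or $domain.Authentication -ne 'Federated') {
    throw "$suffix is $($domain.Status)/$($domain.Authentication); expected Verified/Federated"
}

# Create the user only if it does not exist yet, so re-running the script
# is safe and does not mask an existing account with a different ImmutableID.
$existing = Get-MsolUser -UserPrincipalName $Upn -ErrorAction SilentlyContinue
if (-not $existing) {
    New-MsolUser -UserPrincipalName $Upn -ImmutableId $ImmutableId `
        -FirstName 'user' -LastName 'test' -DisplayName 'test user' `
        -UsageLocation $UsageLocation -LicenseAssignment $License | Out-Null
    "Created $Upn"
} else {
    "$Upn already exists; checking its ImmutableID"
}

# Azure AD matches the ImmutableID claim in the Verify token to this value;
# a mismatch means the federated sign-in fails even though the user exists.
$user = Get-MsolUser -UserPrincipalName $Upn -ErrorAction Stop
if ($user.ImmutableId -ne $ImmutableId) {
    throw "ImmutableID mismatch for ${Upn}: Azure AD has '$($user.ImmutableId)', expected '$ImmutableId'"
}
"$Upn has ImmutableID '$($user.ImmutableId)' in domain $suffix"
```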
Configuring Microsoft 365 application (WS-Federation)
From the ISV tenant Administrative Console:
- Create the Microsoft 365 application.
  - Select Applications > Applications.
  - Click Add application.
  - In the Select Application Type pop-up, add the Microsoft365 application.
  - In the Sign-on tab, select WS-Federation as the Sign-on method. Use the default settings except for the SAML subject Name identifier.
  - Select an attribute source for UPN and ImmutableID. The UPN and ImmutableID values must match the UPN and ImmutableID in the Azure AD user registry.
  - Save the application.
- In the Applications page, select the Microsoft365 application and click Settings. Click the Entitlements tab, select an Access type and select the Approvers check box accordingly.
Run the flow
- Join the Windows 10 computer to Azure AD.
  - From Settings > Accounts > Access work or school, click Connect.
  ![6b8ebe0-configure-azure-ad-join-AADJoinConnect.png 805](https://files.readme.io/6b8ebe0-configure-azure-ad-join-AADJoinConnect.png)
  - Click Join this device to Azure Active Directory.
  ![9f14357-configure-azure-ad-join-AADJoin.png 660](https://files.readme.io/9f14357-configure-azure-ad-join-AADJoin.png)
  - Specify the UPN with the custom domain. For example, [email protected].
  - Click Connect. It redirects to ISV to authenticate. After successful authentication, the following prompt is shown. Click Join to proceed.
  ![590878e-configure-azure-ad-join-SettingsMFA.png 922](https://files.readme.io/752a611-configure-azure-ad-join-SettingsMFA.png)
  ![5f126b3-configure-azure-ad-join-AADJoinFinish.png 820](https://files.readme.io/5f126b3-configure-azure-ad-join-AADJoinFinish.png)
  - From the Azure portal Devices page, verify that the device is Azure AD joined.
  ![246cc3b-configure-azure-ad-join-AADJoinCheckDevice.png 1536](https://files.readme.io/246cc3b-configure-azure-ad-join-AADJoinCheckDevice.png)
- Log in to the Azure AD joined computer with the ISV user account.
  - Switch to login with a Work or School account.
  ![9b51acc-configure-azure-ad-join-AADJoinSwitchUser.png 764](https://files.readme.io/9b51acc-configure-azure-ad-join-AADJoinSwitchUser.png)
  - Specify the username and password of the ISV user to log in.
  ![80a35fb-configure-azure-ad-join-AADJoinLoginDomainUser.png 821](https://files.readme.io/80a35fb-configure-azure-ad-join-AADJoinLoginDomainUser.png)
OOBE (Azure AD join for fresh Windows installation)
Users can also join Windows 10 to Azure AD during the Windows installation (out-of-box experience) process. Follow the screen prompts.
![96df311-configure-azure-ad-join-oobe1.png 823](https://files.readme.io/16b80d2-configure-azure-ad-join-oobe1.png)
![3fc8a24-configure-azure-ad-join-oobe2.png 824](https://files.readme.io/506d4a1-configure-azure-ad-join-oobe2.png)
![0fcdd83-configure-azure-ad-join-oobe3.png 825](https://files.readme.io/2e2ea9f-configure-azure-ad-join-oobe3.png)