Azure AD Join

Introduction

This document provides instructions on how to configure Azure AD join using IBM® Security Verify as the identity provider.

Complete the following tasks:

  • Azure Active Directory
    • Enable device joining
    • Configure a federated Azure AD Domain
    • Provision user to Azure AD with Powershell commands
  • IBM Security Verify
    • Configure Microsoft 365 application (WS-Federation)

Enabling device joining and configuring a federated Azure AD domain

Enabling device joining

  1. Log in to the Azure portal at https://aad.portal.azure.com/.
  2. Under Devices > Device settings, allow users to join devices to Azure AD and do not require multi-factor authentication to join devices on the Azure AD side. Verify authenticates users of the federated domain, so requiring MFA in Azure AD as well would prompt the user twice; enforce MFA in the Verify access policy for the Microsoft 365 application instead.
  3. [Optional] Enable automatic Intune enrollment. During Azure AD join the computer is then enrolled to Intune automatically. Configure it as follows:
  • From the Azure portal, click Mobility (MDM and MAM) > Microsoft Intune.
  • Set MDM user scope to All and save the settings.

Configuring a federated Azure AD domain

  1. In the Azure portal, create a custom domain, for example ibm.icu, and make sure it is verified. A verified custom domain is required to set up a federated domain with a third-party federation service; the default domain with the onmicrosoft.com suffix cannot be federated.
  2. Install Windows PowerShell and the Microsoft Online Services (MSOnline) PowerShell module on the Windows machine.
  3. Execute the following command in the PowerShell console:

Connect-MsolService

A login prompt appears.

  4. Specify the Azure admin user credential. This is the admin user's UPN with the onmicrosoft.com suffix.
  5. After a successful login, execute the following command in the PowerShell console to create a federated domain that points at the Verify (ISV) tenant. Replace the tenant hostname in every URI with your own tenant host; -DomainName ibm.icu is the custom domain created in step 1, and -SigningCertificate is the base64-encoded public certificate of your tenant's default signing certificate, without PEM header or footer lines. Azure AD will accept any token signed by this certificate for any user in the domain, so treat its private key in Verify as a tenant-wide credential and plan its rotation (the NextSigningCertificate setting exists for that purpose).
Set-MsolDomainAuthentication -Authentication federated `
    -DomainName ibm.icu `
    -FederationBrandName IbmSecurityVerify `
    -IssuerUri https://saml-dev3-chenym.dev.verify.ibmcloudsecurity.com/wsf/sps/wsfedip/wsf `
    -PassiveLogOnUri https://saml-dev3-chenym.dev.vanitytst.cloudidentity.ibm.com/wsf/sps/wsfedip/wsf `
    -ActiveLogOnUri https://saml-dev3-chenym.dev.vanitytst.cloudidentity.ibm.com/wst/SecurityTokenService13 `
    -MetadataExchangeUri https://saml-dev3-chenym.dev.vanitytst.cloudidentity.ibm.com/wsf/sps/mex `
    -LogOffUri https://saml-dev3-chenym.dev.vanitytst.cloudidentity.ibm.com/wsf/sps/signout `
    -SigningCertificate <base64-encoded signing certificate>
  6. After the command completes, display the resulting settings:
Get-MsolDomainFederationSettings -DomainName ibm.icu

PS C:\Users\YongmingChen> Get-MsolDomainFederationSettings -DomainName ibm.icu

ActiveLogOnUri                         : https://saml-dev3-chenym.dev.wst.cloudidentity.ibm.com/wst/SecurityTokenService13
DefaultInteractiveAuthenticationMethod :
FederationBrandName                    : IbmSecurityVerify
IssuerUri                              : https://saml-dev3-chenym.dev.verify.ibmcloudsecurity.com/wsf/sps/wsfedip/wsf
LogOffUri                              : https://saml-dev3-chenym.dev.verify.ibmcloudsecurity.com/idaas/mtfim/sps/idaas/logout
MetadataExchangeUri                    : https://saml-dev3-chenym.dev.wst.cloudidentity.ibm.com/wsf/sps/mex
NextSigningCertificate                 :
OpenIdConnectDiscoveryEndpoint         :
PassiveLogOnUri                        : https://saml-dev3-chenym.dev.verify.ibmcloudsecurity.com/wsf/sps/wsfedip/wsf
SigningCertificate                     : MIIDYDCCAkigAwIBAgIEJDZp0DANBgkqhkiG9w0BAQsFADByMQkwBwYDVQQGEwAxCTAHBgNVBAgTAD
                                         EJMAcGA1UEBxMAMQkwBwYDVQQKEwAxCTAHBgNVBAsTADE5MDcGA1UEAxMwc2FtbC1kZXYzLWNoZW55
                                         bS5kZXYudmVyaWZ5LmlibWNsb3Vkc2VjdXJpdHkuY29tMB4XDTIxMDMwODA1NTg0M1oXDTMxMDMwNj
                                         A1NTg0M1owcjEJMAcGA1UEBhMAMQkwBwYDVQQIEwAxCTAHBgNVBAcTADEJMAcGA1UEChMAMQkwBwYD
                                         VQQLEwAxOTA3BgNVBAMTMHNhbWwtZGV2My1jaGVueW0uZGV2LnZlcmlmeS5pYm1jbG91ZHNlY3VyaX
                                         R5LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIR0RqRWk9ii2hhfHQ1mSo83HowK
                                         dwlfsSjTEuctyfgvij/hHgTLjh6ZgqOxREycmtmdvABv2W7F+6Dzp+i/KvEMDgp5yNXzf0e5LY0x9p
                                         r8Vn0WKCROnq+w047CES2v5hsZ+6zJnHK5ZZA88NJmE2F0Q3/rRS6AUzrEhVknXryUm17HViTYT6tT
                                         hXmAIBbbes3pNAP2XDKPNt0fQJuUTVMzUG82rtx2KR13Am0UwjmWcs85kBM9upUc4Y8jGFVp71ljsM
                                         59rHhQlrBkQIAmHGzm/KXdpa3th6GFP/k6g+qPfoaD4fsND7pNA0DBQP0r4S6Pc5+KqXTcRQznEoNB
                                         J+cCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAWyDFxjm3dzLye2DbF09/S+97iLBYumsmrsl5cAHzdY
                                         qcUBURGhplyEseBog0NHdD3ygd2e0WAmIu1jhz+JuUleDgmaxbECnrO8KcGgM9g+/6cc9v/W3VkdOm
                                         weajQn/AuC9DxqGnoiKA5PzO9Fz+3ooTj3PkO1UbYXUwWk+zO4+w0Z0sMKuUpKVL/dOXT/phUp4vFW
                                         ikc2C5KPG9FKNq4rUj2PHnhBKiXgjRgt3hDJKMcaEC12N4eUlmbwxIeNkda1m4yzhisPOwKFwy0aw/
                                         pECwUfdlZsxu523o0GX4MpaWS6DgpRpfysUuVODzPdGm7AZXXqoWhIgBLTMJ6AUEDQ==
SupportsMfa                            :

The output shows the federated domain settings.

  7. Verify that every field matches the values you passed: all URIs should use https and point at your Verify tenant host, and the SigningCertificate should be the certificate configured on the tenant. A wrong PassiveLogOnUri sends users to the wrong login page; a wrong SigningCertificate either makes Azure AD reject every token or makes it trust a certificate you do not control.
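The following Python script is an added example and is not part of this IBM documentation. It derives the Verify WS-Federation endpoint URIs for a tenant host from the paths used in the command above, renders the Set-MsolDomainAuthentication command from them, and checks pasted Get-MsolDomainFederationSettings output against the expected values, including that the signing certificate is bare base64 DER rather than PEM. The tenant host mytenant.verify.ibm.com, the sample output and the 5-byte certificate stand-in are constructed for the example; the issuer URI is passed separately because, as the output above shows, it need not share the host of the other endpoints.

```python
"""Added example (not IBM's code): expected Verify WS-Federation endpoints for a
tenant, the Set-MsolDomainAuthentication command built from them, and a check of
Get-MsolDomainFederationSettings output against those expected values."""
import base64
import hashlib
import re

# Endpoint paths as used in the Set-MsolDomainAuthentication command in this procedure.
ENDPOINT_PATHS = {
    "PassiveLogOnUri": "/wsf/sps/wsfedip/wsf",
    "ActiveLogOnUri": "/wst/SecurityTokenService13",
    "MetadataExchangeUri": "/wsf/sps/mex",
    "LogOffUri": "/wsf/sps/signout",
}
# Assumed tenant host and issuer for the example; replace with your tenant's values.
TENANT_HOST = "mytenant.verify.ibm.com"
ISSUER_URI = f"https://{TENANT_HOST}/wsf/sps/wsfedip/wsf"


def expected_settings(tenant_host, issuer_uri):
    """Federation settings Azure AD should report for a Verify tenant host."""
    settings = {name: f"https://{tenant_host}{path}" for name, path in ENDPOINT_PATHS.items()}
    settings["IssuerUri"] = issuer_uri
    return settings


def render_set_command(domain, brand, tenant_host, issuer_uri, cert_b64):
    """Render the PowerShell command that federates `domain` with the tenant."""
    s = expected_settings(tenant_host, issuer_uri)
    return (
        "Set-MsolDomainAuthentication -Authentication federated"
        f" -DomainName {domain} -FederationBrandName {brand} -IssuerUri {s['IssuerUri']}"
        f" -PassiveLogOnUri {s['PassiveLogOnUri']} -ActiveLogOnUri {s['ActiveLogOnUri']}"
        f" -MetadataExchangeUri {s['MetadataExchangeUri']} -LogOffUri {s['LogOffUri']}"
        f" -SigningCertificate {cert_b64}"
    )


def parse_msol_output(text):
    """Parse 'Name : value' lines of Get-MsolDomainFederationSettings output.
    Indented lines without a 'Name :' prefix continue the previous value,
    which is how PowerShell wraps the SigningCertificate."""
    settings, key = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\w+)\s*:\s*(.*)$", line)
        if m:
            key = m.group(1)
            settings[key] = m.group(2).strip()
        elif key and line[:1].isspace():
            settings[key] += line.strip()
    return settings


def cert_fingerprint(cert_b64):
    """SHA-256 of the DER certificate; compare it with the signing certificate
    shown in the Verify admin console."""
    return hashlib.sha256(base64.b64decode(cert_b64, validate=True)).hexdigest()


def check_federation(settings, expected):
    """Return a list of problems; an empty list means the settings match."""
    problems = [f"{k}: got {settings.get(k, '')!r}, expected {v!r}"
                for k, v in expected.items() if settings.get(k, "") != v]
    cert = settings.get("SigningCertificate", "")
    try:
        der = base64.b64decode(cert, validate=True)
    except ValueError:
        problems.append("SigningCertificate is not bare base64 (strip PEM header/footer)")
    else:
        if not der or der[0] != 0x30:  # an X.509 certificate is a DER SEQUENCE
            problems.append("SigningCertificate does not decode to a DER SEQUENCE")
    return problems


# Constructed sample output; the certificate is a 5-byte DER stand-in, not a real X.509 certificate.
SAMPLE_OUTPUT = f"""\
ActiveLogOnUri                         : https://{TENANT_HOST}/wst/SecurityTokenService13
DefaultInteractiveAuthenticationMethod :
FederationBrandName                    : IbmSecurityVerify
IssuerUri                              : {ISSUER_URI}
LogOffUri                              : https://{TENANT_HOST}/wsf/sps/signout
MetadataExchangeUri                    : https://{TENANT_HOST}/wsf/sps/mex
NextSigningCertificate                 :
PassiveLogOnUri                        : https://{TENANT_HOST}/wsf/sps/wsfedip/wsf
SigningCertificate                     : MAMC
                                         AQE=
SupportsMfa                            :
"""

if __name__ == "__main__":
    print(render_set_command("ibm.icu", "IbmSecurityVerify", TENANT_HOST, ISSUER_URI, "MAMCAQE="))
    parsed = parse_msol_output(SAMPLE_OUTPUT)
    print("problems:", check_federation(parsed, expected_settings(TENANT_HOST, ISSUER_URI)) or "none")
    print("signing cert sha256:", cert_fingerprint(parsed["SigningCertificate"]))
```

To use it against a real tenant, paste the actual Get-MsolDomainFederationSettings output into SAMPLE_OUTPUT (or read it from a file) and compare the printed SHA-256 fingerprint with the signing certificate in the Verify admin console; any entry in the problems list is a field to correct before joining devices.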

Provisioning user to Azure AD with Powershell commands

  1. Provision the user in Azure AD. Decide which attributes of the ISV user will be used as the ImmutableID and the UPN in Azure AD. The ImmutableID is the value Azure AD uses to match a federated token to the user account, so choose an attribute that is unique, never changes, and cannot be edited by the user.

  2. Execute the following command in the Powershell command console:

New-MsolUser -userprincipalname [email protected] -immutableID testuserimmutableid -lastname test -firstname user -Displayname "test user" -LicenseAssignment "isvsts:DEVELOPERPACK_E5" -usageLocation SG

This provisions a user with UPN [email protected] and ImmutableID testuserimmutableid. The -LicenseAssignment value is specific to the example tenant; Get-MsolAccountSku lists the SKUs available in your own tenant.

  3. Run the following command to verify that the ImmutableID was set correctly:
Get-MsolUser -UserPrincipalName "[email protected]" | Select ImmutableID

Configuring Microsoft 365 application (WS-Federation)

From ISV tenant Administrative Console

  1. Create Microsoft 365 application.
    1. Select Applications > Applications.
    2. Click Add application.
    3. In the Select Application Type pop-up, add the Microsoft365 application.
  2. In the Sign-on tab, select WS-Federation as the sign-on method. Keep the default settings except for the SAML subject name identifier.
  3. Select an attribute source for UPN and ImmutableID. The UPN and ImmutableID values sent by Verify must match the UPN and ImmutableID of the user in Azure AD, otherwise the sign-in fails or, if the mapped attribute is user-editable, a user could present another account's ImmutableID.
  4. Save the application.
  5. In the Applications page, select the Microsoft365 application and click Settings.
    Click on the 'Entitlements' tab, select an Access type and select the Approvers check-box accordingly.

Creating a new Microsoft 365 application with curl

  1. Obtain an API access token and use it in the authorization header.
  2. Use the following curl command as a template to create the application:
curl --location --request POST 'https://<isv_tenant>/v1.0/applications' \
--header 'accept: application/json' \
--header 'authorization: Bearer <access token>' \
--header 'Content-Type: application/json' \
--data-raw '{
    "name": "<Microsoft 365 application name>",
    "templateId": "41",
    "applicationRefId": "",
    "providers": {
        "saml": {
            "properties": {
                "validateAuthnRequest": "false",
                "generateUniqueID": false,
                "companyName": "Microsoft 365"
            },
            "justInTimeProvisioning": "false"
        },
        "sso": {
            "userOptions": "wsfed"
        },
        "wsfed": {
            "properties": {
                "callbackURL": "https://login.microsoftonline.com/login.srf",
                "providerId": "urn:federation:MicrosoftOnline",
                "multipleDomainsEnabled": "false",
                "activeProfile": {
                    "defaultRealm": "cloudIdentityRealm"
                },
                "signingSettings": {
                    "signSamlAssertion": "true",
                    "signatureAlgorithm": "RSA-SHA256"
                },
                "ici_reserved_subjectNameID": "1",
                "additionalProperties": [
                    {
                        "name": "activeProfileRequestRule",
                        "value": "{\"p\": {\"username\": [requestContext.username[0].split('@')[0]] }}"
                    }
                ]
            }
        }
    },
    "attributeMappings": [
        {
            "targetName": "UPN",
            "sourceId": "<upn_attr_id>",
            "targetAttrFormat": "http://schemas.xmlsoap.org/claims"
        },
        {
            "targetName": "ImmutableID",
            "sourceId": "<ImmutableID_attr_id>",
            "targetAttrFormat": "http://schemas.microsoft.com/LiveID/Federation/2008/05"
        }
    ],
    "applicationState": true,
    "approvalRequired": false,
    "description": "An online version of Microsoft Office",
    "signonState": true,
    "provisioningMode": "",
    "identitySources": [],
    "visibleOnLaunchpad": true,
    "provisioning": {
        "authentication": {},
        "attributeMappings": [],
        "reverseAttributeMappings": [],
        "policies": {
            "provPolicy": "disabled",
            "deProvPolicy": "disabled",
            "deProvAction": "delete",
            "passwordSync": "disabled",
            "adoptionPolicy": {
                "matchingAttributes": [],
                "remediationPolicy": {}
            },
            "gracePeriod": 30
        },
        "extension": {},
        "provisioningState": "disabled",
        "sendNotifications": false,
        "generatePassword": false,
        "generatePasswordOnRestore": false
    },
    "apiAccessClients": [],
    "adaptiveAuthentication": {},
    "target": {
        "connectedApp_Yammer": "false",
        "connectedApp_OneDrive": "false",
        "connectedApp_Parature": "false",
        "connectedApp_SharePointOnline": "false",
        "connectedApp_MicrosoftPowerPointOnline": "false",
        "connectedApp_MicrosoftWordOnline": "false",
        "connectedApp_MicrosoftExcelOnline": "false",
        "connectedApp_SkypeforBiz": "false",
        "connectedApp_MicrosoftOneNote": "false",
        "connectedApp_Outlook": "false",
        "connectedApp_OneDriveforBusiness": "false",
        "connectedApp_MicrosoftPlanner": "false",
        "connectedApp_MicrosoftSharePointNewsfeed": "false",
        "connectedApp_MicrosoftDelve": "false",
        "connectedApp_OfficeSway": "false",
        "connectedApp_MicrosoftPowerApps": "false",
        "connectedApp_MicrosoftBookings": "false",
        "connectedApp_MicrosoftFlow": "false",
        "connectedApp_MicrosoftTeams": "false",
        "connectedApp_Dynamics365": "false",
        "connectedApp_MicrosoftOfficeOnlineAdmin": "false",
        "connectedApp_MicrosoftSecurityandCompliance": "false",
        "connectedApp_MicrosoftCalendar": "false",
        "connectedApp_MicrosoftPeople": "false",
        "connectedApp_MicrosoftTasks": "false"
    },
    "customIcon": ""
}'

Then POST to the /v1.0/owner/applications/{applicationId}/entitlements endpoint to add the user entitlement to the created application, with the following body:

{
    "birthRightAccess": true,
    "requestAccess": false,
    "additions": [],
    "deletions": []
}
  1. Update the ISV tenant hostname in the URL.
  2. Update the access token in the authorization header.
  3. Update the JSON payload name for the application name.
  4. Update the JSON payload providers.wsfed.properties.additionalProperties[] for the activeProfileRequestRule.
    • activeProfileRequestRule is optional. Remove it from the payload if it is not required.
  5. Update the JSON payload attributeMappings with the desired UPN and ImmutableID attribute sources. The UPN and ImmutableID values must match the UPN and ImmutableID of the user in Azure AD.
  6. Verify the JSON payload and ensure that all fields have the desired values.
  7. Run the updated curl command.
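The following Python script is an added example and not IBM's code. It applies steps 3 to 7 programmatically: it fills the application name and attribute-source ids into a copy of the payload, drops the optional activeProfileRequestRule when not wanted, refuses to send a payload that still contains <placeholder> text or lacks the UPN and ImmutableID mappings, and then issues the create and entitlement POSTs with urllib. The TEMPLATE dict is a constructed subset of the curl payload above (load the complete JSON from this page into a file for real use), the attribute ids used in the test are placeholders, and where the new application id appears in the create response (body id or Location header) is an assumption to confirm against your tenant's actual response.

```python
"""Added example (not IBM's code): fill in the placeholders of the Microsoft 365
application payload, check it before sending, then create the application and add
the entitlement through the Verify REST API using only the standard library."""
import json
import os
import re
import urllib.request

ENTITLEMENT_BODY = {"birthRightAccess": True, "requestAccess": False, "additions": [], "deletions": []}

# Constructed subset of the page's payload with the same shape for the fields this script
# touches; in practice load the complete JSON from the page into a file and pass that.
TEMPLATE = {
    "name": "<Microsoft 365 application name>",
    "templateId": "41",
    "providers": {
        "sso": {"userOptions": "wsfed"},
        "wsfed": {"properties": {
            "providerId": "urn:federation:MicrosoftOnline",
            "additionalProperties": [{
                "name": "activeProfileRequestRule",
                "value": "{\"p\": {\"username\": [requestContext.username[0].split('@')[0]] }}",
            }],
        }},
    },
    "attributeMappings": [
        {"targetName": "UPN", "sourceId": "<upn_attr_id>",
         "targetAttrFormat": "http://schemas.xmlsoap.org/claims"},
        {"targetName": "ImmutableID", "sourceId": "<ImmutableID_attr_id>",
         "targetAttrFormat": "http://schemas.microsoft.com/LiveID/Federation/2008/05"},
    ],
}


def fill_payload(template, name, upn_attr_id, immutable_id_attr_id, keep_active_rule=True):
    """Steps 3 to 5 of the procedure, applied to a deep copy of the template."""
    payload = json.loads(json.dumps(template))
    payload["name"] = name
    props = payload["providers"]["wsfed"]["properties"]
    if not keep_active_rule:  # activeProfileRequestRule is optional
        props["additionalProperties"] = [
            p for p in props.get("additionalProperties", []) if p["name"] != "activeProfileRequestRule"]
    source_ids = {"UPN": upn_attr_id, "ImmutableID": immutable_id_attr_id}
    for mapping in payload["attributeMappings"]:
        if mapping["targetName"] in source_ids:
            mapping["sourceId"] = source_ids[mapping["targetName"]]
    return payload


def check_payload(payload):
    """Step 6: return a list of problems to fix before the request is sent."""
    problems = []
    leftovers = sorted(set(re.findall(r"<[^>]*>", json.dumps(payload))))
    if leftovers:
        problems.append(f"unreplaced placeholders: {leftovers}")
    if payload.get("templateId") != "41":
        problems.append("templateId must be '41' (Microsoft 365 template)")
    if payload.get("providers", {}).get("sso", {}).get("userOptions") != "wsfed":
        problems.append("providers.sso.userOptions must be 'wsfed' for Azure AD federation")
    targets = {m.get("targetName") for m in payload.get("attributeMappings", [])}
    for required in ("UPN", "ImmutableID"):
        if required not in targets:
            problems.append(f"missing attributeMappings entry for {required}")
    return problems


def api_post(host, token, path, body):
    """POST JSON to the Verify tenant; returns (status, headers, parsed body)."""
    req = urllib.request.Request(
        f"https://{host}{path}", method="POST", data=json.dumps(body).encode(),
        headers={"accept": "application/json", "Content-Type": "application/json",
                 "authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
        return resp.status, dict(resp.headers), (json.loads(raw) if raw else {})


def create_with_entitlement(host, token, payload):
    """Create the application, then grant birthright access (step 7 plus the entitlement POST)."""
    problems = check_payload(payload)
    if problems:
        raise ValueError("; ".join(problems))
    status, headers, body = api_post(host, token, "/v1.0/applications", payload)
    # Assumption: the new application id is returned in the body as "id" or in a Location header.
    app_id = body.get("id") or headers.get("Location", "").rstrip("/").rsplit("/", 1)[-1]
    if not app_id:
        raise RuntimeError(f"application created (HTTP {status}) but no application id was found")
    api_post(host, token, f"/v1.0/owner/applications/{app_id}/entitlements", ENTITLEMENT_BODY)
    return app_id


if __name__ == "__main__":
    payload = fill_payload(TEMPLATE, "Microsoft 365", os.environ.get("UPN_ATTR_ID", "<upn_attr_id>"),
                           os.environ.get("IMMUTABLEID_ATTR_ID", "<ImmutableID_attr_id>"))
    print(check_payload(payload) or "payload ok")
    if "ISV_TENANT" in os.environ and "ISV_TOKEN" in os.environ:
        print("created", create_with_entitlement(os.environ["ISV_TENANT"], os.environ["ISV_TOKEN"], payload))
```

Set ISV_TENANT, ISV_TOKEN, UPN_ATTR_ID and IMMUTABLEID_ATTR_ID in the environment to run it against a tenant; without them it only builds and checks the payload, which is the step most worth automating because an unreplaced placeholder or a wrong attribute id produces an application that silently sends the wrong ImmutableID.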

Run the flow

  1. Join the Windows 10 computer to Azure AD.
    1. Go to Settings > Accounts > Access work or school.
    2. Click Connect.
    3. Click Join this device to Azure Active Directory.
    4. Specify the UPN with the custom domain. For example, [email protected].
    5. Click Connect. The sign-in is redirected to ISV to authenticate. After successful authentication, a confirmation prompt is shown. Click Join to proceed.
  2. In the Azure portal, under Devices, verify that the device is Azure AD joined.
  3. Log in to the Azure AD joined computer with the ISV user account.
    1. Switch to logging in with a Work or School account.
    2. Specify the username and password of the ISV user to log in.

OOBE (Azure AD join for fresh Windows installation)

Users can also join Windows 10 to Azure AD during the Windows installation process (the out-of-box experience). Follow the screen prompts; the sign-in with the custom-domain UPN is redirected to ISV in the same way as above.
