Azure AD Join
Introduction
This document provides instructions on how configure Azure AD join using IBM® Security Verify as the Identity Provider.
You need following Prerequisites:
- Azure AD with administrator access
- Windows device with Powershell and Microsoft Online Services Module installed.
- IBM Security Verify domain with administrator access.
Complete the following tasks:
- Azure Active Directory
- Enable device joining
- Configure a federated Azure AD Domain
- Provision user to Azure AD with Powershell commands
- IBM Security Verify
- Configure Microsoft 365 application (WS-Federation)
Enabling device joining and configuring a federated Azure AD domain
Enabling device joining
- Login to the Azure portal https://aad.portal.azure.com/.
- Configure the device settings as shown below to allow user to join device to Azure AD, disable the MFA settings at Azure AD side to avoid double MFA.
![6769f55-configure-azure-ad-join-AzureDeviceSettings.png 1536](https://files.readme.io/6769f55-configure-azure-ad-join-AzureDeviceSettings.png)
- [Optional] Enable automatic Intune enrollment. During Azure AD join, the computer is automatically enrolled to Intune with the following configurations.
- From the Azure portal, click Mobility (MDM and MAM) > Microsoft Intune
![f32b4df-configure-azure-ad-join-AADJoinIntune.png 1536](https://files.readme.io/f32b4df-configure-azure-ad-join-AADJoinIntune.png)
- Set All for MDM user scope and save the settings.
![cf10427-configure-azure-ad-join-AADJoinIntuneEnabled.png 1536](https://files.readme.io/cf10427-configure-azure-ad-join-AADJoinIntuneEnabled.png)
Configuring a federated Azure AD domain
- In the Azure portal, create a custom domain. For example,
ibm.icu
. Ensure that it is verified. The custom domain is required to set up a federated Azure domain with a third party federation service. The main domain withonmicrosoft.com
suffix does not support federated domain configuration.
![162d6a5-configure-azure-ad-join-AzureCustomDomain.png 1536](https://files.readme.io/162d6a5-configure-azure-ad-join-AzureCustomDomain.png)
-
Install Windows Powershell and Microsoft Online Services Module on the Windows machine.
-
Execute the following command in the Powershell command console:
Connect-MsolService
It prompts a login.
- Specify the Azure admin user credential. This is the admin user upn with the
onmicrosoft.com
suffix. - After a successful login, execute the following command in the Powershell command console to create a federated domain with the ISV tenant:
(Please update the tenant hostname to your tenanthost accordingly, -DomainName ibm.icu is the custom domain created in step 1; -SigningCertificate is the public cert of the default cert of your tenant:
Set-MsolDomainAuthentication -Authentication federated -DomainName ibm.icu -FederationBrandName IbmSecurityVerify -IssuerUri https://dune.verify.ibm.com/wsf/sps/wsfedip/wsf -PassiveLogOnUri https://dune.verify.ibm.com/wsf/sps/wsfedip/wsf -ActiveLogOnUri https://dune.verify.ibm.com/wst/SecurityTokenService13 -MetadataExchangeUri https://dune.verify.ibm.com/wsf/sps/mex -LogOffUri https://dune.verify.ibm.com/idaas/mtfim/sps/idaas/logout -SigningCertificate MIIDYDCCAkigAwIBAgIEJDZp0DANBgkqhkiG9w0BAQsFADByMQkwBwYDVQQGEwAxCTAHBgNVBAgTADEJMAcGA1UEBxMAMQkwBwYDVQQKEwAxCTAHBgNVBAsTADE5MDcGA1UEAxMwc2FtbC1kZXYzLWNoZW55bS5kZXYudmVyaWZ5LmlibWNsb3Vkc2VjdXJpdHkuY29tMB4XDTIxMDMwODA1NTg0M1oXDTMxMDMwNjA1NTg0M1owcjEJMAcGA1UEBhMAMQkwBwYDVQQIEwAxCTAHBgNVBAcTADEJMAcGA1UEChMAMQkwBwYDVQQLEwAxOTA3BgNVBAMTMHNhbWwtZGV2My1jaGVueW0uZGV2LnZlcmlmeS5pYm1jbG91ZHNlY3VyaXR5LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIR0RqRWk9ii2hhfHQ1mSo83HowKdwlfsSjTEuctyfgvij/hHgTLjh6ZgqOxREycmtmdvABv2W7F+6Dzp+i/KvEMDgp5yNXzf0e5LY0x9pr8Vn0WKCROnq+w047CES2v5hsZ+6zJnHK5ZZA88NJmE2F0Q3/rRS6AUzrEhVknXryUm17HViTYT6tThXmAIBbbes3pNAP2XDKPNt0fQJuUTVMzUG82rtx2KR13Am0UwjmWcs85kBM9upUc4Y8jGFVp71ljsM59rHhQlrBkQIAmHGzm/KXdpa3th6GFP/k6g+qPfoaD4fsND7pNA0DBQP0r4S6Pc5+KqXTcRQznEoNBJ+cCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAWyDFxjm3dzLye2DbF09/S+97iLBYumsmrsl5cAHzdYqcUBURGhplyEseBog0NHdD3ygd2e0WAmIu1jhz+JuUleDgmaxbECnrO8KcGgM9g+/6cc9v/W3VkdOmweajQn/AuC9DxqGnoiKA5PzO9Fz+3ooTj3PkO1UbYXUwWk+zO4+w0Z0sMKuUpKVL/dOXT/phUp4vFWikc2C5KPG9FKNq4rUj2PHnhBKiXgjRgt3hDJKMcaEC12N4eUlmbwxIeNkda1m4yzhisPOwKFwy0aw/pECwUfdlZsxu523o0GX4MpaWS6DgpRpfysUuVODzPdGm7AZXXqoWhIgBLTMJ6AUEDQ==
- After successfully executing the command, type
Get-MsolDomainFederationSettings -DomainName ibm.icu
PS C:\Users\Scott> Get-MsolDomainFederationSettings -DomainName ibm.icu
ActiveLogOnUri : https://dune.verify.ibm.com/wst/SecurityTokenService13
DefaultInteractiveAuthenticationMethod :
FederationBrandName : IbmSecurityVerify
IssuerUri : https://dune.verify.ibm.com/wsf/sps/wsfedip/wsf
LogOffUri : https://dune.verify.ibm.com/idaas/mtfim/sps/idaas/logout
MetadataExchangeUri : https://dune.verify.ibm.com/wsf/sps/mex
NextSigningCertificate :
OpenIdConnectDiscoveryEndpoint :
PassiveLogOnUri : https://dune.verify.ibm.com/wsf/sps/wsfedip/wsf
SigningCertificate : MIIDYDCCAkigAwIBAgIEJDZp0DANBgkqhkiG9w0BAQsFADByMQkwBwYDVQQGEwAxCTAHBgNVBAgTAD
EJMAcGA1UEBxMAMQkwBwYDVQQKEwAxCTAHBgNVBAsTADE5MDcGA1UEAxMwc2FtbC1kZXYzLWNoZW55
bS5kZXYudmVyaWZ5LmlibWNsb3Vkc2VjdXJpdHkuY29tMB4XDTIxMDMwODA1NTg0M1oXDTMxMDMwNj
A1NTg0M1owcjEJMAcGA1UEBhMAMQkwBwYDVQQIEwAxCTAHBgNVBAcTADEJMAcGA1UEChMAMQkwBwYD
VQQLEwAxOTA3BgNVBAMTMHNhbWwtZGV2My1jaGVueW0uZGV2LnZlcmlmeS5pYm1jbG91ZHNlY3VyaX
R5LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIR0RqRWk9ii2hhfHQ1mSo83HowK
dwlfsSjTEuctyfgvij/hHgTLjh6ZgqOxREycmtmdvABv2W7F+6Dzp+i/KvEMDgp5yNXzf0e5LY0x9p
r8Vn0WKCROnq+w047CES2v5hsZ+6zJnHK5ZZA88NJmE2F0Q3/rRS6AUzrEhVknXryUm17HViTYT6tT
hXmAIBbbes3pNAP2XDKPNt0fQJuUTVMzUG82rtx2KR13Am0UwjmWcs85kBM9upUc4Y8jGFVp71ljsM
59rHhQlrBkQIAmHGzm/KXdpa3th6GFP/k6g+qPfoaD4fsND7pNA0DBQP0r4S6Pc5+KqXTcRQznEoNB
J+cCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAWyDFxjm3dzLye2DbF09/S+97iLBYumsmrsl5cAHzdY
qcUBURGhplyEseBog0NHdD3ygd2e0WAmIu1jhz+JuUleDgmaxbECnrO8KcGgM9g+/6cc9v/W3VkdOm
weajQn/AuC9DxqGnoiKA5PzO9Fz+3ooTj3PkO1UbYXUwWk+zO4+w0Z0sMKuUpKVL/dOXT/phUp4vFW
ikc2C5KPG9FKNq4rUj2PHnhBKiXgjRgt3hDJKMcaEC12N4eUlmbwxIeNkda1m4yzhisPOwKFwy0aw/
pECwUfdlZsxu523o0GX4MpaWS6DgpRpfysUuVODzPdGm7AZXXqoWhIgBLTMJ6AUEDQ==
SupportsMfa :
It shows the federated domain settings.
- Verify all fields are correct.
Provisioning user to Azure AD with Powershell commands
-
Provision the user in Azure AD. Decide which user attribute from the ISV user will be used as the
immutabeid
andupn
in the Azure AD. -
Execute the following command in the Powershell command console:
New-MsolUser -userprincipalname [email protected] -immutableID testuserimmutableid -lastname test -firstname user -Displayname "test user" -LicenseAssignment "isvsts:DEVELOPERPACK_E5" -usageLocation SG
This provisions a user with upn: [email protected]
and immutableID: testuserimmutableid
.
- Run following command to verify that the
immutableid
was created correctly.
Get-MsolUser -UserPrincipalName "[email protected]" | Select ImmutableID
Configuring Microsoft 365 application (WS-Federation)
From ISV tenant Administrative Console
- Create Microsoft 365 application.
- Select Applications > Applications.
- Click Add application.
- In the Select Application Type pop-up, add the Microsoft365 application.
- In the Sign-on tab, select WS-Federation as the Sign-on method. Use the default settings except for SAML subject Name identifier.
- Select an attribute source for UPN and ImmutableID. The UPN and ImmutableID value must match the UPN and ImmutableID in the Azure AD user registry.
- Save the application.
- In the Applications page, select the Microsoft365 application and click Settings.
Click on the 'Entitlements' tab, select an Access type and select the Approvers check-box accordingly.
Run the flow
- Join the Windows 10 computer to Azure AD.
- From Settings > Accounts > Access work or school.
- Click Connect.
![72b3a54-configure-azure-ad-join-AADJoinConnect.png 805](https://files.readme.io/72b3a54-configure-azure-ad-join-AADJoinConnect.png)
- Click Join this device to Azure Active Directory.
![b8a5912-configure-azure-ad-join-AADJoin.png 660](https://files.readme.io/b8a5912-configure-azure-ad-join-AADJoin.png)
- Specify the upn with the custom domain. For example,
[email protected]
. - Click Connect. It redirects to ISV to authenticate. After successful authentication, the following prompt is shown. Click Join to proceed.
![590878e-configure-azure-ad-join-SettingsMFA.png 922](https://files.readme.io/ba7be4d-configure-azure-ad-join-SettingsMFA.png)
![3807abf-configure-azure-ad-join-AADJoinFinish.png 820](https://files.readme.io/3807abf-configure-azure-ad-join-AADJoinFinish.png)
- From the Azure portal devices, verify that the device is Azure AD joined.
![c830d50-configure-azure-ad-join-AADJoinCheckDevice.png 1536](https://files.readme.io/c830d50-configure-azure-ad-join-AADJoinCheckDevice.png)
-
Login to the Azure AD joined computer with the ISV user account.7.
-
Switch to login with Work or School account
![cbb6e2d-configure-azure-ad-join-AADJoinSwitchUser.png 764](https://files.readme.io/cbb6e2d-configure-azure-ad-join-AADJoinSwitchUser.png)
- Specify the username and password of the ISV user to log in.
![799a0d6-configure-azure-ad-join-AADJoinLoginDomainUser.png 821](https://files.readme.io/799a0d6-configure-azure-ad-join-AADJoinLoginDomainUser.png)
OOBE (Azure AD join for fresh Windows installation)
User can also join Windows 10 to Azure AD during the Windows installation process. Follow the screen prompts.
![96df311-configure-azure-ad-join-oobe1.png 823](https://files.readme.io/de1a43d-configure-azure-ad-join-oobe1.png)
![3fc8a24-configure-azure-ad-join-oobe2.png 824](https://files.readme.io/e33eee8-configure-azure-ad-join-oobe2.png)
![0fcdd83-configure-azure-ad-join-oobe3.png 825](https://files.readme.io/f0790fd-configure-azure-ad-join-oobe3.png)
Updated 3 months ago