Introduction
This guide provides information on how to:
- Set up Beyond Identity as a passwordless authentication solution for your Hybrid Azure AD Environment.
- Set up Active Directory and Azure AD to use Beyond Identity as an Identity Provider.
- Set up Beyond Identity Admin Console and User Console applications in Azure AD.
- Set up SCIM based provisioning from Azure AD to Beyond Identity Cloud.
Prerequisites
Ensure that you have the following:
- An Active Directory Admin Account with “Enterprise Administrator” privileges to:
- Configure Groups and Alternative Domain Name
- An Azure AD Connect “Administrator” account to:
- Configure Azure AD Connect
- An Azure Active Directory Admin Account with “Global Administrator” privileges to:
- Configure “Beyond Identity Admin Console” and “Beyond Identity User Console” Applications
- Set up SCIM based provisioning from Azure AD to Beyond Identity Cloud
- Hybrid Identity Deployment with Active Directory, Azure AD Connect, and Azure AD.
- An alternative domain name to be used during the Beyond Identity test phase. The alternative domain name must be a top-level domain and not a subdomain (e.g., for contoso.com as a primary domain, use contoso.org as an alternative domain). You will need access to that domain’s DNS settings to verify the domain in Azure AD.
- A Windows machine with “Administrator” privileges and the PowerShell module (MSOnline) to:
- Set up the Domain for federated authentication.
- An Office365 “Administrator” account to:
- Set up Office365 mailbox accounts.
Beyond Identity Configuration
Information to provide to the Beyond Identity Field Team:
- Your Company Name
- Your Azure AD Instance ID
- Beyond Identity Admin Console Application credentials (SAML SSO): SSO URL, SSO Entity ID, SSO X.509 Signing Certificate
- Beyond Identity User Console Application credentials: SSO Client ID, SSO Client Secret
- (Optional) A logo for your corporation. Logo requirements: 300 x 150 pixels or less; file size of 10 KB or less; file types accepted: SVG, PNG, JPG, or GIF
Information you will receive from the Beyond Identity Field Team:
- Beyond Identity Admin Console SAML URLs [from Beyond Identity SE]: Identifier/Entity ID: https://admin.byndid.com/auth/saml/<Conn-ID>/sso/metadata.xml; Reply/ACS URL: https://admin.byndid.com/auth/saml/<Conn-ID>/sso
- SCIM / Event Hook API Bearer Token [from Beyond Identity SE]
- Beyond Identity Org ID [from Beyond Identity SE]
- SCIM API endpoints
Alternative Domain Configuration
Beyond Identity recommends that you use an alternative domain during the test phase.
First, choose a domain to use. If you already have a spare domain, use that. Otherwise, go to any domain registrar and purchase a new domain.
Follow the steps explained here to add this domain as a Custom Domain in the Azure Portal: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain
Active Directory Configuration
To configure Beyond Identity as the Federated IdP in Active Directory, follow the steps below. Once these steps are taken, you will be ready to enable Beyond Identity for test users.
Section 1-A: Set up Active Directory Groups (Optional, use if groups are synced from AD to AAD)
Beyond Identity service assignment is required for IT Admin and End Users. The following steps describe how to create BI_Admins, BI_Users and BI_Push_Groups groups and assign users to those groups, if groups are synced from AD to AAD.
- Log in to Active Directory or other domain servers as Enterprise Administrator.
- Start “Server Manager” Application and click on “Tools” menu in the top right corner.
- Select “Active Directory Users and Computers”.
- In the “Active Directory Users and Computers” window, right click on “Users” and select New -> Group.
- Create a new Admins group by selecting the following parameters.
- Group Name: BI_Admins
- Group Scope: Global
- Group Type: Security
- Click on “OK” to create this group.
- Double Click on “BI_Admins” group and click on “Members” tab.
- Click on Add.
- In the “Enter the Object names to select”, enter UPN for the Admin.
- Click OK.
- In the “Active Directory Users and Computers” window, right click on “Users” and select New -> Group.
- Create a new Users group by selecting the following parameters.
- Group Name: BI_Users
- Group Scope: Global
- Group Type: Security
- Click on “OK” to create this group.
- Double Click on “BI_Users” group and click on “Members” tab.
- Click on Add.
- In the “Enter the Object names to select”, enter UPN for the Users.
- Click OK.
- In the “Active Directory Users and Computers” window, right click on “Users” and select New -> Group.
- Create a new BI_Push_Groups group by selecting the following parameters.
- Group Name: BI_Push_Groups
- Group Scope: Global
- Group Type: Security
- Click on “OK” to create this group.
- Double Click on “BI_Push_Groups” group and click on “Members” tab.
- Click on Add.
- In the “Enter the Object names to select”, enter groups you would like to define policies for.
- Click OK.
*** Ensure that all users have FirstName, LastName, DisplayName and an email added ***
- Run the delta sync command (see Appendix B) to synchronize the newly created groups to AAD.
Section 1-B: Set up Azure Active Directory Groups (Optional, use if groups are managed in Azure AD)
Beyond Identity service assignment is required for IT Admin and End Users. The following steps describe how to create BI_Admins, BI_Users and BI_Push_Groups Group and assign users or groups to those groups, if groups are managed in Azure AD.
- Log in to the Azure Portal (portal.azure.com) as “Global Administrator”.
- Click on “Azure Active Directory” logo or search “Azure Active Directory” from the “Home” screen.
- Click on “Groups” from the left menu bar.
- Click on “New group” from the top menu bar with the following parameters:
- Group Type: Security
- Group Name: BI_Admins
- Group Description: Beyond Identity Admins
- Membership type: Assigned
- Click on “Create” button to create this group.
- Right Click on “BI_Admins” group and click on “Members”.
- Click on “Add Members” from the top menu.
- Search members to be added using UPN and click on their names to select that user.
- Click on “Select” to add selected users.
- From the “Azure Active Directory” home page, click on “Groups” in the left menu bar and click on “New group” from the top menu bar with the following parameters:
- Group Type: Security
- Group Name: BI_Users
- Group Description: Beyond Identity Users
- Membership type: Assigned
- Click on “Create” button to create this group.
- Right Click on “BI_Users” group and click on “Members”.
- Click on “Add Members” from the top menu.
- Search members to be added using UPN and click on their names to select the user.
- Click on “Select” to add selected users.
- From the “Azure Active Directory” home page, click on “Groups” in the left menu bar and click on “New group” from the top menu bar with the following parameters:
- Group Type: Security
- Group Name: BI_Push_Groups
- Group Description: Groups used for policy in Beyond Identity
- Membership type: Assigned
- Click on “Create” button to create this group.
- Right Click on “BI_Push_Groups” group and click on “Members”.
- Click on “Add Members” from the top menu.
- Search members to be added using group name and click on their names to select the group to be pushed to Beyond Identity.
- Click on “Select” to add selected groups.
*** Ensure that all users have FirstName, LastName, DisplayName and an email added ***
Section 2: Set up Alternative Domain Name for use during testing
The steps below provide an example domain configuration for the “contoso.com” configured with “contoso.org” as an alternative domain.
- Log in to Active Directory or other domain servers as “Enterprise Administrator”.
- Start “Server Manager” Application and click on “Tools” menu in the top right corner.
- Select “Active Directory Domains and Trusts”.
- In “Active Directory Domains and Trusts” window, right click on “Active Directory Domains and Trusts” and select “Properties”.
- Add alternative UPN Suffix (e.g., contoso.org) on “UPN Suffixes” tab.
- Click on “Apply” and “OK”.
- Run the delta sync command (see Appendix B) to synchronize the newly created alternative UPN suffix.
Section 3: Setup Beyond Identity Admin Console in Azure AD
- Log in to Azure Portal as “Global Administrator”.
- Click on “Azure Active Directory” logo or search “Azure Active Directory” from the “Home” screen.
- Click on “Enterprise Applications” from the left menu bar.
- Click on “New Application” from the top menu bar.
- Search for “Beyond Identity” from the top menu bar and select “Beyond Identity Admin Console” App from the App Gallery. Click on “Create” to instantiate this app.
- From the Home -> Tenant Name -> Enterprise Applications -> “Beyond Identity Admin Console” application page:
- Click on “Owners” from the left side menu and then click on “Add” from the top menu. Search for users using UPN and click them to select the users. Click on the “Select” button to make selected users as the Owner.
- Click on “Users and groups” from the left side menu and then click on “Add user/group” and then select “BI_Admins” group. Click on “Assign”.
- From the Home -> Tenant Name -> Enterprise Applications -> “Beyond Identity Admin Console” application page:
- Follow steps 1-4, in “Section 4: Setup Admin Portal Access Authentication using SSO” and record SAML Connection ID from Beyond Identity Admin Console and return to perform following steps.
- Click on “Single Sign-on” from the left side menu and then click on “SAML” as a single sign-on method.
- On the “Set up Single Sign-on with SAML” page click “Edit” on “Basic SAML Configuration” and make the following changes (using the values provided by the Beyond Identity SE).
- Identifier (Entity ID):* https://admin.byndid.com/auth/saml/<connection-id>/sso/metadata.xml
- Reply URL (ACS URL): https://admin.byndid.com/auth/saml/<connection-id>/sso
- Mark newly added “Entity ID” and “Reply URL” as default.
- Delete “Sample Entity ID”.
- Click on the “Save” button.
- Close the configuration dialog box by clicking X.
- On the “Set up Single Sign-on with SAML” page in the “SAML Signing Certificate” section, click on “Download” for “Certificate (Base64)”.
If the Certificate is not available for download, click on “Edit”, “New Certificate”, “Save”, then click on “Download” for “Certificate (Base64)”.
- Record the following URLs from the “Set up Single Sign-on with SAML” page in the “Set up Beyond Identity Admin Console” section. You will need these in the next section.
- Login URL
- Azure AD Identifier
Section 4: Setup Admin Portal Access Authentication using SSO
- Login to Beyond Identity Admin Console by visiting https://admin.byndid.com and click on “Log in with Beyond Identity”.
- Once logged into Admin Console click on Settings.
- On the Settings page, click on the Console Login tab.
- In the “Admin Console SSO Integrations” section, click on “Edit SSO” for the Custom SAML SSO section.
- Record the ID field and use it in the previous section as the Connection-ID.
- Configure the following parameters:
- Name: Admin Console SSO - Azure
- IDP Url: https://login.microsoftonline.com/<azure-tenant-id>/saml2 (Use the value recorded in the previous step)
- IDP Entity ID: https://sts.windows.net/<azure-tenant-id>/ (Use the value recorded in the previous step)
- Name ID Format: emailAddress
- Subject User Attribute: UserName
- Request Binding: http redirect
- X509 Signing Certificate: Upload certificate file downloaded in the previous step.
- After these values are provisioned, login to Beyond Identity Admin Console using SSO and confirm that the admin (user from the BI_Admins group) has access to the Beyond Identity Admin Console.
Section 5: Setup Beyond Identity User Console in Azure AD
- Log in to the Azure Portal as “Global Administrator”.
- Click on “Azure Active Directory” logo or search “Azure Active Directory” from the “Home” screen.
- Click on “Enterprise Applications” from the left menu bar.
- Click on “New Application” from the top menu bar.
- Click on “Create your own application” from the top menu bar.
- Enter the following parameters on the “Create your own application” page:
- Name: “Beyond Identity User Console”
- For “What are you looking to do with your application?”, select “Integrate any other application you don't find in the gallery (Non-gallery)”
- Click on “Create”.
- From the Home -> Tenant-Name -> Enterprise Applications -> Beyond Identity User Console -> Properties page upload the Beyond Identity logo. (Optional: This helps in Identifying BI Apps easily).
- From the Home -> Tenant-Name -> Enterprise Applications -> Beyond Identity User Console -> Owners page:
- Click on “Add” from the top menu. Search for users using UPN and click them to select the users. Click on “Select” button to make selected users as the Owner.
- From the Home -> Tenant-Name -> Enterprise Applications -> Beyond Identity User Console application page:
- Click on “Single Sign-on” from the left side menu and then select “Linked”. In the “Sign-On URL”, add:
https://user.byndid.com/auth-user/?org_id=<BI_Tenant_Name>
- From the Home -> Tenant-Name -> Enterprise Applications -> Beyond Identity User Console -> Provisioning page:
- Provisioning Mode: Select “Automatic”.
- On the “Admin Credentials” tab:
- Tenant URL: https://api.byndid.com/scim/v2
- Secret Token: <Beyond Identity SE will provide the Tenant API token>
- Click on “Test Connection”.
- After successful SCIM connection test, click on “Save”.
- On the “Mappings” tab:
- Ensure “Provisioning Azure Active Directory Groups” is enabled.
- Ensure “Provisioning Azure Active Directory Users” is enabled.
- On the “Settings” tab:
- Select “Send an email notification when a failure occurs” and provide a valid email address for IT admin.
- Scope: “Sync only assigned users and groups”
- Click on “Save”.
- Provisioning Status: On
- From the Home -> Tenant-Name -> Enterprise Applications -> Beyond Identity User Console -> Provisioning page:
- Click on “Update Credentials”
- Set “Provisioning Status”: On
- Click on “Save”.
- From the Home -> Tenant-Name -> Enterprise Applications -> Beyond Identity User Console -> Provisioning page:
- Click on “Edit Attribute Mappings”.
- Click on the “Provision Azure Active Directory Users” link.
- Ensure “Target Object Actions” has “Create”, “Update” and “Delete” enabled.
- Select “Show Advanced Options” and click on “Edit Attribute list for customappsso” to ensure the following settings:
- id: Primary key, Required Set
- active: Required
- displayName: Required
- emails (work): Required, Multi-Value
- username: Required
- name.givenName: Required
- name.familyName: Required
- externalId: Required
- Click on “Save”.
- On the “Attribute Mappings” list, keep only the following 7 attributes and delete the rest. Also, if any of the attributes below is missing, add it manually.
- username
- active
- displayName
- emails (work)
- name.givenName
- name.familyName
- externalId
- On the “Attribute Mappings” list, click on the entry for externalId (click on the left-hand portion of the entry) and update it as follows:
- Mapping Type: Expression
- Expression: Switch(IsPresent([immutableId]),[userPrincipalName], "True", [immutableId])
- Leave other fields as default and click on “OK”.
- On the “Provisioning” page, click on “Save”.
- From the Home -> Tenant-Name -> Enterprise Applications -> Beyond Identity User Console application page:
- Click on “Users and groups” from the left side menu and then click on “Add user/group” and then select “BI_Users” and “BI_Push_Groups” group. Click on “Assign”.
- In the top search bar, search for “App registrations”, then click on “All Applications”, then select “Beyond Identity User Console”.
- From the “Overview” page, note down “Application (client) ID”. This will be required in later steps.
- From the “Overview” page, note down “Directory (tenant) ID”. This will be required in later steps.
- From the “Authentication” page under Platform Configuration -> Add a platform, select “Web” and enter:
- Redirect URI: https://user.byndid.com/auth-user/callback
- Implicit grant and hybrid flows: Select “ID Tokens”
- Support Account Type: “Accounts in this organizational directory only (Single Tenant)”
- Under “Advanced Settings” for “Allow public client flows” select “No”.
- Click on “Save”.
- Navigate to the “Beyond Identity User Console” App page under “App Registrations” and click on “Certificates and Secrets”.
- Under the “Client Secrets” section click on “New client secret”.
- On the “Add a client secret” page, update the “Description” field with “Beyond Identity User Console” and set the “Expires” field to “24 Months”.
- Copy the Client Secret from the “Value” column. This will be required in later steps.
- No changes required to the “Token Configuration” page.
- Navigate to the “Beyond Identity User Console” App page under App Registrations and click on “API permissions”.
- Click on “Add a Permission”.
- Select “Microsoft Graph APIs”.
- Select “Delegated Permissions”.
- Select OpenID permissions and then select “email”, “offline_access”, “openid”, and “profile”.
- Click on “Add Permissions”.
- Click on “Grant admin Consent for <Tenant Name>” and then click on “Yes” to grant consent.
- No changes required to “Expose an API” page.
- No changes required to “App Roles” page.
Section 6: Setup Beyond Identity User Console:
- Once logged into Beyond Identity Admin Console, click on Account Settings.
- Click on “User Portal” tab and click on “Edit SSO” for OIDC SSO.
- Edit the SSO fields according to the following steps and as shown in the diagram:
- Name: <Name of the SSO>
- Client ID: <Use the value recorded in the previous step>
- Client Secret: <Use the value recorded in the previous step>
- Issuer: https://sts.windows.net/<Azure-AD-Tenant-ID>/ (Remember to add the trailing slash)
- Token Field: upn
- Token Field Lookup: user name
- After these values are provisioned, login and confirm that the user has access to Beyond Identity User Console. (If this step fails, use “provision on demand” steps to provision the user in Beyond Identity first)
Section 7: Setup Beyond Identity Console for User Authentication (WS-FED federation):
- Once logged into Beyond Identity Admin Console UI, click on the “Integrations” tab and then click on “WS-FED” tab.
- Click on “Add WS-FED Connection” and update the fields as follows:
- Name: Azure WS-FED
- SP Single Sign on URL: https://login.microsoftonline.com/login.srf
- SP Audience URI: https://login.microsoftonline.com/<Azure-AD-Tenant-ID>/
- Name ID Format: Unspecified
- Subject User Attribute: ExternalID
- Authentication Context Class: X509
- Attribute Claims: Name: ImmutableID, Name format: unspecified, Value: {{ExternalID}}, Name space: http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID
- Attribute Claims: Name: emailaddress, Name format: unspecified, Value: {{Email}}, Name space: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- Attribute Claims: Name: UPN, Name format: unspecified, Value: {{UserName}}, Name space: http://schemas.xmlsoap.org/claims
- Attribute Claims: Name: authnmethodsreferences, Name format: unspecified, Value (custom string): http://schemas.microsoft.com/claims/multipleauthn, Name space: http://schemas.microsoft.com/claims
- Click on “Save Changes”.
- Note down the following fields from the recently created WS-FED Connection. These will be required in the next step.
- IdP Id (Beyond Identity Connection ID)
- IdP Passive Logon URL: https://auth.byndid.com/wsfed/v1/<BI-Connection-ID>/sso
- IdP Issuer: https://auth.byndid.com/wsfed/v1/<BI-Connection-ID>
- IdP Metadata URL: https://auth.byndid.com/wsfed/v1/<BI-Connection-ID>/sso/metadata.xml
- Download IdP Signature Certificate.
Section 8: Configure Beyond Identity as the Identity Provider (WS-FED Federation)
Use the commands below to configure Beyond Identity as the Identity Provider. Alternatively, refer to the Appendix to run a batch script provided by the Beyond Identity field team.
- Log in to any Windows machine and start PowerShell as an administrator.
- Issue the following PowerShell commands.
- Connect-MsolService (Log in as Azure AD Global Administrator; you may be required to install the MSOnline PowerShell module first using the "Install-Module MSOnline" command)
- $domain = "contoso.org" (Replace with the customer’s alternative domain configured in Section 2)
- $BrandName = "Beyond Identity WS-FED"
- $Issuer = "https://auth.byndid.com/wsfed/v1/<BI-Connection-ID>"
- $LogOnUrl = "https://auth.byndid.com/wsfed/v1/<BI-Connection-ID>/sso"
- $mex = ""
- $LogOffUrl = "https://portal.azure.com" (or company website)
- $SigningCert = "[BI WSFED X.509 certificate in string format]"
(Please make sure the customer downloads the certificate from the BI Admin Console, or the SE shares the certificate by email. Do not send the BI certificate via Zoom/Slack chat.)
- $Protocol = "WSFED"
- Set-MsolDomainAuthentication -DomainName $domain -Authentication "managed"
- Set-MsolDomainAuthentication -DomainName $domain -Authentication federated -FederationBrandName $BrandName -IssuerUri $Issuer -PassiveLogOnUri $LogOnUrl -MetadataExchangeUri $mex -LogOffUri $LogOffUrl -PreferredAuthenticationProtocol $Protocol -SigningCertificate $SigningCert -SupportsMfa $True
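A check worth running right after the second Set-MsolDomainAuthentication command: the following PowerShell is an added example, not part of this guide or a Beyond Identity tool. It assumes the Connect-MsolService session is still open and that $domain, $Issuer, $LogOnUrl and $SigningCert are still set from the commands above; the function names are the example's own.

```powershell
# Added verification script (not part of the Beyond Identity guide).
# Assumes an open Connect-MsolService session as Global Administrator and that the
# Section 8 variables ($domain, $Issuer, $LogOnUrl, $SigningCert) are still defined.

function ConvertTo-X509Certificate {
    param([Parameter(Mandatory)] [string] $Base64)
    # Accept either raw base64 or PEM text with BEGIN/END lines and line breaks
    $clean = ($Base64 -replace '-----(BEGIN|END) CERTIFICATE-----', '') -replace '\s', ''
    $bytes = [Convert]::FromBase64String($clean)
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
}

function Test-BeyondIdentityFederation {
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [Parameter(Mandatory)] [string] $ExpectedIssuer,
        [Parameter(Mandatory)] [string] $ExpectedPassiveLogOnUri,
        [Parameter(Mandatory)] [string] $ExpectedSigningCert,
        [int] $MinDaysUntilCertExpiry = 30
    )
    $problems = @()

    # 1. The domain itself must now be federated, not managed
    $domainInfo = Get-MsolDomain -DomainName $DomainName
    if ("$($domainInfo.Authentication)" -ne 'Federated') {
        $problems += "Domain $DomainName is '$($domainInfo.Authentication)', expected 'Federated'"
    }

    # 2. Issuer and passive logon URI must match exactly (case-sensitive: the
    #    connection ID is part of the path)
    $fed = Get-MsolDomainFederationSettings -DomainName $DomainName
    if ($fed.IssuerUri -cne $ExpectedIssuer) {
        $problems += "IssuerUri is '$($fed.IssuerUri)', expected '$ExpectedIssuer'"
    }
    if ($fed.PassiveLogOnUri -cne $ExpectedPassiveLogOnUri) {
        $problems += "PassiveLogOnUri is '$($fed.PassiveLogOnUri)', expected '$ExpectedPassiveLogOnUri'"
    }
    if ("$($fed.PreferredAuthenticationProtocol)" -ne 'WsFed') {
        $problems += "PreferredAuthenticationProtocol is '$($fed.PreferredAuthenticationProtocol)', expected 'WsFed'"
    }
    if (-not $fed.SupportsMfa) {
        $problems += "SupportsMfa is False, expected True (Section 8 sets -SupportsMfa `$True)"
    }

    # 3. The signing certificate Azure AD stored must be the IdP certificate that was
    #    downloaded from the BI Admin Console, and it must not be close to expiry
    $expectedCert = ConvertTo-X509Certificate $ExpectedSigningCert
    if ([string]::IsNullOrWhiteSpace($fed.SigningCertificate)) {
        $problems += 'No SigningCertificate recorded on the domain'
    } else {
        $actualCert = ConvertTo-X509Certificate $fed.SigningCertificate
        if ($actualCert.Thumbprint -ne $expectedCert.Thumbprint) {
            $problems += "SigningCertificate thumbprint $($actualCert.Thumbprint) does not match the downloaded IdP certificate ($($expectedCert.Thumbprint))"
        }
        $daysLeft = [int]($actualCert.NotAfter - (Get-Date)).TotalDays
        if ($daysLeft -lt $MinDaysUntilCertExpiry) {
            $problems += "SigningCertificate expires in $daysLeft days (NotAfter $($actualCert.NotAfter)); plan a certificate rotation"
        }
    }
    return $problems   # empty means every setting matched
}

$issues = @(Test-BeyondIdentityFederation -DomainName $domain -ExpectedIssuer $Issuer `
            -ExpectedPassiveLogOnUri $LogOnUrl -ExpectedSigningCert $SigningCert)
if ($issues.Count -eq 0) {
    Write-Host "Federation settings for $domain match the Section 8 values"
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```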
Setting up test users
User Enrollment
- To enroll a user in the Beyond Identity experience, assign the user to the “BI_Users” Group in Active Directory.
- Right Click on “BI_Users” group and click on “Members” tab.
- Click on Add.
- In the “Enter the Object names to select”, enter UPN for the user.
- Click OK.
- Enrolled users will receive an email from Beyond Identity welcoming them to the new Identity Provider. See image below for reference:
- Each enrolled user will be asked to follow the two steps below:
- Step 1: Download the Beyond Identity Authenticator to their device.
- When the user clicks “View Download Options”, the Beyond Identity Authenticator downloads page will open in a browser with all supported platforms displayed. The user should download and install the Beyond Identity Authenticator on their device if they have not already.
- Now that the user has the Authenticator installed on their device, they should proceed to Step 2 as there is not yet a user credential associated with the Authenticator on that device.
- Step 2: Register their Credential in the Beyond Identity IdP.
- By clicking on Step 2 “Register New Credential”, the user’s credential will get enrolled in the Beyond Identity service on the back end. On the front end, users who click Step 2 will be taken to the Beyond Identity Authenticator where they will see the progress of their credential registration. Once completed, the user will see a credential in the Authenticator.
- See example image below:
User Authentication (Signing in)
- Each enrolled user can visit their myapps.microsoft.com (or myapps.company.com or portal.azure.com) site or any application supported by Azure AD SSO to sign into their corporate applications.
- The Microsoft applications or SSO-supported application will ask the user to enter their username. (Remember to use Alternate Username during PoC for the passwordless experience)
- Once the username is submitted, a prompt to use or open the Beyond Identity app for authentication will display for the user.
- The user should click affirmatively on the prompt to be signed into their application, without the use of a password. The Beyond Identity app along with a success notification will display.
- Note: For iOS devices, some application sign-in processes will ask the user to exit out of the Beyond Identity Authenticator to return to their app after successful authentication.
User Deprovisioning
- To deprovision a user from the Beyond Identity experience, remove user from the “BI_Users” Group in Active Directory.
- Right Click on “BI_Users” group and click on “Members” tab.
- Select User and click on Remove.
- In the confirmation dialog click “Yes”.
- Click OK.
Appendices
Appendix A: PowerShell Command example to set up Domain for Federated Mode or Managed Mode (WS-FED Specific)
PowerShell Commands to setup Azure AD as SSO and Beyond Identity as IdP
- Connect to Azure AD as Global Administrator
Connect-MsolService
- Set the domain name you want to set up for authentication
$domain = "contoso.org"
- Identity IdP Name
$BrandName = "Beyond Identity WS-FED"
- Logon URL (mandatory)
$LogOnUrl = "https://auth.byndid.com/wsfed/v1/<connection-identifier>/sso"
- Logoff URL (mandatory)
$LogOffUrl = "https://portal.azure.com" (or company website)
- The Beyond Identity WSFED IdP X509 Certificate
$SigningCert = "[BI WSFED X509 certificate in string format]"
- Beyond Identity issuer URI
$issueruri = "https://auth.byndid.com/wsfed/v1/<connection-identifier>"
- Beyond Identity Metadata URI
$mex = ""
- Authentication Protocol
$Protocol = "WSFED"
- Set up the domain for “Federated” Authentication (first set it to “managed”)
Set-MsolDomainAuthentication -DomainName $domain -Authentication "managed"
Set-MsolDomainAuthentication -DomainName $domain -FederationBrandName $BrandName -Authentication federated -IssuerUri $issueruri -PassiveLogOnUri $LogOnUrl -MetadataExchangeUri $mex -SigningCertificate $SigningCert -LogOffUri $LogOffUrl -PreferredAuthenticationProtocol $Protocol -SupportsMfa $True
- To get the domain federation settings
Get-MsolDomainFederationSettings -DomainName $domain | fl *
- To revert the domain back to Managed Mode
Set-MsolDomainAuthentication -DomainName $domain -Authentication "managed"
Appendix B: PowerShell Command to help debug
- Install MSOnline Powershell Module
Install-Module MSOnline
- Check device is Hybrid joined
dsregcmd /status
- To support Azure AD Created Users, use the following PowerShell Commands:
- Connect-MsolService
- $upn = "user@contoso.com"
- $user = Get-MsolUser -UserPrincipalName $upn
- $uuid = [System.Convert]::ToBase64String(([GUID]$user.ObjectId.Guid).ToByteArray())
- Set-MsolUser -UserPrincipalName $upn -ImmutableID $uuid
- To support Azure AD Created Users in bulk, use the following PowerShell Command:
This command will be updated soon.
- Check whether the domain is in Managed or Federated mode
Get-AzureADDomain
(You need to issue the Connect-AzureAD command first to log in to Azure AD as a Global Administrator before issuing this command)
- Perform delta sync from AD Connect
- Run PowerShell as an Administrator
- If ADSync PowerShell Module is not available install this module by using command “Install-Module ADSync”
Start-ADSyncSyncCycle -PolicyType Delta
- Command to convert a base64 ImmutableID to its GUID
$immutableId = "ZY721Mo4Q0+vLVO9I/1MsQ=="
Write-Host "Convert $immutableId to guid:" ([GUID][System.Convert]::FromBase64String($immutableId)).Guid
- Command to convert an object ID GUID to its base64 ImmutableID
$objectid = "e35a9b14-12fc-4f9d-9002-05e53ea2bda5"
[Convert]::ToBase64String([guid]::New($objectid).ToByteArray())
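The two conversions above are the two halves of one round trip. The following PowerShell is an added example (not from this guide) that wraps them in functions and adds a per-user diagnostic, so a cloud-only user whose ImmutableID is missing or does not correspond to its object ID can be spotted before federation is tested. It assumes an open Connect-MsolService session; the function names are the example's own, and the sample GUID is the one used on this page.

```powershell
# Added example (not part of the Beyond Identity guide): ImmutableID <-> GUID helpers
# plus a diagnostic for a single user. Assumes an open Connect-MsolService session.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)] [guid] $ObjectId)
    # ImmutableID is the base64 encoding of the GUID's 16 raw bytes
    [Convert]::ToBase64String($ObjectId.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)] [string] $ImmutableId)
    $bytes = [Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) {
        throw "ImmutableID '$ImmutableId' does not decode to 16 bytes; it is not a GUID-based anchor"
    }
    [guid]::new($bytes)
}

function Test-CloudUserImmutableId {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $expected = ConvertTo-ImmutableId -ObjectId $user.ObjectId

    if ($user.LastDirSyncTime) {
        # A synced user's ImmutableID is the on-prem objectGUID (the sync anchor), not the
        # cloud object ID, so a difference is normal here and the value must not be changed.
        $status = 'SyncedFromAD'
    } elseif ([string]::IsNullOrEmpty($user.ImmutableId)) {
        $status = 'Missing'      # cloud-only user that still needs the Set-MsolUser step above
    } elseif ($user.ImmutableId -ceq $expected) {   # base64 is case-sensitive
        $status = 'Matches'
    } else {
        $status = 'Mismatch'     # set to something other than its own object ID
    }

    [pscustomobject]@{
        UserPrincipalName   = $user.UserPrincipalName
        ObjectId            = $user.ObjectId
        CurrentImmutableId  = $user.ImmutableId
        ExpectedImmutableId = $expected
        Status              = $status
    }
}

# Self-check of the conversion using the sample GUID from this page
$sample = [guid]'e35a9b14-12fc-4f9d-9002-05e53ea2bda5'
$roundTrip = ConvertFrom-ImmutableId (ConvertTo-ImmutableId -ObjectId $sample)
if ($roundTrip -ne $sample) { throw 'Round-trip conversion failed' }

# Example usage against a real account (hypothetical UPN):
# Test-CloudUserImmutableId -UserPrincipalName 'user@contoso.com' | Format-List
```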
Appendix C: PowerShell Script to automate Commands
- Log in to any Windows machine and start PowerShell as an administrator.
- Install MSOnline Powershell
Install-Module MSOnline
- Set execution policy to allow the script to be run
Set-ExecutionPolicy Unrestricted
- Run the below Powershell script in interactive mode
Setup_Beyond_Identity_Auth.ps1
To run in interactive mode:
Right-click on the file name.
Click on Edit.
This will open Powershell ISE.
Review all the parameters.
Click the Green button to run the script.
Login as Azure AD Global Administrator when prompted.
Review the output of the final command to ensure that certificate was uploaded successfully.
Check the Azure Portal and make sure that the domain shows as Federated.
Appendix D: Azure B2B Integration
To enable B2B Integration in Azure AD with Beyond Identity, use following steps.
- Configure Beyond Identity to receive inbound SAML request from Partner’s Azure AD.
- Set up Beyond Identity as the external identity Provider in Partner’s Azure AD tenant.
- Invite External Users to Collaborate.
- Access partner Apps.
Beyond Identity SAML Connection Configuration for B2B Connections:
- Once logged into Beyond Identity Admin Console UI, click on the “Integrations” tab and then click on “SAML Connections”.
- Click on “Add SAML Connection” and update the fields as follows:
- Name: Beyond Identity IdP
- SP Single Sign-On URL: https://login.microsoftonline.com/login.srf
- SP Audience URI: urn:federation:MicrosoftOnline
- Name ID Format: Persistent
- Subject User Attribute: ExternalID
- Request Binding: http-redirect
- Signed Response: Signed
- X509 (Request) Signing Certificate: Not required
- Optional Attributes: Name: IDPEmail, Nameformat: uri, Value: {{UserName}}
- Optional Attributes:
Name: http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod
Nameformat: unspecified
Value (custom string): http://schemas.microsoft.com/claims/multipleauthn
- Click on Save Changes.
- Note down the following fields from the recently created SAML Connection. These will be required in the next step.
- IdP Id (Beyond Identity Connection ID)
- IdP Single Sign-On URL: https://auth.byndid.com/saml/v0/<BI-Connection-ID>/sso
- IdP Issuer: https://auth.byndid.com/saml/v0/<BI-Connection-ID>/sso/metadata.xml
- Download IdP Signature Certificate
- Download Metadata file.
External Identity Provider Configuration:
- Log in to Azure Portal as “Global Administrator”.
- Click on “Azure Active Directory” logo or search “Azure Active Directory” from the “Home” screen.
- Click on “External Identities” from the left menu bar.
- Click on “All Identity Providers” from the left menu bar.
- Click on “New SAML/WS-Fed IdP” from the top menu bar.
- Select the following parameters for the new external IdP:
- Identity Provider Protocol: SAML
- Domain name of federating IdP: <fabrikam.com> (Enter your partner’s domain name.)
- Select a method for populating metadata: Parse Metadata file (Pull down menu)
- Upload metadata file and click on Parse.
- Click on “Save”.
Create and Invite External Users to Collaborate:
- Log in to Azure Portal as “Global Administrator”.
- Click on “Azure Active Directory” logo or search “Azure Active Directory” from the “Home” screen.
- Click on “Users” from the left side menu.
- Click on “New guest user” from the top menu.
- Update the following fields before sending the invite:
- Name: <John Doe>
- Email address: john.doe@fabrikam.com
- First Name: <John>
- Last name: <Doe>
- Personal Message: “Message to invite them to collaborate”.
- Groups: Add the user to appropriate groups.
- Usage Location: <United States>
- Click on “Invite”.
- After accepting the invite, the user should be able to access applications by going to one of the following URLs:
- https://myapps.microsoft.com/?tenantid=<Azure-AD-Tenant-ID>
- https://myapps.microsoft.com/<your verified domain>.onmicrosoft.com
- https://portal.azure.com/<Azure-AD-Tenant-ID>
Appendix E: Azure Staged Rollout
To enable Beyond Identity passwordless login to only a subset of users without using an “alternative domain”, use the following steps.
Caveats
1. This configuration is only applicable to Hybrid Azure AD deployments.
2. If you have a Hybrid Azure AD environment, but some users are Azure AD only, then
- Those users will have to use Beyond Identity federation.
- New Azure AD users will have to be created using a special PowerShell script.
- If those users domain join, they should be set up with WDL or WHfB.
- Domain join has its own unique pre-requisites/nuances (TAP, Intune, etc.)
3. It is recommended that this configuration be used only during the final production deployment and not during the POC stage.
4. It is recommended that this configuration be carried out during a maintenance window and the users be notified that they may encounter authentication errors during that period.
5. Please refer to this URL for additional information on supported and unsupported scenarios: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-staged-rollout
Pre-requisites
Customer has already moved to one of the following authentication options:
- Password hash synchronization (sync)
- Pass-through authentication
- Azure AD Certificate-based authentication (CBA) settings
Create a New Group
We need to create a new group that will include users that need to be excluded from Beyond Identity. In the beginning, this group should contain ALL the users from this Azure tenant. Then gradually, users can be removed from this group, so they can be authenticated using Beyond Identity. The following steps describe how to create a “Password_Authenticated_Users” Group and assign users to that group.
- Log in to the Azure Portal (portal.azure.com) as “Global Administrator”.
- Click on “Azure Active Directory” logo or search “Azure Active Directory” from the “Home” screen.
- Click on “Groups” from the left menu bar.
- Click on “New group” from the top menu bar with the following parameters:
- Group Type: Security
- Group Name: Password_Authenticated_Users
- Group Description: Password Authenticated Users
- Membership type: Assigned
- Click on the “Create” button to create this group.
- Right Click on the “Password_Authenticated_Users” group and click on “Members”.
- Click on “Add Members” from the top menu.
- Select ALL users one by one.
- Click on “Select” to add selected users.
Notes:
For tenants with many users, use a script instead to export all users and add them to this group.
If you have more than 200 users, the next step (Enable Staged Rollout) will error. As a workaround, don’t add any members to this group (leave it with 0 members), complete the next step first and then run the script to add all users to this group.
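For the script mentioned in the notes above, the following PowerShell is an added example, not a Beyond Identity script. It assumes an open Connect-MsolService session as Global Administrator and that the Password_Authenticated_Users group already exists (left empty if you are following the 200-user workaround); the function name is the example's own.

```powershell
# Added example (not part of the Beyond Identity guide): add every user in the tenant
# to the Password_Authenticated_Users group, skipping existing members so reruns are
# safe. Assumes an open Connect-MsolService session as Global Administrator.

function Add-AllUsersToPasswordGroup {
    param(
        [string] $GroupName = 'Password_Authenticated_Users',
        [switch] $DryRun     # report what would change without calling Add-MsolGroupMember
    )

    # -SearchString is a prefix match, so pin the exact display name and refuse ambiguity
    $groups = @(Get-MsolGroup -SearchString $GroupName | Where-Object { $_.DisplayName -eq $GroupName })
    if ($groups.Count -eq 0) { throw "Group '$GroupName' not found; create it first" }
    if ($groups.Count -gt 1) { throw "More than one group named '$GroupName'; refusing to guess" }
    $group = $groups[0]

    # Current members keyed by ObjectId so the script is idempotent
    $existing = @{}
    foreach ($m in @(Get-MsolGroupMember -GroupObjectId $group.ObjectId -All)) {
        $existing[$m.ObjectId.ToString()] = $true
    }

    $added = 0; $skipped = 0; $failed = 0
    foreach ($user in @(Get-MsolUser -All)) {
        if ($existing.ContainsKey($user.ObjectId.ToString())) { $skipped++; continue }
        if ($DryRun) { Write-Host "Would add $($user.UserPrincipalName)"; $added++; continue }
        try {
            Add-MsolGroupMember -GroupObjectId $group.ObjectId -GroupMemberType User `
                                -GroupMemberObjectId $user.ObjectId -ErrorAction Stop
            $added++
        } catch {
            $failed++
            Write-Warning "Could not add $($user.UserPrincipalName): $($_.Exception.Message)"
        }
    }

    # Anyone counted in neither Added nor AlreadyMember is outside the group and therefore
    # eligible for Beyond Identity once the domain is federated
    [pscustomobject]@{ Group = $GroupName; Added = $added; AlreadyMember = $skipped; Failed = $failed }
}

# Preview first; drop -DryRun to apply
Add-AllUsersToPasswordGroup -DryRun
```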
Enable Staged Rollout
- Log in to Azure Portal as “Global Administrator”.
- Click on “Azure Active Directory” logo or search “Azure Active Directory” from the “Home” screen.
- Click on “Azure AD Connect” from the left menu bar.
- Click on “Enable staged rollout for managed user sign-in”.
- Turn on “Password Hash Sync” and click on “Manage groups”.
- Click on “Add Groups”
- Select “Password_Authenticated_Users”
- Click “Select”
Federate the Primary Domain
Configure Beyond Identity as the federated identity provider (federate the primary domain) by referring to the steps in the main section of this guide.
Test Federation to Beyond Identity
Remove a few users from the “Password_Authenticated_Users” group. These users will get federated to Beyond Identity and will login with Beyond Identity without passwords.
Remaining users will continue to login using passwords.
Notes
Post deployment, remember to add every new user to the “Password_Authenticated_Users” group, unless you specifically want to start them with passwordless authentication.
The user NOT in the group becomes eligible for BI Rollout!
When you move the user in and out of this group, it may take some time before the new authentication mechanism becomes effective. This is due to Azure caching issues.