Introduction
This guide provides information on how to:
- Set up Beyond Identity as a passwordless authentication solution for your Azure AD Only Environment.
- Set up Azure AD to use Beyond Identity as an Identity Provider.
- Set up Beyond Identity Admin Console and User Console applications in Azure AD.
- Set up SCIM based provisioning from Azure AD to Beyond Identity Cloud.
Prerequisites
Ensure that you have the following:
- An Admin Account with “Global Administrator” privileges to:
- Configure “Beyond Identity Admin Console” and “Beyond Identity User Console” Applications
- Set up SCIM based provisioning from Azure AD to Beyond Identity Cloud
- An alternative domain name to be used during the Beyond Identity test phase. The alternative domain name must be a top-level domain and not a subdomain (e.g., for contoso.com as a primary domain, use contoso.org as an alternative domain). You will need access to your alternative domain’s DNS settings to verify the domain in Azure AD.
- A Windows machine with “Administrator” privileges and the PowerShell modules (MSOnline and AzureAD) to:
- Set up the domain for federated authentication.
- Set up the immutableId for Azure AD users created before the primary domain is federated.
- Create users in Azure AD after the primary domain is federated. (Note: after the primary domain is federated, users in that domain can only be created via PowerShell.)
- An Office365 “Administrator” account to:
- Set up Office365 mailbox accounts.
Share the following prerequisite only if the devices will also be domain joined to Azure AD.
- An Intune license is required after the primary domain is federated if you do “Azure AD only domain join”. An Intune Web Sign-in profile enables modern authentication for the desktop, which is required to domain join until BI WDL is configured.
Beyond Identity Configuration
Information to provide to the Beyond Identity Field Team:
- Your Company Name
- Your Azure AD Instance ID (tenant id)
- Beyond Identity Admin Console Application credentials (SAML SSO):
  - SSO URL
  - SSO Entity ID
  - SSO X.509 Signing Certificate
- Beyond Identity User Console Application credentials:
  - SSO Client Id
  - SSO Client Secret
- (Optional) A logo for your corporation. Logo requirements: 300 x 150 pixels or less, file size of 10 KB or less, file types accepted: SVG, PNG, JPG, or GIF.
Information you will receive from the Beyond Identity Field Team:
- Beyond Identity Admin Console SAML URLs [From Beyond Identity SE]:
  - Identifier/Entity ID: https://admin.byndid.com/auth/saml/<Conn-ID>/sso/metadata.xml
  - Reply / ACS URL: https://admin.byndid.com/auth/saml/<Conn-ID>/sso
- SCIM / Event Hook API Bearer Token [From Beyond Identity SE]
- Beyond Identity Org ID [From Beyond Identity SE]
- SCIM API endpoints
Alternative Domain Configuration
Beyond Identity recommends that you use an alternative domain during the test phase.
First choose a domain to be used. If you already have a spare domain, use that. Otherwise, go to any Domain Registrar and purchase a new domain.
Follow the steps explained here to add this domain as a Custom Domain in the Azure Portal.
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain
Azure Active Directory Configuration
To configure Beyond Identity as the Federated IdP in Azure Active Directory, follow the steps below. Once these steps are taken, you will be ready to enable Beyond Identity for test users.
Section 1: Set up Azure Active Directory Users
Create users in the Azure Portal using the following steps. (Note: after the primary domain is federated, users in that domain can only be created via PowerShell (refer to Appendix B5) or via the Office365 Admin Center.)
- Log in to the Azure Portal (portal.azure.com) as “Global Administrator”.
- Click on “Azure Active Directory” logo or search “Azure Active Directory” from the “Home” screen.
- Click on “Users” from the left menu bar.
- Click on “New user”.
- Click on “Create user”.
- Create a new user by entering the following details:
- User name (remember to select the primary domain name from the drop down)
- Name
- First Name
- Last Name
- Password (Auto-generate or create one)
- Click Create
- After the user is created, click the user again, and then click on Edit.
- Enter Email
- Now use the following PowerShell commands:
- Install-Module MSOnline (installs the MSOnline PowerShell module, if it is not already installed)
- Connect-MsolService
- $upn = "user@contoso.com"
- $user = Get-MsolUser -UserPrincipalName $upn
- $uuid = [System.Convert]::ToBase64String(([guid]$user.ObjectId.Guid).ToByteArray())
- Set-MsolUser -UserPrincipalName $upn -ImmutableId $uuid
Section 2: Set up Azure Active Directory Groups (Optional: a customer on a free Azure account may not be able to create groups in AAD. In that case, assign users to the enterprise applications individually rather than by group.)
Beyond Identity service assignment is required for IT admins and end users. The following steps describe how to create the BI_Admins, BI_Users and BI_Push_Groups groups and assign users to them.
- Log in to the Azure Portal (portal.azure.com) as “Global Administrator”.
- Click on “Azure Active Directory” logo or search “Azure Active Directory” from the “Home” screen.
- Click on “Groups” from the left menu bar.
- Click on “New group” from the top menu bar with the following parameters:
- Group Type: Security
- Group Name: BI_Admins
- Group Description: Beyond Identity Admins
- Membership type: Assigned
- Click on “Create” button to create this group.
- Right-click on the “BI_Admins” group and click on “Members”.
- Click on “Add Members” from the top menu.
- Search members to be added using UPN and click on their names to select that user.
- Click on “Select” to add selected users.
- From the “Azure Active Directory” home page, click on “Groups” in the left menu bar and click on “New group” from the top menu bar with the following parameters:
- Group Type: Security
- Group Name: BI_Users
- Group Description: Beyond Identity Users
- Membership type: Assigned
- Click on the “Create” button to create this group.
- Right-click on the “BI_Users” group and click on “Members”.
- Click on “Add Members” from the top menu.
- Search members to be added using UPN and click on their names to select the user.
- Click on “Select” to add selected users.
- From the “Azure Active Directory” home page, click on “Groups” in the left menu bar and click on “New group” from the top menu bar with the following parameters:
- Group Type: Security
- Group Name: BI_Push_Groups
- Group Description: Groups used for policy in Beyond Identity
- Membership type: Assigned
- Click on the “Create” button to create this group.
- Right-click on the “BI_Push_Groups” group and click on “Members”.
- Click on “Add Members” from the top menu.
- Search members to be added using group name and click on their names to select the group to be pushed to Beyond Identity.
- Click on “Select” to add selected groups.
Section 3: Set up Beyond Identity Admin Console in Azure AD
- Log in to Azure Portal as “Global Administrator”.
- Click on “Azure Active Directory” logo or search “Azure Active Directory” from the “Home” screen.
- Click on “Enterprise Applications” from the left menu bar.
- Click on “New Application” from the top menu bar.
- Search for “Beyond Identity” from the top menu bar and select “Beyond Identity Admin Console” App from the App Gallery. Click on “Create” to instantiate this app.
- From the Home -> Tenant Name -> Enterprise Applications -> “Beyond Identity Admin Console” application page:
- Click on “Owners” from the left side menu and then click on “Add” from the top menu. Search for users using UPN and click them to select the users. Click on “Select” button to make selected users as the Owner.
- Click on “Users and groups” from the left side menu and then click on “Add user/group” and then select “BI_Admins” group. Click on “Assign”. If the AAD license does not allow group creation then assign users to this application individually.
- From the Home -> Tenant Name -> Enterprise Applications -> “Beyond Identity Admin Console” application page:
- Follow the first four steps in “Section 4: Set up Admin Portal Access Authentication using SSO” to record the SAML Connection ID from the Beyond Identity Admin Console, then return here to perform the following steps.
- Click on “Single Sign-on” from the left side menu and then click on “SAML” as a single sign-on method.
- On the “Set up Single Sign-on with SAML” page click “Edit” on “Basic SAML Configuration” and make the following changes (using the values provided by the Beyond Identity SE).
- Identifier (Entity ID): https://admin.byndid.com/auth/saml/<connection-id>/sso/metadata.xml
- Reply URL (ACS URL): https://admin.byndid.com/auth/saml/<connection-id>/sso
- Mark newly added “Entity ID” and “Reply URL” as default.
- Delete “Sample Entity ID”.
- Click on the “Save” button.
- Close the configuration dialog box by clicking X.
- On the “Set up Single Sign-on with SAML” page in the “SAML Signing Certificate” section, click on “Download” for “Certificate (Base64)”.
If the Certificate is not available for download, click on “Edit”, “New Certificate”, “Save”, then click on “Download” for “Certificate (Base64)”.
- Record the following URLs from the “Set up Single Sign-on with SAML” page in the “Set up Beyond Identity Admin Console” section. You will need them in the next section.
- Login URL
- Azure AD Identifier
Section 4: Set up Admin Portal Access Authentication using SSO
- Login to Beyond Identity Admin Console by visiting https://admin.byndid.com and click on “Log in with Beyond Identity”.
- Once logged into Admin Console click on Settings.
- On the Settings page, click on the Console Login tab.
- In the “Admin Console SSO Integrations” section, click on “Edit SSO” for the Custom SAML SSO section.
- Record the ID field and use it in the previous section as Connection-ID.
- Configure the following parameters:
- Name: Admin Console SSO - Azure
- IDP Url: https://login.microsoftonline.com/<azure-tenant-id>/saml2 (Use the value recorded in the previous step)
- IDP Entity ID: https://sts.windows.net/<azure-tenant-id>/ (Use the value recorded in the previous step)
- Name ID Format: emailAddress
- Subject User Attribute: UserName
- Request Binding: http redirect
- X509 Signing Certificate: Upload certificate file downloaded in the previous step.
- After these values are provisioned, login to Beyond Identity Admin Console using SSO and confirm that the admin (user from the BI_Admins group) has access to the Beyond Identity Admin Console.
Section 5: Set up Beyond Identity User Console in Azure AD
- Log in to the Azure Portal as “Global Administrator”.
- Click on “Azure Active Directory” logo or search “Azure Active Directory” from the “Home” screen.
- Click on “Enterprise Applications” from the left menu bar.
- Click on “New Application” from the top menu bar.
- Click on “Create your own application” from the top menu bar.
- Enter the following parameters on the “Create your own application” page:
- Name: “Beyond Identity User Console”
- For “What are you looking to do with your application?”, select “Integrate any other application you don't find in the gallery (Non-gallery)”
- Click on “Create”.
- From the Home -> Tenant-Name -> Enterprise Applications -> Beyond Identity User Console -> Properties page, upload the Beyond Identity logo. (Optional: this helps in identifying BI apps easily.)
- Navigate to the “Beyond Identity User Console” App page under App Registrations and click on the “Owners” page.
- Click on “Add Owners” and Add “Application/Global Admin” as the owner of this application.
- From the Home -> Tenant-Name -> Enterprise Applications -> Beyond Identity User Console application page:
- Click on “Single Sign-on” from the left side menu and then select “Linked”. In the “Sign-On URL”, add:
https://user.byndid.com/auth-user/?org_id=<BI_Tenant_Name>
- From the Home -> Tenant-Name -> Enterprise Applications -> Beyond Identity User Console -> Provisioning page:
- Provisioning Mode: Select “Automatic”.
- On the “Admin Credentials” tab:
- Tenant URL: https://api.byndid.com/scim/v2/
- Secret Token: <Beyond Identity SE will provide the Tenant API token>
- Click on “Test Connection”.
- After successful SCIM connection test, click on “Save”.
- On the “Mappings” tab:
- Ensure “Provisioning Azure Active Directory Groups” is enabled.
- Ensure “Provisioning Azure Active Directory Users” is enabled.
- On the “Settings” tab:
- Select “Send an email notification when a failure occurs” and provide a valid email address for IT admin.
- Scope: “Sync only assigned users and groups”
- Click on “Save”.
- Provisioning Status: On
- From the Home -> Tenant Name -> Enterprise Applications -> Beyond Identity User Console -> Provisioning page:
- Click on “Update Credentials”
- Set “Provisioning Status”: On
- Click on “Save”.
- From the Home -> Tenant-Name -> Enterprise Applications -> Beyond Identity User Console -> Provisioning page:
- Click on “Edit Attribute Mappings”.
- Click on “Provision Azure Active Directory Users” link.
- Ensure “Target Object Actions” has “Create”, “Update” and “Delete” enabled.
- Select “Show Advanced Options” and click on “Edit Attribute list for customappsso” to ensure the following settings:
- id: Primary key, Required Set
- active: Required
- displayName: Required
- emails (work): Required, Multi-Value
- username: Required
- name.givenName: Required
- name.familyName: Required
- externalId: Required
- Click on “Save”.
- On the “Attribute Mappings” list, keep only the following 7 attributes and delete the rest. Also, if any of the attributes below is missing, add it manually.
- username
- active
- displayName
- emails (work)
- name.givenName
- name.familyName
- externalId
- On the “Attribute Mappings” list, click on the entry for externalId (click on the left-hand side portion of the entry) and update it as follows:
- Mapping Type: Expression
- Expression: Switch(IsPresent([immutableId]),[userPrincipalName], "True", [immutableId])
- Leave other fields as default and click on “OK”.
- On the “Provisioning” page, click on “Save”.
- From the Home -> Tenant-Name -> Enterprise Applications -> Beyond Identity User Console application page:
- Click on “Users and groups” from the left side menu and then click on “Add user/group” and then select “BI_Users” and “BI_Push_Groups” group. Click on “Assign”. If the AAD license does not allow group creation then assign users to this application individually.
- In the top search bar, search for “App registrations”, then click on “All Applications”, then select “Beyond Identity User Console”.
- From the “Overview” page, note down “Application (client) ID”. This will be required in later steps.
- From the “Overview” page, note down “Directory (tenant) ID”. This will be required in later steps.
- From the “Authentication” page under Platform Configuration -> Add a platform, select “Web” and enter:
- Redirect URI: https://user.byndid.com/auth-user/callback
- Implicit grant and hybrid flows: Select “ID Tokens”
- Support Account Type: “Accounts in this organizational directory only (Single Tenant)”
- Under “Advanced Settings” for “Allow public client flows” select “No”.
- Click on “Save”.
- Navigate to the “Beyond Identity User Console” App page under “App Registrations” and click on “Certificates and Secrets”.
- Under the “Client Secrets” section click on “New client secret”.
- On the “Add a client secret” page update “Description” field with “Beyond Identity User Console” and set “Expires” field to “24 Months”.
- Copy the Client Secret from the “Value” column. This will be required in later steps.
- No changes required to the “Token Configuration” page.
- Navigate to the “Beyond Identity User Console” App page under App Registrations and click on “API permissions”.
- Click on “Add a Permission”.
- Select “Microsoft Graph APIs”.
- Select “Delegated Permissions”.
- Select OpenID permissions and then select “email”, “offline_access”, “openid”, and “profile”.
- Click on “Add Permissions”.
- Click on “Grant admin Consent for <Tenant Name>” and then click on “Yes” to grant consent.
- No changes required to “Expose an API” page.
- No changes required to the “App Roles” page.
Section 6: Set up Beyond Identity User Console:
- Once logged into Beyond Identity Admin UI, click on Account Settings.
- Click on “User Portal” tab and click on “Edit SSO” for OIDC SSO.
- Edit the SSO fields according to the following steps and as shown in the diagram:
- Name: <Name of the SSO> e.g. Azure SSO
- Client ID: <Use the value recorded in the previous step>
- Client Secret: <Use the value recorded in the previous step>
- Issuer: https://sts.windows.net/<Azure-AD-Tenant-ID>/ (Remember to add the trailing slash)
- Token Field: upn
- Token Field Lookup: user name
- After these values are provisioned, login and confirm that the user has access to Beyond Identity User Console. (If this step fails, use “provision on demand” steps to provision the user in Beyond Identity first)
Section 7: Set up Beyond Identity Console for User Authentication (WS-FED federation):
- Once logged into Beyond Identity Admin Console UI, click on the “Integrations” tab and then click on “WS-FED” tab.
- Click on “Add WS-FED Connection” and update the fields as follows:
- Name: Azure WS-FED
- SP Single Sign on URL: https://login.microsoftonline.com/login.srf
- SP Audience URI: https://login.microsoftonline.com/<Azure-AD-Tenant-ID>/
- Name ID Format: Unspecified
- Subject User Attribute: ExternalID
- Authentication Context Class: X509
- Attribute Claims: Name: ImmutableID, Name format: unspecified, Value: {{ExternalID}}, Name space: http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID
- Attribute Claims: Name: emailaddress, Name format: unspecified, Value: {{Email}}, Name space: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- Attribute Claims: Name: UPN, Name format: unspecified, Value: {{UserName}}, Name space: http://schemas.xmlsoap.org/claims
- Attribute Claims: Name: authnmethodsreferences, Name format: unspecified, Value (custom string): http://schemas.microsoft.com/claims/multipleauthn, Name space: http://schemas.microsoft.com/claims
- Click on “Save Changes”.
- Note down the following fields from the recently created WSFED Connection. They will be required in the next step.
- IdP Id (Beyond Identity Connection ID)
- IdP Passive Logon URL: https://auth.byndid.com/wsfed/v1/<BI-Connection-ID>/sso
- IdP Issuer: https://auth.byndid.com/wsfed/v1/<BI-Connection-ID>
- IdP Metadata URL: https://auth.byndid.com/wsfed/v1/<BI-Connection-ID>/sso/metadata.xml
- Download IdP Signature Certificate.
Section 8: Configure Beyond Identity as the Identity Provider (WS-FED Federation)
Use the commands below to configure Beyond Identity as the Identity Provider. Alternatively, refer to the Appendix to run a batch script provided by the Beyond Identity field team.
- Log in to any Windows machine and start PowerShell as an administrator.
- Issue the following PowerShell commands.
- Connect-MsolService (log in as Azure AD Global Administrator; you may be required to install the MSOnline PowerShell module first using the "Install-Module MSOnline" command)
- $domain = "contoso.org" (replace with the customer’s alternative domain configured in Section 2)
- $BrandName = "Beyond Identity WS-FED"
- $Issuer = "https://auth.byndid.com/wsfed/v1/<BI-Connection-ID>"
- $LogOnUrl = "https://auth.byndid.com/wsfed/v1/<BI-Connection-ID>/sso"
- $mex = ""
- $LogOffUrl = "https://portal.azure.com" (or the company website)
- $SigningCert = "[BI WSFED X.509 certificate in string format]"
- $Protocol = "WSFED"
- Set-MsolDomainAuthentication -DomainName $domain -Authentication "managed"
- Set-MsolDomainAuthentication -DomainName $domain -Authentication federated -FederationBrandName $BrandName -IssuerUri $Issuer -PassiveLogOnUri $LogOnUrl -MetadataExchangeUri $mex -LogOffUri $LogOffUrl -PreferredAuthenticationProtocol $Protocol -SigningCertificate $SigningCert -SupportsMfa $True
Setting up test users
User Enrollment
- To enroll a user in the Beyond Identity experience, assign the user to the “BI_Users” group in Azure Active Directory. (Use this step if you were able to create the “BI_Users” group in Azure AD.)
- Right-click on the “BI_Users” group and click on the “Members” tab.
- Click on Add.
- Select the user.
- Click OK.
- Alternatively, assign the user directly to the Beyond Identity User Console application in Azure Active Directory. (This is required if you are NOT able to use the group step above.)
- From the Home -> Tenant-Name -> Enterprise Applications -> Beyond Identity User Console -> Users and groups page:
- Click on the “Add user/group”.
- Click on “None Selected” under Users and Groups.
- On the search page, select the user and click on “Select”.
- Click Assign.
- Enrolled users will receive an email from Beyond Identity welcoming them to the new Identity Provider.
- See image below for reference:
- Each enrolled user will be asked to follow the two steps below:
- Step 1: Download the Beyond Identity Authenticator to their device.
- When the user clicks “View Download Options”, the Beyond Identity Authenticator downloads page will open in a browser with all supported platforms displayed. The user should download and install the Beyond Identity Authenticator on their device if they have not already.
- Now that the user has the Authenticator installed on their device, they should proceed to Step 2 as there is not yet a user credential associated with the Authenticator on that device.
- Step 2: Register their Credential in the Beyond Identity IdP.
- By clicking on Step 2 “Register New Credential”, the user’s credential will get enrolled in the Beyond Identity service on the back end. On the front end, users who click Step 2 will be taken to the Beyond Identity Authenticator where they will see the progress of their credential registration. Once completed, the user will see the credentials in the Authenticator.
- See example image below:
User Authentication (Signing in)
- Each enrolled user can visit their myapps.microsoft.com (or myapps.company.com or portal.azure.com) site or any application supported by Azure AD SSO to sign into their corporate applications.
- The Microsoft applications or SSO-supported application will ask the user to enter their username. (Remember to use Alternate Username during PoC for the passwordless experience)
- Once the username is submitted, a prompt to use or open the Beyond Identity app for authentication will display for the user.
- The user should click affirmatively on the prompt to be signed into their application, without the use of a password. The Beyond Identity app along with a success notification will display.
- Note: For iOS devices, some application sign-in processes will ask the user to exit out of the Beyond Identity Authenticator to return to their app after successful authentication.
User Deprovisioning
- To deprovision a user from the Beyond Identity experience, remove user from the “BI_Users” Group in Azure Active Directory.
- Right-click on the “BI_Users” group and click on the “Members” tab.
- Select User and click on Remove.
- In the confirmation dialog click “Yes”.
- Click OK.
Appendices
Appendix A: PowerShell Command example to set up Domain for Federated Mode or Managed Mode (WS-FED Specific)
PowerShell commands to set up Azure AD as SSO and Beyond Identity as IdP
- Connect to Azure AD as Global Administrator
Connect-MsolService
- Set the domain name you want to set up for authentication
$domain = "contoso.org"
- IdP display name (federation brand name)
$BrandName = "Beyond Identity WS-FED"
- Logon URL (mandatory)
$LogOnUrl = "https://auth.byndid.com/wsfed/v1/<connection-identifier>/sso"
- Logoff URL (mandatory)
$LogOffUrl = "https://portal.azure.com"   # or the company website
- The Beyond Identity WSFED IdP X.509 certificate
$SigningCert = "[BI WSFED X509 certificate in string format]"
- Beyond Identity issuer URI
$issueruri = "https://auth.byndid.com/wsfed/v1/<connection-identifier>"
- Beyond Identity metadata URI (left empty)
$mex = ""
- Authentication protocol
$Protocol = "WSFED"
- Set up the domain for “Federated” authentication (first set it to “managed”)
Set-MsolDomainAuthentication -DomainName $domain -Authentication "managed"
Set-MsolDomainAuthentication -DomainName $domain -FederationBrandName $BrandName -Authentication federated -IssuerUri $issueruri -PassiveLogOnUri $LogOnUrl -MetadataExchangeUri $mex -SigningCertificate $SigningCert -LogOffUri $LogOffUrl -PreferredAuthenticationProtocol $Protocol -SupportsMfa $True
- To get the domain federation settings
Get-MsolDomainFederationSettings -DomainName $domain | fl *
- To revert the domain back to Managed mode
Set-MsolDomainAuthentication -DomainName $domain -Authentication "managed"
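Two things practitioners stumble on with the commands above are producing the “X509 certificate in string format” that -SigningCertificate expects, and confirming what Azure AD actually stored after the cut-over. The following is an added example, not part of the Beyond Identity guide or its field-team script; the function names and the certificate path are assumptions, and it expects MSOnline installed and Connect-MsolService already run.

```powershell
# Added example; not part of the Beyond Identity guide. Function names and paths are assumptions.
# Requires: Install-Module MSOnline; Connect-MsolService (as Global Administrator).

function Get-WsFedSigningCertString {
    # Turns the IdP signature certificate downloaded from the WS-FED connection page
    # (Section 7) into the string -SigningCertificate expects: Base64 of the DER bytes,
    # with no "-----BEGIN CERTIFICATE-----" header/footer and no line breaks.
    # X509Certificate2 reads both DER and Base64-encoded .cer files.
    param([Parameter(Mandatory)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $now = Get-Date
    if ($cert.NotAfter -lt $now) { throw "Signing certificate expired on $($cert.NotAfter)" }
    if ($cert.NotAfter -lt $now.AddDays(60)) {
        Write-Warning "Signing certificate expires on $($cert.NotAfter); plan the certificate rollover"
    }
    Write-Host "Using IdP certificate: subject=$($cert.Subject) thumbprint=$($cert.Thumbprint)"
    return [Convert]::ToBase64String($cert.GetRawCertData())
}

function Test-BiFederationSettings {
    # Post-cutover check: compares what Azure AD stored for $Domain against the values
    # derived from the Beyond Identity WS-FED connection. Returns $true only if every
    # check passes. Property names are those reported by Get-MsolDomainFederationSettings;
    # the protocol comparison assumes the enum's string form "WsFed".
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$ConnectionId,   # <BI-Connection-ID> from the Beyond Identity SE
        [Parameter(Mandatory)][string]$SigningCert     # output of Get-WsFedSigningCertString
    )
    $issuer = "https://auth.byndid.com/wsfed/v1/$ConnectionId"
    $dom = Get-MsolDomain -DomainName $Domain
    $fed = Get-MsolDomainFederationSettings -DomainName $Domain
    $checks = [ordered]@{
        'Domain authentication is Federated' = ("$($dom.Authentication)" -eq 'Federated')
        'IssuerUri matches BI connection'    = ($fed.IssuerUri -eq $issuer)
        'PassiveLogOnUri is BI sso endpoint' = ($fed.PassiveLogOnUri -eq "$issuer/sso")
        'Protocol is WS-Fed'                 = ("$($fed.PreferredAuthenticationProtocol)" -eq 'WsFed')
        'SigningCertificate matches file'    = ($fed.SigningCertificate -eq $SigningCert)
        'SupportsMfa is set'                 = ($fed.SupportsMfa -eq $true)
    }
    $ok = $true
    foreach ($name in $checks.Keys) {
        $pass = $checks[$name]
        $tag = if ($pass) { '[PASS]' } else { '[FAIL]' }
        Write-Host "$tag $name"
        if (-not $pass) { $ok = $false }
    }
    return $ok
}

# Usage (after the Set-MsolDomainAuthentication commands above):
# $SigningCert = Get-WsFedSigningCertString -Path 'C:\temp\beyond-identity-wsfed.cer'   # assumed path
# Test-BiFederationSettings -Domain 'contoso.org' -ConnectionId '<BI-Connection-ID>' -SigningCert $SigningCert
```

A mismatch on IssuerUri or SigningCertificate is the usual cause of the sign-in loop after federation, so run the check before enrolling test users.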
Appendix B: PowerShell Command to help debug
- Install MSOnline Powershell Module
Install-Module MSOnline
- Install AzureAD Powershell Module
Install-Module AzureAD
- Check device is Hybrid joined
dsregcmd /status
- To support Azure AD created users, use the following PowerShell commands:
- Connect-MsolService
- $upn = "user@contoso.com"
- $user = Get-MsolUser -UserPrincipalName $upn
- $uuid = [System.Convert]::ToBase64String(([guid]$user.ObjectId.Guid).ToByteArray())
- Set-MsolUser -UserPrincipalName $upn -ImmutableId $uuid
- To create Azure AD users after the primary domain is federated, use the following PowerShell commands:
- Connect-AzureAD
- $domain = "contoso.com"
- $First_name = "First"
- $Last_name = "Last"
- $Display_name = $First_name + " " + $Last_name
- $UPN = $First_name + "." + $Last_name + "@" + $domain
- $Mail_nickname = $First_name + "." + $Last_name
- $guid = [guid]::NewGuid()
- $immutableid = [System.Convert]::ToBase64String($guid.ToByteArray())
- $PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
- $PasswordProfile.Password = "<temporary password>" (New-AzureADUser rejects an empty password profile, even though sign-in for the federated domain will not use this password)
- $countryCode = "US"
- New-AzureADUser -DisplayName $Display_name -PasswordProfile $PasswordProfile -UserPrincipalName $UPN -AccountEnabled $true -ImmutableId $immutableid -GivenName $First_name -Surname $Last_name -MailNickName $Mail_nickname -UsageLocation $countryCode
- To support Azure AD Created Users in bulk, use the following PowerShell Command:
This command will be updated soon.
- Check whether the domain is in Managed or Federated mode (issue the Connect-AzureAD command first to log in to Azure AD as a Global Administrator)
Get-AzureADDomain
- Command to convert a base64 Immutable ID to the object ID GUID
$immutableId = "ZY721Mo4Q0+vLVO9I/1MsQ=="
Write-Host "Convert $immutableId to GUID:" ([guid][System.Convert]::FromBase64String($immutableId)).Guid
- Command to convert an object ID GUID to the base64 Immutable ID
$objectid = "e35a9b14-12fc-4f9d-9002-05e53ea2bda5"
[Convert]::ToBase64String([guid]::New($objectid).ToByteArray())
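The single-user ImmutableID commands in Section 1 and Appendix B, and the two conversion commands just above, generalize to an audit of a whole domain: every user must carry an ImmutableID before the domain is federated, because the WS-FED ImmutableID claim ({{ExternalID}}) and the SCIM externalId mapping are both keyed on it. The script below is an added example, not from the Beyond Identity guide or its field-team scripts; the function names are assumptions, and it expects MSOnline installed and Connect-MsolService already run.

```powershell
# Added example; not part of the Beyond Identity guide. Function names are assumptions.
# Requires: Install-Module MSOnline; Connect-MsolService (as Global Administrator).
# Run this while the domain is still Managed: Azure AD does not allow ImmutableId
# to be changed on users of a federated domain.

function ConvertTo-ImmutableId {
    # Same encoding the guide uses: Base64 of the GUID's 16 raw bytes.
    param([Parameter(Mandatory)][guid]$ObjectId)
    return [Convert]::ToBase64String($ObjectId.ToByteArray())
}

function ConvertFrom-ImmutableId {
    # Reverse of ConvertTo-ImmutableId (the "base64 to GUID" command above), with a length check
    # so an ImmutableId that was set from some other source string is reported, not mis-decoded.
    param([Parameter(Mandatory)][string]$ImmutableId)
    $bytes = [Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) { throw "'$ImmutableId' is not a Base64-encoded GUID ($($bytes.Length) bytes)" }
    return [guid]::new($bytes)
}

function Test-ImmutableIdRoundTrip {
    # Sanity check on a constructed GUID; needs no directory access.
    $g = [guid]"e35a9b14-12fc-4f9d-9002-05e53ea2bda5"
    return ((ConvertFrom-ImmutableId (ConvertTo-ImmutableId $g)) -eq $g)
}

function Get-ImmutableIdReport {
    # One row per user in $Domain. State:
    #   Missing         - no ImmutableId; WS-FED sign-in for this user will fail after federation
    #   MatchesObjectId - set with the guide's Section 1 commands
    #   Custom          - set another way (e.g. New-AzureADUser -ImmutableId in Appendix B); still
    #                     fine, because the SCIM externalId expression prefers [immutableId]
    param([Parameter(Mandatory)][string]$Domain)
    foreach ($u in (Get-MsolUser -DomainName $Domain -All)) {
        $expected = ConvertTo-ImmutableId -ObjectId $u.ObjectId
        $state = if ([string]::IsNullOrEmpty($u.ImmutableId)) { 'Missing' }
                 elseif ($u.ImmutableId -eq $expected)        { 'MatchesObjectId' }
                 else                                         { 'Custom' }
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            ObjectId          = $u.ObjectId
            ImmutableId       = $u.ImmutableId
            State             = $state
        }
    }
}

function Set-MissingImmutableIds {
    # Sets ImmutableId = Base64(ObjectId) only where it is empty; never overwrites a Custom value.
    # Returns the number of users that were (or, with -WhatIf, would be) updated.
    param([Parameter(Mandatory)][string]$Domain, [switch]$WhatIf)
    $missing = @(Get-ImmutableIdReport -Domain $Domain | Where-Object { $_.State -eq 'Missing' })
    foreach ($row in $missing) {
        $id = ConvertTo-ImmutableId -ObjectId $row.ObjectId
        if ($WhatIf) { Write-Host "Would set $($row.UserPrincipalName) ImmutableId=$id"; continue }
        Set-MsolUser -UserPrincipalName $row.UserPrincipalName -ImmutableId $id
        Write-Host "Set $($row.UserPrincipalName) ImmutableId=$id"
    }
    return $missing.Count
}

# Usage:
# Test-ImmutableIdRoundTrip
# Get-ImmutableIdReport -Domain 'contoso.org' | Format-Table
# Set-MissingImmutableIds -Domain 'contoso.org' -WhatIf   # dry run first, then without -WhatIf
```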
Appendix C: PowerShell Script to automate Commands
- Log in to any Windows machine and start PowerShell as an administrator.
- Install the MSOnline PowerShell module
Install-Module MSOnline
- Set the execution policy to allow the script to be run (consider -Scope Process so the change applies only to the current session)
Set-ExecutionPolicy Unrestricted
- Run the PowerShell script below in interactive mode
Setup_Beyond_Identity_Auth.ps1
To run in interactive mode:
- Right-click on the file name.
- Click on Edit. This will open PowerShell ISE.
- Review all the parameters.
- Click the green button to run the script.
- Log in as Azure AD Global Administrator when prompted.
- Review the output of the final command to ensure that the certificate was uploaded successfully.
- Check the Azure Portal and make sure that the domain shows as Federated.
Appendix D: Azure B2B Integration
To enable B2B Integration in Azure AD with Beyond Identity, use the following steps.
- Configure Beyond Identity to receive inbound SAML requests from Partner’s Azure AD.
- Set up Beyond Identity as the external identity Provider in Partner’s Azure AD tenant.
- Invite External Users to Collaborate.
- Access partner Apps.
Beyond Identity SAML Connection Configuration for B2B Connections:
- Once logged into Beyond Identity Admin Console UI, click on “Integrations” tab and then click on “SAML Connections”.
- Click on “Add SAML Connection” and update the fields as follows:
- Name: Beyond Identity IdP
- SP Single Sign-On URL: https://login.microsoftonline.com/login.srf
- SP Audience URI: urn:federation:MicrosoftOnline
- Name ID Format: Persistent
- Subject User Attribute: ExternalID
- Request Binding: http-redirect
- Signed Response: Signed
- X509 (Request) Signing Certificate: Not required
- Optional Attributes: Name: IDPEmail, Nameformat: uri, Value: {{UserName}}
- Optional Attributes: Name: http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod, Nameformat: unspecified, Value (custom string): http://schemas.microsoft.com/claims/multipleauthn
- Click on “Save Changes”
- Note down the following fields from the recently created SAML Connection. They will be required in the next step.
- IdP Id (Beyond Identity Connection ID)
- IdP Single Sign-On URL: https://auth.byndid.com/saml/v0/<BI-Connection-ID>/sso
- IdP Issuer: https://auth.byndid.com/saml/v0/<BI-Connection-ID>/sso/metadata.xml
- Download IdP Signature Certificate
- Download Metadata file.
External Identity Provider Configuration:
- Log in to Azure Portal as “Global Administrator”.
- Click on “Azure Active Directory” logo or search “Azure Active Directory” from the “Home” screen.
- Click on “External Identities” from the left menu bar.
- Click on “All Identity Providers” from the left menu bar.
- Click on “New SAML/WS-Fed IdP” from the top menu bar.
- Select the following parameters for the new external IdP.
- Identity Provider Protocol: SAML
- Domain name of federating IdP: <fabrikam.com> (Enter your partner’s domain name.)
- Select a method for populating metadata: Parse Metadata file (Pull down menu)
- Upload metadata file and click on Parse.
- Click on “Save”.
Create and Invite External Users to Collaborate:
- Log in to Azure Portal as “Global Administrator”.
- Click on “Azure Active Directory” logo or search “Azure Active Directory” from the “Home” screen.
- Click on “Users” from the left side menu.
- Click on “New guest user” from the top menu.
- Update the following fields before sending an invite.
- Name: <John Doe>
- Email address: john.doe@fabrikam.com
- First Name: <John>
- Last name: <Doe>
- Personal Message: “Message to invite them to collaborate”.
- Groups: Add the user to appropriate groups. (Optional)
- Usage Location: <United States>
- Click on “Invite”.
- After accepting an invite, a user should be able to access applications by going to one of the following URLs.
- https://myapps.microsoft.com/?tenantid=<Azure-AD-Tenant-ID>
- https://myapps.microsoft.com/<your verified domain>.onmicrosoft.com
- https://portal.azure.com/<Azure-AD-Tenant-ID>