
Using Microsoft Azure Active Directory for SharePoint 2013 Authentication

Allow Office 365 and other federated users access to on-premise SharePoint

Brian Jones

17/12/2014


Summary

This blog post explains how to use the Azure Access Control Service (ACS) to authenticate the users of your on-premises SharePoint Server 2013 farm against Azure Active Directory.

There are several reasons why this is a convenient solution:

  • It integrates with SharePoint 2013 in the same way as any other claims-based authentication provider.
  • Users from your on-premises Active Directory can be synced to Azure Active Directory (using DirSync). Users from other membership systems (e.g. Windows Live ID) can also be added to the same directory, so they can sign in with those credentials if required.
  • Ad-hoc users, i.e. users who don't have any existing credentials, can also be added directly to the directory.
  • Azure Active Directory can federate with other directories and membership providers, so users from those organisations can authenticate to SharePoint with their own credentials.

Pre-requisites

There are several steps that need to be completed:

  1. Create a new Azure AD tenant and namespace.
  2. Add a WS-Federation identity provider.
  3. Add SharePoint as a relying party application.
  4. Create a rule group for claims-based authentication.
  5. Configure the X.509 certificate.
  6. Create a claim mapping.
  7. Configure SharePoint for the new identity provider.

Step 1: Create a new Azure AD tenant and namespace

Log on to the Azure Management Portal at https://manage.windowsazure.com

Click +New, which can be found in the bottom left-hand corner

Click on APP SERVICES, select ACTIVE DIRECTORY, select ACCESS CONTROL and click on QUICK CREATE

In NAMESPACE enter a name for your access control namespace, choose a REGION and click CREATE

Open the Access Control Service web page by clicking ACTIVE DIRECTORY in the left-hand menu, then ACCESS CONTROL NAMESPACES in the top menu; select your namespace and click MANAGE at the bottom of the page.

The following web page will open https://yournamespace.accesscontrol.windows.net/v2/mgmt/web

Open PowerShell as an administrator and run the following commands:

Connect-MsolService

You will be prompted for your Azure credentials; enter them and click OK

Import-Module MSOnlineExtended -Force

This imports the Azure AD PowerShell module (MSOnlineExtended), which you installed as part of the prerequisites.

$replyUrl = New-MsolServicePrincipalAddresses -Address "https://yournamespace.accesscontrol.windows.net/"

Replace the URL with the address of the access control service web page you opened earlier, cut off after the first / that follows the host name (i.e. https://yournamespace.accesscontrol.windows.net/)

New-MsolServicePrincipal -ServicePrincipalNames @("https://yournamespace.accesscontrol.windows.net/") -DisplayName "Your Namespace" -Addresses $replyUrl

Use the same address in -ServicePrincipalNames as you used in the previous command.

The final output will look like this:

DisplayName           : Your Namespace
ServicePrincipalNames : {https://yournamespace.accesscontrol.windows.net/, e7f11c00-d714-4e36-8428-f7f2e6d219ca}
ObjectId              : ee826535-0e1e-4b01-ac0a-2d62653df85a
AppPrincipalId        : e7f11c00-d714-4e36-8428-f7f2e6d219ca
TrustedForDelegation  : False
AccountEnabled        : True
Addresses             : {Microsoft.Online.Administration.RedirectUri}
KeyType               : Symmetric
KeyId                 : 76e02056-d931-4fcb-bacb-77af2dd73041
StartDate             : 11/12/2014 12:02:52
EndDate               : 11/12/2015 12:02:52
Usage                 : Verify

Step 2: Add a WS-Federation identity provider

Open the access control service web page, click Identity providers and then click Add

Select WS-Federation identity provider and click Next

In Display name enter a name for your identity provider

Under WS-Federation metadata tick URL and enter:

https://accounts.accesscontrol.windows.net/[yourazureurl]/FederationMetadata/2007-06/FederationMetadata.xml

Where [yourazureurl] is the name of your Azure tenant. To find it, log in to the Azure portal; the tenant name is the part of the address after https://manage.windowsazure.com/

e.g. If the URL shown when you log in to Azure is https://manage.windowsazure.com/fusecollaboration.com, then you would enter fusecollaboration.com as [yourazureurl], giving:

https://accounts.accesscontrol.windows.net/fusecollaboration.com/FederationMetadata/2007-06/FederationMetadata.xml

In Login link text enter the text you want shown in the drop-down list when users select an authentication method, then click Save

Step 3: Add SharePoint as a relying party application

Open the access control service web page, click Relying party applications and then click Add

Enter a Name for the relying party application

In Realm enter urn:sharepoint:spvms

In Return URL enter your SharePoint web application URL followed by /_trust/

e.g. https://mywebsite.com/_trust/

In Token format select SAML 1.1

Under Identity providers select your identity provider and click Save

Step 4: Create a rule group for claims-based authentication

Click on Rule Groups and click Add

Enter a name for the rule group and click Save

In Used by the following relying party applications select the application you created earlier

Click Add, in the Identity Provider drop down select the provider you created earlier

In the Input claim type section click Select Type and choose http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name from the drop-down list

In the Output claim type section click Select Type and choose http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn from the drop-down list

Click on Save

Step 5: Configure the X.509 certificate

Under Development click on Application integration

Locate WS-Federation Metadata, copy the URL to the right of it and open that address in a new browser tab/window

In the XML document that is displayed, locate the <X509Certificate> element

Copy the string between <X509Certificate> and </X509Certificate>

Open a new Notepad file on your SharePoint server and paste the string into it

Save the file as c:\certificates\AcsTokenSigning.cer
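The copy-and-paste above works, but it is easy to pick up the wrong <X509Certificate> element (the metadata document contains more than one) and it gives you no view of when the certificate expires. The following PowerShell does the same job from the metadata URL copied earlier and shows the thumbprint and validity of every signing certificate ACS advertises. It is an added example, not code from the original post; $namespace, the metadata URL format and $outFile are placeholders you should replace with the address and path you used in the steps above.

```powershell
# Added example (not part of the original post): pull the ACS token-signing
# certificate out of the WS-Federation metadata instead of copying it by hand.
# Assumptions: $namespace is your ACS namespace and $outFile is where Step 6
# expects the certificate; both are placeholders.
$namespace   = "yournamespace"
$metadataUrl = "https://$namespace.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml"
$outFile     = "C:\certificates\AcsTokenSigning.cer"

# Download and parse the metadata document (the URL shown under Application integration)
[xml]$metadata = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content

# The metadata uses XML namespaces, so the XPath query needs a namespace manager
$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

# Only take keys advertised for token signing, rather than any <X509Certificate>
# that happens to appear in the document
$nodes = $metadata.SelectNodes("//md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns)
if ($nodes.Count -eq 0) { throw "No signing certificate found in $metadataUrl" }

# Build X509Certificate2 objects so expiry and thumbprint can be inspected, and
# de-duplicate (the same certificate is listed under several RoleDescriptors)
$certs = foreach ($node in $nodes) {
    $bytes = [Convert]::FromBase64String($node.InnerText.Trim())
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
}
$certs = $certs | Sort-Object Thumbprint -Unique

"Signing certificates advertised by ACS:"
$certs | ForEach-Object {
    "  {0}  {1:yyyy-MM-dd} to {2:yyyy-MM-dd}  {3}" -f $_.Thumbprint, $_.NotBefore, $_.NotAfter, $_.Subject
}

# Use the certificate that is valid now; if ACS has already published a successor
# for key rollover, prefer the one that expires last
$now = Get-Date
$current = $certs |
    Where-Object { $_.NotBefore -le $now -and $_.NotAfter -gt $now } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $current) { throw "None of the advertised signing certificates is currently valid" }
if ($current.NotAfter -lt $now.AddDays(60)) {
    Write-Warning "Signing certificate $($current.Thumbprint) expires on $($current.NotAfter); plan to re-import it into SharePoint"
}

# Save as a DER-encoded .cer file; the X509Certificate2 constructor used in Step 6 reads it directly
New-Item -ItemType Directory -Path (Split-Path $outFile) -Force | Out-Null
[IO.File]::WriteAllBytes($outFile, $current.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
"Saved $($current.Thumbprint) to $outFile"
```

Keep the thumbprint it prints: SharePoint will only accept tokens signed by this certificate, so when ACS rolls the key the same script re-run will show the new thumbprint and the trust in Step 6 has to be updated to match.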

Step 6: Create a claim mapping

Log on to your SharePoint WFE server with a farm administrator account and open PowerShell

Enter the following commands:

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Certificates\AcsTokenSigning.cer")

New-SPTrustedRootAuthority -Name "Token Signing" -Certificate $cert

$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming

$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" -IncomingClaimTypeDisplayName "GivenName" -SameAsIncoming

$map3 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" -IncomingClaimTypeDisplayName "SurName" -SameAsIncoming

$realm = "urn:sharepoint:spvms"

$ap = New-SPTrustedIdentityTokenIssuer -Name "Provider" -Description "SharePoint secured by SAML in ACS" -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map,$map2,$map3 -SignInUrl "https://fuseadazure.accesscontrol.windows.net/v2/wsfederation" -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

The last command is a single line. In -SignInUrl replace fuseadazure with your own access control namespace, and note that $realm must match the Realm you entered for the relying party application in Step 3.

Step 7: Configure SharePoint for the new identity provider

Log on to your SharePoint WFE server with a farm administrator account and open Central Administration.

Click on Application Management and click on Manage web applications

Select your web facing web application and click on Authentication Providers

Under Zone click the name of the web-facing zone, e.g. Default

Scroll down to the Claims Authentication Types section, select Trusted identity provider, select the provider and click OK
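The same change can be made and, more usefully, checked from PowerShell. The script below is an added example and not part of the original post: it confirms that the trusted identity token issuer from Step 6 exists, that the certificate it trusts is the one saved in Step 5, and that its realm matches the relying party realm, and then enables the provider on the zone. The provider name, web application URL, certificate path and realm are the values used earlier in this post and are assumptions; it also keeps Windows (NTLM) claims authentication enabled on the zone alongside the trusted provider, which is a design choice rather than something the post prescribes.

```powershell
# Added example (not part of the original post): verify the trust created in
# Step 6 and apply the provider to the web application zone from PowerShell.
# Assumptions: provider name, web application URL, .cer path and realm are the
# placeholders used elsewhere in this post; adjust them to your farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$providerName = "Provider"
$webAppUrl    = "https://mywebsite.com"
$certFile     = "C:\certificates\AcsTokenSigning.cer"
$realm        = "urn:sharepoint:spvms"
$zone         = [Microsoft.SharePoint.Administration.SPUrlZone]::Default

# 1. The trusted identity token issuer from Step 6 must exist
$sts = Get-SPTrustedIdentityTokenIssuer -Identity $providerName -ErrorAction Stop

# 2. SharePoint validates token signatures with $sts.SigningCertificate alone,
#    so it must be the certificate ACS actually signs with (the file from Step 5)
$fileCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certFile)
if ($sts.SigningCertificate.Thumbprint -ne $fileCert.Thumbprint) {
    throw "Signing certificate mismatch: issuer trusts $($sts.SigningCertificate.Thumbprint), file is $($fileCert.Thumbprint)"
}
if ($sts.SigningCertificate.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Signing certificate expires $($sts.SigningCertificate.NotAfter); sign-in stops working once it lapses"
}

# 3. The realm must match the Realm entered for the relying party in Step 3,
#    otherwise tokens from ACS carry an audience SharePoint does not accept
if ($sts.DefaultProviderRealm -ne $realm) {
    Write-Warning "Issuer realm '$($sts.DefaultProviderRealm)' differs from the ACS relying party realm '$realm'"
}

# 4. Show which claim identifies the user and how incoming claims are mapped
"Issuer '{0}': identifier claim {1}, sign-in URL {2}" -f $sts.Name, $sts.IdentifierClaim, $sts.ProviderUri
$sts.ClaimTypeInformation | Select-Object DisplayName, InputClaimType, MappedClaimType | Format-Table -AutoSize

# 5. Enable the provider on the zone, keeping Windows (NTLM) claims authentication
#    alongside it so farm administrators can still sign in if federation breaks
$webApp  = Get-SPWebApplication -Identity $webAppUrl -ErrorAction Stop
$windows = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$trusted = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $sts
Set-SPWebApplication -Identity $webApp -Zone $zone -AuthenticationProvider $windows, $trusted

# 6. Confirm the zone now lists both providers
Get-SPAuthenticationProvider -WebApplication $webApp -Zone $zone |
    Select-Object DisplayName, ClaimProviderName | Format-Table -AutoSize
```

Run it in a SharePoint 2013 Management Shell (or any elevated PowerShell, since the first line loads the SharePoint snap-in) as a farm administrator. The checks in steps 2 and 3 are the two configuration errors that most often leave users with a sign-in loop or an "access denied" page after a WS-Federation login, so they are worth re-running whenever the ACS namespace or its signing key changes.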

 

Using the Solution

Once you have completed these steps you will see a new screen when you log on to SharePoint. It shows a drop-down list for selecting the authentication type you want to use, and your provider appears in the list.

