
Using Microsoft Azure Active Directory for SharePoint 2013 Authentication

Allow Office 365 and other federated users access to on-premise SharePoint

Brian Jones

17/12/2014

Summary

This blog post explains how to use the Azure Access Control Service (ACS) to authenticate the users of an on-premises SharePoint Server 2013 farm against Azure Active Directory.

There are several reasons why this is a convenient solution:

  • It integrates with SharePoint 2013 in the same way as any other claims-based authentication provider.
  • Users from your on-premises Active Directory can be synchronised to Azure Active Directory (using DirSync). Users from other membership systems (e.g. Windows Live ID) can be added to the same directory, so they can sign in with those credentials if required.
  • Ad-hoc users, i.e. people who do not have any existing credentials, can be added directly to the directory.
  • Azure Active Directory can federate with other directories and membership providers, so users from those organisations can authenticate to SharePoint with their own credentials.

Overview of the steps

The configuration is done in seven steps, each covered in its own section below:

  1. Create a new Azure AD tenant and namespace.
  2. Add a WS-Federation identity provider.
  3. Add SharePoint as a relying party application.
  4. Create a rule group for claims-based authentication.
  5. Configure the X.509 certificate.
  6. Create a claim mapping.
  7. Configure SharePoint for the new identity provider.

Step 1: Create a new Azure AD tenant and namespace

Log on to your Azure Management Portal https://manage.windowsazure.com

Click on +New which can be found in the bottom left hand corner

Click on APP SERVICES, select ACTIVE DIRECTORY, select ACCESS CONTROL and click on QUICK CREATE

In NAMESPACE enter a name for your access control namespace, choose a REGION and click CREATE

Open the Access Control Service web page by clicking on ACTIVE DIRECTORY in the left hand menu, click on ACCESS CONTROL NAMESPACES in the top menu, select your namespace and click on MANAGE at the bottom of the page.

The following web page will open https://yournamespace.accesscontrol.windows.net/v2/mgmt/web

Open PowerShell as an administrator and run the following commands. They need the Azure Active Directory Module for Windows PowerShell (MSOnline) together with its MSOnlineExtended module, which you installed beforehand.

Connect-MsolService

You will be prompted for your Azure credentials; enter them and click OK.

Import-Module MSOnlineExtended -Force

This imports the module that provides the New-MsolServicePrincipal cmdlets used in the next two commands.

$replyUrl = New-MsolServicePrincipalAddresses -Address "https://yournamespace.accesscontrol.windows.net/"

Replace the URL with the address of the access control service web page you opened earlier, cut down to the scheme and host name followed by a single / (i.e. everything before /v2/mgmt/web).

New-MsolServicePrincipal -ServicePrincipalNames @("https://fuseadazure.accesscontrol.windows.net/") -DisplayName "Fuse Azure AD Namespace" -Addresses $replyUrl

Here https://fuseadazure.accesscontrol.windows.net/ is the author's namespace URL and "Fuse Azure AD Namespace" its display name; use the same namespace URL you passed to New-MsolServicePrincipalAddresses and a display name of your own. The output will look like this:

DisplayName           : Your Namespace
ServicePrincipalNames : {https://yournamespace.accesscontrol.windows.net/, e7f11c00-d714-4e36-8428-f7f2e6d219ca}
ObjectId              : ee826535-0e1e-4b01-ac0a-2d62653df85a
AppPrincipalId        : e7f11c00-d714-4e36-8428-f7f2e6d219ca
TrustedForDelegation  : False
AccountEnabled        : True
Addresses             : {Microsoft.Online.Administration.RedirectUri}
KeyType               : Symmetric
KeyId                 : 76e02056-d931-4fcb-bacb-77af2dd73041
StartDate             : 11/12/2014 12:02:52
EndDate               : 11/12/2015 12:02:52
Usage                 : Verify

Note the StartDate and EndDate: the symmetric key created for the service principal is valid for one year from creation, so record when it expires. Also keep the ObjectId and AppPrincipalId; they identify the service principal if you later need to inspect it with Get-MsolServicePrincipal.

Step 2: Add a WS-Federation identity provider

Open the access control service web page, click Identity providers and then click Add.

Select WS-Federation identity provider and click Next.

In Display name enter a name for your identity provider.

Under WS-Federation metadata tick URL and enter:

https://accounts.accesscontrol.windows.net/[yourazureurl]/FederationMetadata/2007-06/FederationMetadata.xml

where [yourazureurl] is the name of your Azure AD tenant. To find it, log in to the Azure portal and take the part of the address that follows https://manage.windowsazure.com/.

e.g. if the address shown when you log in to Azure is https://manage.windowsazure.com/fusecollaboration.com, then you would enter fusecollaboration.com as [yourazureurl], giving:

https://accounts.accesscontrol.windows.net/fusecollaboration.com/FederationMetadata/2007-06/FederationMetadata.xml

In Login link text enter the text that you want to show in the drop-down list when users select an authentication method, and click Save.

Step 3: Add SharePoint as a relying party application

Open the access control service web page, click on Relying party applications and then click Add.

Enter a Name for the relying party application.

In Realm enter urn:sharepoint:spvms

The realm is the identifier ACS issues tokens for; it must match, character for character, the $realm value you give SharePoint in Step 6.

In Return URL enter your SharePoint web application URL followed by /_trust/, which is the endpoint where SharePoint accepts the token:

e.g. https://mywebsite.com/_trust/

In Token format select SAML 1.1 (SharePoint 2013 only accepts SAML 1.1 tokens).

Under Identity providers select your identity provider and click Save.

Step 4: Create a rule group for claims-based authentication

Click on Rule Groups and click Add.

Enter a name for the rule group and click Save.

In Used by the following relying party applications select the application you created earlier.

Click Add. In the Identity Provider drop-down select the provider you created earlier. This scopes the rule to that provider only, which matters because SharePoint will treat the claim this rule emits as the user's identity (Step 6); do not widen it to all identity providers.

In the Input claim type section click on Select Type, click the drop-down list and select http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

In the Output claim type section click on Select Type and select http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn from the drop-down list. The rule passes the value of the incoming name claim through unchanged as a upn claim.

Click on Save.

Step 5: Configure the X.509 certificate

Under Development click on Application integration.

Locate WS-Federation Metadata, copy the URL to the right of it and open this address in a new browser tab/window.

In the XML file that is displayed locate the <X509Certificate> element inside the KeyDescriptor marked use="signing". The metadata can contain more than one <X509Certificate> element, so make sure you take the token-signing certificate rather than, for example, the one in the document's own signature block.

Copy the Base64 string between <X509Certificate> and </X509Certificate>.

Open a new Notepad file on your SharePoint server and paste the string into the file (the file contains only the Base64 text).

Save the file as c:\certificates\AcsTokenSigning.cer

This certificate is what SharePoint will use to verify every token ACS issues, so confirm its thumbprint against the certificate shown in the ACS portal and note its expiry date: when ACS rolls the certificate, SharePoint has to be updated or sign-in will fail.
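The manual copy above can be replaced by a script. The following is an added example, not code from the original post: it downloads the ACS federation metadata, selects only the certificate(s) published under a KeyDescriptor with use="signing", writes the first one as a DER .cer file at the path used in Step 6, and prints the thumbprint and validity dates so they can be checked against the ACS portal before the certificate is trusted. "yournamespace" is a placeholder for your ACS namespace, and the script assumes PowerShell 3.0 or later.

```powershell
# Added example, not part of the original post: extract the ACS token-signing
# certificate from the federation metadata instead of copying it by hand.
# The metadata may carry more than one <X509Certificate> (e.g. the document's
# own signature block), so only KeyDescriptor use="signing" entries under a
# RoleDescriptor are considered.
# Assumptions: "yournamespace" is a placeholder for your ACS namespace; the
# output path matches the one loaded in Step 6.

$namespace   = "yournamespace"
$metadataUrl = "https://$namespace.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml"
$outFile     = "C:\Certificates\AcsTokenSigning.cer"

# XmlDocument.Load fetches over HTTPS (the server certificate is validated)
# and takes care of the document encoding and any byte-order mark.
$metadata = New-Object System.Xml.XmlDocument
$metadata.Load($metadataUrl)

$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

$xpath = "//md:RoleDescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
$nodes = $metadata.SelectNodes($xpath, $ns)
if ($nodes.Count -eq 0) { throw "No signing certificate found in $metadataUrl" }

# Parse each Base64 blob into a certificate object. The same certificate is
# normally listed under every RoleDescriptor, so de-duplicate by thumbprint.
$certs = @(@(foreach ($node in $nodes) {
    $der = [Convert]::FromBase64String($node.InnerText.Trim())
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$der)
}) | Sort-Object Thumbprint -Unique)

foreach ($c in $certs) {
    "{0}  NotBefore={1:u}  NotAfter={2:u}  {3}" -f $c.Thumbprint, $c.NotBefore, $c.NotAfter, $c.Subject
    if ($c.NotAfter -lt (Get-Date)) { Write-Warning "Certificate $($c.Thumbprint) has expired" }
}
if ($certs.Count -gt 1) {
    Write-Warning "More than one signing certificate is published; ACS may be rolling its key. Check which one currently signs tokens."
}

# Write raw DER bytes; a .cer holding DER loads unambiguously with X509Certificate2.
New-Item -ItemType Directory -Path (Split-Path $outFile) -Force | Out-Null
[IO.File]::WriteAllBytes($outFile, $certs[0].RawData)
"Saved $outFile ($($certs[0].Thumbprint)). Compare this thumbprint with the certificate listed under Certificates and keys in the ACS portal before trusting it."
```

The file this writes is accepted by the X509Certificate2 constructor used in Step 6 exactly like the hand-made one; the difference is that the choice of certificate is explicit and its thumbprint is in front of you for an out-of-band check.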

Step 6: Create a claim mapping

Log on to your SharePoint WFE server with a farm administrator account and open the SharePoint 2013 Management Shell (or a PowerShell session with the Microsoft.SharePoint.PowerShell snap-in loaded).

Enter the following commands:

# Load the ACS token-signing certificate saved in Step 5
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Certificates\AcsTokenSigning.cer")

# Make SharePoint trust that certificate
New-SPTrustedRootAuthority -Name "Token Signing" -Certificate $cert

# Map the incoming claim types one-to-one onto SharePoint claims
$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming

$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" -IncomingClaimTypeDisplayName "GivenName" -SameAsIncoming

$map3 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" -IncomingClaimTypeDisplayName "SurName" -SameAsIncoming

# Must be identical to the Realm entered for the relying party in Step 3
$realm = "urn:sharepoint:spvms"

# Register ACS as a trusted identity provider; replace fuseadazure with your own namespace
$ap = New-SPTrustedIdentityTokenIssuer -Name "Provider" -Description "SharePoint secured by SAML in ACS" -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map,$map2,$map3 -SignInUrl "https://fuseadazure.accesscontrol.windows.net/v2/wsfederation" -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

Two things to check here. The -IdentifierClaim is the claim SharePoint uses as the user's identity, so it must be the upn claim that the rule group from Step 4 emits. The givenname and surname mappings only receive values if ACS actually issues those claims; the rule group in Step 4 only passes name through as upn, so add pass-through rules for givenname and surname if you want them populated.

Step 7: Configure SharePoint for the new identity provider

Log on to your SharePoint WFE server with a farm administrator account and open Central Administration.

Click on Application Management and then on Manage web applications.

Select your web-facing web application and click on Authentication Providers.

Under Zone click the name of the web-facing zone, e.g. Default.

Scroll down to the Claims Authentication Types section, select Trusted identity provider, select the provider and click OK
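Before handing the site over, it is worth confirming that the trust SharePoint now holds matches what was configured in ACS. The following is an added example, not code from the original post. It assumes the names used earlier in this post (provider "Provider", realm urn:sharepoint:spvms, web application https://mywebsite.com and the certificate file from Step 5); adjust them to your own values.

```powershell
# Added example, not part of the original post: sanity-check the SharePoint
# side of the ACS trust after Steps 5 to 7.
# Assumptions: provider name, realm, web application URL and certificate path
# are the values used earlier in the post; replace them with your own.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$providerName = "Provider"
$realm        = "urn:sharepoint:spvms"
$webAppUrl    = "https://mywebsite.com"
$certFile     = "C:\Certificates\AcsTokenSigning.cer"
$upnClaim     = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$problems     = @()

$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $providerName -ErrorAction Stop

# 1. SharePoint must verify tokens with the certificate taken from ACS metadata,
#    and that certificate must also be a trusted root authority.
$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certFile)
if ($issuer.SigningCertificate.Thumbprint -ne $expected.Thumbprint) {
    $problems += "Issuer signing certificate $($issuer.SigningCertificate.Thumbprint) differs from $certFile ($($expected.Thumbprint))"
}
if (-not (Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $expected.Thumbprint })) {
    $problems += "Certificate $($expected.Thumbprint) is not in the farm's trusted root authorities"
}
$daysLeft = ($issuer.SigningCertificate.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 30) {
    $problems += "Signing certificate expires in $daysLeft days; update it with Set-SPTrustedIdentityTokenIssuer -ImportTrustCertificate"
}

# 2. Realm and sign-in endpoint must match the relying party in ACS, and the
#    redirect to ACS must be over HTTPS.
if ($issuer.DefaultProviderRealm -ne $realm) {
    $problems += "Realm is '$($issuer.DefaultProviderRealm)', expected '$realm'"
}
if ($issuer.ProviderUri.Scheme -ne "https") {
    $problems += "Sign-in URL $($issuer.ProviderUri) is not HTTPS"
}

# 3. The identifier claim decides who the user is; it must be the upn claim the
#    ACS rule group emits.
if ($issuer.IdentifierClaim -ne $upnClaim) {
    $problems += "Identifier claim is $($issuer.IdentifierClaim), expected $upnClaim"
}

# 4. The web application's zone must actually reference this provider.
$wa    = Get-SPWebApplication -Identity $webAppUrl
$zone  = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$names = @($wa.IisSettings[$zone].ClaimsAuthenticationProviders | ForEach-Object { $_.DisplayName })
if ($names -notcontains $providerName) {
    $problems += "Zone $zone of $webAppUrl does not use provider '$providerName' (configured: $($names -join ', '))"
}

if ($problems.Count -eq 0) {
    "Trust for '$providerName' is consistent with the ACS configuration."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run it from the SharePoint 2013 Management Shell as a farm administrator. The certificate check is the one to repeat periodically: ACS publishes a new signing certificate before the old one expires, and SharePoint keeps rejecting tokens until the issuer is updated with the new one.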

 

Using the Solution

Once you have completed these steps you will see a new screen when you sign in to SharePoint. This screen shows a drop-down list for selecting the authentication type you want to use, and your provider will appear in that list under the login link text you entered in Step 2.

