Microsoft Azure Active Directory

Introduction

Integrating Acceptto with your Microsoft Azure Active Directory allows you to add multi-factor authentication for logons. Acceptto MFA for Azure Active Directory™ enables strong authentication and secure access via SAML to protect your user accounts and your data without exchanging usernames and passwords.

Pre-requisites

Ensure that you have a global admin account that is configured in your managed domain outside of your primary domain. Your primary domain will be similar to example.com and your managed domain will be similar to example0.onmicrosoft.com. You can see this configuration by running the PowerShell command:

Get-MsolDomain

It should return an output similar to:

Name                      Status   Authentication
----                      ------   --------------
example.com               Verified Managed
example0.onmicrosoft.com  Verified Managed

  1. Acceptto Appliance configured to connect to your user directory (Azure Active Directory).
  2. An Acceptto Organization account, with access to an Acceptto administrative user (see Sign up for Acceptto account, download the It'sMe™ mobile app and sign in with your account).
  3. A Microsoft Azure Active Directory account with Global Admin privileges.
  4. All the Azure Active Directory users that will be authenticated via SAML must have an ImmutableID set. To identify which users may not have an ImmutableID set, run the following PowerShell command:

     Get-MsolUser -All | Select-Object UserPrincipalName,ImmutableID

     UserPrincipalName                  ImmutableId
     -----------------                  -----------
     User1@example.com                  123ABC45-67EF-90GH-12IJ-34KL56MN7890P
     User2@example.com

  5. Users that do not show an ImmutableID, such as User2@example.com, will not be able to log in using SAML. To set the ImmutableID for a specific user, run the following PowerShell commands (replace UserPrincipalName with the affected user, e.g. user1@example.com):

     $guid = New-Guid
     Set-MSOLUser -UserPrincipalName UserPrincipalName -ImmutableID $guid

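
The guide sets the ImmutableID one user at a time. The following script, an added example that is not part of the Acceptto guide, applies the same procedure (one fresh GUID per account) to every user that currently has no ImmutableID, and reports without changing anything unless the assumed `-Apply` switch is given. It assumes an existing MSOnline session opened with the Global Admin account from the pre-requisites.

```powershell
# Added example (not from the Acceptto guide): report, and optionally fix, every user
# without an ImmutableId. Assumes you are already connected to MSOnline as a Global Admin.
# -Apply is an assumed parameter name; without it the script only reports.
param(
    [switch]$Apply
)

$users   = Get-MsolUser -All | Select-Object UserPrincipalName, ImmutableId
$missing = @($users | Where-Object { [string]::IsNullOrEmpty($_.ImmutableId) })

Write-Host ("{0} of {1} users have no ImmutableId" -f $missing.Count, $users.Count)

foreach ($u in $missing) {
    if ($Apply) {
        # One new GUID per user: the ImmutableId must be unique within the tenant.
        # Only accounts with an empty ImmutableId are touched, so users whose value is
        # managed by a directory synchronization tool are left alone.
        $guid = New-Guid
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName -ImmutableId $guid.ToString()
        Write-Host ("set {0} -> {1}" -f $u.UserPrincipalName, $guid.ToString())
    } else {
        Write-Host ("would set {0}" -f $u.UserPrincipalName)
    }
}
```

Run it once without `-Apply` to see which accounts would be changed, then again with `-Apply`; afterwards the `Get-MsolUser` listing above should show an ImmutableId for every user that is expected to log in via SAML.
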
Configure the Acceptto Identity Provider (IdP)
  1. Log in to the Acceptto Admin portal with your Acceptto administrative account, and select “APPLICATIONS”.
  2. Create a new application by clicking the “New Application” button.
  3. In the Add Application dialog enter your Azure Active Directory configuration values.
  4. For example:

    App Name: Microsoft Azure Active Directory

    Issuer or EntityID: The Issuer/EntityID of the SAML application (e.g., https://sts.windows.net/yourTenantID)

    Sign in URL: The URL used to login to your Azure AD instance (e.g., https://login.microsoftonline.com/yourTenantID)

    Metadata URL: This is a URL that provides all of the SAML information about your Azure instance (e.g., https://login.microsoftonline.com/YourDomain/FederationMetadata/2007-06/FederationMetadata.xml)

  5. Click “Save”.
  6. Select the Applications control, New/Edit Applications, and copy the values shown on that page.

Configure Azure Active Directory as a Service Provider (SP)

Run the following script in a PowerShell console:

# The domain you want to authenticate against SAML, e.g. example.com (mandatory)
$domain = "example.com"
# Identify who your IdP is
$BrandName = "Acceptto SAML IDP"
# Logon URL (mandatory)
$LogOnUrl = "https://saml.acceptto.com/saml/auth"
# Logoff URL (mandatory)
$LogOffUrl = "https://saml.acceptto.com/saml/logout"
# The IdP certificate (the base64 certificate body). Note the use of @"..."@ to make it a raw
# here-string. This value comes from the X509 certificate set up in "Configure the Acceptto
# Identity Provider", item 5.
$SigningCert = @"
"@
# The issuer URI. It needs to match what is specified on the IdP under EntityId; make sure this is
# accurate, otherwise AAD will not log you in.
$uri = "https://saml.acceptto.com/saml"
$Protocol = "SAMLP"

The whole command looks like this:

Set-MsolDomainAuthentication -DomainName $domain -FederationBrandName $BrandName -Authentication "federated" -PassiveLogOnUri $LogOnUrl -SigningCertificate $SigningCert -IssuerUri $uri -LogOffUri $LogOffUrl -PreferredAuthenticationProtocol $Protocol

A successful run of the command should not return any errors.

To verify if the domain is configured to use SAML the following command can be used:

Get-MsolDomainFederationSettings -domainname example.com | fl *

The output should be similar to:

ExtensionData                          : System.Runtime.Serialization.ExtensionDataObject
ActiveLogOnUri                         :
DefaultInteractiveAuthenticationMethod :
FederationBrandName                    : acceptto.com
IssuerUri                              : https://saml.acceptto.com/saml
LogOffUri                              : https://saml.acceptto.com/saml/logout
MetadataExchangeUri                    :
NextSigningCertificate                 :
OpenIdConnectDiscoveryEndpoint         :
PassiveLogOnUri                        : https://saml.acceptto.com/saml/auth
PasswordChangeUri                      :
PasswordResetUri                       :
PreferredAuthenticationProtocol        : Samlp
PromptLoginBehavior                    :
SigningCertificate                     : MII 79701424009245946274090644119698913542736738414383197137136495653488597823440743026907540474162173229890086677980241691766203566484177525691391892547529556572165857639252331212281503088199745189921112D=
SigningCertificateUpdateStatus         :
SupportsMfa                            :

The return must show the same values as used in the script variables above.
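
Comparing the `Get-MsolDomainFederationSettings` output with the script variables by eye is error-prone, and a mismatched IssuerUri is exactly the failure the script comments warn about. The following script is an added example, not part of the Acceptto guide: it reads the live federation settings, compares them with an `$expected` table (an assumed name mirroring the script variables above), and decodes the signing certificate to show its validity period, since an expired IdP certificate stops all federated logons. It assumes an existing MSOnline session.

```powershell
# Added example (not from the Acceptto guide): verify a domain's federation settings against
# the intended values and inspect the signing certificate. Assumes an MSOnline session.
$domain = "example.com"                       # replace with your federated domain
$expected = @{                                # mirrors the variables of the setup script
    IssuerUri                       = "https://saml.acceptto.com/saml"
    PassiveLogOnUri                 = "https://saml.acceptto.com/saml/auth"
    LogOffUri                       = "https://saml.acceptto.com/saml/logout"
    PreferredAuthenticationProtocol = "Samlp"
}

$live = Get-MsolDomainFederationSettings -DomainName $domain
$ok = $true
foreach ($name in $expected.Keys) {
    $actual = [string]$live.$name             # enum values compare as their string form
    if ($actual -ne $expected[$name]) {       # -ne is case-insensitive in PowerShell
        Write-Warning ("{0}: expected '{1}' but found '{2}'" -f $name, $expected[$name], $actual)
        $ok = $false
    }
}

# The signing certificate is stored as base64 DER; decode it to check subject and validity.
if ([string]::IsNullOrEmpty($live.SigningCertificate)) {
    Write-Warning "No signing certificate is set; Azure AD cannot validate SAML responses."
    $ok = $false
} else {
    $bytes = [Convert]::FromBase64String($live.SigningCertificate)
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    Write-Host ("Signing cert subject: {0}" -f $cert.Subject)
    Write-Host ("Valid from {0} to {1}" -f $cert.NotBefore, $cert.NotAfter)
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    if ($daysLeft -lt 30) {
        Write-Warning ("Signing certificate expires in {0} days; update it before logons fail." -f $daysLeft)
    }
}

if ($ok) { Write-Host "Federation settings match the expected values." }
else     { Write-Host "Federation settings differ; re-run Set-MsolDomainAuthentication with corrected values." }
```

Any warning from the comparison loop means the domain was federated with a value that differs from what the Acceptto IdP expects; correct the variable in the setup script and run `Set-MsolDomainAuthentication` again, then re-run this check.
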

Test Azure Active Directory login using Acceptto SAML

  1. The user types their identity in the Azure portal (portal.azure.com).
  2. The user is redirected to the Acceptto SAML portal.
  3. The user is asked to authenticate using his or her Acceptto factors.
  4. The user is successfully logged in.
  5. If you receive an error page:
    1. If an Acceptto-branded web page appears, such as the one below, check that your username and password are correct. If, after checking your credentials, it still fails to log you in, please contact our support.
    2. If an Azure-branded error web page appears, such as the one below, check that the script you ran matches exactly the values you obtained from the Acceptto IdP. Correct any discrepancies and run the script again.
    3. If an Azure-branded error web page still appears, you can revert the domain back to a managed domain by opening a PowerShell console, logging in to Azure as the managed domain user and typing the following command:

       Set-MsolDomainAuthentication -DomainName example.com -Authentication "managed"

       If the command is successful there should be no output.

Support

If you require assistance, please email us at support@acceptto.com.

Sales

Want to learn more about our MFA solutions? Contact our Professional Services for a Demo today.

Disclaimer

All company, product and service names used in this document are for identification purposes only. Use of these names, trademarks and brands does not constitute endorsement by the Acceptto Corporation.

Microsoft™, Azure™ and Active Directory™ are trademarks of Microsoft Corporation and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries.