To sync users from Azure Active Directory (AD), you must add an Azure AD external identity and create one or more group syncs.
In AuthPoint, the Azure AD external identity represents your external user database. It connects to Azure Active Directory to get user account information and validate passwords. The group syncs you add to an external identity specify which users to sync from Azure AD to AuthPoint.
Azure AD external identities do not require the AuthPoint Gateway. If you have an on-premise Active Directory with Azure AD Connect, you can configure an Azure AD external identity to sync and authenticate users without the AuthPoint Gateway.
Due to a Microsoft limitation, Office 365 only supports AuthPoint MFA for Azure AD users if they are synced with a local AD server (it does not support MFA for users that only exist in Azure AD). For more information, see this Knowledge Base article.
Users synced from Azure AD cannot authenticate to RADIUS client resources that use MS-CHAPv2.
Configure Azure Active Directory
Before you can configure AuthPoint, you must configure Azure AD.
To configure Azure AD:
- Log in to the Microsoft Azure Portal.
- Select the Azure Active Directory service.
- From the navigation menu, select App registrations.
- Click New Registration.
The Register an application page appears.
- Type a name for the application.
- For Supported account types, select the types of user accounts that can use this application to log in. Your selection should represent the users that you sync to AuthPoint.
- Click Register.
A page appears that shows the details for your app.
- Copy the Application (client) ID value. You need this value to create the Azure AD external identity in AuthPoint.
- From the navigation menu, select Manifest.
- In the manifest editor, set the allowPublicClient property to true.
- Click Save.
- From the navigation menu, select API permissions.
- Click Add a permission.
- Select Microsoft Graph.
- Select Application permissions.
- Select the Group.Read.All and User.Read.All application permissions.
- Select Delegated permissions.
- Select the User.Read permission.
- Click Add permissions. The permissions you add need Administrator approval. If you see the status message "Not granted for <name>", click Grant admin consent for <name>.
- From the navigation menu, select Certificates and Secrets.
- Click New client secret.
- (Optional) Type a description of the client secret.
- Select when the secret expires.
- Click Add.
Details of the new client secret. appear
- Copy the client secret. You need this value to create the Azure AD external identity in AuthPoint.
In the AuthPoint management UI, you must add an Azure AD external identity and create one or more group syncs.
Add an External Identity
To add an external identity in the AuthPoint management UI:
- From the AuthPoint menu, select External Identities.
- From the Choose an External Identity Type drop-down list, select Azure AD. Click Add.
- In the Name text box, type a descriptive name for the external identity.
- In the Application ID text box, type the Application (client) ID value from Azure AD.
- In the Domain text box, type the domain name for your Azure AD. If you have not created custom domain names, the default format is example.onmicrosoft.com.
- In the Client Secret text box, type the client secret that you copied from Azure AD.
- From the Synchronization Interval drop-down list, specify how often you want to synchronize users from Azure AD. If you select Every 24 hours, you must also specify what time the synchronization starts each day.
- Click Save.
Test the Connection to the External Identity
To test the connection to your external identity:
- From the navigation menu, select External Identities.
- Next to the external identity you added for your Azure AD database, click and select Check Connection.
A message appears at the bottom of the screen to indicate if AuthPoint can communicate with Azure AD.
Sync Your Users
After you create an external identity for your Azure AD, you must add a group sync to specify:
- The Azure AD groups to sync users from
- The AuthPoint group to add the users to
After you add a group sync to find your users, AuthPoint syncs with your Azure AD database at the next synchronization interval and creates an AuthPoint user account for each user identified by the group sync. If the group sync returns more users than you have available licenses for, the sync only creates as many users as your license supports.
Users that do not have a first name, user name, and email address are not included in the synchronization.
Before you continue, make sure that each user account has a valid email address. If the email address for a user account is not correct, the user cannot receive the email message to activate a token.
To create a group sync for Azure AD groups:
- Select External Identities.
- Next to your external identity, click and select Group Sync.
- On the Group Sync page, click Add New Azure Group to Sync.
- In the Add Azure AD Group Sync window, from the Select Azure AD Groups drop-down list, select the Azure groups you want to sync users from. You can select multiple groups.
- From the Select the AuthPoint Group drop-down list, select the AuthPoint group to add the users to.
For each group sync, all users are added to the same AuthPoint group. To add users to separate AuthPoint groups, you must create a separate group sync for each Azure AD group that has users you want in a different AuthPoint group.
- Click Save.
The Add Group Sync window closes.
AuthPoint syncs with your Azure AD database at the next synchronization interval and creates an AuthPoint user account for each user identified by the group sync.
To start a sync immediately, on the External Identities page, next to the external identity, click and select Start Synchronization.
The newly created AuthPoint user accounts appear on the Users page with a green Activated status icon next to the user name. The Activated status icon indicates that the user has been created and is currently active (not blocked). You can identify users synced from an external user database by the LDAP tags next to their names in the list of users.
Each user receives an email that they use to activate their token in the AuthPoint mobile app. When a user activates their token, you can see their token in the Token column with a green Activated status icon next to the token.