Easily Synchronize Your Network with Your Azure Active Directory Subscription



In this guide you will learn how to link Azure Active Directory user groups with NetFoundry endpoint groups to automatically create a client endpoint for each AAD group member. Then we will go over how to use the endpoint group to control access to an AppWAN:

  1. Set up an Azure Active Directory subscription;
  2. Choose the Azure Active Directory groups to synchronize;
  3. Apply an Azure Active Directory group to an AppWAN;
  4. Revoke NetFoundry access to Azure Active Directory;
  5. Azure Active Directory subscription security;

Example scenario

You have an application named Apollo, whose access is managed by AAD, and you have an AAD user group named "Apollo users" that contains the users who are authorized to access it.

Your goal is to leverage a NetFoundry AppWAN to provide Apollo users with secure, performant access to the application, without having to manually maintain the list of authorized NetFoundry clients for every user that is added and removed from the authorized users group.

With a few minutes of setup time, you can secure your Apollo app and use your AAD group to keep the AppWAN up to date with authorized clients automatically. With synchronization enabled, as you add and remove users from the AAD user group, client endpoints will be automatically added to and removed from the AppWAN.

Set up an Azure Active Directory subscription

Before you can synchronize AAD with NetFoundry, you will need to create an AAD Subscription in the NetFoundry Console. This one-time setup is needed to authorize NetFoundry to read group information from your AAD instance. It in no way gives NetFoundry the ability to modify anything in your AAD. You will have full control over what NetFoundry is allowed to read, and you can revoke NetFoundry access at any point if you choose to.

  • Grab your 1 subscription id, 2 tenant id, and 3 secret key from your subscription (see image below).
  • If you are using Intune, you can add compliant devices by checking 4 ENABLE INTUNE SYNCHRONIZATION. Note: this is an experimental feature. Two endpoint groups will be created, INTUNE-COMPLIANT and INTUNE-NON-COMPLIANT, and each device will be placed in the group matching its compliance state.
  • Log into your organization console. From the left panel, click Manage Subscriptions, then click the Azure Active Directory tab.
  • Copy and paste your AAD information. Click Validate.
  • Enter your configuration settings.
    • You can pick an AAD group to sync from the 5 SELECT GROUPS TO SYNC FROM drop down.
    • Click the toggle button 6 AUTOMATICALLY SYNC.
    • Then select a start time for the synchronization to kick off from by using the SYNC TIME drop down.
    • Then choose a frequency for the synchronization to repeat by using the SYNC FREQUENCY drop down, e.g. rerun the synchronization every hour, every 12 hours, or every 24 hours.
    • You can choose to have clients automatically deleted by toggling 7 AUTOMATIC CLIENT DELETION. This will ensure that clients that are no longer in an Azure Group are completely deleted from the network. 
    • You can set a display attribute for the auto-created clients by selecting one from the 9 SELECT AN ATTRIBUTE FOR CLIENT NAME drop down. Currently, there are only four choices.
    • Lastly, you can choose to send each user their registration key at their AAD login email, or have all registration keys sent to an administrator email. Check the box 8 EMAIL EACH USER REGISTRATION INFORMATION to send the emails to the users; otherwise uncheck it and enter the admin email.
  • Click SAVE to lock in your configuration. 
  • Either grab a coffee and come back to check on your synchronization, or if you are impatient click SYNC NOW. From the left panel, click MANAGE ENDPOINTS. From here, click either the Manage Clients or the Manage Endpoint Groups tab. You should see your endpoint groups with the corresponding AAD group names, and clients named with the corresponding display attribute.
  • Click DELETE if you no longer want your subscription.

The Directory Server Authentication form has three fields: 1 Application ID, 2 Tenant ID, 3 Client Secret, which are all generated by you in Azure (see the image below). You will log into https://portal.azure.com to generate these field values, and then copy them into the subscription form. You can find them under Azure Active Directory → App Registrations → {your application}.


Generate an Azure App Registration for NetFoundry

Sign into the Azure Portal, and navigate to Azure Active Directory → App Registrations. On this page, create a New Registration. Give the app registration a friendly name, such as "NetFoundry Group Sync", and click Register to save it. The next screen will display the values that you need to copy to the subscription form in the NetFoundry Console:

  1. "Application (client) ID"
  2. "Directory (tenant) ID"

Copy these two values into the NetFoundry AAD subscription form fields "Application ID" and "Tenant ID" respectively. Next you will grant NetFoundry read-only access to your Active Directory groups.


Grant NetFoundry access to read Active Directory groups and users

Now that you have created an app registration for NetFoundry, you must explicitly grant it permission to read your AAD groups and users. To do this, click View API Permissions → Add a permission → Microsoft Graph → Application Permissions.

Under Select Permissions, enter "Group.Read.All". In the search results, select "Group.Read.All" from the list, and click Add permissions.

Under Select Permissions, enter "User.Read.All". In the search results, select "User.Read.All" from the list, and click Add permissions.



Once you add those permissions, you will need to Grant Consent to them via the button on the API permissions screen.


Next you will generate a client secret, and copy this value into the subscription form.

Generate a Client Secret

To generate the client secret, navigate to Certificates & Secrets in the Azure portal. On this page, create a New client secret.

Give the secret a friendly name, such as "NetFoundry Group Sync", choose an expiry time, and click Add to save it. The page will refresh and display the secret value that you need to copy to the subscription form field "Client Secret" in the NetFoundry console. This is the only time that the client secret will be visible to you. Be sure that you have successfully copied the value to the subscription form before you navigate away from the Azure portal.

Once you have copied the client secret into the subscription form, you will validate that the connection settings are correct and that NetFoundry can talk to your AAD instance.


Validate your subscription values

In the NetFoundry console, click Validate to test that the Azure values you've entered are correct and that NetFoundry is able to talk to your AAD instance.
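Validate exercises the app registration from NetFoundry's side. The following is an added example (not NetFoundry's or Microsoft's code) of the same check from your side: it builds the OAuth 2.0 client-credentials request that an app registration with Application ID, Tenant ID and Client Secret makes against the tenant's v2.0 token endpoint, and inspects the `roles` claim of the access token it gets back to confirm that exactly the two application permissions granted earlier, Group.Read.All and User.Read.All, are present. The token endpoint URL, grant parameters and the `.default` scope are Microsoft identity platform conventions; the sample tokens are constructed inline so the check runs offline, and the role name `Directory.ReadWrite.All` in the over-privileged sample is only there to show what an excess permission looks like.

```python
"""Added example: build the client-credentials token request for an Azure AD app
registration and check that the resulting token carries only the intended roles."""
import base64
import json
from urllib.parse import urlencode

# Microsoft Graph application permissions granted in the API permissions step.
EXPECTED_ROLES = {"Group.Read.All", "User.Read.All"}
GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def token_request(tenant_id: str, client_id: str, client_secret: str) -> tuple[str, str]:
    """Build the OAuth 2.0 client-credentials request for the tenant's v2.0 token endpoint.

    Returns (url, form_body). Nothing is sent here; POST the body with
    Content-Type application/x-www-form-urlencoded to obtain an access token.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    })
    return url, body


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(jwt: str) -> dict:
    """Return the payload claims of a compact JWT without verifying its signature.

    This only inspects what a token asserts; Microsoft Graph is the party that
    verifies the signature, and this helper deliberately does not.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-segment compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_roles(jwt: str, expected: set[str] = EXPECTED_ROLES) -> dict:
    """Compare the token's application roles against the permissions the guide grants."""
    roles = set(decode_claims(jwt).get("roles", []))
    return {
        "missing": sorted(expected - roles),  # non-empty: admin consent not granted yet
        "excess": sorted(roles - expected),   # non-empty: app holds more than read access
        "ok": roles == expected,
    }


def _fake_jwt(claims: dict) -> str:
    """Constructed sample token for offline use; the signature segment is a placeholder."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed sample tokens (not real Azure AD output) covering the three outcomes.
SAMPLE_OK = _fake_jwt({"aud": "https://graph.microsoft.com",
                       "roles": ["Group.Read.All", "User.Read.All"]})
SAMPLE_NO_CONSENT = _fake_jwt({"aud": "https://graph.microsoft.com"})  # no roles claim
SAMPLE_OVERPRIVILEGED = _fake_jwt({"aud": "https://graph.microsoft.com",
                                   "roles": ["Group.Read.All", "User.Read.All",
                                             "Directory.ReadWrite.All"]})

if __name__ == "__main__":
    url, body = token_request("<tenant-id>", "<application-id>", "<client-secret>")
    print("POST", url)
    print(body)
    for name, tok in [("ok", SAMPLE_OK), ("no consent", SAMPLE_NO_CONSENT),
                      ("over-privileged", SAMPLE_OVERPRIVILEGED)]:
        print(name, check_roles(tok))
```

A token with no `roles` claim is what you get when the permissions were added but Grant Consent was not clicked; an `excess` entry means the registration carries more than the read-only access this integration needs, which is worth trimming before the client secret is handed to a third party.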

Once validated, you can choose the AAD groups to sync under Directory Server Settings.

Choose the Azure Active Directory groups to synchronize

Under the Directory Server Settings section of the page, you will choose the AAD groups you want to sync with NetFoundry, and how often to sync.

When you have completed filling out the form, hit Save to complete the setup. Your first AAD sync will run at the next scheduled time.


Select groups to sync from

Use this pull-down menu to select one or more AAD groups you want to sync to NetFoundry. These groups will be imported as Endpoint Groups. A client endpoint will be generated for each user within the AAD group.

Sync Time

Sync time is in UTC. Select the time each day that NetFoundry will sync endpoint groups with your AAD. Choose a time each day when your AAD is least busy. NetFoundry will pull group data in batches so as not to overload your AAD server. You can use this local time to UTC conversion page to help with the translation.

Sync Frequency

Choose how often to sync AAD groups with NetFoundry. You can choose every 12 hours or every 24 hours.

Select An Attribute For Client Name

For each user in your AAD group, NetFoundry will create a client endpoint. From this menu, you will select the client endpoint naming convention, based on AAD user attributes. Options are limited to ensure a unique attribute is used, so if one of the options is known not to be unique in your directory, do not select it. Choose from the following options:

  • Employee ID
  • Display Name - typically the user's first and last name
  • Email Nickname - user email portion prior to the @ symbol
  • Email - user full email address
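Because the chosen attribute becomes the client endpoint name, a collision or an empty value in the group means two users would map to the same client or a user would get no usable name at all. The following is an added example (not NetFoundry's code) that takes a group's members and reports, for each of the four options above, which values collide and how many are empty, so you can pick an option that is actually unique before enabling the sync. The member records are constructed; their keys mirror the Microsoft Graph user properties `employeeId`, `displayName` and `mail`, but which properties NetFoundry itself reads is not stated in the guide, so that mapping is an assumption. Email Nickname is derived as the guide describes it, the part of the email before the @.

```python
"""Added example: check which client-name attribute options are unique across a group."""
from collections import Counter

NAME_OPTIONS = ("Employee ID", "Display Name", "Email Nickname", "Email")

# Constructed sample group membership (assumed property names, see lead-in).
SAMPLE_MEMBERS = [
    {"employeeId": "1001", "displayName": "Jane Doe",   "mail": "jane.doe@example.com"},
    {"employeeId": "1002", "displayName": "John Smith", "mail": "john.smith@example.com"},
    {"employeeId": "",     "displayName": "Jane Doe",   "mail": "jdoe@contractor.example.com"},
    {"employeeId": "1004", "displayName": "Li Wei",     "mail": "li.wei@example.com"},
    {"employeeId": "1005", "displayName": "Li Wei",     "mail": "Li.Wei@partner.example.org"},
]


def candidate_names(member: dict) -> dict:
    """The client endpoint name each option would produce for one user."""
    mail = (member.get("mail") or "").lower()  # email addresses compare case-insensitively
    return {
        "Employee ID": member.get("employeeId") or "",
        "Display Name": member.get("displayName") or "",
        "Email Nickname": mail.split("@", 1)[0],  # portion before the @, per the guide
        "Email": mail,
    }


def uniqueness_report(members: list) -> dict:
    """Per option: duplicated values, number of users with no value, and a safe flag."""
    per_option = {opt: [] for opt in NAME_OPTIONS}
    for m in members:
        for opt, value in candidate_names(m).items():
            per_option[opt].append(value)
    report = {}
    for opt, values in per_option.items():
        counts = Counter(v for v in values if v)
        duplicates = sorted(v for v, n in counts.items() if n > 1)
        empty = sum(1 for v in values if not v)
        report[opt] = {"duplicates": duplicates, "empty": empty,
                       "safe": not duplicates and empty == 0}
    return report


def safe_options(members: list) -> list:
    """Options that yield a distinct, non-empty name for every member."""
    report = uniqueness_report(members)
    return [opt for opt in NAME_OPTIONS if report[opt]["safe"]]


if __name__ == "__main__":
    for opt, result in uniqueness_report(SAMPLE_MEMBERS).items():
        print(f"{opt:15} duplicates={result['duplicates']} empty={result['empty']} safe={result['safe']}")
    print("safe to select:", safe_options(SAMPLE_MEMBERS))
```

In the constructed group only Email is safe: two users share a display name, a contractor has no employee ID, and two users in different mail domains share the same nickname, which is exactly the case the guide warns about.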

Email Each User Registration Info Or Enter A Default For All

When new client endpoints are created, an email is generated containing the registration key and instructions for installing the client on various operating systems. Choose where this email will be delivered. You can choose to send them to the end user directly (for instances when users install software on their own machines), or you can choose to send them to an administrative email address (for instances when user machines are managed centrally).

After the first scheduled sync

After the first scheduled sync has run, navigate to Network Settings → Manage Endpoints → Manage Endpoint Groups. Once the sync is complete, you will see a new endpoint group for each AAD group that you set up. You can distinguish regular groups from AD-linked groups with the "IAM" icon in the upper-right-hand corner of the group tile.

As the AAD group changes (members added or removed), the NetFoundry endpoint group will also be updated each time the sync runs.


Apply an Azure Active Directory group to an AppWAN

Once your AAD user groups have finished synchronizing to NetFoundry, you can add them to an AppWAN.

In the NetFoundry Console, navigate to Network Settings → Manage AppWANs. Click on an AppWAN row to bring up the editor. In the editor you will find your AAD group listed in the Available Groups panel. Click on it and click the right arrow to move it into the Selected Endpoints panel. Hit Save when finished. See Build an AppWAN using existing components for more detailed instructions.

From now on, everyone in your AAD group will be authorized to the AppWAN.

Revoke NetFoundry access to Azure Active Directory

To revoke NetFoundry access to your AAD, sign into the Azure Portal, navigate to Azure Active Directory → App Registrations, and delete the App Registration for NetFoundry that you created in step 1 above.

Azure Active Directory subscription security

When you enter the Application ID, Tenant ID, and Client Secret form values and hit Validate, these data are stored in a secured NetFoundry secrets manager as hashed and encrypted data, away from the primary backend data storage service.

NetFoundry will locally store:

  • the field name used to populate the client endpoint name.
  • a delimited list of the group ids selected to sync
  • the admin email address (but not individual users' email addresses, which remain in AAD)






