Client Sync - Integration with Azure Active Directory

Introduction

In this guide, you will learn how to link Azure Active Directory user groups with NetFoundry endpoint groups to automatically create a client endpoint for each AAD group member and thereby manage the endpoint lifecycle. Then we will go over how to use the endpoint group to control access to an AppWAN:

  1. Set up an Azure Active Directory subscription;
  2. Choose the Azure Active Directory groups to synchronize;
  3. Apply an Azure Active Directory group to an AppWAN;
  4. Revoke NetFoundry access to Azure Active Directory;
  5. Azure Active Directory subscription security;
  6. Configure Active Directory Integration for v7 network.

Example scenario

You have an application named Apollo, whose access is managed by AAD, and you have an AAD user group named "Apollo users" that contains the users that are authorized to access it. 

Your goal is to leverage a NetFoundry AppWAN to provide Apollo users with secure, performant access to the application, without having to manually maintain the list of authorized NetFoundry clients for every user that is added and removed from the authorized user group.

With a few minutes of setup time, you can secure your Apollo app and use your AAD group to keep the AppWAN up to date with authorized clients automatically. With synchronization enabled, as you add and remove users from the AAD user group, client endpoints will be automatically added to and removed from the AppWAN.

Set up an Azure Active Directory subscription

Before you can synchronize AAD with NetFoundry, you will need to create an AAD Subscription in the NetFoundry Console. This one-time setup is needed to authorize NetFoundry to read group information from your AAD instance. It in no way gives NetFoundry the ability to modify anything in your AAD. You will have full control over what NetFoundry is allowed to read, and you can revoke NetFoundry access at any point if you choose to.

  • Grab your (1.) subscription id, (2.) tenant id, and (3.) secret key from your subscription (see image below).
  • If you are using Microsoft Intune (Microsoft Endpoint Manager) you can add compliant devices by checking (4.) ENABLE INTUNE SYNCHRONIZATION. Note: This is an experimental feature. Two endpoint groups will be created, one for INTUNE-COMPLIANT and one for INTUNE-NON-COMPLIANT devices, and each device is placed in the group with the matching title.
  • Log into your organization console. From the left panel click Manage Subscriptions. Then click the Azure Active Directory tab.
  • Copy and paste your AAD information. Click Validate.
  • Enter your configuration settings.
    • You can pick an AAD group to sync from the (5.) SELECT GROUPS TO SYNC FROM drop down.
    • Click the toggle button (6.) AUTOMATICALLY SYNC.
    • Then select a start time for the synchronization to kick off by using the SYNC TIME drop down.
    • Then choose a frequency for the synchronization to repeat by using the SYNC FREQUENCY drop down, i.e. rerun the synchronization every hour, every 12 hours, or every 24 hours.
    • You can choose to have clients automatically deleted by toggling (7.) AUTOMATIC CLIENT DELETION. This ensures that clients that are no longer in an Azure group are completely deleted from the network.
    • You can set a display attribute for the auto-created clients by selecting one from the (9.) SELECT AN ATTRIBUTE FOR CLIENT NAME drop down. Currently, there are only four choices.
    • Lastly, you can choose to either send each client their registration key to their AAD login email or have the registration keys sent to an administrator email. To send the emails to the users, check the box (8.) EMAIL EACH USER REGISTRATION INFORMATION; otherwise uncheck it and enter the admin email.
  • Click SAVE to lock in your configuration.
  • Either grab a coffee and come back to check on your synchronization or, if you are impatient, click SYNC NOW. From the left panel, click MANAGE ENDPOINTS. From here click either the Manage Clients or the Manage Endpoint Groups tab. You should see your endpoint groups with the corresponding AAD group names and clients with the corresponding display attribute!
  • Click DELETE if you no longer want the subscription and wish to remove it.

The Directory Server Authentication form has three fields: (1.) Application ID, (2.) Tenant ID, (3.) Client Secret, which are all generated by you in Azure (see the image below). You will log into https://portal.azure.com to generate these field values, and then copy them into the subscription form. You can find them under Azure Active Directory → App Registrations → {your application}.

sync_provider.bmp

Generate an Azure App Registration for NetFoundry

Sign into the Azure Portal, and navigate to Azure Active Directory → App Registrations. On this page, create a New Registration. Give the app registration a friendly name, such as "NetFoundry Group Sync", and click Register to save it. The next screen will display the values that you need to copy to the subscription form in the NetFoundry Console:

  1. "Application (client) ID"
  2. "Directory (tenant) ID"

Copy these two values into the NetFoundry AAD subscription form fields "Application ID" and "Tenant ID" respectively. Next you will grant NetFoundry read-only access to your Active Directory groups.

Azure_app_registrations.png

Grant NetFoundry access to read Active Directory groups and users

Now that you have created an app registration for NetFoundry, you must explicitly grant it permission to read your AAD groups and users. To do this, click View API Permissions → Add a permission → Microsoft Graph → Application Permissions.

Under Select Permissions, enter "Group.Read.All". In the search results, select it from the list, and click Add permissions.

Under Select Permissions, enter "User.Read.All". In the search results, select it from the list, and click Add permissions.


azure_grant_permissions.png

Once you add those permissions, you will need to Grant Consent to them via the button on the API permissions screen.

mceclip0.png

Additional Permissions if using Intune Sync

Under Select Permissions, enter "Device.Read.All". In the search results, select it from the list, and click Add permissions.

Under Select Permissions, enter "DeviceManagementManagedDevices". In the search results, select it from the list, and click Add permissions.


azure-endpoint-device-read-all.png

Next you will generate a client secret, and copy this value into the subscription form.

Generate a Client Secret

To generate the client secret, navigate to Certificates & Secrets in the Azure portal. On this page, create a New client secret.

Give the secret a friendly name, such as "NetFoundry Group Sync", choose an expiry time, and click Add to save it. The page will refresh and display the secret "Value" that you need to copy to the subscription form field "Client Secret" in the NetFoundry console. This is the only time that the client secret will be visible to you. Be sure that you have successfully copied the value to the subscription form before you navigate away from the Azure portal.

Once you have copied the client secret into the subscription form, you will validate that the connection settings are correct and that NetFoundry can talk to your AAD instance.

azure_AD.bmp 

Validate your subscription values

In the NetFoundry console, click Validate to test that the Azure values you've entered are correct and that NetFoundry is able to talk to your AAD instance.

Once validated, you can choose the AAD groups to sync under Directory Server Settings.

Choose the Azure Active Directory groups to synchronize

Under the Directory Server Settings section of the page, you will choose the AAD groups you want to sync with NetFoundry, and the frequency at which to sync.

When you have completed filling out the form, hit Save to complete the setup; your first AAD sync will run at the next scheduled time.

directory_server_settings.png

Select groups to sync from

Use this pull-down menu to select one or more AAD groups you want to sync to NetFoundry. These groups will be imported as Endpoint Groups. A client endpoint will be generated for each user within the AAD group.

Sync Time

Sync time is in UTC. Select the time each day that NetFoundry will sync endpoint groups with your AAD. Choose a time each day when your AAD is least busy. NetFoundry will pull group data in batches so as not to overload your AAD server. You can use this local time to UTC conversion page to help with the translation.

Sync Frequency

Choose how often to sync AAD groups with NetFoundry. You can choose every 12 hours or every 24 hours.

Select An Attribute For Client Name

For each user in your AAD group, NetFoundry will create a client endpoint. From this menu, you will select the client endpoint naming convention, based on AAD user attributes. Options are limited to ensure a unique attribute is used, so if one of the options is known to not be unique within your group, do not select it. Choose from the following options:

  • Employee ID
  • Display Name - typically the user first, last name
  • Email Nickname - user email portion prior to the @ symbol
  • Email - user full email address

Email Each User Registration Info Or Enter A Default For All

When new client endpoints are created, an email is generated containing the registration key and instructions for installing the client on various operating systems. Choose where this email will be delivered. You can choose to send them to the end user directly (for instances when users install software on their own machines), or you can choose to send them to an administrative email address (for instances when user machines are managed centrally).

After the first scheduled sync

After the first scheduled sync has run, navigate to Network Settings → Endpoints. Once the sync is complete, you will see a new endpoint with an associated attribute which corresponds to each AAD group that you configured for syncing.

As the AAD group changes (add, delete), the NetFoundry endpoints list will also be updated each time sync runs.
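As an added illustration of the behaviour described under "Select An Attribute For Client Name" and in the add/delete paragraph above, the following Python models one sync run: it names each client from the chosen AAD attribute, refuses an attribute that is not unique within the group, and diffs the group against the existing clients, deleting departed users only when AUTOMATIC CLIENT DELETION is on. This is example code, not NetFoundry's implementation; the AadUser model and the sample group members are constructed.

```python
# Added illustration of the sync behaviour this page describes; not NetFoundry's
# code. The AadUser model, names and sample group members are constructed.
from dataclasses import dataclass
# Keys map to the "Select An Attribute For Client Name" menu choices.
NAME_ATTRIBUTES = ("employee_id", "display_name", "mail_nickname", "mail")

@dataclass(frozen=True)
class AadUser:
    employee_id: str
    display_name: str
    mail: str
    @property
    def mail_nickname(self) -> str:
        # "Email Nickname" is the address portion before the @ symbol.
        return self.mail.split("@", 1)[0]

def client_name(user: AadUser, attribute: str) -> str:
    if attribute not in NAME_ATTRIBUTES:
        raise ValueError(f"unsupported naming attribute: {attribute}")
    return getattr(user, attribute)

def check_unique(members, attribute):
    """Attribute values that collide or are empty (unusable as client names)."""
    seen, bad = set(), set()
    for user in members:
        name = client_name(user, attribute)
        if not name or name in seen:
            bad.add(name or "<empty>")
        seen.add(name)
    return sorted(bad)

def plan_sync(members, existing_clients, attribute, auto_delete):
    """Diff group members against existing clients -> (to_create, to_delete)."""
    collisions = check_unique(members, attribute)
    if collisions:
        raise ValueError(f"{attribute!r} is not unique: {collisions}")
    desired = {client_name(u, attribute) for u in members}
    current = set(existing_clients)
    # Users who left the group are removed only when AUTOMATIC CLIENT
    # DELETION is on; otherwise their endpoints are left in place.
    to_delete = sorted(current - desired) if auto_delete else []
    return sorted(desired - current), to_delete

# Constructed sample membership of the "Apollo users" group.
APOLLO_USERS = [
    AadUser("E100", "Ann Lee", "ann.lee@example.com"),
    AadUser("E101", "Bob Ray", "bob.ray@example.com"),
    AadUser("E102", "Ann Lee", "ann.lee2@example.com"),  # same display name
]
```

Running check_unique on the sample with "display_name" flags the duplicate "Ann Lee", which is exactly the case the attribute menu warns about, while "mail" or "mail_nickname" is safe for this group.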

endpoint_group.bmp

Apply an Azure Active Directory group to an AppWAN

Once your AAD user groups have finished synchronizing to NetFoundry, you can add them to an AppWAN.

In the NetFoundry Console, navigate to Network Settings → Manage AppWANs. Click on an AppWAN row to bring up the editor. In the editor you will find a Services panel and an Endpoints panel. Click on the Endpoints panel and select the desired AAD group name listed amongst the available endpoints. Check that members are listed in the Endpoints Preview panel on the right and click on Create or Update. See Build an AppWAN using existing components for more detailed instructions.

From now on, everyone in your AAD group will be authorized to the AppWAN.

appwan.bmp


Revoke NetFoundry access to Azure Active Directory

To revoke NetFoundry access to your AAD, sign into the Azure Portal, navigate to Azure Active Directory → App Registrations, and delete the App Registration for NetFoundry that you created in step 1 above.

Azure Active Directory subscription security

When you enter the Application ID, Tenant ID, and Client Secret form values and hit Validate, these data are stored in a secured NetFoundry secrets manager as hashed and encrypted data, away from the primary backend data storage service.

NetFoundry will locally store:

  • the field name used to populate the client endpoint name.
  • a delimited list of the group ids selected to sync
  • the admin email address (but not the individual users' email address - stored in the AAD) 

Configure Active Directory Integration for v7 network

This example is not using AAD. We want to integrate with an Azure VM with Windows Server 2016 installed and "regular" AD configured. Log in to your console and select Manage Integrations > Active Directory tab. Fill in the fields:

1. BASE DN:
2. ACCOUNT DN:
3. DIRECTORY SERVER ADDRESS: Public IP of AD server
4. PASSWORD: Password that goes with account DN
5. PORT: 389 for example
6. ENABLE SECURE CONNECTION:
7. "VALIDATE" button

ad_selections.jpg

Choose the Active Directory groups to synchronize

08. SELECT GROUPS TO SYNC FROM:
09. AUTOMATICALLY SYNC
10. SYNC DEVICES 
11. SYNC TIME (UTC) / SYNC FREQUENCY
12. AUTOMATIC CLIENT DELETION 
13. EMAIL EACH USER REGISTRATION INFORMATION
14. SELECT AN ATTRIBUTE FOR CLIENT NAME
15. OR ENTER A DEFAULT FOR ALL 

sync_settings.jpg

After the first scheduled sync

After the first scheduled sync has run, navigate to Endpoints > Manage Endpoints. You will see a new user for each AD group that you set up to sync. As the AD group changes (add, delete), the NetFoundry endpoints will also be updated each time sync runs.

manage_endpoints.jpg

Apply an Active Directory group to an AppWAN

Once your AD user groups have finished synchronizing to NetFoundry, you can add them to an AppWAN. In the NetFoundry Console, navigate to AppWANs > Manage AppWANs.

Click on an AppWAN row to bring up the editor. In the editor you will find your AD group (and each user in the group) listed in the ENDPOINTS ATTRIBUTES panel.

In the panel, select #groupname or each individual @username. Your selection will be visible in the ENDPOINTS PREVIEW panel to the right. Don't forget to click the UPDATE button when finished to save your changes. The selected group/users will now be authorized to the AppWAN.

appwan_add_group.jpg
