When you sync an Azure Active Directory (AAD) group containing users with NetFoundry, it will appear in the console as an endpoint group, with a client endpoint for each user. The endpoint group will have the same name as the AAD group. As users are added and removed from your AAD group, the changes will be synchronized to NetFoundry automatically, by adding and removing clients from the associated endpoint group. This makes for a really simple and convenient way to control access to your AppWANs using Azure Active Directory.
In this guide you will learn how to link Azure Active Directory user groups with NetFoundry endpoint groups to automatically create a client endpoint for each AAD group member. Then we will go over how to use the endpoint group to control access to an AppWAN:
- Set up an Azure Active Directory subscription;
- Choose the Azure Active Directory groups to synchronize;
- Apply an Azure Active Directory group to an AppWAN;
- Revoke NetFoundry access to Azure Active Directory;
- Azure Active Directory subscription security;
You have an application named Apollo, whose access is managed by AAD, and you have an AAD user group named "Apollo users" that contains the users who are authorized to access it.
Your goal is to leverage a NetFoundry AppWAN to provide Apollo users with secure, performant access to the application, without having to manually maintain the list of authorized NetFoundry clients for every user that is added and removed from the authorized users group.
With a few minutes of setup time, you can secure your Apollo app and use your AAD group to keep the AppWAN up to date with authorized clients automatically. With synchronization enabled, as you add and remove users from the AAD user group, client endpoints will be automatically added to and removed from the AppWAN.
Set up an Azure Active Directory subscription
Before you can synchronize AAD with NetFoundry, you will need to create an AAD Subscription in the NetFoundry Console. This one-time setup is needed to authorize NetFoundry to read group information from your AAD instance. It does not give NetFoundry the ability to modify anything in your AAD. You have full control over what NetFoundry is allowed to read, and you can revoke NetFoundry's access at any point if you choose to.
Log into NetFoundry Console, and go to Network Settings → Manage Subscriptions → Active Directory Subscriptions.
The Directory Server Authentication form has three fields: Application ID, Tenant ID and Client Secret, all of which you generate in Azure. You will log into https://portal.azure.com to generate these values, then copy them into the subscription form.
Generate an Azure App Registration for NetFoundry
Sign into the Azure Portal, and navigate to Azure Active Directory → App Registrations. On this page, create a New Registration. Give the app registration a friendly name, such as "NetFoundry Group Sync", and click Register to save it. The next screen will display the values that you need to copy to the subscription form in the NetFoundry Console:
- "Application (client) ID"
- "Directory (tenant) ID"
Copy these two values into the NetFoundry AAD subscription form fields "Application ID" and "Tenant ID" respectively. Next you will grant NetFoundry read-only access to your Active Directory groups.
Grant NetFoundry access to read Active Directory groups and users
Now that you have created an app registration for NetFoundry, you must explicitly grant it permission to read your AAD groups and users. To do this, click View API Permissions → Add a permission → Microsoft Graph → Application Permissions.
Under Select Permissions, enter "Group.Read.All". In the search results, select "Group.Read.All" from the list, and click Add permissions.
Under Select Permissions, enter "User.Read.All". In the search results, select "User.Read.All" from the list, and click Add permissions.
Once you add those permissions, you will need to Grant Consent to them via the button on the API permissions screen.
Next you will generate a client secret, and copy this value into the subscription form.
Generate a Client Secret
To generate the client secret, navigate to Certificates & Secrets in the Azure Portal. On this page, create a New client secret.
Give the secret a friendly name, such as "NetFoundry Group Sync", choose an expiry time, and click Add to save it. The page will refresh and display the secret value that you need to copy to the subscription form field "Client Secret" in the NetFoundry Console. This is the only time that the client secret will be visible to you. Be sure that you have successfully copied the value to the subscription form before you navigate away from the Azure Portal.
Once you have copied the client secret into the subscription form, you will validate that the connection settings are correct and that NetFoundry can talk to your AAD instance.
Validate your subscription values
In the NetFoundry Console, click Validate to test that the Azure values you've entered are correct and that NetFoundry is able to talk to your AAD instance.
Once validated, you can choose the AAD groups to sync under Directory Server Settings.
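The Validate step above exercises the same read-only path that the app registration, the two Microsoft Graph application permissions and the client secret enable: a client-credentials token request followed by a Graph read of group members. The following is an added example written for this guide, not NetFoundry's own code. It assumes the standard Azure AD v2.0 token endpoint and the Graph v1.0 group-members endpoint; the `transport` parameter, the `fake_transport` responses and all IDs are constructed for this example so that the exchange can be run offline.

```python
"""Exercise an AAD app registration the way the NetFoundry "Validate" step does:
obtain a token with the OAuth 2.0 client-credentials grant, then read one group's
members from Microsoft Graph.  Added example, not NetFoundry's code.  Assumes the
v2.0 token endpoint and the Graph v1.0 /groups/{id}/members endpoint; the
`transport` parameter is a hook of this example so the exchange can run offline."""
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def token_request(tenant_id, application_id, client_secret):
    """Build the token request: URL from the Tenant ID, form body from the other two values."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": application_id,
        "client_secret": client_secret,
        # ".default" requests exactly the application permissions an admin consented to
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return url, body


def http_transport(url, data=None, headers=None):
    """Real HTTPS transport: POST when data is given, GET otherwise; returns parsed JSON."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def get_token(tenant_id, application_id, client_secret, transport=http_transport):
    """Exchange the three subscription-form values for a bearer token."""
    url, body = token_request(tenant_id, application_id, client_secret)
    reply = transport(url, data=body,
                      headers={"Content-Type": "application/x-www-form-urlencoded"})
    if "access_token" not in reply:
        raise RuntimeError(f"token request failed: {reply.get('error_description', reply)}")
    return reply["access_token"]


def list_group_members(token, group_id, transport=http_transport):
    """Read the user members of a group, following @odata.nextLink page by page."""
    url = (f"{GRAPH}/groups/{group_id}/members/microsoft.graph.user"
           "?$select=id,displayName,mail,mailNickname,employeeId")
    headers = {"Authorization": f"Bearer {token}"}
    members = []
    while url:
        page = transport(url, headers=headers)
        if "error" in page:  # e.g. Authorization_RequestDenied when consent was never granted
            raise RuntimeError(f"Graph read failed: {page['error'].get('code')}: "
                               f"{page['error'].get('message')}")
        members.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return members


def validate(tenant_id, application_id, client_secret, group_id, transport=http_transport):
    """Return the member count; a successful read proves the token and the read-only grants work."""
    token = get_token(tenant_id, application_id, client_secret, transport)
    return len(list_group_members(token, group_id, transport))


def fake_transport(url, data=None, headers=None):
    """Constructed stand-in for Azure AD and Graph: a token, then two pages of members."""
    headers = headers or {}
    if "/oauth2/v2.0/token" in url:
        fields = urllib.parse.parse_qs(data.decode())
        assert fields["scope"] == ["https://graph.microsoft.com/.default"]
        return {"token_type": "Bearer", "access_token": "constructed-token"}
    if headers.get("Authorization") != "Bearer constructed-token":
        return {"error": {"code": "InvalidAuthenticationToken", "message": "constructed"}}
    if "/groups/denied/" in url:  # constructed group the app has no consent to read
        return {"error": {"code": "Authorization_RequestDenied",
                          "message": "Insufficient privileges to complete the operation."}}
    if "$skiptoken" in url:
        return {"value": [{"id": "u3", "displayName": "Cy Pher", "mail": "cy@example.com"}]}
    return {"value": [{"id": "u1", "displayName": "Ada L", "mail": "ada@example.com"},
                      {"id": "u2", "displayName": "Bo B", "mail": "bo@example.com"}],
            "@odata.nextLink": f"{GRAPH}/groups/g/members/microsoft.graph.user?$skiptoken=constructed"}


if __name__ == "__main__":
    # Replace the placeholders with your own values and drop transport= to run against your tenant.
    print(validate("tenant-id-placeholder", "application-id-placeholder",
                   "client-secret-placeholder", "group-id-placeholder", transport=fake_transport))
```

Two things in this exchange matter for the security posture described in the guide: the `.default` scope means the token can carry only the application permissions you consented to (Group.Read.All and User.Read.All, both read-only), and a group read that fails with `Authorization_RequestDenied` is the symptom you will see if the Grant Consent step was skipped.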
Choose the Azure Active Directory groups to synchronize
Under the Directory Server Settings section of the page, you will choose the AAD groups you want to sync with NetFoundry and the frequency at which to sync.
When you have finished filling out the form, hit Save to complete the setup; your first AAD sync will run at the next scheduled time.
Select groups to sync from
Use this pull-down menu to select one or more AAD groups you want to sync to NetFoundry. These groups will be imported as Endpoint Groups. A client endpoint will be generated for each user within the AAD group.
Sync time is in UTC. Select the time each day that NetFoundry will sync endpoint groups with your AAD. Choose a time of day when your AAD is least busy. NetFoundry pulls group data in batches so as not to overload your AAD server. You can use this local time to UTC conversion page to help with the translation.
Choose how often to sync AAD groups with NetFoundry. You can choose every 12 hours or every 24 hours.
Select An Attribute For Client Name
For each user in your AAD group, NetFoundry will create a client endpoint. From this menu, select the client endpoint naming convention, based on AAD user attributes. The options are limited to attributes that are expected to be unique; if one of the options is known not to be unique in your directory, do not select it. Choose from the following options:
- Employee ID
- Display Name - typically the user's first and last name
- Email Nickname - the portion of the user's email address before the @ symbol
- Email - the user's full email address
Email Each User Registration Info Or Enter A Default For All
When new client endpoints are created, an email is generated containing the registration key and instructions for installing the client on various operating systems. Choose where this email will be delivered. You can choose to send them to the end user directly (for instances when users install software on their own machines), or you can choose to send them to an administrative email address (for instances when user machines are managed centrally).
After the first scheduled sync
After the first scheduled sync has run, navigate to Network Settings → Manage Endpoints → Manage Endpoint Groups. Once the sync is complete, you will see a new endpoint group for each AAD group that you set up. You can distinguish regular groups from AAD-linked groups by the "IAM" icon in the upper-right-hand corner of the group tile.
As the AAD group changes (add, delete), the NetFoundry endpoint group will also be updated each time sync runs.
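Before enabling sync it is worth confirming that the client-name attribute you picked under "Select An Attribute For Client Name" is actually unique and populated for every member, and worth seeing which endpoints a sync run would add and remove as the group changes. The following dry run is an added example written for this guide, not NetFoundry's own sync logic. The mapping from console options to Graph user properties, the member records and the list of existing endpoint names are all constructed for the example.

```python
"""Dry run of one AAD -> NetFoundry sync: check that the chosen naming attribute is
unique and non-empty across the group, then compute which client endpoints a sync
would create and delete.  Added example, not NetFoundry's code; the option-to-Graph
property mapping and the sample data below are assumptions for illustration."""
from collections import Counter

# Console option -> Microsoft Graph user property (mapping assumed for this example)
NAME_ATTRIBUTES = {
    "Employee ID": "employeeId",
    "Display Name": "displayName",
    "Email Nickname": "mailNickname",
    "Email": "mail",
}


def check_attribute(members, option):
    """Return (ok, problems): not ok if the attribute is empty for anyone or shared by >1 user."""
    prop = NAME_ATTRIBUTES[option]
    values = [m.get(prop) for m in members]
    problems = []
    missing = [m["id"] for m, v in zip(members, values) if not v]
    if missing:
        problems.append(f"{option} is empty for users: {', '.join(missing)}")
    dupes = [v for v, n in Counter(v for v in values if v).items() if n > 1]
    if dupes:
        problems.append(f"{option} is not unique: {', '.join(sorted(dupes))}")
    return (not problems, problems)


def plan_sync(members, option, existing_endpoints):
    """Names a sync would create and delete, given the endpoint names currently in the group.
    Call only after check_attribute passed, so every member has a usable name."""
    prop = NAME_ATTRIBUTES[option]
    wanted = {m.get(prop) for m in members if m.get(prop)}
    current = set(existing_endpoints)
    return sorted(wanted - current), sorted(current - wanted)


# Constructed members of an AAD group "Apollo users" after a change: u4 was added,
# a former member "dana.lee" was removed, and u3 shares a display name with u2.
APOLLO_USERS = [
    {"id": "u1", "displayName": "Ada Lovelace", "mailNickname": "ada.lovelace",
     "mail": "ada.lovelace@example.com", "employeeId": "1001"},
    {"id": "u2", "displayName": "Alan Turing", "mailNickname": "alan.turing",
     "mail": "alan.turing@example.com", "employeeId": "1002"},
    {"id": "u3", "displayName": "Alan Turing", "mailNickname": "alan.turing2",
     "mail": "alan.turing2@example.com", "employeeId": ""},
    {"id": "u4", "displayName": "Grace Hopper", "mailNickname": "grace.hopper",
     "mail": "grace.hopper@example.com", "employeeId": "1004"},
]
# Constructed: client endpoint names already present in the linked endpoint group
EXISTING = ["ada.lovelace", "alan.turing", "dana.lee"]


if __name__ == "__main__":
    for option in NAME_ATTRIBUTES:
        ok, problems = check_attribute(APOLLO_USERS, option)
        print(option, "OK" if ok else problems)
    print("Email Nickname sync plan:", plan_sync(APOLLO_USERS, "Email Nickname", EXISTING))
```

In the constructed data, Display Name fails because two users share it and Employee ID fails because one user has none, so either choice would collide or produce an unnamed endpoint; Email Nickname passes, and the sync plan shows the two creations and one deletion that the next scheduled run would make.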
Apply an Azure Active Directory group to an AppWAN
Once your AAD user groups have finished synchronizing to NetFoundry, you can add them to an AppWAN.
In the NetFoundry Console, navigate to Network Settings → Manage AppWANs. Click on an AppWAN row to bring up the editor. In the editor you will find your AAD group listed in the Available Groups panel. Click on it, then click the right arrow to move it into the Selected Endpoints panel. Hit Save when finished. See Build an AppWAN using existing components for more detailed instructions.
From now on, everyone in your AAD group will be authorized on the AppWAN.
Revoke NetFoundry access to Azure Active Directory
To revoke NetFoundry access to your AAD, sign into the Azure Portal, navigate to Azure Active Directory → App Registrations, and delete the App Registration for NetFoundry that you created in step 1 above.
Azure Active Directory subscription security
When you enter the Application ID, Tenant ID and Client Secret form values and hit Validate, these values are stored in a secured NetFoundry secrets manager as hashed and encrypted data, separate from the primary backend data storage service.
NetFoundry will locally store:
- the field name used to populate the client endpoint name;
- a delimited list of the group IDs selected to sync;
- the admin email address (individual users' email addresses are not stored; they remain in your AAD).