Azure AD integration is a crucial step in securing your organization's cloud-based applications. You can connect your Azure Active Directory (Azure AD) to your on-premises Active Directory (AD) using Azure AD Connect.
To start the configuration process, you'll need to download and install the Azure AD Connect software on a server in your on-premises environment. This software is available for free from the Microsoft website.
The installation process will guide you through the setup of Azure AD Connect, including the configuration of synchronization and password hash synchronization. You'll also need to specify the credentials for your on-premises AD and Azure AD.
Azure AD Connect will then sync your on-premises AD users and groups to Azure AD, allowing you to manage access to cloud-based applications using your existing AD credentials. This process typically takes a few minutes to complete, depending on the size of your organization.
Azure AD Integration
Azure AD integration allows you to link your on-premises Active Directory domains with Microsoft Entra ID. This creates a copy of your on-premises directory in Azure, which is maintained and managed by Microsoft.
You can configure Azure for integration by creating an app registration in your Azure AD tenant and setting up the necessary permissions. This requires being an administrator in Azure, specifically with roles like Global Administrator, Cloud Application Administrator, or Application Administrator.
You can configure your Azure tenant manually by following the instructions in the Azure Portal, or use the UiPath Azure AD scripts available on GitHub. Either way, the result is an app registration whose details identify your tenant and its AD members to UiPath and prepare you for the integration.
The features and benefits of integrating your on-premises domains with Microsoft Entra ID are described in the sections that follow.
Features
With Azure AD integration, you can restrict access to your organization by activating user assignment for the UiPath app registration in Azure. This way, users need to be explicitly assigned to the app to access it.
By default, all Azure AD users can access Automation Cloud, but you can use the Azure AD Conditional Access feature to only allow users to access it from trusted networks or devices.
You can use the advanced security options of privileged identity management (PIM) to govern access requests for UiPath groups, especially if you've created groups in Azure AD for easy onboarding.
Active Directory
Active Directory is a critical component of Azure AD Integration.
You can integrate your on-premises domains with Microsoft Entra ID to create a domain in Azure and link it to your on-premises AD domain. This allows you to have the same identity information available on-premises and in Azure.
Microsoft Entra ID is not an extension of your on-premises directory, but rather a copy that contains the same objects and identities. Changes made to these items on-premises are copied to Microsoft Entra ID, but changes made in Microsoft Entra ID are not replicated back to the on-premises domain.
Here are some benefits of using Microsoft Entra ID:
- You don't need to maintain an AD infrastructure in the cloud, as Microsoft Entra ID is entirely managed and maintained by Microsoft.
- Microsoft Entra ID provides the same identity information that is available on-premises.
- Authentication can happen in Azure, reducing the need for external applications and users to contact the on-premises domain.
However, you must configure connectivity with your on-premises domain to keep the Microsoft Entra directory synchronized. Additionally, applications may need to be rewritten to enable authentication through Microsoft Entra ID.
Configuring Azure AD
To configure Azure AD, you'll need to be an administrator in Azure, specifically with roles like Global Administrator, Cloud Application Administrator, or Application Administrator.
You have two options to set up your Azure tenant: manually configure an app registration or use the UiPath Azure AD scripts available on GitHub.
To manually configure, navigate to the Azure Portal, complete the setup, and then prepare for the integration, activate it, and clean up old accounts.
Collect Client Credentials
To collect client credentials, you'll need to navigate to the Overview page for the app registration. Note the Application (client) ID and Directory (tenant) ID shown in this form and record them along with your client secret.
These keys are essential for configuring the integration in dbt Cloud. In fact, you'll need to paste the Application (client) ID into the Client ID field and the Directory (tenant) ID into the Tenant ID field when setting up Single sign-on in dbt Cloud.
Configuring for Integration
To configure Azure AD for integration, you create an app registration in your Azure AD tenant. This requires one of the administrator roles listed at the end of this section. There are two ways to set up your Azure tenant: manually in the Azure Portal, or with the UiPath Azure AD scripts available on GitHub, which perform all the necessary actions and return the app registration details.
To manually configure your Azure tenant, do the following in Azure Portal:
1. Navigate to Azure AD, then to App registrations, and create a new registration.
2. Provide a name, redirect URI, and other details.
3. After setup is complete, you can prepare for the integration, activate it, and then clean up old accounts.
You can also use the UiPath Azure AD scripts to configure your Azure tenant. These scripts perform all the necessary actions and return the app registration details.
To use the scripts, follow these steps:
1. Go to GitHub and download the UiPath Azure AD scripts.
2. Run the configAzureADconnection.ps1 script to perform all the necessary actions.
3. Run the testAzureADappRegistration.ps1 script to verify the app registration was successful.
If you're using the scripts, be sure to follow the instructions carefully and take note of any errors or issues that arise.
Here are the administrator roles with the required privileges to perform the tasks in this section:
- Global Administrator
- Cloud Application Administrator
- Application Administrator
To ensure a smooth integration, it's essential to configure groups for permissions and robots. You can do this by adding new users to an Azure AD group if the group has the required roles already assigned.
Here are the ways to map your existing user groups from Automation Cloud to new or existing groups in Azure AD:
- If users with the same roles in Automation Cloud are already in the same groups in Azure AD, add these Azure AD groups to the user groups that these users were in.
- Otherwise, create new groups in Azure AD to match the ones in Automation Cloud and add the same users that are in the UiPath user groups. Then, add the new Azure AD groups to the existing user groups to ensure the same users have the same roles.
Also check every instance for roles assigned directly to individual users. Where feasible, remove these direct role assignments and add those users to groups that already carry the same roles.
For example, if the Administrators group in Automation Cloud includes users Anna, Tom, and John, and these same users are also in a group in Azure AD called admins, you can add the admins Azure group to the Administrators group in Automation Cloud. This way, Anna, Tom, and John, as members of the admins Azure AD group, all benefit from the roles of the Administrators group in Automation Cloud.
Here are the steps to configure groups for permissions and robots:
1. Add new users to an Azure AD group if the group has the required roles already assigned.
2. Map your existing user groups from Automation Cloud to new or existing groups in Azure AD.
3. Verify any roles specifically assigned to users and remove direct role assignments if feasible.
4. Add users into groups already assigned with these roles.
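The mapping and clean-up steps above are a small matching problem, and it is easy to over-grant roles if an Azure AD group with extra members is linked to an Automation Cloud group. The following Python script is an added example and not UiPath's or Microsoft's code; the group memberships, roles and direct assignments are constructed inline (in practice they would come from the Automation Cloud admin pages and from Azure AD group membership). It links an Automation Cloud group only to an Azure AD group with exactly the same members, proposes a new Azure AD group otherwise, and for every direct role assignment names a group that already carries that role.

```python
"""Plan the mapping of Automation Cloud user groups onto Azure AD groups.

Added example, not part of the UiPath or Microsoft documentation.
All directory data below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CloudGroup:
    """An Automation Cloud user group: its members and the roles it grants."""
    members: frozenset
    roles: frozenset


# Constructed sample data: Automation Cloud groups, keyed by group name.
CLOUD_GROUPS = {
    "Administrators": CloudGroup(frozenset({"anna", "tom", "john"}),
                                 frozenset({"Administrator"})),
    "Automation Users": CloudGroup(frozenset({"lee", "maria"}),
                                   frozenset({"Automation User"})),
}

# Constructed sample data: Azure AD groups and their members.
AZURE_AD_GROUPS = {
    "admins": frozenset({"anna", "tom", "john"}),
    # "finance" shares a member with Automation Users but is not the same set,
    # so it must not be linked: doing so would also grant the role to "sam".
    "finance": frozenset({"maria", "sam"}),
}

# Constructed sample data: roles assigned directly to users, per instance.
DIRECT_ROLE_ASSIGNMENTS = [
    ("tom", "Administrator", "instance-a"),
    ("sam", "Automation User", "instance-b"),
]


def plan_group_mapping(cloud_groups, aad_groups):
    """Return {cloud_group_name: action dict} following the two rules:

    - if an Azure AD group has exactly the same members, add that group;
    - otherwise create a new Azure AD group with the same members.
    Only exact membership matches count, so no extra user gains a role.
    """
    plan = {}
    for name, group in cloud_groups.items():
        match = next((aad for aad, members in aad_groups.items()
                      if members == group.members), None)
        if match is not None:
            plan[name] = {"action": "add_existing", "azure_ad_group": match}
        else:
            suggested = "uipath-" + name.lower().replace(" ", "-")
            plan[name] = {"action": "create", "azure_ad_group": suggested,
                          "members": group.members}
    return plan


def review_direct_assignments(assignments, cloud_groups):
    """For each direct role assignment, name a cloud group that already
    grants the role, so the direct assignment can be replaced by membership.
    """
    findings = []
    for user, role, instance in assignments:
        carriers = sorted(n for n, g in cloud_groups.items() if role in g.roles)
        findings.append({"user": user, "role": role, "instance": instance,
                         "move_to_group": carriers[0] if carriers else None})
    return findings


if __name__ == "__main__":
    for cloud_name, action in plan_group_mapping(CLOUD_GROUPS, AZURE_AD_GROUPS).items():
        print(cloud_name, "->", action)
    for finding in review_direct_assignments(DIRECT_ROLE_ASSIGNMENTS, CLOUD_GROUPS):
        print(finding)
```

Running the script shows Administrators linked to the existing admins group, Automation Users getting a new group containing lee and maria (rather than finance, which would add sam), and both direct assignments pointed at the group that already carries the role.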
Setting Up Azure AD
Setting up Azure AD involves several key steps. You'll want to start by setting up SSO with Entra ID, which will allow users to access your applications securely.
Once you've completed setting up SSO, you'll need to set up RBAC groups to complete your access control configuration. This will involve defining the roles and permissions for different users and groups.
After setting up RBAC groups, you'll have a solid foundation for managing access to your applications and data. This will help you ensure that the right users have the right level of access, and that your security and compliance needs are met.
Integrating On-Premises Domains
Integrating on-premises domains with Azure AD is a crucial step in setting up a seamless identity experience. You can use Microsoft Entra ID to create a domain in Azure and link it to an on-premises AD domain.
You have two options for integrating on-premises domains: Microsoft Entra ID or AD DS in Azure. With Microsoft Entra ID, Azure holds a Microsoft-managed copy of your on-premises identities, synchronized one way from on-premises. With AD DS in Azure, you join an on-premises forest, which provides access to the same identity information as on-premises and allows authentication of user, service, and computer accounts. However, this requires deploying and managing your own AD DS servers and domain in the cloud, which can be a complex task.
Frequently Asked Questions
What is the difference between Azure AD and Azure AD Connect?
Azure AD is a cloud-based identity and access management platform, while Azure AD Connect is a tool that synchronizes on-premises AD identities with Azure AD, creating a unified identity platform. This synchronization enables seamless access and management across both environments.
Is Microsoft Entra replacing Azure AD?
Microsoft Entra ID is replacing the names Azure Active Directory, Azure AD, and AAD, but not the functionality. Azure AD will continue to operate under the new name, Microsoft Entra ID.