How to Enable Azure AD SSO for Your Business

Enabling Azure AD SSO for your business is a straightforward process that can be completed in a few steps. First, you need to have a Microsoft Azure subscription and an Azure Active Directory (Azure AD) tenant.

To start, navigate to the Azure portal and sign in with your Azure AD account. From there, click on the Azure AD blade and select "Enterprise applications" from the menu.

Next, click on the "New application" button and search for the application you want to enable SSO for. Select the application and click on the "Get it now" button to begin the setup process. This will guide you through the configuration of SSO for your application.

Prerequisites

To set up Azure AD SSO, you'll need to meet some prerequisites first.

You'll need a Microsoft Entra user account, which you can create for free if you don't already have one.

To access the necessary settings, you should have one of the following roles: Cloud Application Administrator, Application Administrator, or owner of the service principal.

You'll also need to complete the steps in the Quickstart: Create and assign a user account.

Here's a quick rundown of what you'll need:

  • A Microsoft Entra user account
  • One of the following roles: Cloud Application Administrator, Application Administrator, or owner of the service principal
  • Completion of the steps in Quickstart: Create and assign a user account

Configuring Azure AD SSO

To begin configuring Azure AD SSO, you must first complete the Basic SAML Configuration in Azure. This involves editing the Basic SAML Configuration section in Azure, copying the Identifier (Entity ID) and Reply URL, and pasting them into the corresponding fields in the Command Platform.

In the Command Platform, navigate to Company Settings > Authentication Settings > SSO Settings, and select Azure as your identity provider. You'll also need to copy the Relay State, paste it into Azure, and click Save. Saving makes the SAML Signing Certificate available for download.

Once the Basic SAML Configuration section in Azure is complete, download the SAML Signing Certificate; you'll need it for the next steps.

Configure Tenant Settings

To configure tenant settings for Azure AD SSO, you must first complete the Basic SAML Configuration in Azure. This involves clicking Edit in the Basic SAML Configuration section and then copying the Identifier (Entity ID) and replacing the default URL in Azure with this value.

In the Command Platform, navigate to Company Settings > Authentication Settings > SSO Settings and select Azure from the Select your identity provider (IdP) dropdown. You'll also need to copy the Reply URL and the Relay State, paste each into Azure, and click Save.

Before you can download your SAML Certificate, you must first complete the Basic SAML Configuration in Azure. This is a crucial step in the process, as it allows you to obtain the necessary information to configure your tenant settings.

Here are the steps to complete the Basic SAML Configuration:

  1. In the Basic SAML Configuration section in Azure, click Edit.
  2. In the Command Platform, navigate to Company Settings > Authentication Settings > SSO Settings.
  3. From the Select your identity provider (IdP) dropdown, select Azure.
  4. From the section titled Copy the following data into your external IdP, copy the Identifier (Entity ID) and replace the default URL in Azure with this.
  5. Next, copy the Reply URL and paste this into Azure.
  6. Finally, copy the Relay State and paste this into Azure and click Save.

Once you've completed the Basic SAML Configuration, you can download your SAML Certificate.

Creating an Application

To create an application in Azure AD SSO, you'll need to log into the Azure portal for your organization and register a new application. This involves selecting the appropriate directory and clicking on + New Registration to begin creating a new application registration.

You'll need to supply configurations for the Name and Supported account types fields, with the Name field being "dbt Cloud" and the Supported account types field being "Accounts in this organizational directory only (single tenant)". This is a crucial step, as it sets the foundation for your application's registration.

To complete the application registration, you'll need to configure the Redirect URI, which is the URL that users will be redirected to after authenticating. For single-tenant deployments, the Redirect URI value is typically in the format of "https://YOUR_AUTH0_URI/callback".

From the Microsoft Entra ID page in the Azure portal, select the appropriate directory, open the Manage section and select App registrations, then click + New Registration to begin creating a new application registration. Supply the Name and Supported account types values given above: "dbt Cloud" and "Accounts in this organizational directory only (single tenant)".

To configure the Redirect URI, you'll need to select the appropriate Redirect URI values for single-tenant and multi-tenant deployments. For most enterprise use-cases, you will want to use the single-tenant Redirect URI.

Collect Client Credentials

To collect client credentials, you need to navigate to the Overview page for the app registration. You'll find the Application (client) ID and Directory (tenant) ID on this page, which you'll need to record along with your client secret.

The Application (client) ID is a unique identifier for your application, and the Directory (tenant) ID is a unique identifier for your Azure directory. Both of these IDs are essential for configuring the integration in dbt Cloud.

You can find the Application (client) ID by looking for the "Application (client) ID" field on the Overview page. Similarly, the Directory (tenant) ID can be found by looking for the "Directory (tenant) ID" field.

Here's a summary of the client credentials you'll need to collect:

  • Application (client) ID
  • Directory (tenant) ID
  • Client secret

Now that you have these client credentials, you can proceed to the next step of configuring the integration in dbt Cloud.

User Management

User management in Azure AD SSO involves configuring user groups and assigning roles to users. You must create App Roles in Azure Active Directory that map to your Command Platform user groups, with the name matching the Command Platform user group name exactly.

To create App Roles, navigate to App Registrations > All Applications, search for your Rapid7 application, and click App Roles, then Create app role. Give your Role a display name and select Users and Groups as the Allowed member type.

The Value field in App Roles must match the name of the corresponding Command Platform user group, without any spaces. Ensure your Command Platform user groups also do not contain spaces. You can then assign the App Roles to your users by navigating to Users and Groups, searching for and selecting the users and groups, and selecting the role that represents this group of users.

To add an attribute to the SAML assertion containing the names of the groups each user is assigned to, navigate to Enterprise Applications, select your Rapid7 application, click Single sign-on, and click Edit in the Attributes and Claims section. Click Add new claim and name it rbacGroups, select user.assignedroles as the Source attribute, and click Save.

Here's a quick overview of the steps to assign users to an Enterprise application:

  1. Navigate to Enterprise Applications and click the name of the application you created earlier.
  2. Click Assign Users and Groups and Add User/Group.
  3. Assign additional users and groups as needed.
  4. Under Properties, toggle the setting for User assignment required? to Yes or No, depending on your requirements.

Configure User Groups

To configure user groups, you'll want to create App Roles in Azure Active Directory that map to your Command Platform user groups. The name of your Command Platform user groups must not contain any spaces, as Azure forces the value to contain no spaces.

In Azure, navigate to App Registrations > All Applications, search for your Rapid7 application, and click App Roles. Then, click Create app role, give your Role a display name, select Users and Groups as the Allowed member type, and enter the name of the corresponding Command Platform user group in the Value field.

To assign App Roles to your users, navigate to Enterprise Applications, select your Rapid7 application, and click Users and Groups. Click Add user/group, search for and select the users and groups that should be assigned a given role, select the role that represents this group of users in the Command Platform, and click Assign.

Here are the steps to add an attribute to the SAML assertion containing the names of the groups each user is assigned to:

  1. In Azure Active Directory, navigate to Enterprise Applications and select your Rapid7 application.
  2. Click Single sign-on, then click Edit in the Attributes and Claims section.
  3. Click Add new claim and name it rbacGroups.
  4. Select user.assignedroles as the Source attribute.
  5. Click Save.

This will include the names of the groups each user is assigned to in the SAML assertion, allowing you to synchronize users to Command Platform user groups.
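A relying-party-side check, added here as an example that is not part of this guide or of Azure, the Command Platform or dbt Cloud: given a SAML Response that the SAML library has already signature-verified with the downloaded SAML Signing Certificate, it confirms the assertion is addressed to the Identifier (Entity ID) and Reply URL you copied between the two consoles, and turns the rbacGroups claim into user groups, rejecting values that contain spaces or match no group. The hostnames, group names and sample Response are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
_ts = lambda v: datetime.fromisoformat(v.replace("Z", "+00:00"))  # SAML timestamps are UTC ("Z")

def check_assertion(response_xml, entity_id, reply_url, known_groups, now):
    """Check a signature-verified SAML Response against the tenant's Identifier and Reply URL."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["response carries no Assertion"], []
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    cond = assertion.find("saml:Conditions", NS)
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    checks = [  # (passed, message): the Reply URL must appear as Destination and as bearer Recipient
        (root.get("Destination") == reply_url, "Destination does not match the Reply URL"),
        (scd is not None and scd.get("Recipient") == reply_url, "Recipient does not match the Reply URL"),
        (entity_id in audiences, "Audience does not contain the Identifier (Entity ID)"),
        (cond is not None and _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")),
         "assertion is outside its NotBefore/NotOnOrAfter window"),
    ]
    problems = [msg for passed, msg in checks if not passed]
    # rbacGroups (Source attribute user.assignedroles) carries one App Role value per role; each must equal a user group name
    granted = []
    for av in assertion.findall("saml:AttributeStatement/saml:Attribute[@Name='rbacGroups']/saml:AttributeValue", NS):
        value = (av.text or "").strip()
        if " " in value:
            problems.append(f"role value contains a space: {value!r}")
        elif value in known_groups:
            granted.append(value)
        else:
            problems.append(f"role value matches no user group: {value!r}")
    return problems, granted

# Constructed sample Response: no real tenant, hostnames or signature (the signature check happens before this).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://sp.example.test/saml/acs">
 <saml:Assertion><saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
  <saml:SubjectConfirmationData Recipient="https://sp.example.test/saml/acs"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"><saml:AudienceRestriction>
   <saml:Audience>https://sp.example.test/saml</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="rbacGroups"><saml:AttributeValue>SecurityAnalysts</saml:AttributeValue>
   <saml:AttributeValue>Platform Admins</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion></samlp:Response>"""
ENTITY_ID, REPLY_URL = "https://sp.example.test/saml", "https://sp.example.test/saml/acs"  # constructed
KNOWN_GROUPS = {"SecurityAnalysts", "Responders"}  # constructed Command Platform user group names

def demo(entity_id=ENTITY_ID, reply_url=REPLY_URL):  # runs the check at a moment inside the sample's validity window
    return check_assertion(SAMPLE, entity_id, reply_url, KNOWN_GROUPS, datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc))
```

On the sample, `demo()` grants only SecurityAnalysts and reports the "Platform Admins" value, which is exactly the space-in-name mistake the guide warns about.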

Easy Migration

Migrating to a new user management system can be a breeze if you plan ahead.

You can export user data from your old system in CSV format, which is a simple and widely supported file type. This makes it easy to import into your new system.

User roles and permissions can be easily transferred from the old system to the new one, saving you time and effort.

With a little planning, you can minimize downtime and ensure a smooth transition for your users.

The new system's user import feature allows you to import users in bulk, saving you from having to manually create each user account.

Frequently Asked Questions

What is the difference between SSO and AD login?

Single Sign-On (SSO) and Active Directory (AD) login both provide secure access to multiple systems, but SSO eliminates the need for repeated logins, while AD is a central directory service for network administration and security.

How does SSO work with Active Directory?

Active Directory uses a central server to authenticate users, allowing multiple applications to trust and access user credentials with a single login. This streamlined process eliminates the need for multiple logins, making it easier to manage user access across various applications.

Does Azure AD use SAML or OAuth?

Azure AD supports the OpenID Connect, SAML 2.0, and OAuth 2.0 protocols for authentication. You can use any of these protocols to integrate your application with Azure AD.

What is the difference between Okta and Azure SSO?

Azure AD Conditional Access offers a simpler, domain-join status-based authentication, whereas Okta requires a more complex certificate-based authentication setup. This difference affects how users can set up access rules, especially for devices not managed by Endpoint Manager.

Is Azure SSO free?

Yes, Azure SSO is free for all Azure tenants, but be aware that it lacks security controls.

Francis McKenzie

Writer

Francis McKenzie is a skilled writer with a passion for crafting informative and engaging content. With a focus on technology and software development, Francis has established herself as a knowledgeable and authoritative voice in the field of Next.js development.
