Azure Pin Management and User Provisioning


There is no single Azure product called "Azure PIN". In practice the term covers two things this page walks through: the Windows Hello for Business PIN that users set up on Microsoft Entra joined devices (and how to reset or recover it), and the federated sign-in and provisioning that let those same identities reach an application such as Keeper.

Access to the resources themselves is controlled separately, through role assignments in Microsoft Entra ID and Azure RBAC. Giving users and groups only the roles their job needs keeps the damage small if one account or PIN is compromised.

User provisioning automates creating, updating and disabling user accounts in the target application. It removes most of the manual work from onboarding and, more importantly for security, from offboarding, since accounts are disabled when the user leaves scope rather than when someone remembers to do it.

Setup and Configuration

To set up Azure as the identity provider for Keeper SSO Connect Cloud, sign in to the Azure portal at https://portal.azure.com with an account that is allowed to manage enterprise applications, then go to Microsoft Entra ID (formerly Azure Active Directory) > Enterprise Applications and open the enterprise application you use for Keeper.

Under Single sign-on, click "Set up single sign on" and then "SAML" to begin the configuration. On the Keeper side, export the SAML metadata file from the Keeper Admin Console by going to View -> Export Metadata; this file describes the service provider (Keeper) to Azure.


In Azure, select "Upload metadata file" and upload the Keeper metadata. This opens the Basic SAML Configuration screen. Azure may report an error about the "Sign on URL"; to clear it, copy the URL shown as "IDP Initiated Login Endpoint" in the Keeper Admin Console and paste it into the "Sign on URL" field.

The Single Logout Service endpoint is optional, but you can configure it at your identity provider. By default Keeper sends a logout to Entra/Azure when the user logs out of Keeper, so the Entra session ends as well. If you do not want that behaviour, edit the Azure federation metadata file before uploading it to Keeper and remove the SingleLogoutService line. The trade-off is that a Keeper logout then leaves the Entra browser session alive, which matters on shared machines.

Do not click the "Test" button at this point: the Keeper side is not configured yet and the test would fail. Instead wait a couple of seconds and reload the Azure portal page in the browser so the "SAML Signing Certificate" section appears, then download the Federation Metadata XML from that section.

In the Keeper Admin Console, select Azure as the Identity Provider type and import the Federation Metadata XML you just downloaded in the SAML Metadata section. Back in Azure, edit User Attributes & Claims and delete the four claims in the "Additional Claims" section; Keeper does not use them, and sending fewer attributes to a third party is the safer default.

If your user.userprincipalname (UPN) is not the user's actual email address, edit the Email claim and set its value to user.mail. Keeper identifies accounts by the email it receives in this claim, so the attribute you choose must be unique per user and not something users can edit themselves.
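The metadata hand-off above is where most of the mistakes happen: uploading the SP metadata to the wrong side, downloading the Azure metadata before the signing certificate exists, or wanting to drop the SingleLogoutService line without hand-editing XML. The following Python is an added example and is not Keeper's or Microsoft's code; the metadata it parses is a constructed stand-in shaped like an Entra Federation Metadata XML download, with a placeholder tenant ID and a placeholder certificate. It summarises what the Keeper side will consume, refuses metadata with no signing certificate or with non-HTTPS endpoints, and produces a copy with SingleLogoutService removed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
ET.register_namespace("md", MD)  # keep readable prefixes when re-serialising
ET.register_namespace("ds", DS)
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample, shaped like an Entra "Federation Metadata XML" download.
# The tenant ID and certificate are placeholders, not real values.
FAKE_TENANT = "11111111-2222-3333-4444-555555555555"
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/{FAKE_TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}"><X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{FAKE_TENANT}/saml2"/>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{FAKE_TENANT}/saml2"/>
    <SingleSignOnService Binding="{POST}" Location="https://login.microsoftonline.com/{FAKE_TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def summarize_idp_metadata(xml_text: str) -> dict:
    """Extract what the service provider (Keeper) needs and sanity-check it."""
    # Metadata you downloaded yourself; use defusedxml for anything untrusted.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # Keeper's own export carries an SPSSODescriptor; uploading it here is the classic mix-up.
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not the Azure download")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join(c.text.split()))  # drop the line breaks Entra inserts
    if not certs:
        raise ValueError("no signing certificate: reload the Azure page before downloading")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    slo = [s.get("Location") for s in idp.findall("md:SingleLogoutService", NS)]
    for url in [*sso.values(), *slo]:
        if not (url or "").startswith("https://"):
            raise ValueError(f"endpoint is not HTTPS: {url!r}")
    return {
        "entity_id": root.get("entityID"),
        "sso_redirect": sso.get(REDIRECT),
        "sso_post": sso.get(POST),
        "slo": slo,
        # DER fingerprint, useful for comparing before/after an Entra certificate rollover
        "cert_sha256": [hashlib.sha256(base64.b64decode(c)).hexdigest() for c in certs],
    }


def strip_single_logout(xml_text: str) -> str:
    """Return the metadata with every SingleLogoutService removed, so Keeper
    will not end the Entra session when the user logs out of Keeper."""
    root = ET.fromstring(xml_text)
    for idp in root.findall("md:IDPSSODescriptor", NS):
        for slo in idp.findall("md:SingleLogoutService", NS):
            idp.remove(slo)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    import json
    print(json.dumps(summarize_idp_metadata(SAMPLE_METADATA), indent=2))
    print(json.dumps(summarize_idp_metadata(strip_single_logout(SAMPLE_METADATA)), indent=2))
```

Run it against the real download by replacing SAMPLE_METADATA with the file contents; the certificate fingerprints it prints are the values to compare when Entra rolls the signing certificate, which is the usual cause of a sudden "signature invalid" failure on the Keeper side.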


Windows Hello for Business PIN reset on Microsoft Entra joined devices runs a web sign-in flow from the lock screen. If your sign-in is federated, that web view must be allowed to reach the identity provider, so you set a policy listing the domains it may navigate to during PIN reset. In Intune, set "Configure Web Sign In Allowed Urls" to a semicolon-delimited list of bare hostnames, such as signin.contoso.com;portal.contoso.com. Keep the list short: every host on it is reachable from the lock screen before anyone has signed in.

Alternatively, configure devices with a custom policy through the Policy CSP, using the OMA-URI ./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls and the same semicolon-delimited list as a string value.

If PIN reset on Microsoft Entra joined devices fails in Azure Government, the same policy is the workaround: set ConfigureWebSignInAllowedUrls to login.microsoftonline.us so the reset flow can reach the Government sign-in endpoint.


Enable Client Recovery

To enable PIN reset (labelled "PIN recovery" in the settings), use either Microsoft Intune/MDM or group policy. Before either takes effect, the PIN reset service must be allowed in the tenant: a Global Administrator grants admin consent to the Microsoft PIN Reset Service and Microsoft PIN Reset Client applications. Without that consent the setting is pushed but the reset flow never completes.

In Microsoft Intune, open the Windows Hello for Business section under device enrollment and set the "Enable PIN recovery" value to True.


Alternatively, use group policy: set "Use PIN Recovery" to Enabled under Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business. This path only reaches devices that process group policy, so it does not help for cloud-only Entra joined devices.

You can also configure PIN recovery from the Endpoint security blade in the Microsoft Intune admin center: select Endpoint security > Account protection > Create Policy, choose a Windows Hello for Business profile and set "Enable PIN recovery" to True. If you prefer a custom policy instead, the OMA-URI is ./Device/Vendor/MSFT/PassportForWork/TenantId/Policies/EnablePinRecovery with a Boolean value of True, where you replace TenantId with your Microsoft Entra tenant ID (the GUID), not the literal word.

Summary of the steps:

1. Grant admin consent to the PIN reset service applications in the tenant.
2. Enable PIN recovery by one path: the Intune Windows Hello for Business settings, an Account protection policy, a custom OMA-URI policy, or group policy.
3. For federated sign-in, set ConfigureWebSignInAllowedUrls to the identity provider hosts the reset flow needs (login.microsoftonline.us in Azure Government).
4. Sync the device and confirm that "I forgot my PIN" on the lock screen starts the reset flow.
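Both the allowed-URLs policy and PIN recovery can be delivered in one Intune custom profile, and the two values are easy to get subtly wrong (a scheme or path in the host list, the literal word TenantId left in the OMA-URI). The Python below is an added example, not Microsoft's code: it validates those inputs, substitutes the tenant GUID, adds login.microsoftonline.us for Azure Government, and emits the profile as the JSON body for POST /deviceManagement/deviceConfigurations in Microsoft Graph. The Graph resource shape (windows10CustomConfiguration with omaSettingString and omaSettingBoolean entries) is used as the author knows it and is not taken from the page; the contoso.com hosts and the tenant ID are constructed.

```python
import json
import re
import uuid

WEB_SIGNIN_URLS_OMA = "./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls"
PIN_RECOVERY_OMA = "./Device/Vendor/MSFT/PassportForWork/{tenant_id}/Policies/EnablePinRecovery"
GOV_LOGIN_HOST = "login.microsoftonline.us"  # the Azure Government workaround from the text

# Bare DNS hostname: no scheme, port, path or wildcard, none of which the policy would match.
_HOST_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def is_bare_hostname(value: str) -> bool:
    return bool(_HOST_RE.match(value.strip().lower()))


def allowed_urls_value(domains, cloud="commercial") -> str:
    """Semicolon-delimited value for ConfigureWebSignInAllowedUrls.

    Every host here is reachable from the lock screen before anyone has signed in,
    so only the federated IdP's own hosts belong on the list."""
    required = [GOV_LOGIN_HOST] if cloud == "usgov" else []
    hosts = []
    for d in [*required, *domains]:
        h = d.strip().lower()
        if not is_bare_hostname(h):
            raise ValueError(f"not a bare hostname: {d!r}")
        if h not in hosts:  # de-duplicate, keep order
            hosts.append(h)
    if not hosts:
        raise ValueError("allowed-URL list is empty")
    return ";".join(hosts)


def pin_recovery_oma_uri(tenant_id: str) -> str:
    """OMA-URI for EnablePinRecovery with the real tenant GUID substituted."""
    tid = str(uuid.UUID(tenant_id))  # ValueError if someone left the literal 'TenantId'
    return PIN_RECOVERY_OMA.format(tenant_id=tid)


def custom_profile(name, tenant_id, federated_domains, cloud="commercial") -> dict:
    """Body for POST /deviceManagement/deviceConfigurations (assumed Graph schema)."""
    return {
        "@odata.type": "#microsoft.graph.windows10CustomConfiguration",
        "displayName": name,
        "description": "WHfB PIN reset: allowed web sign-in URLs + PIN recovery",
        "omaSettings": [
            {
                "@odata.type": "#microsoft.graph.omaSettingString",
                "displayName": "ConfigureWebSignInAllowedUrls",
                "omaUri": WEB_SIGNIN_URLS_OMA,
                "value": allowed_urls_value(federated_domains, cloud),
            },
            {
                "@odata.type": "#microsoft.graph.omaSettingBoolean",
                "displayName": "EnablePinRecovery",
                "omaUri": pin_recovery_oma_uri(tenant_id),
                "value": True,
            },
        ],
    }


if __name__ == "__main__":
    # Constructed values: an example tenant GUID and contoso.com hosts.
    body = custom_profile("WHfB PIN reset", "11111111-2222-3333-4444-555555555555",
                          ["signin.contoso.com", "portal.contoso.com"], cloud="usgov")
    print(json.dumps(body, indent=2))
```

The profile still has to be assigned to a device group after creation; generating it with the tenant GUID and the host list validated up front removes the two silent failure modes, since Intune accepts a malformed OMA-URI or a host list containing "https://" without complaint and the reset flow simply fails on the device.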

User Management

Users are granted access to Keeper from the Keeper enterprise application in the Azure portal, either manually, by assigning individual users and groups to the application, or automatically, by turning on provisioning.

Assigning a group rather than individual users keeps the access decision in one place: adding someone to the group grants access, and removing them blocks sign-in through Azure, which is the step most often forgotten when accounts are set up by hand.

Pin Charts to Dashboards


Pinning charts to an Azure dashboard gives a quick overview of resource health and usage, and takes only a few clicks.

In the Azure portal, open the dashboard. If your portal is configured to show Home, open the menu in the top-left and select Dashboard.

Click Edit to put the dashboard in customizing mode and open the Tile Gallery. Pick the Metrics chart tile and click Add.

To configure the chart, select a scope that contains the service(s) you want to chart, for example an Application Insights resource.

Then pick a metric to display, such as "Process IO rate" if you selected an Application Insights resource. A shared dashboard shows its tiles to everyone who has access to the dashboard, but the data behind each tile is still subject to the viewer's permissions on the underlying resource.

User Provisioning

User provisioning is the part of user management that creates, updates and disables the accounts themselves.

Users can be provisioned to the Keeper application through the Azure portal in one of two ways, depending on your organization's needs.

Manual provisioning gives you the most control: users are added one by one, which works for a small team but leaves the whole account lifecycle in human hands.

Automated provisioning, configured on the Provisioning blade of the Keeper enterprise application, handles creation and updates in bulk and, just as important, deactivates Keeper accounts when users are removed from scope in Entra, so offboarding does not depend on someone remembering to do it.

Frequently Asked Questions

How to reset PIN on Azure?

To reset a user's Windows Hello for Business PIN from the admin side, open the user in the Microsoft Entra admin center, go to Authentication methods, and delete the Windows Hello for Business (WHfB) entry. This revokes the registered key rather than touching the local PIN, so the user is forced to set up Windows Hello again on their Microsoft Entra joined device. For user-driven resets, enable PIN recovery as described above so users can use "I forgot my PIN" without involving an administrator.

How do I generate a security PIN for Azure backup?

To generate a security PIN for Azure Backup, sign in to the Azure portal, open your Recovery Services vault and go to Settings > Properties, then select Generate under Security PIN. The PIN is valid for only a few minutes and is required for sensitive operations on the vault, such as deleting backup data or changing a passphrase, so it should be generated by an authorised administrator at the moment it is needed rather than shared ahead of time.

Glen Hackett

Writer
