Box SSO Azure Integration with Microsoft Entra

Box SSO Azure integration with Microsoft Entra is a game-changer for businesses looking to streamline their security and productivity.

By integrating Box SSO with Azure Active Directory (Azure AD), organizations can eliminate the need for users to remember multiple passwords, reducing the risk of password-related security breaches.

This integration also enables single sign-on (SSO) for Box, allowing users to access their Box account with just one set of login credentials.

With Box SSO Azure integration, users can enjoy a seamless and secure experience across all their applications, including Box.

To get started with Box SSO on Azure, you'll need to ensure you have the necessary prerequisites in place. You can get a free account if you don't already have a Microsoft Entra subscription.

First, you'll need a Microsoft Entra subscription. If you don't have one, you can get a free account. You'll also need a Box single sign-on (SSO) enabled subscription.

To configure SSO, you'll need to have a Microsoft Entra user account. If you don't already have one, you can create an account for free. You'll also need to have one of the following roles: Cloud Application Administrator, Application Administrator, or owner of the service principal.

To ensure a smooth setup, it's essential to check that you have the following prerequisites in place:

Additionally, you'll need to ensure that you have completed the steps in Quickstart: Create and assign a user account.

To create and manage users in Box SSO with Azure, you'll need to create a user in Box, such as Britta Simon. This will trigger just-in-time user provisioning, which is enabled by default.

For SCIM-provisioned users, you'll need to create an authentication domain and enable SCIM by clicking + Add new.

In the authentication domain, select SCIM as the source of users, and copy and save the API token for later use. This API token will only be shown once, so be sure to save it carefully.

To configure single sign-on (SSO) for Box with Azure, you'll need to establish a link relationship between a Microsoft Entra user and the related user in Box. This involves configuring both Microsoft Entra SSO and Box SSO settings.

First, you'll need to sign in to the Microsoft Entra admin center as a Cloud Application Administrator. Then, browse to Identity > Applications > Enterprise applications > Box > Single sign-on.

For Microsoft Entra SSO, select SAML as the single sign-on method and click the edit/pen icon for Basic SAML Configuration to edit the settings. You'll need to enter the Sign on URL, Identifier (Entity ID), and Reply URL values, which are typically provided by Box. Note that the Sign-on URL value may not be real, so be sure to update it with the actual value.

In the Basic SAML Configuration section, you'll also need to add custom attribute mappings to your SAML token attributes configuration. This is because Box expects the SAML assertions in a specific format, which requires you to map the Unique User Identifier to the user's email address.

Once you've completed the Microsoft Entra SSO configuration, you'll need to configure Box SSO settings. This involves selecting Create in the middle of the page, entering the values for Login URL, Microsoft Entra Identifier, and Logout URL, and uploading the certificate that you previously downloaded.

After configuring both Microsoft Entra SSO and Box SSO settings, you can test the SSO configuration by signing in to the application using the Microsoft Entra credentials of the user account that you assigned to the application.

Here's a summary of the steps involved:

By following these steps, you can successfully configure single sign-on for Box with Azure.

To configure provisioning rules for Box SSO with Azure, you'll need to enable the feature in the Azure portal. Initially, nothing is configured to be sent to Box, so you must set up Microsoft Entra ID to send changes for user creation, updates, and deactivation.

In the Provisioning page, click on Edit attribute mappings to configure the mappings. Expand the Mappings section and click Provision Azure Active Directory Users to start the process. Verify that the Target Object Actions checkboxes are all checked, including Create, Update, and Delete.

The Attribute Mappings should look correct for your environment, with each New Relic attribute receiving a value. If your environment doesn't set the mail attribute, userPrincipalName could be a good alternative. Leave the switch for Enabled set to No until you're done with the user and group configuration.

Here are the steps to follow:

After saving the provisioning rules, the Box SCIM/SSO application is ready to provision any changes made to users assigned to the application.

To set up single sign-on (SSO) with Azure, you'll need to create an authentication domain and enable SCIM. This will allow you to manage access permissions and user passwords for web apps that don't allow identity federation.

You can use one of several SSO protocols, including password-based, linked, OAuth, OpenID Connect, SAML, or Integrated Windows Authentication (IWA). Each protocol has its own strengths and weaknesses, and you should choose the one that best fits your organization's needs.

Here are some of the SSO protocols you can use, along with their characteristics:

AD, or Azure Active Directory, is an identity and access management service for Microsoft's Azure cloud.

It's used to manage user identities and access to company resources.

Azure AD offers a single sign-on feature that automatically signs users into devices, applications, and networks in the company domain.

This feature is called Azure Active Directory Seamless Single Sign-On.

Users don't have to enter a password every time they want to use a cloud-based application, which makes it more convenient for them.

Azure AD doesn't require any on-premise components, which means it's more flexible and easier to set up.

Azure Active Directory (Azure AD) is an identity and access management service for Microsoft's Azure cloud. It's a crucial tool for managing user identities and access to company resources.

Azure AD offers a single sign-on (SSO) feature that automatically signs users into devices, applications, and networks in the company domain. This feature is a game-changer for convenience and security.

To enable Azure AD SSO, you create a workflow that includes creating an SSO computer account for every forest synced to AD via Azure AD Connect. This account is a critical part of the process.

Azure AD creates several Kerberos service principal names (SPNs) used for the sign-in process. These SPNs are essential for the SSO account to function correctly.

The SSO account—AZUREADSSOACC—requires strong protection to ensure security. Only domain administrators should have the ability to manage an AD computer account.

Here's a breakdown of the key components involved in Azure AD SSO:

By understanding how Azure AD SSO works, you can better appreciate the importance of proper setup and management of this feature.