SharePoint Server supports claims-based authentication. It can also authenticate users through external authentication providers that you trust but that are managed outside of SharePoint.
This article describes the configuration of such an external provider, Azure Active Directory, for SharePoint Server 2019 (the configuration for SharePoint Server 2016 is analogous).
This chapter is a step-by-step configuration of the Azure AD Enterprise application that will act as our external authentication provider. To add this kind of application, we need at least an Azure AD Premium P2 license.
After logging in to www.azure.portal.com, open our Azure Active Directory directory and go to the Enterprise applications tab. There, add a new application from outside of the gallery; this application will be our authentication provider.
After adding the application, go to its Single sign-on configuration, where the following elements are configured: the Application Identifier, the address to which the user is returned after successful authentication (Reply URL) and the log-in address (Sign on URL).
Users will be identified by user.userprincipalname.
Remember to change class.webconbps.com in the URL addresses to the website of your own application.
Now it is worth collecting all the information needed to configure our log-in provider. To do that, create a table with all the necessary values.
Parameter | Value
--- | ---
Realm | urn:sharepoint:class.webconbps.com
Full path to SAML signing certificate file | C:\temp\Sharepoint SAML Integration.cer
SAML single sign-on service URL | https://login.microsoftonline.com/a50e0b60-fbaf-454d-9c4e-0f51456f8589/wsfed
Application Object ID | 7b02e37f-73dd-445a-9138-5289e8b73ac2
The Realm is the identifier of our application.
Download the log-in certificate from the SAML Signing Certificate section of the Single sign-on configuration panel; choose the RAW certificate and note the full path of the saved file.
Another important piece of information is the address of the log-in website, which can be found in the Set up SharePoint SAML section of the Single sign-on configuration. After copying it, change the address suffix from /saml2 to /wsfed: the SharePoint trusted identity provider uses the WS-Federation passive protocol, not the SAML 2.0 protocol endpoint.
The last step in preparing the table is copying our application's ID. It can be found in the Object ID field of the Properties tab.
With a correctly filled table we can configure the log-in provider in SharePoint.
To configure our log-in provider in SharePoint we will use a PowerShell script (run it in the SharePoint Management Shell, or load the snap-in as in the first line).
Add-PSSnapin "Microsoft.SharePoint.PowerShell"
# Values from the table prepared above
$realm = "<Realm from Table>"
$wsfedurl = "<SAML single sign-on service URL from Table>"
$filepath = "<Full path to SAML signing certificate file from Table>"
# Load the Azure AD SAML signing certificate (public part only)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($filepath)
# Register the certificate so that SharePoint trusts tokens signed with it
New-SPTrustedRootAuthority -Name "AzureAD" -Certificate $cert
# Map the incoming "name" claim (carrying the UPN) to SharePoint's UPN claim type
$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" -IncomingClaimTypeDisplayName "UPN" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
# Create the trusted identity token issuer pointing at the Azure AD WS-Federation sign-in endpoint
$ap = New-SPTrustedIdentityTokenIssuer -Name "AzureAD Provider" -Description "SharePoint secured by Azure AD" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map -SignInUrl $wsfedurl -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
In place of the $realm, $wsfedurl and $filepath placeholders, insert the values from the prepared table.
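The script above fails late and with unhelpful sign-in errors when one of the table values is wrong (a /saml2 URL left unchanged, an expired or wrong certificate, a .pfx instead of the public .cer). The following is an added example, not code from the original article or from WEBCON, that runs those pre-flight checks first, then performs the same trust configuration and reads the stored issuer back from the farm to confirm it. It assumes an elevated SharePoint Management Shell on a farm server; the three values at the top are placeholders to be replaced with your own table entries, and the tenant ID in the URL is a placeholder.

```powershell
# Added example (not part of the original article or WEBCON's code).
# Assumes an elevated SharePoint Management Shell on a SharePoint 2019/2016 farm server.
Add-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue

# Placeholders: replace with the values from your own table
$realm    = "urn:sharepoint:class.webconbps.com"                   # Realm (application identifier)
$wsfedurl = "https://login.microsoftonline.com/<tenant-id>/wsfed"  # SSO URL with the /wsfed suffix
$filepath = "C:\temp\Sharepoint SAML Integration.cer"               # RAW (public) signing certificate

# --- Pre-flight checks on the table values ---
if (-not (Test-Path -LiteralPath $filepath)) {
    throw "Signing certificate not found at '$filepath'"
}
if ($wsfedurl -notmatch '/wsfed$') {
    # Azure AD publishes a /saml2 endpoint, but SharePoint's trusted provider speaks WS-Federation
    throw "Sign-in URL must end with /wsfed (got '$wsfedurl'); change the /saml2 suffix"
}
if ($realm -notmatch '^urn:') {
    throw "Realm should be the URN configured as the Azure AD application identifier (got '$realm')"
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($filepath)
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Signing certificate expired on $($cert.NotAfter); download the current one from Azure AD"
}
if ($cert.HasPrivateKey) {
    # Only the public certificate is needed to validate token signatures; a private key here is a mistake
    throw "Expected a public certificate (.cer), not one carrying a private key"
}
Write-Host "Using signing certificate $($cert.Subject), thumbprint $($cert.Thumbprint), valid until $($cert.NotAfter)"

# --- Trust configuration (same cmdlets as the article), idempotent for the root authority ---
if (-not (Get-SPTrustedRootAuthority -Identity "AzureAD" -ErrorAction SilentlyContinue)) {
    New-SPTrustedRootAuthority -Name "AzureAD" -Certificate $cert | Out-Null
}

$map = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" `
    -IncomingClaimTypeDisplayName "UPN" `
    -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

$ap = New-SPTrustedIdentityTokenIssuer -Name "AzureAD Provider" `
    -Description "SharePoint secured by Azure AD" `
    -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map `
    -SignInUrl $wsfedurl `
    -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

# --- Read-back: confirm what the farm actually stored ---
$issuer = Get-SPTrustedIdentityTokenIssuer -Identity "AzureAD Provider"
$issuer | Select-Object Name, ProviderUri, DefaultProviderRealm, IdentityClaimTypeInformation
if ($issuer.SigningCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw "Stored signing certificate does not match the downloaded file"
}
Write-Host "Trusted identity token issuer '$($issuer.Name)' configured against $($issuer.ProviderUri)"
```

The read-back at the end is the check worth keeping around: when Azure AD rolls its signing certificate, the thumbprint comparison is what tells you the farm still trusts the old key and that the certificate file needs to be downloaded and imported again.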
Next, in Central Administration, in the Manage Web Applications section, add the authentication provider we have just created to the web application.
The next step is changing the token authentication policy used for SharePoint from SAML 2.0 to SAML 1.1.
An Azure AD application created in the Portal uses the SAML 2.0 token authentication policy by default.
SharePoint Server requires the authentication token in SAML 1.1 format.
To achieve this, delete the SAML 2.0 authentication policy and add a SAML 1.1 policy.
This modification requires a handful of scripts that delete the default SAML 2.0 policy and add the new SAML 1.1 token authentication policy.
The first step is to download the scripts Initialize.ps1 and MSGraphTokenLifetimePolicy.psm1 from this repository: https://github.com/kaevans/spsaml11/tree/master/scripts and follow the instructions there.
It is best to save both scripts in the same location.
Open PowerShell, import the Initialize.ps1 module and run:
Add-TokenIssuancePolicy -DisplayName "SharePointSAML1.1" -SigningAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" -TokenResponseSigningPolicy TokenOnly -SamlTokenVersion "1.1"
The next step is to define the function AssignSaml11PolicyToAppPrincipal, which deletes the current token authentication policy and adds the SAML 1.1 policy.
Before defining the function you have to define two variables: $pathToInitializeScriptFile and $appObjectid.
The first variable is the complete path to the Initialize.ps1 script; the second one is the ID of our Azure AD application, which we pasted into the previously prepared table.
The last step in this configuration is calling the function with these variables:
AssignSaml11PolicyToAppPrincipal $pathToInitializeScriptFile $appObjectid
Users have been granted access in Azure AD, but they also need access to the SharePoint Web Application.
One way of granting it is at the level of the site settings.
To do that, go into the site settings, open the site permissions and grant all Azure AD application users the appropriate privileges.
After entering the Web Application site, an option to choose an authentication provider should appear.
After successful authentication, the Web Application site should open.
To use only Azure AD authentication, define the default log-in page in the Web Application configuration.
The described configuration applies to authentication and access to SharePoint sites. For accounts of this kind to appear in the WEBCON BPS system, the name of the external log-in provider must be added to the configuration of the user list synchronization.
The provider name can be found in SharePoint Central Administration. Go to Web Application management, choose Authentication Providers on the ribbon, and then find the group of trusted authentication providers.
After adding and saving the external provider, at the next user list synchronization, users who logged in using it will be treated as external BPS users.