EUC Usability & Security in the Enterprise 2023/24, Day 1

2. Integrating Workspace ONE Access with an existing Azure implementation

Introduction

The most common Microsoft Azure integration scenario has always been, and will remain, the one where a customer is already using Microsoft Azure and wants to bring Workspace ONE Access to the table.

In this lab we will look at the configuration and related requirements to set up Microsoft Azure as a third-party IdP for Workspace ONE Access.

These steps assume you have your own developer account.


Part 1. Configuring Microsoft Active Directory Domains & Trusts

This step might not be mandatory if the namespace we use internally is publicly resolvable, in other words not a private namespace like .local or .priv, and is unique.
In our lab environments the euc-livefire.com namespace is resolvable. It is, however, not a unique namespace, as everyone's Microsoft Active Directory environment shares this common namespace. For us to be able to integrate our lab environments with Microsoft 365, it is necessary to associate a unique namespace with an individual Microsoft 365 account. Each attendee has been given a unique DNS zone namespace under *.euc-livefire.com.

In this session we will associate this unique namespace with Microsoft Active Directory using the Active Directory Domains & Trusts feature.

  1. On your ControlCenter server
    • In the bottom left corner
      • Select the Start button
    • In the Start Menu
      • Select Windows Administrative Tools
  2. In the Administrative Tools menu
    • Select the Active Directory Domains and Trusts shortcut
  3. In Active Directory Domains and Trusts
    • In the Inventory
      • Select and right-click
        • Active Directory Domains and Trusts
          • Select Properties
  4. In the Active Directory Domains and Trusts window
    • Under Alternative UPN Suffixes
      • Enter the FQDN of your Azure Domain
        • e.g. CorpXXX.euc-livefire.com
          • where XXX is your assigned Domain Identifier
      • Select Add
  5. In the Administrative Tools folder
    • Select the Active Directory Users and Computers shortcut
      • Select Open
  6. In the Active Directory Users and Computers console
    • Expand the euc-livefire.com hierarchy
      • Select the Corp OU and expand it
        • Select Sales
  7. In the Active Directory Users and Computers console
    • Select the Mark Debio user object
      • Select Properties
  8. In the Mark Debio properties
    • To the right and in line with Mark
      • From the dropdown
        • Select your Alternate suffix, e.g. CorpXXX.euc-livefire.com
          • where XXX is your assigned Domain ID
    • To close Mark Debio Properties
      • Select OK
  9. In the Active Directory Users and Computers console
    • Repeat the above-mentioned steps for at least these accounts:
      • In the Sales OU: Jill Verneo
      • In the Marketing OU: Fernando Dusello
      • In the Marketing OU: Tom Marios
      • In the IT Support OU: Kim Markez
      • In the Developers OU: Craig Sroser, Jackie Puun, Malcolm Barneo, Nancy Encrarna
  10. On your ControlCenter server
    • Switch to your Chrome browser
    • Select your Workspace ONE Access session
    • Go to Integrations > Directories > EUC-Livefire
  11. In the EUC-Livefire Directory
    • Next to Sync
      • Select the dropdown
        • Select Sync without Safeguards
  12. Take the URL for Workspace ONE Access, add /SAAS/auth/0 and save it to your bookmarks. This will ensure we are still able to log in after we have federated with Azure.
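As an added example (not part of the original lab), the same UPN suffix change done with the ActiveDirectory PowerShell module on the ControlCenter server, applied to all of the accounts listed above and verified before the directory sync. The OU path, the XXX suffix and matching users by display name are assumptions.

```powershell
# Added example, not from the lab: register the alternative UPN suffix on the forest and
# apply it to the Part 1 accounts, then verify before running Sync without Safeguards.
# Assumptions: RSAT ActiveDirectory module is installed, the lab OUs sit under
# OU=Corp,DC=euc-livefire,DC=com, and XXX is replaced with your assigned Domain Identifier.
Import-Module ActiveDirectory

$Suffix     = 'corpXXX.euc-livefire.com'        # replace XXX with your Domain Identifier
$SearchBase = 'OU=Corp,DC=euc-livefire,DC=com'   # assumed parent of the Sales/Marketing/IT Support/Developers OUs
$Accounts   = 'Mark Debio', 'Jill Verneo', 'Fernando Dusello', 'Tom Marios', 'Kim Markez',
              'Craig Sroser', 'Jackie Puun', 'Malcolm Barneo', 'Nancy Encrarna'

# Same as Active Directory Domains and Trusts > Properties > Alternative UPN Suffixes > Add
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $Suffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $Suffix }
    Write-Host "Added UPN suffix $Suffix to forest $($forest.Name)"
}

# Same as the per-user dropdown in Active Directory Users and Computers: change only the
# suffix of each user's UPN and keep the existing logon prefix
foreach ($name in $Accounts) {
    $user = Get-ADUser -Filter "Name -eq '$name'" -SearchBase $SearchBase -Properties UserPrincipalName
    if (-not $user) { Write-Warning "Account not found under ${SearchBase}: $name"; continue }

    $prefix = if ($user.UserPrincipalName) { ($user.UserPrincipalName -split '@')[0] } else { $user.SamAccountName }
    Set-ADUser -Identity $user -UserPrincipalName "$prefix@$Suffix"
}

# Verification: these UPNs must match the domain you verify in Microsoft 365 in Part 2,
# otherwise Azure AD Connect in Part 3 cannot map the users to your custom domain
Get-ADUser -Filter "UserPrincipalName -like '*@$Suffix'" -SearchBase $SearchBase -Properties UserPrincipalName |
    Select-Object Name, UserPrincipalName | Sort-Object Name
```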
Part 2: Preparing the Microsoft 365 environment to use a dedicated domain name
  • Introduction: In preparation for Part 2
    • In your browser open a new tab
    • In the address bar
      • enter https://portal.office.com
      • Log in with your Cloud admin credentials
  1. In the top left-hand corner of Microsoft 365
    • Select the 9-dotted square
    • Once the Apps pop-out expands
      • Select Admin
  2. In the Microsoft 365 admin center window
    • Select Show all
  3. In the Microsoft 365 admin center window
    • Under Support
      • expand Settings
  4. In the Microsoft 365 admin center window
    • Under Settings
      • select Domains
  5. In the Domains area
    • Select + Add domain

NOTE: Before moving onto the next section, ensure that you are 100% clear what YOUR registered Domain will be.

  • In the course lab we will use a domain naming convention based on the location we are delivering at.
  • We will use the convention corpXXX.euc-livefire.com
  • Where XXX is your assigned Domain, which you will find in Microsoft Teams in the Attendee Accounts section
  • In the Microsoft 365 admin center, ensure the Connect a domain you already own radio button is selected and below it type your registered Domain name
  6. In the Microsoft 365 admin center window
    • In the Add domain area
      • Under Yes, add this domain now
        • enter corpXXX.euc-livefire.com
          • Where XXX is your assigned Domain identifier
      • At the bottom of the page
        • Select Use this domain
  7. In the Microsoft 365 admin center window
    • In the How do you want to verify your domain? area
      • Ensure the radio button next to Add a TXT record to the domain's DNS records is enabled (default)
    • Select Continue
  8. In the Microsoft 365 admin center window
    • In the How do you want to verify your domain? area
      • Below TXT value
        • Copy the MS=ms...... value
          • In the following steps we will have this value entered into your assigned zone database in AWS Route 53 using vRealize Automation

Do step 9 (the vRA automation) in a separate browser profile.

If you were doing your Azure registration in the Site 1 profile, it might be helpful to do the vRA steps in the Site 2 profile and have both profiles open side by side.

  9. On your ControlCenter desktop
    • In your Site 2 browser
      • Open a new tab
    • In the address bar
      • enter https://vra.lab.livefire.dev/
      • Select GO TO LOGIN PAGE
  10. In the Workspace ONE login
    • Under Select your domain
      • Ensure livefire.lab is selected
    • select Next
  11. In the Workspace ONE login
    • Under username
      • Enter your assigned dwuser0XX account
        • XX will be your assigned Student Login ID
    • Under password
      • Enter your assigned password
    • Select Sign in
  12. In the vRealize Automation - Cloud Services Console
    • Under My Services
      • Select Service Broker
  13. In the My Resource Usage window
    • Under Update TXT Records
      • Select REQUEST
  14. In the New Request page
    • Update the following, next to:
      • Sub Hosted Zone Prefix*: enter your domain
        • enter CorpXXX, where XXX represents your assigned domain
      • TXT record value*: paste your TXT value (from step 7)
    • Select SUBMIT
  15. On your Microsoft 365 admin center page
    • When the vRealize Automation request is complete
    • Select Verify
  16. In the Microsoft 365 admin center window
    • In the Connect domain section
      • At the bottom of the page
        • Select Continue
  17. In the Microsoft 365 admin center window
    • In the Connect domain > ADD DNS records section
      • Next to MX records (1)
        • Expand the dropdown
        • Under Points to address or value, in line with Expected
          • Copy the output
  18. Switch back to your Service Broker session
    • Select the Catalog tab
  19. In the Catalog area
    • Under Update MX Records
      • select REQUEST
  20. In the Service Broker
    • New Request
      • Update MX Records page
      • Next to:
        • Sub Hosted Zone Prefix*: enter corpXXX
          • Where XXX is your assigned Domain identifier
        • MX record value*: paste your MX record
    • Select SUBMIT
  21. On the Connect domain page
    • At the bottom
      • Select Continue
  22. In the Microsoft 365 admin center window
    • In the Setup is complete page
    • Select Done
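As an added check (not part of the original lab), this PowerShell snippet queries a public resolver for the TXT and MX records that the Service Broker requests wrote into Route 53, so you can confirm they are actually visible before selecting Verify and Continue in the admin center. The resolver address and the two expected values are placeholders you fill in from what the admin center shows you.

```powershell
# Added example, not from the lab: confirm the TXT and MX records requested through Service Broker
# are visible in public DNS before selecting Verify / Continue in the Microsoft 365 admin center.
# Placeholders: replace XXX and the two expected values with what the admin center shows you.
$Domain      = 'corpXXX.euc-livefire.com'
$ExpectedTxt = 'MS=msXXXXXXXX'                          # the MS=ms... TXT value you copied (placeholder)
$ExpectedMx  = '<Expected MX host from the admin center>' # the Points to address or value entry (placeholder)
$Resolver    = '8.8.8.8'   # a public resolver shows what Microsoft sees, not the lab DC's cached view

function Test-M365DomainRecords {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $ExpectedTxt,
        [Parameter(Mandatory)] [string] $ExpectedMx,
        [string] $Server = '8.8.8.8'
    )
    # TXT answers arrive as string arrays; join the chunks and ignore any CNAME/SOA rows in the answer
    $txtValues = @(Resolve-DnsName -Name $Domain -Type TXT -Server $Server -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'TXT' } |
                   ForEach-Object { ($_.Strings -join '').Trim() })
    $mxRecords = @(Resolve-DnsName -Name $Domain -Type MX -Server $Server -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'MX' })

    [pscustomobject]@{
        Domain     = $Domain
        TxtPresent = ($txtValues -contains $ExpectedTxt)
        TxtSeen    = ($txtValues -join ' | ')
        MxPresent  = [bool]($mxRecords | Where-Object { $_.NameExchange.TrimEnd('.') -eq $ExpectedMx.TrimEnd('.') })
        MxSeen     = (($mxRecords | ForEach-Object { "$($_.Preference) $($_.NameExchange)" }) -join ' | ')
    }
}

$check = Test-M365DomainRecords -Domain $Domain -ExpectedTxt $ExpectedTxt -ExpectedMx $ExpectedMx -Server $Resolver
$check | Format-List

# Route 53 changes and resolver caches take a little time; do not select Verify until TxtPresent is True
if (-not $check.TxtPresent) { Write-Warning "TXT verification record not visible yet from $Resolver; wait and re-run." }
if (-not $check.MxPresent)  { Write-Warning "Expected MX record not visible yet from $Resolver; wait and re-run." }
```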

If you are using an existing account, it's very likely you won't have to change your default domain. Validate and, if necessary, make the change.

  23. In the Domains area
    • Under Domain name
      • Next to your unique *.onmicrosoft.com domain
        • select the checkbox
      • Under Domains, in the Task area
        • Select Set as default
  24. In the Set this domain as default? window
    • Select Set as default

  25. In the Domains page
    • Validate your default configuration

Your assigned domain should NOT be your (Default) domain; the *.onmicrosoft.com domain stays the default. Your setup should look like the example above.

Part 3: Using Microsoft Azure AD Connect for user provisioning to Microsoft Azure
  1. On your ControlCenter server
    • Open the Software shortcut
      • Navigate to the Applications > Azurefiles > ADConnect folder
    • Double-click AzureADConnect.msi
      • On the Open File - Security Warning window
        • Select Run
  2. On the Welcome to Azure AD Connect window
    • Next to I agree to the license terms and privacy notice
      • Enable the check box
      • Select Continue
  3. In the Express Settings window
    • Select Use express settings
  4. On the Connect to Azure AD window
    • Under USERNAME
      • Enter your documented Azure Cloud Admin account
    • Under PASSWORD
      • Enter your documented Azure Cloud Admin password
    • Select Next
  5. On the Connect to AD DS window
    • Under USERNAME
      • Enter EUC-Livefire\administrator
    • Under PASSWORD
      • Enter VMware1!
    • Select Next
  6. On the Azure AD sign-in configuration page
    • Validate that your custom Azure Domain has been Verified
    • Next to Continue without matching all UPN suffixes to verified domains
      • Select the check box
    • Select Next
  7. On the Ready to configure window
    • Next to Start the synchronization process when configuration completes
      • Enable the check box
    • Select Install
      • Getting to the next step could take a few minutes.
  8. On the Configuration complete window
    • Select Exit

Give the replication about 5 minutes to work.

Part 4: Configuring Microsoft 365 licensing
  1. On your ControlCenter server
    1. Using the following URL
      • https://admin.microsoft.com/Adminportal/Home?source=applauncher#/homepage
    2. Log back in to your Microsoft 365 tenant
      • With your cloudadmin username
      • With your CloudAdmin password
  2. In the Microsoft 365 admin center
    • In the left-hand pane under Home
      • Select Users
        • Select Active users
  3. In the Active users area
    • Notice that you have Licensed and Unlicensed users
      • It appears that, in addition to the accounts we sync in, Microsoft creates dummy accounts for use
      • The dummy user accounts have already been licensed, and we can only have up to 25 licensed users
      • Ensure you select only DUMMY accounts with Microsoft 365 E5 Developer licensing
      • At the top of the browser select Delete user
      • DO NOT delete your Cloudadmin account

This process is purely to keep the tenant clean, with only euc-livefire accounts.

It won't be necessary to do this step if you have a pre-assigned account.

  4. In the Active users area
    • Select the radio buttons next to
      • Fernando Dusello
      • Jill Verneo
      • Kevin Ikin
      • Kim Markez
      • Mark Debio
    • From the top menu options
      • At the top of the Active users area, next to Refresh,
      • select Manage product licenses

Everyone needs to license their newly synced accounts in Microsoft 365.

  5. In the Manage product licenses window
    • Next to Replace
      • Select the radio button
    • Next to Microsoft E5 Developer (without Windows and Audio Conferencing)
      • Select the checkbox
      • Select Save Changes
Part 5: Configuring Microsoft Azure for Workspace ONE Access authentication
  1. On your ControlCenter server
    • Open your Site 1 Chrome browser
    • Open a new tab
    • In the Chrome address bar
      • enter https://portal.azure.com
  2. In the Microsoft Azure Sign in page
    • enter YOUR CloudAdmin account
    • select Next
  3. In the Microsoft Azure Enter password page
    • enter your password
    • select Sign in
  4. In the Microsoft Azure Stay signed in? page
    • select Yes or No
  5. In the Microsoft Azure Admin Portal
    • In the left inventory
      • select Microsoft Entra ID
        • select Enterprise applications
  6. In the Enterprise applications area
    • select + New application
  7. In the Browse Azure AD Gallery area
    • select + Create your own application
  8. In the Create your own application area
    • below What's the name of your app?
      • enter Workspace ONE Access
    • select Create
  9. In the Workspace ONE Access | Overview page
    • select 2. Set up single sign on
  10. In the Workspace ONE Access | Single sign-on page
    • select SAML
  11. In the Workspace ONE Access | SAML-based Sign-on page
    • In the Basic SAML Configuration area
      • note that Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) are required
      • We will now switch to Workspace ONE Access for this information
      • On your ControlCenter server
        • switch to your Workspace ONE Access sysadmin console
  12. In the Workspace ONE Access admin console
    • select the Resources tab
    • In the Resources inventory
      • select Web Apps
  13. In the Web Apps area
    • select SETTINGS
  14. In the Settings window
    • select SAML Metadata
  15. In the Settings window
    • under SAML Metadata
      • select and right-click Service Provider (SP) metadata
      • select Save link as...
      • select and right-click Identity Provider (IdP) metadata
      • select Save link as...

NOTE: In this exercise we will only use the Service Provider metadata. In a later exercise we will use the Identity Provider metadata.

  16. In the Save As window
    • select Save
  17. In the bottom left-corner of your browser
    • next to sp.xml
      • select the dropdown
        • select Show in folder
  18. In the Downloads folder
    • select and right-click sp.xml
    • select Edit with Notepad++
  19. In the Notepad++ application
    • select View
      • select Word wrap
  20. In the Notepad++ application
    • In the XML code
      • find entityID
        • Copy the URL which ends in sp.xml
    • Save the URL in a new tab in Notepad++
  21. In the Notepad++ application
    • In the XML code
      • Find the code
        • AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location
      • Copy the URL that follows it, which ends in response
      • Save the URL in your new tab in Notepad++
  22. In the Notepad++ application
    • Note which URL is your Entity ID
    • Note which URL is your Response URL
    • Switch back to your Azure Admin Portal
  23. In the Workspace ONE Access | SAML-based Sign-on page
    • In the Basic SAML Configuration area
      • select Edit
  24. In the Basic SAML Configuration window
    • under Identifier (Entity ID) *
      • select Add identifier
  25. In the Basic SAML Configuration window
    • under Identifier (Entity ID) *
      • Paste your Entity ID
  26. In the Basic SAML Configuration window
    • under Reply URL (Assertion Consumer Service URL) *
      • select Add reply URL
  27. In the Basic SAML Configuration window
    • under Reply URL (Assertion Consumer Service URL) *
      • Paste YOUR Response URL
    • At the top of the page
      • select Save
  28. In the Workspace ONE Access area
    • Just above Single sign-on
      • select Users and groups
  29. In the Workspace ONE Access | Users and groups area
    • select + Add user/group
  30. In the Add Assignment area
    • click on None Selected
  31. In the Users and groups area
    • In the search area
      • enter DEV
      • select Developers
    • In the search area
      • enter Sales
      • select Sales
    • In the search area
      • enter Marketing
      • select Marketing
    • In the search area
      • enter IT support
      • select IT support
    • In the bottom right-corner
      • click on Select
  32. In the Add Assignment area
    • At the bottom of the page
      • select Assign
  33. In the Workspace ONE Access | Users and groups area
    • note the assigned groups
    • select Single sign-on
  34. In the Workspace ONE Access | SAML-based Sign-on area
    • In the SAML Certificates area
      • next to Federation Metadata XML
        • select Download
  35. On your ControlCenter server
    • browse to your Downloads folder
    • In the Downloads folder
      • note you have a Workspace ONE Access.xml file
    • In preparation for the next Part, switch to your Workspace ONE Access admin console
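As an added example (not part of the original lab), this PowerShell reads the two metadata files from this Part: sp.xml yields the Entity ID and Reply URL you paste into Azure, and Workspace ONE Access.xml yields the Azure entity ID, sign-on URL, Name ID formats and signing certificate that Workspace ONE Access will trust once the XML is pasted in the next Part, including the certificate expiry that a later federation outage would hinge on. The file locations are assumptions.

```powershell
# Added example, not from the lab: pull the values from the two metadata files instead of
# searching them by hand in Notepad++. Assumes both files are in your Downloads folder with the
# names the lab shows (sp.xml and Workspace ONE Access.xml).
$SpPath  = Join-Path $env:USERPROFILE 'Downloads\sp.xml'
$IdpPath = Join-Path $env:USERPROFILE 'Downloads\Workspace ONE Access.xml'

$PostBinding     = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
$RedirectBinding = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'

# Workspace ONE Access SP metadata: what you paste into Basic SAML Configuration in Azure
function Get-SpMetadataValues {
    param([Parameter(Mandatory)][string] $Path)
    # PowerShell's XML adapter drops namespace prefixes, so md:EntityDescriptor is just .EntityDescriptor
    $xml = [xml](Get-Content -Path $Path -Raw)
    $acs = @($xml.EntityDescriptor.SPSSODescriptor.AssertionConsumerService) |
           Where-Object { $_.Binding -eq $PostBinding } | Select-Object -First 1
    [pscustomobject]@{
        EntityId = $xml.EntityDescriptor.entityID   # Identifier (Entity ID), ends in sp.xml
        ReplyUrl = $acs.Location                     # Reply URL (ACS URL), ends in response
    }
}

# Azure federation metadata: what Workspace ONE Access will trust once pasted as the SAML IdP
function Get-IdpMetadataValues {
    param([Parameter(Mandatory)][string] $Path)
    $xml = [xml](Get-Content -Path $Path -Raw)
    $idp = $xml.EntityDescriptor.IDPSSODescriptor
    $sso = @($idp.SingleSignOnService) | Where-Object { $_.Binding -eq $RedirectBinding } | Select-Object -First 1
    $key = @($idp.KeyDescriptor) | Where-Object { -not $_.use -or $_.use -eq 'signing' } | Select-Object -First 1
    $raw = [Convert]::FromBase64String(($key.KeyInfo.X509Data.X509Certificate -replace '\s', ''))
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
    [pscustomobject]@{
        IdpEntityId        = $xml.EntityDescriptor.entityID
        SingleSignOnUrl    = $sso.Location
        NameIdFormats      = (@($idp.NameIDFormat) -join ', ')
        SigningCertSubject = $cert.Subject
        SigningCertExpires = $cert.NotAfter        # assertions stop validating once this passes; track it
        SigningCertThumb   = $cert.Thumbprint
    }
}

$sp  = Get-SpMetadataValues  -Path $SpPath
$idp = Get-IdpMetadataValues -Path $IdpPath
$sp  | Format-List
$idp | Format-List

# Sanity checks matching the lab's description of the two URLs before you paste them into Azure
if ($sp.EntityId -notlike '*sp.xml')   { Write-Warning 'Entity ID does not end in sp.xml; check you opened the SP metadata' }
if ($sp.ReplyUrl -notlike '*response') { Write-Warning 'Reply URL does not end in response; check the HTTP-POST ACS entry' }
if ($idp.SigningCertExpires -lt (Get-Date).AddDays(30)) { Write-Warning 'Azure signing certificate expires within 30 days' }
```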
Part 6: Configuring Workspace ONE Access to be an Identity Provider for Microsoft Azure
  1. On your Workspace ONE Access admin console
    • select Integrations
    • In the Integrations inventory
      • select Identity Providers
  2. In the Identity Providers area
    • in the top right corner
      • select ADD
        • In the drop-down menu
          • select SAML IDP
  3. In the New Identity Provider window
    • next to
      • Identity Provider Name
        • enter Azure Active Directory
    • Switch to your Downloads folder
  4. In the Downloads folder
    • select and right-click the Workspace ONE Access.xml file
    • select Edit with Notepad++
  5. In the Notepad++ application
    • In the title bar
      • select View
        • disable Word wrap
    • Click your mouse in the Notepad++ editing area
    • With your keyboard
      • Enter CTRL+A
      • Enter CTRL+C
  6. In the Azure Active Directory window
    • next to
      • SAML Metadata
        • under Identity Provider Metadata (URL or XML)
          • paste your XML metadata
  7. In the Azure Active Directory window
    • In line with
      • Name ID Format
        • to the right
          • select + ADD twice
  8. In the Azure Active Directory window
    • below
      • Name ID Format
        • 1st row
          • from the drop-down
            • select urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
        • 2nd row
          • from the drop-down
            • select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  9. In the Azure Active Directory window
    • below
      • Name ID Value
        • 1st row
          • from the drop-down
            • select username
        • 2nd row
          • from the drop-down
            • select userprincipalname
  10. In the Azure Active Directory window
    • In the Users area
      • next to EUC-livefire
        • select the checkbox
    • In the Network area
      • next to ALL RANGES
        • select the checkbox
  11. In the Azure Active Directory window
    • In the Authentication Methods area
      • below Authentication Methods
        • type AAD Password
      • below SAML Context
        • from the drop-down
          • select urn:oasis:names:tc:SAML:2.0:ac:classes:Password
  12. In the Azure Active Directory window
    • scroll to the top of the page
      • select SAVE
  13. In the Workspace ONE Access admin console
    • Select the Resources tab
      • select Policies
  14. In the Policies interface
    • next to default access policy set
      • select the radio button
        • select EDIT
  15. In the Edit Policy window
    • In the left column
      • Select Configuration
    • To the left of Web Browser
      • Select All Ranges
  16. In the Edit Policy Rule window
    • Next to then the user may authenticate using *
      • select AAD Password
    • Next to if the preceding method fails or is not applicable, then *
      • select Password (cloud deployment)
    • Select + ADD FALLBACK METHOD
      • Next to if the preceding method fails or is not applicable, then *
        • select Password (Local Directory)
    • Select SAVE at the bottom of the window
  17. In the Edit Policy Rule window
    • Select + ADD POLICY RULE
  18. In the Edit Policy Rule window
    • Next to:
      • and user accessing content from *
        • select Windows 10
      • then the user may authenticate using *
        • select AAD Password
      • if the preceding method fails or is not applicable, then
        • select Password (cloud deployment)
      • Select + ADD FALLBACK METHOD
        • if the preceding method fails or is not applicable, then
          • Select Password (Local Directory)
    • At the bottom right-hand side of the page
      • Select SAVE
  19. In the Edit Policy window
    • Next to ALL RANGES for Windows 10
      • Select the 6 dots and drag the rule to the top
    • Select NEXT on the Edit Policy page
  20. On the Edit Policy page
    • Summary tab
      • Select SAVE
Part 8: Testing to see if the federation works
  1. On your ControlCenter server
    • In your Chrome browser
      • Open an Incognito session
      • In the address bar enter your Workspace ONE Access tenant URL
  2. In the Microsoft Sign in window
    • enter
      • craig@corpXXX.euc-livefire.com
        • XXX = your assigned domain
    • select Next
  3. In the Microsoft Sign in window
    • Under Enter password
      • enter VMware1!
    • select Sign in
    • In the Stay signed in? window
      • select No
  4. In the web Intelligent Hub
    • Select Apps
  5. In the web Intelligent Hub
    • Under Apps
      • Select Microsoft Excel
  6. In the Help us protect your account window
    • Select Skip for now (xx days until this is required)
      • xx represents whatever you see on your screen
    • Select Next
  7. In the office.com window
    • Notice you have access to your Microsoft 365 applications
    • Using deep links, we are able to publish these applications individually to Workspace ONE Access
