In this tutorial, you learn how to integrate SharePoint on-premises with Azure Active Directory (Azure AD).
Integrating SharePoint on-premises with Azure AD provides you with the following benefits:
- You can control in Azure AD who has access to SharePoint on-premises.
- You can enable your users to be automatically signed-in to SharePoint on-premises (Single Sign-On) with their Azure AD accounts.
- You can manage your accounts in one central location – the Azure portal.
To configure Azure AD integration with SharePoint on-premises, you need the following items:
- An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account.
- A SharePoint on-premises farm (SharePoint Server 2016 is used in this tutorial) on which you can enable single sign-on.
1. Adding SharePoint on-premises from the gallery
2. Configure Azure AD single sign-on
3. Configure SharePoint on-premises Single Sign-On
4. Enable the Azure AD authentication provider on the SharePoint web application
5. Set up the People Picker (AzureCP) to assign permissions to the SharePoint site
6. Test the single-sign-on
Let's start with the actual steps.
S-1. Adding SharePoint on-premises from the gallery
To configure the integration of SharePoint on-premises into Azure AD, you need to add SharePoint on-premises from the gallery to your list of managed SaaS apps.
To add SharePoint on-premises from the gallery, perform the following steps:
a). In the Azure portal, on the left navigation panel, click the Azure Active Directory icon.
b). Navigate to Enterprise Applications and then select the All Applications option.
c). To add a new application, click the New application button at the top of the dialog.
d). In the search box, type SharePoint on-premises, select SharePoint on-premises from the result panel, then click the Add button to add the application.
S-2. Configure Azure AD single sign-on
In this section, you enable Azure AD single sign-on in the Azure portal.
To configure Azure AD single sign-on with SharePoint on-premises, perform the following steps:
- In the Azure portal, on the SharePoint on-premises application integration page, select Single sign-on.
- On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
- On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration dialog.
- In the Basic SAML Configuration section, perform the following steps:
- a. In the Sign-on URL text box, type a URL using the following pattern (replace sharepoint.moreyeahs.com with your SharePoint server's host name): https://sharepoint.moreyeahs.com/_trust/default.aspx
- b. In the Identifier box, type a URL using the following pattern: urn:sharepoint:federation
- c. In the Reply URL text box, type a URL using the following pattern:
- On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click Download next to Certificate (Base64) and save the file on your computer.
Please note down the file path to which you have downloaded the certificate file, as you need to use it later in the PowerShell script for configuration.
- In the Set up SharePoint on-premises section, copy the URL(s) you need. For the Single Sign-On Service URL, use a value of the following pattern:
In that pattern, my_directory_id is the tenant ID (directory ID) of your Azure AD subscription.
SharePoint on-premises consumes SAML 1.1 tokens, so the integration uses WS-Federation: the SharePoint server sends a WS-Fed sign-in request to Azure AD, and after the user authenticates, Azure AD issues a SAML 1.1 token back to SharePoint's /_trust/ endpoint.
S-3. Configure SharePoint on-premises Single Sign-On
- In a different web browser window, sign in to your SharePoint on-premises company site as an administrator.
- Configure a new trusted identity provider in SharePoint Server 2016. Sign in to the SharePoint Server 2016 server and open the SharePoint 2016 Management Shell. Fill in the values of $realm (the Identifier value from the SharePoint on-premises Domain and URLs section in the Azure portal), $wsfedurl (the Single Sign-On Service URL) and $filepath (the path to which you downloaded the certificate file), then run the following commands to configure a new trusted identity provider.
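The following script is an added example of the trusted identity provider configuration described above; it is not the page's own script. It runs in the SharePoint 2016 Management Shell as a farm administrator. The three values at the top are placeholders: the Single Sign-On Service URL is assumed to have the form https://login.microsoftonline.com/my_directory_id/wsfed, and the certificate path is a made-up location. Replace them with what the Azure portal shows for your tenant.

```powershell
# Added example (not from the page): register Azure AD as a trusted identity
# provider in SharePoint Server 2016. Run in the SharePoint 2016 Management Shell.
# The three values below are assumptions; replace them with your own.
$realm    = "urn:sharepoint:federation"                               # Identifier from Basic SAML Configuration
$wsfedurl = "https://login.microsoftonline.com/my_directory_id/wsfed"  # Single Sign-On Service URL (assumed form; my_directory_id = tenant ID)
$filepath = "C:\AzureAD\SharePoint on-premises.cer"                    # Certificate (Base64) downloaded from the portal (assumed path)

# Load the Azure AD signing certificate and sanity-check it before trusting it:
# an expired or wrong certificate means every token fails signature validation.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($filepath)
if ($cert.NotAfter -lt (Get-Date)) { throw "Signing certificate expired on $($cert.NotAfter)" }
Write-Host ("Trusting {0} (thumbprint {1}), valid until {2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)

# Register the certificate as a trusted root authority in the farm.
New-SPTrustedRootAuthority -Name "AzureAD" -Certificate $cert | Out-Null

# Map the incoming claim types. Azure AD populates the "name" claim with the
# user's UPN by default; SharePoint stores it as its UPN claim and uses it as
# the identifier. The "role" claim carries security group object IDs once the
# app registration's manifest emits SecurityGroup claims (step 5.2).
$map = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" `
    -IncomingClaimTypeDisplayName "name" `
    -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$map2 = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" `
    -SameAsIncoming

# Create the trusted identity token issuer. Step 4 (authentication providers)
# and the AzureCP association in step 5 refer to it by the name "AzureAD".
$ap = New-SPTrustedIdentityTokenIssuer -Name "AzureAD" `
    -Description "SharePoint secured by Azure AD" `
    -Realm $realm `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $map,$map2 `
    -SignInUrl $wsfedurl `
    -IdentifierClaim $map.InputClaimType

# Read the issuer back and confirm realm, sign-in URL and identifier claim.
Get-SPTrustedIdentityTokenIssuer -Identity "AzureAD" |
    Select-Object Name, ProviderRealms, ProviderUri, IdentifierClaim
```

Two things to keep in mind: the realm must match the Identifier configured in Azure AD exactly, because SharePoint only accepts tokens whose audience equals the realm; and the Azure AD signing certificate has an expiry date, so when it is rolled over in the portal the trust in SharePoint must be updated with the new certificate or sign-in stops working.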
S-4. Enable the Azure AD authentication provider on the SharePoint web application
Follow these steps to enable the trusted identity provider for your application:
a. In Central Administration, navigate to Manage web applications and select the web application that you wish to secure with Azure AD.
b. In the ribbon, click Authentication Providers and choose the zone that you wish to use.
c. Select Trusted Identity provider and select the identity provider you registered in step 3, named AzureAD.
d. On the sign-in page URL setting, select Custom sign in page and provide the value “/_trust/”.
e. Click OK.
S-5. Set up the People Picker (AzureCP) to assign permissions to the SharePoint site
Download AzureCP, the claims provider that lets the People Picker resolve Azure AD users and groups, from https://yvand.github.io/AzureCP/
- Download AzureCP.wsp.
- Install and deploy the solution. Open the SharePoint Management Shell and run the commands below (the solution must be added to the farm before it can be installed):
Add-SPSolution -LiteralPath "F:\Data\Dev\AzureCP.wsp"
Install-SPSolution -Identity "AzureCP.wsp" -GACDeployment
- Associate AzureCP with the SPTrustedIdentityTokenIssuer created in step 3 (the change is only persisted by the final Update() call):
$trust = Get-SPTrustedIdentityTokenIssuer "AzureAD"
$trust.ClaimProviderName = "AzureCP"
$trust.Update()
- Visit central administration > System Settings > Manage farm solutions: Wait until solution status shows “Deployed”.
- Update the assembly manually on SharePoint servers that do not run the service "Microsoft SharePoint Foundation Web Application".
- Restart IIS service and SharePoint timer service on each SharePoint server.
5.1 Add an application in your Azure AD tenant to allow AzureCP to query it.
Sign in to the Azure portal and browse to your Azure Active Directory tenant
Go to “App Registrations” > “New registration” > Type the following information:
Name: e.g. AzureCP
Supported account types: “Accounts in this organizational directory only (TenantName)”
Click on “Register”
Note: Copy the “Application (client) ID”: it is required by AzureCP to add a tenant.
Click on "API permissions" and remove the delegated permission that is added by default.
Click on "Add a permission" > select "Microsoft Graph" > "Application permissions" > Directory > Directory.Read.All > click "Add permissions"
Click on "Grant admin consent for TenantName" > Yes
Note: After this operation, you should have only the Microsoft Graph > Directory.Read.All permission, of type "Application", with admin consent granted.
Click on "Certificates & secrets" > "New client secret": type a description, choose a duration and validate.
Note: Copy the client secret value now; it is shown only once and is required by AzureCP to add a tenant. Treat it as a credential: it grants app-only read access to the whole directory, so choose the shortest duration you can manage and record the expiry date, because the People Picker stops resolving Azure AD users and groups when the secret expires.
- Configure AzureCP for your environment.
Go to SharePoint Central Administration, select AzureCP, click Global Configuration and fill in the following details:
Azure Tenant Name: tenant.onmicrosoft.com
Application ID: the Application (client) ID copied at the time of app registration
Application Secret: the client secret value copied at the time of app registration
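Before pasting the secret into AzureCP, it is worth proving that the app registration actually works and carries only the permission you intended. The script below is an added example, not part of the page or of AzureCP: it performs the OAuth 2.0 client-credentials grant against the Azure AD v2.0 token endpoint, decodes the access token to check that the only app role is Directory.Read.All, and then runs the two Graph lookups AzureCP relies on (one user, one group). The tenant name and client ID are placeholders.

```powershell
# Added example (not from the page or AzureCP): verify the app registration
# from step 5.1 before entering its secret into AzureCP. Placeholders below.
$tenant   = "tenant.onmicrosoft.com"                    # your Azure AD tenant (assumed)
$clientId = "00000000-0000-0000-0000-000000000000"      # Application (client) ID (assumed)
$secret   = Read-Host -Prompt "Client secret"           # prompt rather than hard-code the credential

# Client-credentials grant: app-only token for Microsoft Graph.
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenant/oauth2/v2.0/token" `
    -Body @{
        client_id     = $clientId
        client_secret = $secret
        scope         = "https://graph.microsoft.com/.default"
        grant_type    = "client_credentials"
    }

# Decode the JWT payload (base64url without padding) to inspect the app roles.
function ConvertFrom-JwtPayload([string]$jwt) {
    $part = $jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($part.Length % 4) { 2 { $part += '==' } 3 { $part += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($part)) | ConvertFrom-Json
}
$claims = ConvertFrom-JwtPayload $token.access_token
$roles  = @($claims.roles)

# Least privilege check: exactly one application permission, Directory.Read.All.
if ($roles.Count -ne 1 -or $roles[0] -ne "Directory.Read.All") {
    throw "Unexpected app roles: '$($roles -join ', ')'. Expected only Directory.Read.All (check API permissions and admin consent)."
}

# Prove the token works for the lookups AzureCP performs: one user, one group.
# Single-quoted URIs keep PowerShell from interpolating the $top/$select query options.
$headers = @{ Authorization = "Bearer $($token.access_token)" }
$user  = Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/users?$top=1&$select=userPrincipalName' -Headers $headers
$group = Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/groups?$top=1&$select=id,displayName' -Headers $headers

$expires = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp).LocalDateTime
Write-Host "Token OK: roles=$($roles -join ','), expires $expires"
Write-Host "Sample user : $($user.value[0].userPrincipalName)"
Write-Host "Sample group: $($group.value[0].displayName) ($($group.value[0].id))"
```

If the roles check fails, the usual causes are a leftover delegated permission, a permission added without admin consent, or consent granted in the wrong tenant. Because the secret is only ever read from the prompt, nothing sensitive ends up in the shell history or in a script file.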
5.2 Grant access to the Azure active directory user
The user or group must be granted access to the application in SharePoint on-premises. Use the following steps to set the permissions to access the web application.
Note: to grant access to a group, you must first update the manifest of the registered SharePoint on-premises application so that Azure AD emits group claims. In the manifest, set the property that controls group membership claims to SecurityGroup, then click Save.
Now let's assign the permissions. In Central Administration, click on Application Management, then Manage web applications, select the web application to activate the ribbon and click on User Policy.
Under Policy for Web Application, click on Add Users, then select the zone, click on Next. Click on the Address Book.
Then, search for and add the Azure Active Directory Security Group and click on OK.
Select the Permissions, then click on Finish.
See under Policy for Web Application, the Azure Active Directory Group is added. The group claim shows the Azure Active Directory Security Group Object ID for the User Name.
Browse to the SharePoint site collection and add the Group or user there, as well. Click on Site Settings, then click Site permissions and Grant Permissions. Search for the Group Role claim, assign the permission level and click Share.
S-6. Test the single-sign-on
Before testing single sign-on, let's configure Seamless SSO so that internal users are signed in to the SharePoint site automatically with their Windows logon account (the machine must be domain joined).
Here I will only show the Group Policy part; the remaining Azure AD Connect configuration is described in this article: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start
Group Policy option: detailed steps
- Open the Group Policy Management Editor tool.
- Edit the group policy that’s applied to some or all your users. This example uses the Default Domain Policy.
- Browse to User Configuration > Policy > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page. Then select Site to Zone Assignment List.
- Enable the policy, and then enter the following values in the dialog box:
- Value name: the Azure AD URL to which the Kerberos tickets are forwarded.
- Value (Data): 1, which indicates the Intranet zone.
The result looks like this:
Value name: https://autologon.microsoftazuread-sso.com
Value (Data): 1
- Browse to User Configuration > Policy > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone. Then select Allow updates to the status bar via script.
- Enable the policy setting, and then select OK.
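Before testing with a browser, it helps to confirm on a client that the policy above actually arrived and that the Kerberos side of Seamless SSO works. The script below is an added example and not part of the page: it reads the registry location where the Site to Zone Assignment List setting stores its entries (HKCU for a policy applied under User Configuration, HKLM for Computer Configuration) and then asks for a Kerberos ticket for the AZUREADSSOACC computer account that Azure AD Connect creates, whose service principal name is HTTP/autologon.microsoftazuread-sso.com. Run it as the test user on a domain-joined machine after gpupdate /force.

```powershell
# Added example (not from the page): client-side checks for Seamless SSO.
$ssoUrl = "https://autologon.microsoftazuread-sso.com"
$zoneMapPaths = @(
    "HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey",  # User Configuration
    "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"   # Computer Configuration
)

# Check 1: the SSO URL must be mapped to zone 1 (Intranet) by policy.
function Test-SeamlessSsoZoneMap {
    foreach ($path in $zoneMapPaths) {
        if (-not (Test-Path $path)) { continue }
        $zone = (Get-ItemProperty -Path $path).$ssoUrl
        if ($null -eq $zone) { continue }
        if ("$zone" -eq "1") {
            Write-Host "$ssoUrl is in the Intranet zone (via $path)"
            return $true
        }
        Write-Warning "$ssoUrl is mapped to zone $zone, not Intranet (1), via $path"
        return $false
    }
    Write-Warning "$ssoUrl is not in any policy-managed zone map; the GPO has not applied to this user or device (try gpupdate /force)"
    return $false
}

# Check 2: the client must obtain a Kerberos service ticket for the AZUREADSSOACC
# SPN, which requires line of sight to a domain controller (see the test
# conditions below). klist prints "klist failed with 0x..." when it cannot.
function Test-SeamlessSsoTicket {
    $text = (& klist.exe get HTTP/autologon.microsoftazuread-sso.com 2>&1) -join "`n"
    if ($LASTEXITCODE -ne 0 -or $text -match 'klist failed') {
        Write-Warning "Could not obtain a Kerberos ticket for HTTP/autologon.microsoftazuread-sso.com:`n$text"
        return $false
    }
    Write-Host "Kerberos ticket for HTTP/autologon.microsoftazuread-sso.com obtained"
    return $true
}

$zoneOk   = Test-SeamlessSsoZoneMap
$ticketOk = Test-SeamlessSsoTicket
if ($zoneOk -and $ticketOk) { Write-Host "Client is ready for Seamless SSO" } else { Write-Warning "Seamless SSO will not work on this client yet" }
```

A ticket failure with a correct zone map usually means the machine has no path to a DC (for example, off the VPN), or that the AZUREADSSOACC account was not created by Azure AD Connect. Microsoft also recommends rolling over that account's Kerberos decryption key regularly (at least every 30 days); plan for it, because the key is effectively a long-lived credential for your tenant's sign-in.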
Test the feature
To test the feature for a specific user, ensure that all the following conditions are in place:
- The user signs in on a corporate device.
- The device is joined to your Active Directory domain. The device doesn’t need to be Azure AD Joined.
- The device has a direct connection to your domain controller (DC), either on the corporate wired or wireless network or via a remote access connection, such as a VPN connection.
- You have rolled out the feature to this user through Group Policy.
To test the scenario where the user enters only the username, but not the password:
- Sign in to https://myapps.microsoft.com/ in a new private browser session.
To test the scenario where the user doesn’t have to enter the username or the password, use one of these steps:
- Sign in to https://myapps.microsoft.com/contoso.onmicrosoft.com in a new private browser session. Replace contoso with your tenant's name.
- Sign in to https://myapps.microsoft.com/contoso.com in a new private browser session. Replace contoso.com with a verified domain (not a federated domain) on your tenant.
Reference link – https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial