Azure Active Directory integration with SharePoint on-premises

In this tutorial, you learn how to integrate SharePoint on-premises with Azure Active Directory (Azure AD).

Integrating SharePoint on-premises with Azure AD provides you with the following benefits:

  • You can control in Azure AD who has access to SharePoint on-premises.
  • You can enable your users to be automatically signed-in to SharePoint on-premises (Single Sign-On) with their Azure AD accounts.
  • You can manage your accounts in one central location – the Azure portal.
Prerequisites

To configure Azure AD integration with SharePoint on-premises, you need the following items:

  • An Azure AD subscription. If you don’t have an Azure AD environment, you can get a free account
  • SharePoint on-premises single sign-on enabled subscription
Steps

1. Adding SharePoint on-premises from the gallery

2. Configure Azure AD single sign-on

3. Configure SharePoint on-premises Single Sign-On

4. Enable Azure Authentication provider to Sharepoint Web application

5. Setup People picker to assign permission to the SharePoint site

6. Test the single-sign-on

let’s start with the real steps…

S-1. Adding SharePoint on-premises from the gallery

To configure the integration of SharePoint on-premises into Azure AD, you need to add SharePoint on-premises from the gallery to your list of managed SaaS apps.

To add SharePoint on-premises from the gallery, perform the following steps:

a). In the Azure portal, on the left navigation panel, click the Azure Active Directory icon.

b). Navigate to Enterprise Applications and then select the All Applications option.

c). To add a new application, click New application button on the top of the dialog.

d). In the search box, type SharePoint on-premises, select SharePoint on-premises from result panel then click Add button to add the application.

S-2. Configure Azure AD single sign-on

In this section, you enable Azure AD single sign-on in the Azure portal.

To configure Azure AD single sign-on with SharePoint on-premises, perform the following steps:

  1. In the Azure portal, on the SharePoint on-premises application integration page, select Single sign-on.
  2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
  3. On the Setup Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration dialog.
  4. On the Basic SAML Configuration section, perform the following steps:
  5. a. In the Sign-on URL text box, type a URL using the following pattern: https://sharepoint.moreyeahs.com/_trust/default.aspx
    b. In the Identifier box, type a URL using the following pattern: urn:sharepoint:federation
    c. In the Reply URL text box, type a URL using the following pattern: https://sharepoint.moreyeahs.com/_trust/default.aspx
  6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click Download to download the Certificate (Base64) from the given options as per your requirement and save it on your computer.

    Note

    Please note down the file path to which you have downloaded the certificate file, as you need to use it later in the PowerShell script for configuration.

  7. On the Set up SharePoint on-premises section, copy the appropriate URL(s) as per your requirement. For Single Sign-On Service URL, use a value of the following pattern: https://login.microsoftonline.com/_my_directory_id_/wsfedmy_directory_id is the tenant id of Azure Ad subscription.
    Sharepoint On-Premises application uses SAML 1.1 token, so Azure AD expects WS Fed request from the SharePoint server and after authentication, it issues the SAML 1.1. token.
S-3. Configure SharePoint on-premises Single Sign-On
  1. In a different web browser window, sign in to your SharePoint on-premises company site as an administrator.
  2. Configure a new trusted identity provider in SharePoint Server 2016Sign into the SharePoint Server 2016 server and open the SharePoint 2016 Management Shell. Fill in the values of $realm (Identifier value from the SharePoint on-premises Domain and URLs section in the Azure portal), $wsfedurl (Single Sign-On Service URL), and $filepath (file path to which you have downloaded the certificate file) from Azure portal and run the following commands to configure a new trusted identity provider.

S-4. Enable Azure Authentication provider to Sharepoint Web application

Follow these steps to enable the trusted identity provider for your application:

a. In Central Administration, navigate to Manage Web Application and select the web application that you wish to secure with Azure AD.

b. In the ribbon, click Authentication Providers and choose the zone that you wish to use.

c. Select Trusted Identity provider and select the identity provider you just registered named AzureAD.

d. On the sign-in page URL setting, select Custom sign in page and provide the value “/_trust/”.

e. Click OK.

S-5. Setup People picker to assign permission to the SharePoint sitE

Download the People picker form this link – https://yvand.github.io/AzureCP/

  • -Download AzureCP.wsp.
  • -Install and deploy the solution:
    Open Sharepoint management shell and run below command
    Add-SPSolution -LiteralPath "F:\Data\Dev\AzureCP.wsp"Install-SPSolution -Identity “AzureCP.wsp” -GACDeployment
  • Associate AzureCP with a SPTrustedIdentityTokenIssuer:
    $trust = Get-SPTrustedIdentityTokenIssuer "AzureAD"$trust.ClaimProviderName = “AzureCP”
    $trust.Update()
  • Visit central administration > System Settings > Manage farm solutions: Wait until solution status shows “Deployed”.
  • Update assembly manually on SharePoint servers that do not run the service “Microsoft SharePoint Foundation Web Application” (see below for more details).
  • Restart IIS service and SharePoint timer service on each SharePoint server.
    5.1 Add an application in your Azure AD tenant to allow AzureCP to query it.

    Sign in to the Azure portal and browse to your Azure Active Directory tenant

    Go to “App Registrations” > “New registration” > Type the following information:

    Name: e.g. AzureCP
    Supported account types: “Accounts in this organizational directory only (TenantName)”

    Click on “Register”

    Note: Copy the “Application (client) ID”: it is required by AzureCP to add a tenant.

    Click on “API permissions” and remove the permission added by default.

    Click on “Add a permission” > Select “Microsoft Graph” > “Application permissions” > Directory > Directory.Read.All > click “Add permissions”

    Click on “Grant admin consent for TenantName” > Yes

    Note: “After this operation, you should have only the Microsoft Graph > Directory.Read.All permission, of type “Application”, with admin consent granted.

    Click on “Certificates & secrets” > “New client secret”: Type a description, choose a duration and validate.

    Note: Copy the client secret value: it is required by AzureCP to add a tenant.

  • Configure AzureCP for your environment.
    Go to SharePoint Central administration and select AzureCPClick to Global Configuration and fill the below detail-
    Azure Tenant Name – tenant.onmicrosoft.com
    Application ID –  Which is copied at the time of App registration
    Application Secret – Which is copied at the time of App registration

     5.2 Grant access to the Azure active directory user

        The user or group must be granted access to the application in SharePoint on-premises. Use the following steps to set the permissions to access the web application.
        Note-*  For the group, we have to update the manifest file of registered SharePoint-On-premises application, In the manifest file update the below the property.
        Modify groupMembershipClaimsNULL, To groupMembershipClaimsSecurityGroup. Then, click on Save

Now lest assign the permission- In Central Administration, click on Application Management, Manage web applications, then select the web application to activate the ribbon and click on User Policy.

 

Under Policy for Web Application, click on Add Users, then select the zone, click on Next. Click on the Address Book.

       

Then, search for and add the Azure Active Directory Security Group and click on OK.

Select the Permissions, then click on Finish.

See under Policy for Web Application, the Azure Active Directory Group is added. The group claim shows the Azure Active Directory Security Group Object ID for the User Name.

 

Browse to the SharePoint site collection and add the Group or user there, as well. Click on Site Settings, then click Site permissions and Grant Permissions. Search for the Group Role claim, assign the permission level and click Share.

S-6. Test the single-sign-on

Before the test, the single-sign-on, Let’s configure the seamless authentication setting so that internal users can auto-login to the SharePoint site with their windows logged-in account(Machine should be domain joined )
Here I will only show you the Group policy part, reaming AAD connector configuration you can do by following this article – https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start

Group policy” option – Detailed steps
  1. Open the Group Policy Management Editor tool.
  2. Edit the group policy that’s applied to some or all your users. This example uses the Default Domain Policy.
  3. Browse to User Configuration > Policy > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page. Then select Site to Zone Assignment List.
  4. Enable the policy, and then enter the following values in the dialog box:
    • Value name: The Azure AD URL where the Kerberos tickets are forwarded.
    • Value (Data): 1 indicates the Intranet zone.The result looks like this:Value name: https://autologon.microsoftazuread-sso.comValue (Data): 1

5. Browse to User Configuration > Policy > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone. Then select Allow updates to the status bar via script.

6. Enable the policy setting, and then select OK.

 Test the feature

To test the feature for a specific user, ensure that all the following conditions are in place:

  • The user signs in on a corporate device.
  • The device is joined to your Active Directory domain. The device doesn’t need to be Azure AD Joined.
  • The device has a direct connection to your domain controller (DC), either on the corporate wired or wireless network or via a remote access connection, such as a VPN connection.
  • You have rolled out the feature to this user through Group Policy.

To test the scenario where the user enters only the username, but not the password:

  • Sign in to https://myapps.microsoft.com/ in a new private browser session.

To test the scenario where the user doesn’t have to enter the username or the password, use one of these steps:

  • Sign in to https://myapps.microsoft.com/contoso.onmicrosoft.com in a new private browser session. Replace contoso with your tenant’s name.
  • Sign in to https://myapps.microsoft.com/contoso.com in a new private browser session. Replace contoso.com with a verified domain (not a federated domain) on your tenant.

 

 

Thank You

 

Reference link – https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start

 

Comments (15)

I am regular reader, how are you, everybody? This article posted at
this website is really good.

We are a technical expert in several Microsoft and other technologies! for more info you can go through our official site https://www.moreyeahs.com
Thanks

If some one needs expert view concerning blogging
then i suggest him/her to pay a visit this web
site, Keep up the pleasant job.

I wanted to thank you for this fantastic read!!
I certainly loved every bit of it. I have you saved as a favorite to check
out new things you post…

We thank you for your appreciating comment.

Hello to every one, the contents present at this web site
are really amazing for people knowledge, well, keep up the good work fellows.

Fastidious answers in return of this question with real
arguments and explaining all regarding that.

Hey there! Would you mind if I share your blog with my zynga
group? There’s a lot of folks that I think would really enjoy your content.

Please let me know. Many thanks

Sure you can share my blog with your groups.

Everything is very open with a very clear
explanation of the challenges. It was really informative.
Your site is useful. Thanks for sharing!

I simply could not go away your web site before
suggesting that I extremely loved the usual information a person supply in your guests?
Is gonna be back steadily in order to check up on new posts

Great post. I used to be checking continuously this weblog and I’m impressed!
Extremely useful information specially the remaining phase 🙂 I care for such information much.
I used to be seeking this particular info for a
long time. Thanks and good luck.

Very descriptive blog, I loved that bit. Will there be a part 2?

Great goods from you, man. I have understand your stuff previous to and you’re just extremely great.
I really like what you’ve acquired here, certainly like what you’re stating and the way in which you say it.

You make it entertaining and you still take care of to keep
it sensible. I can not wait to read much more from you.
This is actually a wonderful website.

magnificent post, very informative. I’m wondering why the other specialists of this sector do not notice this.
You should continue your writing. I am sure, you have a huge
readers’ base already!

Leave a comment