To successfully use Azure AD with Back-IT 365, a new application must be created in your Azure AD environment. With the information from this application, a link can then be created in Back-IT 365. The setup consists of the following steps:
- Creating an application in Azure
- Setting up the enterprise application
- Setting up the app registration
- Back-IT 365 portal setup
- Setting up Azure AD in the Back-IT 365 portal
- Enabling Azure AD for Back-IT 365 users
Step 1: Creating an application in the Azure Portal #
- Go to https://portal.azure.com and log in with the credentials for the organization you want to connect to Back-IT 365.
- Navigate to “Enterprise applications”
- Click “+ New Application” at the top of the page. The “Browse Azure AD Gallery” page loads; click “+ Create your own application” in the top left corner. In the next window, enter the name of your application. This name is for your own administration only and can be changed later. Select the “Register an application…” option and click “Create” at the bottom of the newly opened window.
- You are redirected to the “App registration” overview. The name is predefined and can stay that way. At “Supported account types”, select the first option, “Accounts in this organizational directory only”.
- At “Redirect URI (optional)”, select “Web” as the platform and enter the following URL exactly as written: https://portal.backit365.com/Login/AzureAdResponse/
- Next, click “Register”.
- Two entities have now been created in Azure: an “Enterprise application” and an “App registration”. Continue with the next step: setting up the Enterprise Application.
Step 2: Setting up the Enterprise Application #
- Go to the Enterprise Application overview and select the newly created application. You will now be redirected to the application’s overview page.
- Navigate to “Users and Groups” using the left menu.
- Click “+ Add user/group” at the top left of the page to add the users who are allowed to use the application.
- The e-mail addresses of these users must match the e-mail addresses of their Back-IT 365 accounts.
Step 3: Setup App Registration #
- Navigate to App Registrations overview.
- Select the app you just set up the Enterprise application for, i.e. the one you want to add to Back-IT 365.
- The next step is to set up Certificates & secrets and API permissions.
Certificates & secrets
Add a new client secret by pressing the “+ New client secret” button. Give the client secret a description so that it can be recognised easily, then choose how long the client secret will be valid. The recommended validity is 6 months, but this is up to the client. From here, expired client secrets can be deleted and new ones created.
PLEASE NOTE: When a client secret is created by pressing “Add”, its value is shown. This value will not be visible again later, so we recommend saving it to a password manager or another option of your choosing. This value is needed to link the application to Back-IT 365.
API permissions
In the left menu, navigate to “API permissions”. You arrive at the API permissions overview page. When the application is created, Microsoft automatically adds the “openid” and “User.Read” permissions. These are needed to retrieve the user's information when logging in.
Press “Grant admin consent for <your tenant name>” (“Contoso” in the example) to approve these permissions in advance. If the client does not do this, consent is requested automatically at the first login.
The new applications are now set up and can be used for the setup in the Back-IT 365 portal.
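Steps 1 to 3 can also be done from a script, which is convenient when the same registration has to be reproduced in several tenants. The following PowerShell script is an added example and is not code from Back-IT 365 or from Microsoft; it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph module) and assumes the signed-in account may create applications and grant admin consent. The display name and the secret description are assumptions (any value works); the redirect URI and the 6-month secret lifetime are the values given on this page, and the scope IDs are Microsoft Graph's published IDs for openid and User.Read.

```powershell
# Added example (not Back-IT 365 or Microsoft code): creates the app registration,
# the enterprise application and the client secret described in steps 1-3.
# Requires: Install-Module Microsoft.Graph
# Assumption: the signed-in account has rights to create applications and grant consent.

$displayName = 'Back-IT 365'   # assumption: administrative name only, can be changed later
$redirectUri = 'https://portal.backit365.com/Login/AzureAdResponse/'   # from this page

# Microsoft Graph resource and its delegated scopes "openid" and "User.Read"
# (the two permissions the page says Microsoft adds automatically).
$graphAppId    = '00000003-0000-0000-c000-000000000000'
$scopeOpenId   = '37f7f235-527c-4136-accd-4a02d197296e'
$scopeUserRead = 'e1fe6dd8-ba31-4d61-89e7-88639da4683d'

Connect-MgGraph -Scopes 'Application.ReadWrite.All',
                        'DelegatedPermissionGrant.ReadWrite.All',
                        'Directory.Read.All'

# Step 1: the registration. AzureADMyOrg is "Accounts in this organizational
# directory only"; the Web platform gets exactly the redirect URI from the page.
$app = New-MgApplication -DisplayName $displayName `
    -SignInAudience 'AzureADMyOrg' `
    -Web @{ RedirectUris = @($redirectUri) } `
    -RequiredResourceAccess @(
        @{
            ResourceAppId  = $graphAppId
            ResourceAccess = @(
                @{ Id = $scopeOpenId;   Type = 'Scope' },
                @{ Id = $scopeUserRead; Type = 'Scope' }
            )
        }
    )

# Step 2: the enterprise application (service principal) that users are assigned to.
$sp = New-MgServicePrincipal -AppId $app.AppId

# Step 3: a client secret valid for 6 months, the recommendation on the page.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'Back-IT 365 portal link'   # assumption: any description works
    EndDateTime = (Get-Date).AddMonths(6)
}

# Admin consent for openid and User.Read, the equivalent of the
# "Grant admin consent for <tenant>" button on the API permissions page.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
New-MgOAuth2PermissionGrant -BodyParameter @{
    ClientId    = $sp.Id
    ConsentType = 'AllPrincipals'
    ResourceId  = $graphSp.Id
    Scope       = 'openid User.Read'
} | Out-Null

# The three values the Back-IT 365 portal asks for in step 4. The secret value is
# returned only here, once; store it in a password manager straight away.
[pscustomobject]@{
    ApplicationId = $app.AppId
    TenantId      = (Get-MgContext).TenantId
    ClientSecret  = $secret.SecretText
}
```

The script does not assign users to the enterprise application; that part of step 2 (“+ Add user/group”) is still done in the portal, and the assigned users' e-mail addresses must match their Back-IT 365 accounts. Because `SecretText` is only returned at creation time, run the script in a session where the output is not logged to a shared transcript.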
Step 4: Setting up Azure AD in the Back-IT 365 portal #
- Login to your Back-IT 365 environment.
- Navigate to the ‘Azure Active Directory Authentication Settings’ page through the left side menu.
- On this page, three parameters must be set: the Application ID, the Tenant ID and the Client Secret. These values can be found in the App registration in the Azure Portal.
- Once these parameters are saved, Azure AD authentication can be enabled per user. This is explained in step 5.
Next, you have the possibility to test your credentials. Before the test actually starts, the screen as shown below is displayed with an explanation of what should be taken into account:
- Only settings that have been saved are tested. When a setting is changed in the GUI but not saved and the test button is used, that change is not included in the test.
- Only the Application ID and Tenant ID are tested. The Client Secret can only be tested by actually performing a successful login into the respective Azure AD environment. Currently, there is no way in the Back-IT portal to do this without affecting the current Back-IT session of the user.
When the Application ID and Tenant ID are correct the user is returned to the Dashboard within the Back-IT portal.
If the Application ID or Tenant ID are incorrect, a page will be displayed from Azure indicating what went wrong. Based on this information, the user can make changes necessary to get it working.
You have the option to clear the specified Azure Active Directory settings. When the user wants to do this the confirmation screen as shown on the right is shown. This explains that the option ‘Azure Active Directory Authentication’ will also be disabled for those users who have had it enabled. When these users want to access the Back-IT 365 portal again, they can use the ‘Forgot password’ functionality on the login page to set a new password.
Step 5: Enabling Azure AD for users #
You have now successfully connected the Azure AD environment for the tenant. The next step is to enable Azure AD authentication for your users. This must be done for each user separately and can only be done by Back-IT 365 admins. Please note that the Back-IT 365 account e-mail address must be the same as in Azure AD.
When the Azure Active Directory Authentication option is available, the following applies:
- When the option is enabled and saved, the corresponding user is directed to the linked Azure Active Directory environment at the next login and Back-IT 365 authentication is bypassed.
- When the option is enabled and saved, the password of the affected user is disabled.
- If the option is disabled and saved, the user in question must set a new password (because the previous password was disabled) before they can log in. The ‘Forgot password’ functionality on the login page can be used for this.
Back-IT 365 SSO with a Custom URL #
In order to be taken directly to the corresponding Azure Active Directory environment, you have the option to specify a custom URL, for example <yourcompanyname.backit365.com>. The GUI lists a number of guidelines that this subdomain must meet, as well as a list of reserved keywords.