Getting Started with Azure Active Directory Premium for Cloud Solution Providers

Introduction

The Microsoft Cloud Solution Provider (CSP) program was released in July 2014 to provide a scalable, flexible partner program. Designed to deepen customer relationships and expand business opportunities, the CSP program allows partners to:

  • Own and control billing
  • Sell combined offers and services
  • Deliver direct provisioning, management, and support

To achieve those capabilities, CSP partners need to integrate their backend systems and business processes with various Microsoft cloud services and processes. Once integration has taken place, CSP partners then have the ability to directly provision, manage and support clients within the Microsoft Office 365, Microsoft Azure, Dynamics CRM, and Enterprise Mobility Suite (EMS) product offerings.

The goal of this document is to help CSP organizations quickly implement Azure Active Directory Premium, part of the Enterprise Mobility Suite, as a solution for their clients.

This document provides guidance on how to gather the necessary information from clients to facilitate the initial setup of Azure Active Directory Premium. It also provides step-by-step instructions on how to configure its various features.

Scope

The scope of this document is to provide implementation and configuration guidance for the following Azure Active Directory Premium features:

  • Self-Service Password Reset
  • Delegated Group Management
  • Dynamic Group Access
  • Azure Active Directory SaaS applications

Terminology

CSP: Cloud Solution Provider

EMS: Enterprise Mobility Suite

AAD: Azure Active Directory

Partner Center: Portal for CSP Partners to administer their CSP offerings, http://partnercenter.microsoft.com

Azure Management Portal: Portal for managing Azure subscriptions, https://manage.windowsazure.com

End Customer: Organization that is managed by the CSP Partner

Azure Co-Administrator: An administrator who can log in to the Azure Portal and deploy or create new resources against a subscription

Before you start

This document assumes that the following conditions have been met:

  • The steps in the document "Getting Started with the Office 365 and EMS for Microsoft Cloud Solution Providers" have been completed
  • Password write-back has been enabled in Azure Active Directory Connect
  • The administrator completing these steps has co-administrator access to the Azure subscription
  • All users have authentication contact attributes associated with their user account, i.e. authentication phone, alternate authentication phone, or authentication email

Configuring Self-Service Password Reset

Azure Active Directory Premium's self-service password reset function grants end customer users the ability to reset their own passwords without needing to engage an IT administrator. Before implementation, there are a number of elements of Self-Service Password Reset that need to be agreed upon with the end customer.

Gathering end customer Self-Service Password Reset requirements

The following table outlines the features and functions that need to be agreed upon with the end customer to allow the CSP Partner to proceed with the configuration of Self-Service Password Reset.

CSP Partners can leverage this table to discuss and determine end customer settings for each of the Self-Service Password Reset configuration options.

For more information, refer to the document Customizing Password Management to fit your organization's needs.

Self-Service Password Reset options (option, description, end customer setting):

Users enabled for password reset
    Description: Designates whether users in this directory who have an office phone, mobile phone, or alternate email address specified in their profile can reset their own password.
    End customer setting: Yes

Restrict access to password reset
    Description: Select "yes" to restrict password reset to a limited group of users.
    End customer setting: Yes/No

Group enabled for password reset
    Description: Defines the group of users who are allowed to reset their own passwords.
    End customer setting: Enter AD group name: _________________________

Authentication methods available to users
    Description: Select the alternate method types that the user may use to verify their identity when resetting their password.
    End customer setting: Authentication methods:
      • Office Phone
      • Mobile Phone
      • Alternate Email Address
      • Security Questions

Number of authentication methods required
    Description: Defines the number of alternate methods of identification a user in this directory must have to reset their password.
    End customer setting: Number: __________

Require users to register when signing in?
    Description: Designates whether unregistered users are prompted to register their own authentication information when they sign in for the first time. This is not yet supported for Office 365 sign-ins. Users register via the following portal: http://aka.ms/ssprsetup
    End customer setting: Yes/No

Number of days before users are asked to re-confirm their authentication information
    Description: Designates the period of time before registered users are prompted to re-confirm that their existing authentication information is still valid, up to a maximum of 730 days. If set to 0 days, registered users will never be prompted to reconfirm their existing authentication information. Default: 180.
    End customer setting: Number of days: ______

Customize "Contact your administrator" link?
    Description: Designates whether or not the "Contact your administrator" link, which normally allows users to contact a service administrator directly, is overridden to point to a custom location.
    End customer setting: Yes/No

Custom Email Address or URL
    Description: Designates the URL or email address to which your custom "Contact your administrator" link will point. If you provide a URL, it will open in a new window. If you provide an email address, it will be turned into a mailto: link addressed to the email address you specify.
    End customer setting: URL or email address: _________________________

Write back passwords to on-premises Active Directory
    Description: If you deployed password writeback when installing Azure AD Connect, you can control whether or not this feature is enabled here. If set to "no", federated or password-synchronized users will not be able to reset or change their passwords, even if password writeback has been configured. You can change this setting at any time.
    End customer setting: Yes/No

Allow users to unlock accounts without resetting their password
    Description: Designates whether or not users who visit the password reset portal should be given the option to unlock their on-premises Active Directory accounts without resetting their password. By default, Azure AD always unlocks accounts when performing a password reset; this setting allows you to separate those two operations. If set to "yes", users will be given the option to reset their password and unlock the account, or to unlock without resetting the password. If set to "no", users will only be able to perform a combined password reset and account unlock operation.
    End customer setting: Yes/No

Email language preference
    Description: Language in which notification emails will be sent to users in your organization.
    End customer setting: Locale based on subscription

Notify admins when other admins reset their own passwords
    Description: Determines whether or not all global administrators receive an email at their primary email address when other administrators reset their own passwords via the self-service password reset portal.
    End customer setting: Yes/No

Notify users and admins when their own password has been reset
    Description: Determines whether or not users receive an email at their primary and alternate email addresses notifying them when their own password has been reset via the self-service password reset portal.
    End customer setting: Yes/No
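The options above decide who can actually use self-service reset: a user with fewer enabled methods on file than the agreed number required will still end up at the help desk. The following added example (not part of this document or of any Microsoft tooling) runs that readiness check over a constructed user export; the User fields, sample users and policy values are assumptions made for the example.

```python
# Added example, not from the original document or Microsoft: a readiness check that
# applies the SSPR options agreed above (enabled methods, number required) to a
# constructed user export and lists who could not complete a self-service reset.
from dataclasses import dataclass

# Method names follow the policy table; the User fields are constructed labels for
# this example, not Azure AD attribute names.
ALL_METHODS = ("office_phone", "mobile_phone", "alternate_email", "security_questions")

@dataclass
class User:
    upn: str
    office_phone: str = ""
    mobile_phone: str = ""
    alternate_email: str = ""
    security_questions: int = 0  # number of security questions answered

def registered_methods(user, enabled):
    """Return the policy-enabled methods this user has actually populated."""
    have = set()
    for method in ALL_METHODS:
        if method not in enabled:
            continue  # a method the policy does not offer cannot help the user
        value = getattr(user, method)
        populated = value > 0 if method == "security_questions" else bool(value.strip())
        if populated:
            have.add(method)
    return have

def users_unable_to_reset(users, enabled, required):
    """UPNs of users with fewer registered enabled methods than the policy requires."""
    enabled = frozenset(enabled)
    if enabled - set(ALL_METHODS) or not 1 <= required <= len(enabled):
        raise ValueError("policy inconsistent: unknown method or required > enabled")
    return sorted(u.upn for u in users if len(registered_methods(u, enabled)) < required)

# Constructed sample export for a tenant whose policy enables mobile phone and
# alternate email and requires two methods.
SAMPLE_USERS = [
    User("alice@contoso.example", mobile_phone="+1 555 0100", alternate_email="alice@mail.example"),
    User("bob@contoso.example", mobile_phone="+1 555 0101"),  # only one enabled method
    User("carol@contoso.example", office_phone="+1 555 0102", security_questions=3),  # none enabled
    User("dave@contoso.example", mobile_phone="+1 555 0103", alternate_email="   "),  # blank email
]
POLICY_ENABLED = {"mobile_phone", "alternate_email"}
POLICY_REQUIRED = 2

if __name__ == "__main__":
    for upn in users_unable_to_reset(SAMPLE_USERS, POLICY_ENABLED, POLICY_REQUIRED):
        print("cannot self-service reset:", upn)
```

Running the check before the policy is saved tells you which users need to register via the portal above, and catches a policy that requires more methods than it enables.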

Configuring end customer Self-Service Password Reset requirements

  1. When the requirements have been gathered from section 3.1, sign in to the Azure Management Portal as a co-administrator for the end customer tenant.

NOTE: If you experience an issue while logging into the Azure Portal as a partner with the customer's Azure Active Directory (AAD) subscription, and see your own tenant rather than the end customer's tenant, allow the browser session to load completely, then sign out and log in again to access the correct tenant.

  2. Select the AAD tenant for the end customer.
  3. Select the CONFIG tab.
  4. Under the heading user password reset policy, select YES for USERS ENABLED FOR PASSWORD RESET to enable self-service password reset.
  5. The User Password Reset Policy will populate with the configurable options.
  6. Complete the configuration according to the information gathered from the end customer.
  7. Once complete, select SAVE.

Configuring group management

Delegated group management

Azure Active Directory Premium's group management function grants the ability to delegate group management to end customer users. With this feature, end customer users are able to create and manage memberships in groups they own. There are a number of elements of group management in AAD that need to be agreed upon with the end customer.

The following table outlines the features and functions that need to be agreed upon with the end customer to allow the CSP Partner to proceed with the configuration of group management.

Group management options (option, description, end customer setting):

Delegated group management enabled
    Description: Enable delegated group management for users through the access panel.
    End customer setting: Yes

Users can create security groups
    Description: Enable users to create new security groups through the access panel.
    End customer setting: Yes/No

Users who can create security groups
    Description: Select "some" to restrict security group management to a limited group of users.
    End customer setting: All/Some

Group that can use self-service for security groups
    Description: Defines the group of users who are allowed to create security groups.
    End customer setting: Enter AD group name: ______________________

Users can create Office 365 groups (preview feature)
    Description: Enable users to create new Office 365 groups through the access panel.
    End customer setting: Yes/No

Users who can use self-service for Office 365 groups
    Description: Restricts management. Select "some" to restrict Office 365 group management to a limited group of users.
    End customer setting: All/Some

Group that can use self-service for Office 365 groups
    Description: Defines the group of users who are allowed to create Office 365 groups.
    End customer setting: Enter AD group name: _________________________

Enable dedicated groups
    Description: Select "yes" to enable dedicated groups in the directory.
    End customer setting: Yes/No

Enable "All Users" group
    Description: Select "yes" to enable the All Users group in the directory.
    End customer setting: Yes/No

Display name for "All Users" group
    Description: Default: All Users
    End customer setting: Enter group name: __________________________


  1. When the above information has been gathered, sign in to the Azure Management Portal as a co-administrator for the end customer tenant.
  2. Select the AAD tenant for the end customer.
  3. Select the CONFIG tab.
  4. Scroll down to group management.
  5. The group management section will populate with the configurable options.
  6. Complete the configuration according to the information gathered from the end customer.
  7. Once complete, select SAVE.

Dynamic group membership

The following section provides an example scenario where group membership within AAD can be established dynamically, based on user attributes synchronized from on-premises user properties.

This example will dynamically add marketing users to the Twitter AAD group.

This group will then be used in section 5 to assign Software-as-a-Service applications to users.

  1. From within the Azure Management Portal, select the AAD tenant for the end customer.
  2. Select the GROUPS tab.
  3. Select ADD A GROUP.
  4. Enter the following information:

    Name: Twitter (the friendly name of the group)
    Group type: Security (the group type for this group)
    Description: Twitter for Marketing (describes the group's purpose, members, or the access that is granted when a user becomes a member)

  5. Click the tick button to create the group.
  6. Once the group has been created, select the group to view its properties.
  7. Select the CONFIGURE tab.
  8. Under the dynamic membership tab, select YES for ENABLE DYNAMIC MEMBERSHIPS.
  9. Select YES on the warning popup.
  10. Build the ADD USERS WHERE membership query with the following information:

    Radio button: Add Users Where
    Attribute (drop-down menu): Department
    Operator (drop-down menu): Equals (-eq)
    Value: Marketing

  11. Select SAVE. All users whose Active Directory Department attribute has the value Marketing will be dynamically added to the group.
  12. Review any dynamically assigned members of the group by selecting the MEMBERS tab in the Twitter group menu.
Configuring Software-as-a-Service applications

AAD integrates with thousands of Software-as-a-Service (SaaS) applications. CSP Partners will want to provide end customers with access to SaaS applications managed by AAD.

Review the list of available applications in the Azure Active Directory Marketplace with the end customer, including any applications that the CSP Partner includes as part of its offering to the customer.

Once the appropriate applications for the end customer have been agreed upon, these can be added to AAD to provide managed and secure access to SaaS applications.

Adding Active Directory SaaS applications

In this example, the following instructions will add Twitter to AAD as a managed application for the end customer. This Twitter SaaS application will integrate with the dynamic group created in the previous section of this document to define which end customer users can gain access. Additionally, as the application is managed, each of the end customer users, defined in the dynamic group, will be logging in with a single Twitter for Marketing account, and therefore will not require individual usernames and passwords for access.

  1. Sign in to the Azure Management Portal as a co-administrator for the end customer tenant.
  2. Select the AAD tenant for the end customer.
  3. Select the APPLICATIONS tab.
  4. Applications provisioned automatically as part of the EMS and any Office 365 subscriptions will already be listed.
  5. Select ADD.
  6. Select Add an application from the gallery.
  7. Enter Twitter into the search field and select the search icon.
  8. Enter the display name of the application as Twitter for Marketing.
  9. Click the tick icon to continue. This adds Twitter for Marketing to the list of managed AAD applications.
  10. The properties of Twitter for Marketing will now be displayed.
  11. Select Assign accounts.
  12. Enter the word Twitter in the search field and tick the box to continue.
  13. A list of all AAD groups containing the word "Twitter" will be displayed.
  14. Select the Twitter group and select ASSIGN.
  15. A window to configure the authentication for the SaaS application will appear.
  16. To configure a shared account for the SaaS offering that is managed by the administrator, enter the following values:

    I want to enter credentials to be shared among all group members
        Description: Administratively populated credentials, without the need to provide individual users with the authentication details.
        Value: Selected

    User name
        Description: Application user name.

    Password
        Description: Application password for the user name provided above.

    I want to enable auto password rollover
        Description: Refer to "Azure Active Directory enables automatic password change for shared accounts" for further details. During each password update, the password is replaced with a randomly generated 16-character complex string. To disable this feature and regain normal access, you will need to go through the password reset procedure provided by the application.
        Value: 1-13 weeks

  17. Select the arrow to continue.
  18. Select the Rollover Frequency.
  19. Click the tick box to continue.

This process can be repeated for any other SaaS applications that are to be integrated with AAD for the end customer.

For tutorials related to other AAD integrated SaaS applications, refer to the Azure documentation List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory.

Reference links