Integration with Microsoft Azure AD

PAM supports integration with Microsoft’s Azure AD cloud directory (now called Microsoft Entra ID). The supported capabilities are user authorization for the web and proxy interfaces, directory queries for user search and group membership, and retrieval of user profile attributes.

Prerequisites

A working Imprivata PAM deployment with the Federated Sign-In experience.

The required Azure subscription plan and an account with access to create and configure necessary applications in the Azure Portal.

Steps to configure Azure

  1. In the Microsoft Azure portal, open App registrations and either create a new application or identify an existing one to configure:

    AzureAD01.png

  2. In the Microsoft Azure portal, open the application you created or wish to reuse and copy the values of the Directory (tenant) ID and Application (client) ID boxes. Both are required later to configure $PAM_HOME/web/conf/catalina.properties:

    AzureAD02.png

  3. From the overview page of the registered app, select Client credentials and create a new client secret:

    AzureAD03.png

    AzureAD04.png

    AzureAD05.png

  4. Once added, copy the Value of the secret; it is needed later to configure $PAM_HOME/web/conf/catalina.properties.

    Note: A client secret value can be viewed only immediately after it is created. Save or copy the secret before leaving this page; if it is lost, a new secret has to be created. Also record the expiry date chosen for the secret: the integration stops authenticating to the tenant once the secret expires, and a new one must be created and configured.

    AzureAD06.png

  5. Add permissions to the registered app by navigating to API Permissions and selecting Add a permission:

    AzureAD07.png

  6. From the Request API permissions tab select Microsoft Graph:

    AzureAD08.png

  7. Select Application permissions and include the following permissions from the list:

    • Application.Read.All

    • Directory.Read.All

    • Group.Read.All

    • GroupMember.Read.All

    • User.Read.All

    AzureAD09.png

    AzureAD10.png

    AzureAD11.png

    AzureAD12.png

    AzureAD13.png

  8. Now select Delegated permissions and include the following permission from the list:

    • User.Read

    AzureAD14.png

    AzureAD15.png

    Once all necessary permissions are selected, click on Add permissions:

    AzureAD16.png

  9. To enable the Password Reset Task with Microsoft Entra ID, add the following permissions:

    1. With a Shadow Account:

      1. Assign the User Administrator role to the user mapped to the Shadow Account record.

      2. Add the following permissions to the registered app:

        • User.ReadWrite.All

        • Directory.AccessAsUser.All

      Note: MFA-enabled Shadow Accounts are not supported. MFA must be disabled on Entra ID accounts that are to be used for Shadow Account functionality. Because such an account holds the User Administrator role without MFA, treat its credential as highly privileged and keep it in PAM only.

    2. Without a Shadow Account:

      1. Add the delegated permission:

        • Directory.AccessAsUser.All

    To add support for self-service password reset from the Management > My Profile page, include the following delegated permission:

    • Directory.AccessAsUser.All

  10. Note: This step must be done by an admin user. Application permissions, and the directory-wide delegated permissions listed above, take effect only after an administrator grants consent for the tenant.

  11. The client app is now ready to be configured on PAM.

    AzureAD18.png
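A quick check for steps 5 to 10, added here as an example and not part of Imprivata's or Microsoft's code: a token issued to the registered app by the OAuth 2.0 client-credentials grant for Microsoft Graph lists the granted application permissions in its `roles` claim, so decoding that claim shows whether admin consent actually covers everything listed in step 7 before PAM is configured. The `AZURE_*` environment variable names and the unsigned sample token are assumptions constructed for this example; with no variables set the script exercises the sample token offline.

```python
"""Verify that an app registration carries the application permissions PAM
needs, by decoding the `roles` claim of a client-credentials access token.
Added example, not Imprivata or Microsoft code."""
import base64
import json
import os
import urllib.parse
import urllib.request

# Application permissions required in step 7 of the page.
REQUIRED_APP_ROLES = {
    "Application.Read.All",
    "Directory.Read.All",
    "Group.Read.All",
    "GroupMember.Read.All",
    "User.Read.All",
}

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for the OAuth 2.0 client-credentials grant."""
    form = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
        "grant_type": "client_credentials",
    })
    return TOKEN_URL.format(tenant=tenant_id), form.encode("ascii")


def _b64url_decode(segment):
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature.

    Acceptable here because we inspect a token we just received over TLS
    from the tenant's own token endpoint; never use this to accept tokens
    presented by callers.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT")
    return json.loads(_b64url_decode(parts[1]))


def missing_app_roles(token, required=frozenset(REQUIRED_APP_ROLES)):
    """Return the required application permissions absent from the roles claim."""
    granted = set(jwt_claims(token).get("roles", []))
    return sorted(set(required) - granted)


def fetch_token(tenant_id, client_id, client_secret):
    """Perform the client-credentials grant and return the access token."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(url, data=body, timeout=30) as resp:
        return json.load(resp)["access_token"]


def make_unsigned_jwt(claims):
    """Constructed, unsigned (alg=none) token used only for offline checks."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


# Constructed sample: consent granted for all but GroupMember.Read.All.
SAMPLE_TOKEN = make_unsigned_jwt({
    "aud": "https://graph.microsoft.com",
    "tid": "00000000-0000-0000-0000-000000000000",
    "roles": ["Application.Read.All", "Directory.Read.All",
              "Group.Read.All", "User.Read.All"],
})

if __name__ == "__main__":
    # The environment variable names are an assumption of this example.
    creds = [os.environ.get(k) for k in
             ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")]
    if all(creds):
        token = fetch_token(*creds)
    else:
        print("AZURE_* not set; checking the constructed sample token instead")
        token = SAMPLE_TOKEN
    missing = missing_app_roles(token)
    print("missing application permissions:", ", ".join(missing) or "none")
```

An empty result means consent has been granted for every application permission in step 7; anything listed is still pending in the portal. Delegated permissions such as User.Read and Directory.AccessAsUser.All do not appear in an app-only token and cannot be checked this way.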

  12. Configure PAM: edit $PAM_HOME/web/conf/catalina.properties and add the following properties, using the values copied in steps 2 and 4:

    #Azure AD
    azureAD[0].name={unique name}
    azureAD[0].tenantID=00000000-0000-0000-0000-000000000000
    azureAD[0].clientID=00000000-0000-0000-0000-000000000000
    azureAD[0].secretValue={AES256},{73dMf0bkaTVHjM73pR6l4yHRzSU=},{vuErr/+HSD/RdKFqmtSioQ==},{AgDH95leDji01KJ2jHnhV8FKU0g8xZW+N+RVbMKmGbLrraqkooqhiOy+nsH//7nO}

    Note: To add multiple tenants, repeat the same set of properties with the index incremented; each entry needs its own unique name:

    #Azure AD
    azureAD[1].name={unique name}
    azureAD[1].tenantID=00000000-0000-0000-0000-000000000001
    azureAD[1].clientID=00000000-0000-0000-0000-000000000001
    azureAD[1].secretValue={AES256},{73dMf0bkaTVHjM73pR6l4yHRzSU=},{vuErr/+HSD/RdKFqmtSioQ==},{AgDH95leDji01KJ2jHnhV8FKU0g8xZW+N+RVbMKm3bLrraqkooqhiOy+nsH//7rO}

  13. Encrypt the client secret (recommended): the plain Client Secret Value copied in step 4 is accepted in the secretValue field, but best practice is to store the encrypted form generated by the command below instead.

    On Windows, substitute your Client Secret Value for {SECRET VALUE} and run this command from $PAM_HOME:

      bin\PamDirectory Encrypt {SECRET VALUE}

    On Unix, substitute your Client Secret Value for {SECRET VALUE} and run this command from $PAM_HOME:

      bin/PamDirectory.sh Encrypt {SECRET VALUE}

    Copy the newly generated encrypted value into the property shown below:

    azureAD[0].secretValue={ENCRYPTED SECRET}

    Note: The secret is passed as a command-line argument, so it lands in your shell history and is visible in the process list while the command runs; clear it from the history afterwards.
  14. Restart the pammanager service (Linux) or the pammanagement service (Windows).

    Test the integration: the unique name configured for each azureAD[n].name in catalina.properties should now appear in the drop-down when searching for AD users from the Global Users, Permissions, or Local Groups > Add member popup.

    AzureAD19.png
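Before the restart in step 14 it is worth linting the azureAD[n].* block, because a malformed GUID or an index gap only surfaces as a missing drop-down entry afterwards. The following script is an added example, not Imprivata's own tooling: it parses every azureAD[n].key line of catalina.properties, checks that each index has the four required keys, that tenantID and clientID are well-formed GUIDs, that names are unique and indices run contiguously from 0, and flags secrets stored in plain text. Recognizing an encrypted secret by its leading {AES256} marker is an assumption taken from the sample on this page, and the embedded properties text is constructed for the example.

```python
"""Lint the azureAD[n].* entries of $PAM_HOME/web/conf/catalina.properties.
Added example, not Imprivata code."""
import re
import sys

PROP_RE = re.compile(r"^\s*azureAD\[(\d+)\]\.(\w+)\s*=\s*(.*?)\s*$")
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
REQUIRED_KEYS = ("name", "tenantID", "clientID", "secretValue")


def parse_azure_entries(text):
    """Return {index: {key: value}} for azureAD[n].key lines; comments are ignored."""
    entries = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = PROP_RE.match(line)
        if m:
            idx, key, value = int(m.group(1)), m.group(2), m.group(3)
            entries.setdefault(idx, {})[key] = value
    return entries


def is_encrypted_secret(value):
    # Assumption from the page's sample: PamDirectory Encrypt output starts
    # with the {AES256} marker, which a raw Azure client secret never does.
    return value.startswith("{AES256},")


def lint_azure_entries(entries):
    """Return a list of problem strings; an empty list means the block looks sane."""
    problems = []
    if sorted(entries) != list(range(len(entries))):
        problems.append("indices must be contiguous from 0, found %s" % sorted(entries))
    seen_names = {}
    for idx in sorted(entries):
        e = entries[idx]
        for key in REQUIRED_KEYS:
            if not e.get(key):
                problems.append("azureAD[%d].%s is missing" % (idx, key))
        for key in ("tenantID", "clientID"):
            value = e.get(key, "")
            if value and not GUID_RE.match(value):
                problems.append("azureAD[%d].%s is not a GUID: %s" % (idx, key, value))
        name = e.get("name")
        if name in seen_names:
            problems.append("azureAD[%d].name duplicates azureAD[%d]" % (idx, seen_names[name]))
        elif name:
            seen_names[name] = idx
        secret = e.get("secretValue", "")
        if secret and not is_encrypted_secret(secret):
            problems.append("azureAD[%d].secretValue is stored in plain text; "
                            "run PamDirectory Encrypt" % idx)
    return problems


def lint_file(path):
    """Lint a catalina.properties file on disk."""
    with open(path, encoding="utf-8") as f:
        return lint_azure_entries(parse_azure_entries(f.read()))


# Constructed sample: tenant 0 is correct; tenant 1 has a 13-digit GUID group
# and an unencrypted secret.
SAMPLE = """\
#Azure AD
azureAD[0].name=corp-tenant
azureAD[0].tenantID=00000000-0000-0000-0000-000000000000
azureAD[0].clientID=00000000-0000-0000-0000-000000000000
azureAD[0].secretValue={AES256},{c2FsdA==},{aXY=},{Y2lwaGVydGV4dA==}
azureAD[1].name=lab-tenant
azureAD[1].tenantID=00000000-0000-0000-0000-0000000000010
azureAD[1].clientID=00000000-0000-0000-0000-000000000001
azureAD[1].secretValue=Abc8Q~plaintext.secret.value
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        problems = lint_file(sys.argv[1])
    else:
        problems = lint_azure_entries(parse_azure_entries(SAMPLE))
    for p in problems:
        print("WARN:", p)
    print("no problems found" if not problems else "%d problem(s)" % len(problems))
```

Run it as `python3 lint_azuread.py $PAM_HOME/web/conf/catalina.properties`; with no argument it checks the constructed sample, which reports the bad GUID and the plain-text secret of tenant 1 and nothing for tenant 0.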