Configure Azure Active Directory Security Groups for use with SharePoint on-premises

This post has been republished via RSS; it originally appeared at: SharePoint Support Blog articles.

Read and follow https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial through, then make the additional modifications listed below.

 

When you get to the section Configure and test Azure AD single sign-on, there are some additional steps required to permission Azure Active Directory Users with Azure Active Directory Security Groups on SharePoint on-premise web applications.

 

Addendum to #2: Configure SharePoint on-premises Single-Sign-on:

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial#configure-sharepoint-on-premises-single-sign-on

 

Either add a mapping for Role as it is required to allow access to SharePoint on-premise with Azure Active Directory Security Groups:

#Add Role Mapping
$ap = Get-SPTrustedIdentityTokenIssuer "AzureAD"
$ap.ClaimTypes.Add("http://schemas.microsoft.com/ws/2008/06/identity/claims/role")
$mapRole = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
$ap.AddClaimTypeInformation($mapRole)
$ap.Update() 

Alternatively, rather than add role mapping, include it when you configure SharePoint on-premises Single Sign-On:

Add-PSSnapin "Microsoft.SharePoint.PowerShell"
$realm = "<Identifier value from the SharePoint on-premises Domain and URLs section in the Azure portal>"
$wsfedurl="<SAML single sign-on service URL value which you have copied from the Azure portal>"
$filepath="<Full path to SAML signing certificate file which you have downloaded from the Azure portal>"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($filepath)
New-SPTrustedRootAuthority -Name "AzureAD" -Certificate $cert
$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" -IncomingClaimTypeDisplayName "name" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" -IncomingClaimTypeDisplayName "GivenName" -SameAsIncoming
$map3 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" -IncomingClaimTypeDisplayName "SurName" -SameAsIncoming
$map4 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "Email" -SameAsIncoming
$map5 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
$ap = New-SPTrustedIdentityTokenIssuer -Name "AzureAD" -Description "SharePoint secured by Azure AD" -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map,$map2,$map3,$map4,$map5 -SignInUrl $wsfedurl -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

Addendum to #3: Create an Azure AD test user

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial#create-an-azure-ad-test-user

 

Create an Azure AD Security Group in the Azure Portal:

Click on Azure Active Directory, Groups, New group:

A3-1_NewGroup.jpg

Fill in Group type, Group name, Group description, Membership type. Click on the arrow to select members, then search for or click on the member you will like to add to the group.

A3-2_FillInGroupInfo.jpg

Click on Select to add the selected members, then click on Create.

A3-3_Create.jpg

Now its possible to search for and find the new group:

A3-4_SearchFindGroup.jpg

In order to assign Azure Active Directory Security Groups to SharePoint on-premise, it will be necessary to install and configure AzureCP in the on-premise SharePoint farm OR develop and configure an alternative custom claims provider for SharePoint. See the more information section at the end of the document for creating your own custom claims provider, if you don’t use AzureCP.

 

Addendum to #4: Assign the Azure AD test user

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial#assign-the-azure-ad-test-user

 

Assign the Azure AD Security Group in the Azure Portal:

Click on Azure Active Directory, Enterprise applications, then select the proper SharePoint on-premise application. It will appear however its named:

A4-1_SelectApp.jpg

Click on Users and Groups:

A4-2_ClickUsersGroups.jpg

Click on Add User:

A4-3_ClickAddUser.jpg

Search for the Security Group you want to use, then click on the group to add it to the Select members section:

A4-4_SearchAddGroup.jpg

Click Select, then click Assign:

A4-5_AddAssignment.jpg

Check the notifications in the menu bar to be notified that the Group was successfully assigned to the Enterprise application in the Azure Portal:

A4-6_ConfirmGroup.jpg

 

Addendum to #5: Grant access to SharePoint on-premises test user

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial#grant-access-to-sharepoint-on-premises-test-user

 

To grant access of the Azure Active Directory Security Group to the SharePoint on-premise web application, additional configuration is required:

  1. Configure Security Groups and Permissions on the App Registration
  2. Configure the AzureCP on the SharePoint on-premise farm or an alternative custom claims provider solution. In this example, we are using AzureCP
  3. Grant access to the Azure Active Directory Security Group in the on-premise SharePoint

1.  Configure Security Groups and Permissions on the App Registration in the Azure Portal.

Click on Azure Active Directory, App registrations, View all applications:

A5-1_ViewApps.jpg

Select the proper application:

A5-2_SelectApp.jpg

Click on Manifest:

A5-3_ClickManifest.jpg

Modify "groupMembershipClaims": "NULL",  
To "groupMembershipClaims": "SecurityGroup",
Then, click on Save

A5-4_EditManifest.jpg

Click on Settings, then click on Required permissions:

A5-5_RequiredPerms.jpg

Click on Add. Select an API

A5-6_AddAPIs.jpg

We are going to add both Windows Azure Active Directory and Microsoft Graph, but it’s only possible to select 1 at a time.

A5-7_SelectAPIs.jpg

Select Windows Azure Active Directory, check Read directory data and click on Select:

A5-8_SelectWinAADAPI.jpg

Then, click on Done. Go back and add Microsoft Graph and select Read directory data for it, as well. Click on Select and click on Done.

A5-9_SelectMSGraphAPI.jpg

Now, under Required Settings, click on Grant permissions:

A5-10_GrantPerms.jpg

Click Yes to Grant permissions:

A5-11_GrantPerms2.jpg

Check under notifications to determine if the permissions were successfully granted. If they are not, then the AzureCP will not work properly and it won’t be possible to configure SharePoint on-premise with Azure Active Directory Security Groups.

 

  1. Configure the AzureCP on the SharePoint on-premise farm

*Please note that AzureCP is not a Microsoft product or supported by Microsoft Technical Support.

Download, install and configure AzureCP on the on-premise SharePoint farm per https://yvand.github.io/AzureCP/

 

  1. Grant access to the Azure Active Directory Security Group in the on-premise SharePoint

The groups must be granted access to the application in SharePoint on-permise. Use the following steps to set the permissions to access the web application.

In Central Administration, click on Application Management, Manage web applications, then select the web application to activate the ribbon and click on User Policy:

A5-12_UserPolicy.jpg

Under Policy for Web Application, click on Add Users, then select the zone, click on Next. Click on the Address Book:

A5-13_PolicyforWA.jpg

Then, search for and add the Azure Active Directory Security Group and click on OK:

A5-14_Picker1.jpg

Select the Permissions, then click on Finish:

A5-15_PolicyforWA2.jpg

See under Policy for Web Application, the Azure Active Directory Group is added. The group claim shows the Azure Active Directory Security Group Object Id for the User Name:

A5-16_PolicyforWAPerms.jpg

Browse to the SharePoint site collection and add the Group there, as well. Click on Site Settings, then click Site permissions and Grant Permissions. Search for the Group Role claim, assign the permission level and click Share:

A5-17_AddToSitePerms.jpg

Then, return to https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial#test-single-sign-on for #6: Testing single sign-on.

 

More Information:

Microsoft Graph Permissions Reference: https://docs.microsoft.com/en-us/graph/permissions-reference

Using Application Roles and Security Groups in your apps: https://www.youtube.com/watch?v=V8VUPixLSiM

Tech Community: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-Active-Directory-now-with-Group-Claims-and-Application/ba-p/243862

Azure AD SharePoint on-premise with multiple on-premise endpoints: https://sharepointwhoknew.wordpress.com/2019/02/01/sharepointazuressoapps/

Claims Providers:

https://docs.microsoft.com/en-us/sharepoint/dev/general-development/how-to-create-a-claims-provider-in-sharepoint

https://docs.microsoft.com/en-us/previous-versions/office/developer/sharepoint-2010/ff699494%28v%3doffice.14%29

https://docs.microsoft.com/en-us/sharepoint/administration/plan-for-custom-claims-providers-for-people-picker 

 

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.