Azure AD with SharePoint On Premises 2

Captions
So here we are in the demo environment. It's very simple for the purposes of this demonstration: we just have a single server running SharePoint Server 2019. We also have a couple of web applications already configured, the intranet and OneDrive. The intranet is very standard stuff, just using the standard team site template. Here's a user's OneDrive, and of course we have the SharePoint home, which is hosted in the My Site host. Those are the two web applications that we're going to configure to use Azure AD for sign-in.

So the first step to configure that is to go ahead and log in to the Azure admin portal and then go to Azure AD. We're going to use Enterprise Applications for this, so we click into here. You can see there's already something configured in this tenancy. When I go ahead and choose New Application, on this screen there are these three panels at the top. In the past we would have done this manually using a non-gallery application, but you'll notice that it warns us here that this requires Azure AD Premium. So we're going to instead choose the on-premises applications gallery, and if we type SharePoint into the text box here you can see that we have one called SharePoint on-premises. So go ahead and select that, give it a name, and then we'll add the application. It takes us to this overview screen. I'm going to go into the properties and just update the icon for this particular application, just to make it a little bit easier to see what's going on within the rest of the screen. Once we've updated that, we can see the icon has been changed there.

The next step is to choose the Single sign-on blade, and we'll choose the SAML panel. This gives us a setup screen. The first panel here, number one, the Basic SAML Configuration, is the one that requires us to make some changes, so we'll go ahead and click Edit, and I'll enter the sign-in URL for my intranet, which is intranet.fabrikam.com/_trust/default.aspx. I'm actually going to pop that into the Reply URL as well. We don't need to change the Entity ID; that's been pre-populated for us by the gallery template. So we'll go ahead and hit Save on this configuration. Once we have that configuration we need to grab a couple of extra details from this screen. If we go to the SAML Signing Certificate section we need to download the certificate, which we'll use later to create the trust between SharePoint on-premises and Azure AD, so I'm going to copy that file to the root of my C drive. We also need the Login URL, which is in the "Set up" section for whatever the name of the application is, so we'll copy that to the clipboard.

Now the next stage is to configure our trusted identity provider within SharePoint on-premises. To do that we need to use PowerShell. I have this sample script here with some variables preset; you can see here's the certificate and then here's our sign-in URL, so I just need to update this value here to the one that I copied from the Azure AD portal. Now you'll notice at the end here the default includes saml2 at the end of the URL. SharePoint on-premises doesn't support SAML 2.0, so we need to change this to wsfed. Then we can go ahead and run this script, which will import that certificate into the SharePoint trusts, and we can view that in Central Administration just by going to Security, Manage Trusts. You can see that it's created the trust there with Azure AD. The next step is to create the claims provider itself, or rather the trusted identity provider. Now this sample script uses basic claims mappings; we could make those a bit more involved if we wished to, and we'll see more about those later on. So this step has basically created a trusted identity provider.

Now back in Central Admin we can go ahead and pick our intranet web application, choose Authentication Providers, click into here, and we should now see the identity provider is listed, and I'm going to go ahead and select that. For the moment I'm going to leave the sign-in URL with the default, which will mean the user will be prompted for which identity provider they wish to use when signing in, and I'm going to go ahead and save these changes. Now this user interface doesn't give us any indication of what's happening, and there's an interesting little bug here: if we go to IIS and look at Sites we'll see that Central Admin is actually stopped. So I'm going to start that again, and if I do that quickly enough then this page will return eventually once the changes have been made. This is an area where you can of course use PowerShell to configure this instead and avoid the problem. So now that's complete; if we actually go back in we'll be able to see the changes have actually been persisted there.

Now one of the things that most of the walkthroughs will talk about is adding a user policy to the web application. This is not a required step; there's no need to do this and we really shouldn't, but one of the implications of any custom claims provider is that no matter what we type in here now, it's going to resolve the results. As you can see when I search for Hans Christian Andersen here, he's a great guy and everything, but he probably wasn't really a SharePoint guy, more of a Teams guy. The problem here is that because we don't have any claims provider installed, we can resolve whatever we want here. This causes a lot of problems for end users with typos and things like that, so we'll see how to resolve that a little later on. So I'm just going to cancel out of here.

Now the next step is to assign users to our enterprise application, so we'll switch back to Azure AD and we'll go to the Users and Groups section here, and I'm going to choose Add Users. Because I'm using Azure AD Basic for this demonstration I can't use groups, but I can go ahead and add users directly. So we have some sample users here that we'll add; let's select those three users and then we'll assign the users to this enterprise application. Sorry, forgot one of the users there. Let's see how these users are now able to use this enterprise application.

So I'm going to go ahead and test this by loading a new Chrome browser window, but this time in a different identity; this is the identity set up for Miles Davis. I'm going to go ahead and attempt to access the intranet. Because I updated the authentication providers, the application pool gets reset, hence the slight delay. So now you can see this selection screen; I'm going to pick Azure AD. It's then going to take me across to the Azure AD sign-in experience, so I enter the password. Now of course at this stage I haven't actually added that user to the SharePoint site collection, so in a few moments I'm going to see the SharePoint access request capability. We'll just type a message here and send that request, so the request is now pending. I'm going to go back in as the site collection administrator, go ahead and approve that request, and check that it was taken. OK, so now if I come back over here to the Miles Davis browser, I'll refresh this once again, and there we are: now it's all working.

Now of course we have multiple web applications in this SharePoint farm, and I'd like to use Azure AD for both of those, so in order to support that we need to add an additional reply URL. The way we do that is to come to our Azure AD blade and choose App Registrations. You can see the one there that was created for us automatically when we created the gallery application, so we'll click on that, go into the settings and go to the Reply URLs section, and then I'll go ahead and add in another URL for the OneDrive web application. Once that's changed I also need to tell SharePoint about that, and the way we do that is to set the properties of the trusted identity provider with the UseWReplyParameter. Now we've done that we can go ahead and configure the web application itself. Oops. So I can go into the Authentication Providers and select our trusted identity provider, save the changes, do our little trick with IIS one more time, and in a few moments this should be complete. So if I now switch over to the Miles Davis browser I can go ahead and select OneDrive. Again, the delay here is caused by updating the web applications and the application pool reset, and so what we should see in a second is the standard experience when the user first goes to the My Site: it's going to go ahead and create that site collection. So you can see now that we're signing in as that Azure AD user to both web applications.

It's quite important from a planning perspective to understand the implications and the relationship between the SharePoint services on-premises and these Azure AD identities. If we take a look at the user profile and do a search for that user name, you'll see that we have our Azure AD identifier and then obviously the account name there at the end as well, so just bear that in mind from a planning point of view.

So the last step is to fix the people picker, and this is a task we need to do with every trusted identity provider. Luckily, for Azure AD we have a very good sample solution available that deals with virtually all of the issues for us. Now I've already installed this in this farm; it's a farm solution, a good old WSP. You can see it here, it's not deployed. I'm going to go ahead and deploy that solution, and this is probably the only time that you'll see full trust code at this conference. They do still have their place, and this is an example of somewhere where it's absolutely required. So we'll wait for this to deploy to the web applications, and you can see that this is now deployed. Once that's available I need to associate the claims provider with the trusted identity provider. If I go into the Security section you'll see that AzureCP has added this section here; the global configuration will actually warn us that it doesn't have an association at present. So again we switch to PowerShell and we'll go ahead and connect the claims provider to the identity provider. You'll always see an update conflict warning here at this stage; we don't need to worry about that for the purposes of this demonstration. So if I refresh this screen now the warning will go away and I can go ahead and configure the rest of the settings here. The first one is the tenant name, so that's my Azure AD tenant, and it's asking for an application ID and secret. As you might imagine, in order to configure this I need another app registration within Azure AD, so I'm going to go back here and choose a new application registration, give this a name, and we don't care about the sign-on URL so we're just going to put a dummy one in there. Click Create, and I'm going to copy this application ID here and pop that into the AzureCP configuration screen over on SharePoint. I also need some settings here in this app registration. The first one is the required permissions: this allows us to select which permissions this registration has against Azure AD. I'm going to choose Read directory data and I'm going to unselect Sign in; this is the only one we need for the purposes of what we're using it for. So I'm going to save that and then, importantly, I'm going to grant the permissions for them to take effect. I also need a secret, or password, so I'm going to go to Keys and create a new one here. Oops. Set that to be a couple of years. When I save that the key is generated and I'm going to copy it, since this is the only time I have access to it; if I move away from this blade I won't be able to see this key and I'd need to create another one. So I'm just going to copy that from here and pop that into the secret on this screen, and then choose Test. Now you can see that the Azure AD tenant is connected to the Azure claims provider. If I scroll down here we have some other settings that can be used to configure the claims provider. I'm going to stick with all the defaults for the moment and click OK. We also have another screen here which is pretty nice: it allows us to manage and view the claims mappings. We configured these with PowerShell earlier, but this screen gives us the user interface to edit them and so on and so forth. Very useful customization.

So at this stage I should now be able to go ahead and test the people picker and see if things have been improved. So I'm going to go back over to our permissions screen here, bring up the Members group, and if we've done everything correctly we should now only see results from users that actually exist in Azure AD. So if I do a search for Hans here you can see that there are no results found, but if I do a search for Duke you see the user from Azure AD, and they have the little pop-up there that actually shows which identity provider the user is coming from. If I do a search for Miles you see that we actually get two results: the one user which is coming from Azure AD, and then the second user is actually in the on-premises Active Directory, two different principals. So there we go. The configuration is very, very straightforward and simple.

Another thing that we can use which is useful is the Azure access panel. I have this installed here as a Chrome extension, and if I just sign in here it's going to take me to the app screen where you can see that I have the enterprise application here. I can click on that and it takes me directly to the intranet, so this is a useful utility for switching identities and testing the configuration of the enterprise application. Thanks for listening.
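The PowerShell steps the demo runs but does not show on screen (importing the Azure AD signing certificate, creating the trusted identity provider with the /saml2 suffix swapped for /wsfed, enabling the wreply parameter for the second web application, and binding AzureCP to the trust) are reconstructed below as an added example. This is not the speaker's sample script: the certificate file name, the tenant ID, the realm value and the claim types are assumptions and must be replaced with the values shown in your own Enterprise Application's SAML configuration. The realm must match the Identifier (Entity ID) the gallery template pre-populated, otherwise Azure AD rejects the sign-in request, and the certificate should be the one downloaded from the portal, since SharePoint uses it to validate token signatures.

```powershell
# Added example; not the speaker's script. Run in the SharePoint Management Shell as a farm admin.

# Certificate downloaded from the SAML Signing Certificate section (assumed file name)
$certPath = "C:\SharePoint on-premises.cer"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

# Login URL copied from the Azure AD portal. The gallery default ends in /saml2;
# SharePoint on-premises only speaks WS-Federation, so the suffix must become /wsfed.
$loginUrl  = "https://login.microsoftonline.com/<TENANT-ID>/saml2"   # <TENANT-ID> is a placeholder
$signInUrl = $loginUrl -replace '/saml2$', '/wsfed'

# Realm must equal the Identifier (Entity ID) in the Basic SAML Configuration panel (placeholder)
$realm = "urn:sharepoint:intranet"

# 1. Import the signing certificate into the farm trust store
#    (appears under Central Administration > Security > Manage trust)
New-SPTrustedRootAuthority -Name "Azure AD" -Certificate $cert

# 2. Basic claims mappings. The incoming claim types are assumptions; they must match the
#    attributes configured in the User Attributes & Claims panel of the enterprise application.
$upn = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" `
    -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
$givenName = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" `
    -IncomingClaimTypeDisplayName "Given name" -SameAsIncoming
$surname = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" `
    -IncomingClaimTypeDisplayName "Surname" -SameAsIncoming

# 3. Create the trusted identity provider; the UPN claim identifies the user
$tip = New-SPTrustedIdentityTokenIssuer -Name "Azure AD" -Description "Azure AD via WS-Federation" `
    -Realm $realm -ImportTrustCertificate $cert `
    -ClaimsMappings $upn, $givenName, $surname `
    -SignInUrl $signInUrl -IdentifierClaim $upn.InputClaimType

# 4. Needed once a second web application (OneDrive) is added as a Reply URL in the app
#    registration: SharePoint sends its own return URL (wreply) instead of relying on one default
Set-SPTrustedIdentityTokenIssuer -Identity $tip -UseWReplyParameter

# 5. Bind the AzureCP claims provider to the trust so the people picker only resolves
#    users that exist in Azure AD. "AzureCP" is the provider name registered by the WSP
#    (assumed). The update conflict warning mentioned in the demo surfaces on Update().
$trust = Get-SPTrustedIdentityTokenIssuer "Azure AD"
$trust.ClaimProviderName = "AzureCP"
$trust.Update()
```

The people picker check at the end of the demo is the observable result of step 5: before the binding, any string typed into the picker resolves to a claim, which is why the speaker advises against relying on a web application user policy; after it, only directory users resolve.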
Info
Channel: Spencer Harbar
Views: 1,876
Rating: 5 out of 5
Id: ONa9OJKrGqI
Length: 20min 32sec (1232 seconds)
Published: Tue Nov 27 2018