Monthly Archives: June 2015

Service Manager Self Service Portal – Password Reset with Azure AD Premium

1 Reply

One challenge with using a Self Service Portal for Service Manager is that the user must have a valid Active Directory user name and password to be able to log on to the Self Service portal. So what do you do if have forgotten your password or the password has expired?

Previously in Service Manager, we have addressed this by having another user request a password reset on your behalf, that user being either a Service Desk analysts or a Super User allowed to create that password reset request.

The optimal solution would be to enable the user to reset their own password. This blog article will show how you can use Azure AD Premium to accomplish just that!

Some requirements

First of all, this solution will have some requirements:

  • You must have Azure AD with Directory Integration enabled for your on-premises Active Directory
  • You must have configured password write-back to on-premises Active Directory

  • You must configure a user password reset policy in Azure AD, and users must at least have one authentication method defined:
  • You must have either configured federated (SSO with ADFS) users or users with password synchronization in the directory integration set up
  • Each user, and any administrator setting this up, needs to have an Azure AD Premium license. Azure AD Premium is either licensed directly or part of the Enterprise Mobility Suite (EMS)

Some recommendations

In addition to the requirements above, I have some recommendations as well:

How this works

With all these requirements in place, this is how it works when a user tries to access the Self Service Portal and wants to reset the password.

In my environment, I am using the Self Service Portal from Cireson, but this should work for the built-in Service Manager Portal as well.

  1. First, I go to my application URL, https://selfservice.skill.no. Since I have published this with Azure AD App Proxy, I must sign in with my hybrid Azure AD identity. I am presented with my customized Azure AD sign in page:
  2. Since I have forgotten my password or maybe my password has expired, I select the link for “Can’t access your account” under the Sign in button. This will bring me to the reset password page where I can specify my user identity and write the captcha code:
  3. Next I select one of my defined authentication methods, in this example I will receive a text message to my mobile phone:
  4. I receive the SMS verification code and type it in:
  5. Next after successfully verifying my SMS code, I can specify my new password:
  6. And my password has been reset:
  7. Since my user are a federated user I will now be redirected back to the ADFS on-premises and my customized sign-in page there:

  8. After logging in, I’m redirected directly to the published Self Service Portal:

Conclusion

By using the powers of Azure AD Premium and directory integration with my local Active Directory, I can as an end-user reset my passwords, and directly access my published Self Service Portal for Service Manager in this case.

PS! For those that are not in Azure AD yet, Cireson will soon deliver their own password reset solution in the Identity Management Stream. I’ll come back to that later.

Discussing Azure AD on Skill TV

Leave a reply

Recently I did an interview on our video blog at Skill TV, talking about Azure AD with our HR Manager Elham Binai.


The interview is in Norwegian and can be seen here: https://www.youtube.com/watch?v=pkRHW-ZJC2w

I have below provided a translated version from our interview transcript. While some questions and answers flowed a little bit different in the real recording, the transcript quite covers it all. Apologize for a couple of cuts as well, we had some problems with noise from spotlight fans and had to pause recording when that happened.

Here it goes:

Elham: Today I am lucky to have Jan Vidar Elven with me here at Skill TV. He is an Architect in our Infrastructure Department and an expert on the Azure Active Directory, which is the topic of today. Welcome you are, Jan Vidar.

Jan Vidar: Thanks for that, Elham. Very glad to come and talk about something I am very engaged in and work a lot with!

Elham: Jan Vidar, in recent years we have moved us more and more to the Cloud. More companies are using these Cloud solutions. However, it has not been without challenges, many companies are concerned that their business secrets should leak out, afraid of hackers, unfortunate leaks etc. … simply the security around the cloud. What are your thoughts about this?

Jan Vidar: Well, when you move the solutions out in the cloud, so also follows users identities and access control with these. It is then important to have confidence that the authentication and authorization take place in a secure manner, so that one can be assured that no one but those who should HAVE access GET access to their solutions. It is this and more Azure Active Directory delivers. Azure AD is a platform for identity management and access control solutions in the cloud, AND for the local data center.

Elham: What are the challenges around users now? Moreover, what does it require when it comes to security around systems that companies use? We live in a world where users use many devices and they take these with them everywhere … This offers some challenges. How can you resolve it with Azure AD?

Jan Vidar: The challenge of users now is two-part. One is that they increasingly use the PC’s and mobile devices delivered to them by their workplace at home or on the go. The second is that they are using their personal mobile phones, tablets and laptops to log on to the company’s solutions. Very often, these are also to the disposal of the other members in the family. When the solutions are located in the cloud, it can be a concern that only the use of your user name and password is not enough, especially when some Apps store the credentials as well.

A solution to this in Azure AD is to make use of Multi-factor authentication. Multi-factor authentication is free for Office 365 users and Azure AD administrators. With the MFA do you get an SMS, a phone call or a notification in a separate App where you have to authenticate authentication before you can access. We can also choose to use MFA only when the user is outside the company’s network. In the Premium version of Azure AD, MFA is included in hybrid scenarios so that you can protect your own solutions in the on premise data center as well.

Another way to solve the challenges is to require that devices be registered before you get access to log on to the solutions in the cloud. You can also require that the devices should be in compliance with company policy, for example require that they have a password on the lock screen. Requirements for registration of mobile devices can be set up in the Office 365, which is powered by the MDM platform in Microsoft Intune, or you can use of the entire platform to configure Intune MDM and MAM, Mobile Device Management and Mobile Application Management, for device management, application management and policies for the company’s Devices and Apps. All this is linked to the user’s identity in the Azure AD.

Elham: Many IT managers believe that things were easier in the past, where they were very close to their solutions and data and now might feel that they have lost control … What is your experience around that?

Jan Vidar: Not only are the users and devices spread, but the data exchanged in the solutions both internally between each other and externally with others is also important to have control on. When it was easier in the past, it probably meant that you had the solutions in the local data center, you had them integrated with Active Directory, and had one simple and transparent Single Sign-On, a user name and a password to all or at least most services at the same time that we had control of the data locally. When we now apply the solutions in the cloud, we must have a solution that facilitates the same, and at the same time to have control of the data. Azure AD together with Azure Rights Management Services can associate the identity and protection at the file level. However, this only applies to the solutions in the cloud and the Apps that IT has control over and know about.

Elham: The IT department don’t have much control over all the cloud apps and outside the local firewall and it concerns many, what is your advice around this? Users are going to use it anyway, what should our customers think about?

Jan Vidar: What we are talking about here is what is we call shadow IT; users find their own solutions where there is lack of personalized services from the company. Email, file sharing, social media, productivity applications are areas for SaaS applications used by users in business context. This is concerns applications, user names, passwords, and data that IT has no control over. What can IT do? Azure AD has the ability to facilitate applications from a catalog of over 2400 SaaS applications, you can also add your own self-developed applications and as well publish internal applications from the local data center. That way one can arrange for authentication via Azure AD, Single Sign-On for those applications that support it, or Same Sign-On with password storage for other applications. In this way IT can take control of your applications and facilitate the access of its users. IT can also run discovery, and reports to find out what the users actually use on the devices they has to identify if there are applications it is important to provide and facilitate.

Elham: We know Active Directory, but now it can also be located in Azure if you wish it? It can then be managed in both cloud and on premise, explain this a bit more.

Jan Vidar: By integrating local Active Directory with Azure AD through synchronization, companies can manage users and groups in one place at the same time as you can give access to solutions in the cloud. With hybrid identities and Single Sign-On, users can relate to the same user name and password for either using solutions in the cloud or in the local data center, at the same time that IT has control of the authentication, both who, what, where and when.

Elham: IT can actually go in and see how, when and where users have logged in from – and have more control over the activities?

Jan Vidar: Yes, Azure AD Premium will provide opportunities to monitor and run reports on authentications and application usage, as well as view suspicious pattern in sign-on, credentials that may have been lost, or devices that may be infected, for example.

Elham: Does this work on any device? Single Sign-On? You have only one password and can log in once?

Jan Vidar: Yes, both iOS, Android and Mac are supported in addition to Windows and Windows Phone. Office applications, SSO, Device Management and Rights Management is supported on these, and all linked together with your identity in Azure AD. With the upcoming Windows 10, these devices can also be joined directly into Azure AD, and you can log on with your Azure AD identity. One can also use a pin code associated with the device for even easier authentication, or use biometric authentication with Windows Hello!

Elham: How will this take away the uncertainty around the Cloud, security, and control over users?

Jan Vidar: It all starts with control of identities, and Azure AD will facilitate this for the solutions running in the cloud, and not necessarily just for Microsoft solutions but also for SaaS solutions that support SSO and Federation with Azure AD. With control of the devices and rights management for the files as well, as well as security mechanisms for authentication and conditional access, you have the tools you need to get started. Azure AD can also provide for Self Service IT, where users can reset their passwords, or access to an application if they want it.

Elham: Azure AD has really simplified my life without me noticing it, I can log in from anywhere and on any device. If customers would like to know more about this then you can come visit and tell about how Azure AD can simplify a lot for IT departments as well as security. Thank you so much for that I got to talk to you today.

Jan Vidar: Thank you for inviting me!

Using a Custom Domain Name for an Application Published with with Azure AD Application Proxy

11 Replies

This is a follow up post from an earlier blog post on how to Publish the Cireson Self Service Portal with Azure AD Application Proxy. Is this blog post I will show how to configure a custom domain name for the same published application.

Change External URL

From earlier I already have published this application with the external URL of https://selfservice-skillas.msapproxy.net. I will now change this to our own domain, like this:

As shown over, I now have to configure the public DNS zone for my domain, with a CNAME record as specified in the screenshot.

Upload SSL Certificate

Following that, I now need to upload a SSL certificate to work with the external URL. Either a Wildcard Cert or a Certificate with common name or subject alternative name containing the external URL can be used.

 

When uploading the certificate I will need the .pfx file and the password to access the private key:

After uploading, I can verify the certificate subject, thumbprint and expiry date:

Testing the External URL

I can now test the external URL, https://selfservice.skill.no.

If I’m already authenticated with Azure AD in this session I will be directed to the external URL, or else I will have to pre-authenticate first as I have configured that.

In the end, everything works as expected with the custom domain name: