Integrate Azure AD as an Identity Provider

Microsoft Azure Active Directory (Azure AD), now known as Microsoft Entra ID, is an identity and access management solution. Juniper Mist Access Assurance allows you to integrate authentication service natively into Azure AD using OAuth.

  • For credentials-based (EAP-TTLS) authentication, Azure AD:
    • Performs delegated authentication, that is, checks the username and password by using OAuth.
    • Retrieves user group membership information to support authentication policies based on this user identity.
    • Gets the status—active or suspended—of a user account.
  • For certificate-based (EAP-TLS or EAP-TTLS) authorization, Azure AD:
    • Retrieves user group membership information to support authentication policies based on this user identity.
    • Gets the status—active or suspended—of a user account.
  • For EAP-TTLS with PAP, Azure AD:
    • Performs delegated authentication, that is, checks the username and password by using OAuth or ROPC.
    • Retrieves user group membership information to support authentication policies based on this user identity.
    • Gets the status—active or suspended—of a user account.

Configuration on Azure Portal

To integrate Azure AD with Juniper Mist Access Assurance, you need the Client ID, Client Secret, and Tenant ID of an application registered in the Azure portal.

  1. Use your credentials to sign in to the Azure portal and navigate to your Azure AD.
  2. From the left-navigation bar, select App registrations.
  3. Click New Registration to register a new application.
  4. On the New Registration page, enter the required information in the following fields.
    Note that the following list displays sample user inputs.
    • Name—Mist AA IDP connector
    • Supported Account Type—Select Accounts in this organization directory only.
  5. Click Register to continue.
    A page appears displaying information about the newly created connector.
  6. Note down the following details, which you will need to set up an identity provider (IdP) connector on the Juniper Mist portal:
    • Application (Client) ID—You'll need to enter this information in the OAuth Client Credential (CC) Client ID and Resource Owner Password Credential Client ID fields on the Juniper Mist cloud portal.
    • Directory (Tenant) ID—You'll need this information for the OAuth Tenant ID field on the Juniper Mist portal.
  7. Click Add a certificate or secret. In the Add a client secret window, enter the following details and click Add:
    • Name
    • Expiry time

    The system generates Value and Secret ID.

    Copy and save the Value field. This field is shown only once, right after the secret is created, so save it in a safe place.

    You will need the Value for the OAuth Client Credentials Client Secret field on the Juniper Mist portal when you add Azure AD as an IdP.

  8. On the Azure portal page for the registered application, in the left-navigation bar, go to the Authentication tab and scroll down to the Advanced Settings section.
  9. On the Azure portal page for the registered application, on the left-navigation bar, select API permissions > Add a permission.

    You must give your application the required access permissions to use Microsoft Graph API to fetch information about users.

    Under Microsoft Graph, add the following permissions:
    • User.Read (Delegated)
    • User.Read.All (Application)
    • Group.Read.All (Application)

    Click Grant admin consent for your directory.

Configuration on Juniper Mist Dashboard

  1. On the Juniper Mist portal, from the left menu, select Organization > Access > Identity Providers.

    The Identity Providers page appears, displaying a list of configured IdPs (if any).

    Figure 1: Identity Providers Page
  2. Click Add IDP to add a new IdP.
  3. On the New Identity Provider page, enter the required information as shown below.
    Figure 2: Add Azure AD as Identity Provider
    1. Name—Enter an IdP name (in this example, Azure AD).
    2. IDP Type—Select OAuth.
    3. OAuth Type—Select Azure from the drop-down list.
    4. OAuth Tenant ID—Enter the value from Directory (Tenant) ID you copied from the Azure application.
    5. Domain Names—Enter the domain name that appears in users' usernames (for example, the domain part of username@domain.com). The connector examines incoming authentication requests against this field to identify the username and its associated domain. Once the domain name is set, the connector knows which Azure tenant it needs to communicate with for that user.
    6. OAuth Client Credential (CC) Client id—Enter the Application (Client) ID of the registered Azure AD application.
    7. OAuth Client Credential (CC) Client secret—Enter the Azure AD application secret, that is, the Value of the client secret you created earlier in the Azure portal.
    8. OAuth Resource Owner Password Credential (ROPC) Client id—Enter the Application (Client) ID of the registered Azure AD application.
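The following is an added example, not code from Juniper Mist or Microsoft, that models the two OAuth flows the connector configuration above sets up: the client-credentials (CC) flow used for Microsoft Graph lookups of group membership and account status, and the ROPC flow used for the delegated password check. The connector class, the domain-to-tenant selection, and the `interpret_user` policy helper are assumptions about how such a connector behaves; the token endpoint URL, request parameters, and Graph response fields (`accountEnabled`, `memberOf`, `@odata.type`) are Microsoft's public v2.0 and Graph v1.0 conventions. All sample values are constructed placeholders.

```python
"""Model of an Azure AD IdP connector: domain-based tenant selection,
OAuth CC and ROPC token requests, and interpretation of Graph responses.
Illustrative only; nothing here is sent over the network."""
from dataclasses import dataclass
from urllib.parse import urlencode

# Microsoft identity platform v2.0 token endpoint and the Graph default scope.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"


@dataclass
class AzureIdpConnector:
    """Fields mirror the New Identity Provider form described above (assumed model)."""
    name: str
    domain_names: list          # Domain Names field, e.g. ["domain.com"]
    tenant_id: str              # OAuth Tenant ID (Directory ID)
    cc_client_id: str           # OAuth CC Client id (Application ID)
    cc_client_secret: str       # OAuth CC Client secret (the Value copied from Azure)
    ropc_client_id: str         # OAuth ROPC Client id (Application ID)


def split_upn(username):
    """Users must present the full UPN (user@domain); reject anything else."""
    if username.count("@") != 1:
        raise ValueError("username must be a full UPN, e.g. user@domain.com")
    user, domain = username.split("@")
    if not user or not domain:
        raise ValueError("empty user or domain part in UPN")
    return user, domain.lower()


def select_connector(connectors, username):
    """Choose the IdP whose Domain Names list contains the UPN's domain; None if no match."""
    _, domain = split_upn(username)
    for c in connectors:
        if domain in (d.lower() for d in c.domain_names):
            return c
    return None


def client_credentials_request(c):
    """Build the CC token request used for Graph lookups (groups, account status)."""
    body = {"grant_type": "client_credentials", "client_id": c.cc_client_id,
            "client_secret": c.cc_client_secret, "scope": GRAPH_SCOPE}
    return {"url": TOKEN_URL.format(tenant=c.tenant_id), "body": urlencode(body)}


def ropc_request(c, username, password):
    """Build the ROPC token request used for the EAP-TTLS/PAP password check.
    No client secret is sent: ROPC is a public-client flow on this registration."""
    body = {"grant_type": "password", "client_id": c.ropc_client_id,
            "username": username, "password": password, "scope": GRAPH_SCOPE}
    return {"url": TOKEN_URL.format(tenant=c.tenant_id), "body": urlencode(body)}


def interpret_user(user_json, member_of_json):
    """Derive active/suspended status and group names from Graph responses to
    GET /users/{upn}?$select=accountEnabled and GET /users/{upn}/memberOf.
    memberOf can also contain directory roles, so only group objects are kept."""
    status = "active" if user_json.get("accountEnabled") else "suspended"
    groups = [g["displayName"] for g in member_of_json.get("value", [])
              if g.get("@odata.type") == "#microsoft.graph.group"]
    return {"status": status, "groups": sorted(groups)}


def authorize(identity, allowed_groups):
    """Example policy: active account AND member of at least one allowed group."""
    return identity["status"] == "active" and bool(set(identity["groups"]) & set(allowed_groups))


# Constructed sample data (placeholder IDs, not real tenant values).
CONNECTORS = [AzureIdpConnector(
    name="Azure AD", domain_names=["domain.com"],
    tenant_id="00000000-0000-0000-0000-000000000000",
    cc_client_id="11111111-1111-1111-1111-111111111111",
    cc_client_secret="PLACEHOLDER_SECRET_VALUE",
    ropc_client_id="11111111-1111-1111-1111-111111111111")]

SAMPLE_USER = {"userPrincipalName": "alice@domain.com", "accountEnabled": True}
SAMPLE_MEMBER_OF = {"value": [
    {"@odata.type": "#microsoft.graph.group", "displayName": "Wireless-Staff"},
    {"@odata.type": "#microsoft.graph.directoryRole", "displayName": "Global Reader"},
]}

if __name__ == "__main__":
    conn = select_connector(CONNECTORS, "alice@domain.com")
    print(client_credentials_request(conn)["url"])
    ident = interpret_user(SAMPLE_USER, SAMPLE_MEMBER_OF)
    print(ident, "allowed:", authorize(ident, ["Wireless-Staff"]))
```

The `split_upn` check is deliberately strict because, as the ROPC notes later on this page state, a bare username cannot be routed to a tenant; the directory-role filter in `interpret_user` matters because a group-based policy should not be satisfied by an admin role object that happens to appear in `memberOf`.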

To verify the integration, on the Juniper Mist portal go to Monitoring > Insights > Client Events.

When a user authenticates using EAP-TLS with Azure AD, you can see the event called NAC IDP Group Lookup Success as shown below:

Figure 3: View IDP Authentication Success for EAP-TLS Authentication

In case of EAP-TTLS authentication, you can see the NAC IDP Authentication Success event. This event indicates that Azure AD has validated the user credentials. You can also see the NAC IDP Group Lookup Success event that fetches user group memberships.

Figure 4: View IDP Authentication Success for EAP-TTLS Authentication

About EAP-TTLS and Azure AD Using ROPC

EAP-TTLS leverages the ROPC (Resource Owner Password Credential) OAuth flow with Azure AD to perform user authentication and group retrieval. This is legacy authentication, that is, a username and password presented without MFA. There are several factors to consider when employing this method:

  • Configure client devices with the correct Wi-Fi profile, either from GPO or MDM. Providing only username and password at the login prompt does not work for some operating systems.
  • Users must use the full User Principal Name (UPN) format (username@domain) for entering the username.
  • Configure clients to trust the server certificate. See
  • Users must log in at least once to the Azure portal before attempting access using ROPC authentication. This step is important for testing user accounts.
  • The Azure portal must store the password for the user either in full cloud accounts, or in a local AD where password synchronization is enabled with Azure AD Connect. Federated Authentication users are not supported.
  • MFA must be disabled for users who authenticate using ROPC.
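The following is an added example, not part of the Juniper or Microsoft documentation, that turns the ROPC preconditions listed above into two operator checks: a pre-flight check of a user record against those preconditions, and a triage of a failed token response that maps the `AADSTS` code Azure AD returns to the most likely unmet precondition. The JSON shape of a failed response (`error`, `error_description`, `error_codes`) is the public token endpoint's; the user-record fields (`mfa_enforced`, `auth_type`, `signed_in_once`) are an assumed model, and the code-to-cause table is a selection from Microsoft's published AADSTS error list that the author of this example considers relevant here. Sample responses are constructed.

```python
"""Pre-flight checks and failure triage for EAP-TTLS/ROPC against Azure AD.
Illustrative only; the user-record model is assumed, not a Mist or Graph schema."""
import re

# Assumed mapping from documented AADSTS codes to the ROPC precondition they usually indicate.
AADSTS_CAUSES = {
    "AADSTS50126": "invalid username or password (password must be stored in Azure AD or synced via Azure AD Connect; federated users are not supported)",
    "AADSTS50034": "user not found in this tenant (check full UPN and the connector's Tenant ID)",
    "AADSTS50057": "user account is disabled",
    "AADSTS50053": "user account is locked",
    "AADSTS50055": "password has expired",
    "AADSTS50076": "MFA is required for this user; ROPC cannot satisfy MFA, so MFA must be disabled for ROPC users",
    "AADSTS50079": "user must enrol in MFA; ROPC cannot satisfy MFA",
    "AADSTS7000218": "app registration rejects public-client flows; ROPC requires them to be allowed",
}
_CODE_RE = re.compile(r"AADSTS\d+")


def check_ropc_preconditions(username, user_record):
    """Return a list of unmet preconditions (empty list means ready for ROPC).
    user_record is an assumed dict: mfa_enforced (bool), auth_type
    ('cloud' | 'synced' | 'federated'), signed_in_once (bool)."""
    problems = []
    if username.count("@") != 1 or not all(username.split("@")):
        problems.append("username must be the full UPN (username@domain)")
    if user_record.get("mfa_enforced"):
        problems.append("MFA is enforced; it must be disabled for ROPC users")
    if user_record.get("auth_type") == "federated":
        problems.append("federated users are not supported; password must be cloud or synced")
    if not user_record.get("signed_in_once"):
        problems.append("user has never signed in to the Azure portal")
    return problems


def triage_token_response(resp):
    """Classify a token-endpoint response. Success carries access_token; failure
    carries an error_description beginning with an AADSTS code."""
    if "access_token" in resp:
        return {"ok": True, "code": None, "cause": None}
    desc = resp.get("error_description", "")
    m = _CODE_RE.search(desc)
    code = m.group(0) if m else None
    cause = AADSTS_CAUSES.get(code, "unmapped error; see error_description")
    return {"ok": False, "code": code, "cause": cause}


# Constructed sample responses (shape follows the public token endpoint).
SAMPLE_OK = {"token_type": "Bearer", "expires_in": 3599, "access_token": "eyJ.constructed.token"}
SAMPLE_MFA_FAIL = {
    "error": "invalid_grant",
    "error_description": "AADSTS50076: Due to a configuration change made by your administrator, "
                         "or because you moved to a new location, you must use multi-factor "
                         "authentication to access the resource.",
    "error_codes": [50076],
}
SAMPLE_USER_RECORD = {"mfa_enforced": False, "auth_type": "synced", "signed_in_once": True}

if __name__ == "__main__":
    print(check_ropc_preconditions("alice", {"mfa_enforced": True, "auth_type": "federated"}))
    print(triage_token_response(SAMPLE_MFA_FAIL))
```

Run the pre-flight check before a user is told to try Wi-Fi with a new connector, and the triage on the raw response when a NAC IDP Authentication Success event does not appear for an EAP-TTLS client; the two together cover every bullet in the list above without needing the user's password to be retried.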