Integrate Azure AD as an Identity Provider
Microsoft Azure Active Directory (Azure AD), now known as Microsoft Entra ID, is an identity and access management solution. Juniper Mist Access Assurance lets you integrate its authentication service natively with Azure AD using OAuth.
- For credentials-based (EAP-TTLS) authentication, Azure AD:
  - Performs delegated authentication, that is, checks the username and password by using OAuth.
  - Retrieves user group membership information to support authentication policies based on this user identity.
  - Gets the status (active or suspended) of a user account.
- For certificate-based (EAP-TLS or EAP-TTLS) authorization, Azure AD:
  - Retrieves user group membership information to support authentication policies based on this user identity.
  - Gets the status (active or suspended) of a user account.
- For EAP-TTLS with PAP, Azure AD:
  - Performs delegated authentication, that is, checks the username and password by using OAuth or ROPC.
  - Retrieves user group membership information to support authentication policies based on this user identity.
  - Gets the status (active or suspended) of a user account.
Configuration on Azure Portal
To integrate Azure AD with Juniper Mist Access Assurance, you need the Client ID, Client Secret, and Tenant ID.
Configuration on Juniper Mist Dashboard
On the Juniper Mist portal, go to Monitoring > Insights > Client Events.
When a user authenticates using EAP-TLS with Azure AD, you can see the event called NAC IDP Group Lookup Success as shown below:
![View IDP Authentication Success for EAP-TLS Authentication](../../images/maa-azure-integration-11.png)
In case of EAP-TTLS authentication, you can see the NAC IDP Authentication Success event. This event indicates that Azure AD has validated the user credentials. You can also see the NAC IDP Group Lookup Success event that fetches user group memberships.
![View IDP Authentication Success for EAP-TTLS Authentication](../../images/maa-azure-integration-12.png)
About EAP-TTLS and Azure AD Using ROPC
EAP-TTLS uses the ROPC (Resource Owner Password Credentials) OAuth flow with Azure AD to perform user authentication and group retrieval. This is legacy authentication: a username and password are validated without MFA. There are several factors to consider when using this method:
- Configure client devices with the correct Wi-Fi profile, delivered through GPO or MDM. On some operating systems, entering only a username and password at the login prompt does not work.
- Users must enter the username in full User Principal Name (UPN) format (username@domain).
- Configure clients to trust the server certificate. See
- Users must log in to the Azure portal at least once before attempting access using ROPC authentication. This step is especially important for test user accounts.
- Azure AD must hold the user's password, either for cloud-only accounts or for accounts in an on-premises AD with password synchronization enabled through Azure AD Connect. Federated authentication users are not supported.
- MFA must be disabled for users who authenticate through ROPC.
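The following is an added example, not Juniper's or Microsoft's code, showing how the EAP-TTLS/PAP path above maps onto Azure AD: the ROPC request that carries the username and password, the token-endpoint outcomes that correspond to the considerations listed (MFA or policy requiring interaction, credentials that cannot be validated), and the account-status and group lookups fed into policy. The token endpoint URL and the grant parameters are the Microsoft identity platform v2.0 values; the Graph scope, the client-secret usage and the sample responses are assumptions for illustration.

```python
# Added example (not Juniper's or Microsoft's code). Endpoint and grant
# parameters are the identity platform v2.0 values; scope is an assumption.
from urllib.parse import urlencode

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"  # assumed scope


def build_ropc_request(tenant_id, client_id, client_secret, username, password):
    """Return (url, form-encoded body) for the ROPC grant.

    The username must be a full UPN (user@domain), one of the prerequisites
    listed above; a bare account name is rejected before anything is sent.
    """
    if "@" not in username:
        raise ValueError("username must be a full UPN (user@domain)")
    body = {
        "grant_type": "password",  # the legacy, MFA-less ROPC grant
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
        "username": username,
        "password": password,
    }
    return TOKEN_URL.format(tenant=tenant_id), urlencode(body)


def classify_token_response(status, body):
    """Translate a token-endpoint reply into the outcome an operator sees."""
    if status == 200 and "access_token" in body:
        return "authenticated"
    err = body.get("error", "unknown")
    if err == "interaction_required":
        # MFA or Conditional Access demands an interactive sign-in; ROPC cannot satisfy it.
        return "blocked_mfa_or_policy"
    if err == "invalid_grant":
        # Wrong password, or no usable password in Azure AD (federated user, no sync).
        return "rejected_credentials"
    return "error_" + err


def evaluate_user(profile, member_of):
    """Derive status and groups from Graph /me?$select=accountEnabled,userPrincipalName
    and /me/memberOf responses (both passed in as already-parsed JSON)."""
    status = "active" if profile.get("accountEnabled") else "suspended"
    groups = sorted(
        g["displayName"] for g in member_of.get("value", [])
        if g.get("@odata.type") == "#microsoft.graph.group"  # skip directory roles etc.
    )
    return {"upn": profile.get("userPrincipalName"), "status": status, "groups": groups}
```

The classification shows why the listed prerequisites matter: an `interaction_required` error is what an MFA-enabled user produces, and `invalid_grant` is what a federated user or an account with no synchronized password produces even with the right password.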