Microsoft Azure AD connector
This documentation refers to the Microsoft Azure Active Directory (Azure AD) integration. It explains how to protect your Azure AD applications with inWebo MFA. The inWebo Azure AD connector uses OpenID Connect.
Prerequisites
Azure Directory account at a Premium level (P1 or P2)
An inWebo account (could be a Trial Account)
Register with inWebo to enable the inWebo Azure AD connector in your tenant
Configuring inWebo MFA to protect Azure AD
Step 1: Creating a new inWebo Azure AD connector
Connect as administrator to the inWebo administration console.
Go to “Secure Sites” section.
Choose to create a connector of type “OIDC Azure AD”.
Fill in the fields to create your inWebo Azure AD Connector:

Setting | Description |
---|---|
Connector name | Enter a chosen name / information to define the connector's goal in the administration console. The name of the connector will be used to create the secure site, so it will appear in the authentication context sentence. |
Client ID | Enter the client ID. It allows the junction between the inWebo connector and the Azure AD custom control (when creating the custom control, the ClientID is mentioned in the JSON code). |
Login Type |
Azure AD uses the UPN (UserPrincipalName) attribute as a login for the authentication process. The login type must match the UPN sent from Azure AD. Select the login type to use during Azure AD user authentication process. As the login type must match the UPN, you have 3 options:
|
Client Secret | It is not used for the Azure AD connector (this value is defined for OpenID Connect standards). |
Authentication URL | Select the default authentication method you have decided to provide to your users when accessing your secure content. Possible authentication page used by inWebo Azure AD connector:
Client applications (mobile apps & desktop clients) and Web applications For client applications, we do not recommend using Virtual Authenticator (VA) authentication method. (examples of client applications: Outlook for windows/IOS/Android, Teams, native IOS/Android mail client)
→ the WebView evolution (the emulated browser type, compatibility, versions) in the application is unknown and not documented by the third party vendor. → a client application enrollment will not always be used by another application (meaning that each application will have to be enrolled).
|
Custom claims | Check that the claim keys and values are present: InWeboMFa - Static value - MfaDone. |
Click on Add to create the Azure AD connector.
A connector alias, a secure site alias and a discovery URL have been automatically generated. These elements are displayed on the top of the connector properties.

Click on “Display json code for Azure custom control” at the bottom of the connector properties.

Copy the json code: it should be used for Azure AD custom control (see “Step 2: Creating a new custom control in Azure AD” below).
{
"Name": "Name of your AZURE service",
"AppId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"ClientId": "xxxx openId client identifier xxxx",
"DiscoveryUrl": "https://connect.myinwebo.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/.well-known/openid-configuration",
"Controls": [
{
"Id": "RequireInWeboMfa",
"Name": "RequireInWeboMfa",
"ClaimsRequested": [
{
"Type": "InWeboMfa",
"Value": "MfaDone",
"Values": null
}
],
"Claims": null
}
]
}
The "Id": "RequireInWeboMfa"
and "Name": "RequireInWeboMfa"
fields must be unique. They must not be used by other "custom control" mechanisms.
However, you can change the "Name"
field to "RequireInWeboMfa service name"
for a more meaningful display by adding the name of the related inWebo service for Azure AD.
Note that the associated secure site is automatically created after OIDC Azure AD connector creation (in Secure sites tab).

Step 2: Creating a new custom control in Azure AD
To add inWebo multi-factor authentication you have to create and configure an Azure AD custom control.
As an Administrator, access your Microsoft Azure AD tenant with the Microsoft Azure Portal.
Select "More Services", browse to "Identity" category and select "Azure AD Conditional Access".
Select "Custom controls (preview)" in the Conditional Access menu.
Click on the "+" at the top of the displayed page, next to "New Custom Control”.
Delete the existing code displayed and paste the inWebo Json code provided by inWebo (see “Step1: Creating a new inWebo Azure AD connector” above).
Click on "Create".
Step 3: Creating a new conditional access policy in Azure AD
You can control how authorized users can access your cloud apps.
The objective of a conditional access policy is to enforce additional access controls when a user attempts to access a cloud app, depending on how the access attempt is performed. You can control how authorized users can access your cloud apps.
From the Microsoft Azure Portal, go to Azure Active Directory > Security > Conditional Access.
Go to "Policies" in the left menu and click on "+ New policy".
Name your new Policy i.e "inWebo policy"
Assign impacted Users groups following your own specifications.
When testing it is recommended to not apply this policy on your own Administrator. Test it on a limited group of users at first to verify your authentication mechanism.
Assign impacted apps following your own specifications.
Under the "Access controls" section, select "Grant".
At the top of the displayed page, select "Grant access".
In the check-list,
Make sure "require Multi-factor authentication" is not checked (this is Microsoft MFA),
Scroll down and select the custom control ID you have created ("RequireInWeboMfa" in our exemple).
Click on “Select”.
Set the "Enable Policy" parameter to On.

Click on “Create” to save the new policy.
Additional references
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/controls
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/conditions