Microsoft Azure AD connector

This documentation refers to the Microsoft Azure Active Directory (Azure AD) integration. It explains how to protect your Azure AD applications with inWebo MFA. The inWebo Azure AD connector uses OpenID Connect.

Prerequisites

• Azure Directory account at a Premium level (P1 or P2)

• An inWebo account (could be a Trial Account)

• Register with inWebo to enable the inWebo Azure AD connector in your tenant

Configuring inWebo MFA to protect Azure AD

Step 1: Creating a new inWebo Azure AD connector

• Connect as administrator to the inWebo administration console.

• Go to “Secure Sites” section.

• Choose to create a connector of type “OIDC Azure AD”.

• Fill in the fields to create your inWebo Azure AD Connector:

Setting	Description
Connector name	Enter a chosen name / information to define the connector's goal in the administration console. The name of the connector will be used to create the secure site, so it will appear in the authentication context sentence.
Client ID	Enter the client ID. It allows the junction between the inWebo connector and the Azure AD custom control (when creating the custom control, the ClientID is mentioned in the JSON code).
Login Type	Azure AD uses the UPN (UserPrincipalName) attribute as a login for the authentication process. The login type must match the UPN sent from Azure AD. Select the login type to use during Azure AD user authentication process. As the login type must match the UPN, you have 3 options: user login → select this login type if the inWebo User login matches the Azure AD UPN. user email → select this login type if the inWebo User email matches the Azure AD UPN. login 2 → select this login type and enter the UPN value in the “login 2 field” of user properties.
Client Secret	It is not used for the Azure AD connector (this value is defined for OpenID Connect standards).
Authentication URL	Select the default authentication method you have decided to provide to your users when accessing your secure content. Possible authentication page used by inWebo Azure AD connector: Helium - https://ult-inwebo.com/authentication-oidc/helium Virtual Authenticator (VA) - https://ult-inwebo.com/authentication-oidc/va - Note that Virtual Authenticator will be the first authentication option presented to users. They still can choose another authentication method, such as push to Authenticator (mobile/desktop) or OTP entry. mAccess Web - https://ult-inwebo.com/authentication-oidc/neon inWebo Authenticator App https://ult-inwebo.com/authentication-oidc/authenticator - Note that only Authenticator (mobile/desktop) will be presented to users as an authentication method Client applications (mobile apps & desktop clients) and Web applications For client applications, we do not recommend using Virtual Authenticator (VA) authentication method. (examples of client applications: Outlook for windows/IOS/Android, Teams, native IOS/Android mail client) Why? The VA authentication method enrolls a web browser. When using VA for a client application, the enrolled web browser is actually a WebView embedded in the application. → the WebView evolution (the emulated browser type, compatibility, versions) in the application is unknown and not documented by the third party vendor. → a client application enrollment will not always be used by another application (meaning that each application will have to be enrolled). How to configure client and web applications with inWebo Azure AD connector? In order to have an optimal user experience of the inWebo Azure AD connector on both client and web applications, we recommend to create two connectors with different authentication URL settings. Then you should configure two policies in Azure AD to get a different authentication scenario depending on the application type (client or web app). Please, read the following documentation to know how to proceed → Specific Azure AD configurations for client apps and web apps
Custom claims	Check that the claim keys and values are present: InWeboMFa - Static value - MfaDone.

• Click on Add to create the Azure AD connector.

• A connector alias, a secure site alias and a discovery URL have been automatically generated. These elements are displayed on the top of the connector properties.

• Click on “Display json code for Azure custom control” at the bottom of the connector properties.

• Copy the json code: it should be used for Azure AD custom control (see “Step 2: Creating a new custom control in Azure AD” below).

{
  "Name": "Name of your AZURE service",
  "AppId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "ClientId": "xxxx openId client identifier xxxx",
  "DiscoveryUrl": "https://connect.myinwebo.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/.well-known/openid-configuration",
  "Controls": [
    {
      "Id": "RequireInWeboMfa",
      "Name": "RequireInWeboMfa",
      "ClaimsRequested": [
        {
          "Type": "InWeboMfa",
          "Value": "MfaDone",
          "Values": null
        }
      ],
      "Claims": null
    }
  ]
}

The "Id": "RequireInWeboMfa" and "Name": "RequireInWeboMfa" fields must be unique. They must not be used by other "custom control" mechanisms.
However, you can change the "Name" field to "RequireInWeboMfa service name"for a more meaningful display by adding the name of the related inWebo service for Azure AD.

Note that the associated secure site is automatically created after OIDC Azure AD connector creation (in Secure sites tab).

Step 2: Creating a new custom control in Azure AD

To add inWebo multi-factor authentication you have to create and configure an Azure AD custom control.

• As an Administrator, access your Microsoft Azure AD tenant with the Microsoft Azure Portal.

• Select "More Services", browse to "Identity" category and select "Azure AD Conditional Access".

• Select "Custom controls (preview)" in the Conditional Access menu.

  

• Click on the "+" at the top of the displayed page, next to "New Custom Control”.

• Delete the existing code displayed and paste the inWebo Json code provided by inWebo (see “Step1: Creating a new inWebo Azure AD connector” above).

  

• Click on "Create".

Step 3: Creating a new conditional access policy in Azure AD

You can control how authorized users can access your cloud apps.
The objective of a conditional access policy is to enforce additional access controls when a user attempts to access a cloud app, depending on how the access attempt is performed. You can control how authorized users can access your cloud apps.

• From the Microsoft Azure Portal, go to Azure Active Directory > Security > Conditional Access.

  

• Go to "Policies" in the left menu and click on "+ New policy".

  

• Name your new Policy i.e "inWebo policy"

• Assign impacted Users groups following your own specifications.

  

When testing it is recommended to not apply this policy on your own Administrator. Test it on a limited group of users at first to verify your authentication mechanism.

• Assign impacted apps following your own specifications.

  

• Under the "Access controls" section, select "Grant".

• At the top of the displayed page, select "Grant access".

• In the check-list,

  • Make sure "require Multi-factor authentication" is not checked (this is Microsoft MFA),

  • Scroll down and select the custom control ID you have created ("RequireInWeboMfa" in our exemple).

• Click on “Select”.

• Set the "Enable Policy" parameter to On.

• Click on “Create” to save the new policy.

Additional references

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/controls
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/conditions