Azure Directory
This is an end-to-end tutorial to link the Azure AD Directory Service to Mamori.
Mamori provides Azure AD integration for what Microsoft calls browserless apps. These are applications like database tools, BI servers, and other clients that do not have the facility to participate in SAML, Open ID or OAuth2 workflows. For browserless apps Microsoft provides the device code workflow.
You can read on how Microsoft's authetication workflows and device code workflow via the links below
- Azure AD Authentication Workflows
- Azure AD Browserless App Device Code Workform
- Azure AD - Configure a native client application
Note: Via the Mamori Azure AD integration you can not obtain access to any Azure services or an authenticated user session.
No, Microsoft MFA is only for SAML, OPENID or OAUTH2 enabled web applications and it does not support push MFA workflows for browserless applications. Mamori provides its own free TOTP or Mobile Push MFA service.
Setup Azure AD
First, login to Azure AD as the Azure Administrator and perform these tasks:
| Step | Description |
|---|---|
| Register a Mamori app in Azure | This includes setting up Microsoft Graph and Active Directory permissions |
| Create an Azure user group | Create a group and add users. |
Register a Mamori app in Azure
You first need to register Mamori as a Native Application within Azure.
Click Azure Active Directory then choose App Registrations.
Click New Application Registration.
Field Value Name MamoriApp Type Native Redirect URI https://mamori.io
Set required permissions
Mamori Requires the following permissions. Follow the instructions below to add them.
Open App registrations then choose your Mamori app MamoriApp.
Click API Permissions then Add a permission.
Click Microsoft Graph
Select the following application permissions (Not Delegate):
- GroupMember.Read.All
- User.Read.All
Select the following Delegated permissions:
- User.ReadBasic.All
Click Grant admin consent for mamori
Permissions setup complete. The grid should look like the image below.
Create application secret token
Mamori uses an application secret to authenticate and request user group information.
Open App registrations then choose your Mamori app MamoriApp.
Click Certificates & secrets then New client secret.
Select secret expiration
OAUTH 2.0 Authorization Endpoint
This step is only required for customers running multiple domains.
-
Open App Registrations then Endpoints.
-
Click the copy button and paste into a text file for later use.
Add Azure AD Authentication provider
Login to the mamori portal
Click Server Settings > Authentication ProvidersClick
Name the provider
Choose Azure Directory from the Authentication Provider list.
Fill in these fields on the Settings tab:
Field Description Required Azure path to find this... Application ID Redirect URI from App Registration settings Yes Azure Active Directory > App Registrations Authority Oauth Endpoint No Azure Active Directory > App Registrations > Endpoints > OAUTH 2.0 Token Endpoint Resource ID Microsoft Graph API resource name or ID No Azure Active Directory > App Registrations > Endpoints > Microsoft Azure AD Graph API Endpoint Secret Application API Secret Yes Redirect Service For MFA via Email, add an optional redirect service used to simplify the MFA email and remove the need to cut and paste the authorization code. The default is a free service at https://access.mamori.io/mfa/relay Click Create Provider when finished.
Add provider to authentication chain
Click update
Querying Azure Directory API
Click Console
to see all the available users in a directory
-- count users call azure_search('{Your Azure AD Provider Name}', 'https://graph.microsoft.com/v1.0/users/$count'); -- fetch all users call azure_search('{Your Azure AD Provider Name}', 'https://graph.microsoft.com/v1.0/users/'); -- fetch external users call azure_search('{Your Azure AD Provider Name}', 'https://graph.microsoft.com/v1.0/users?$filter=userType%20eq%20''Guest''');