Azure Directory

This is an end-to-end tutorial to link the Azure AD Directory Service to Mamori.

Mamori provides Azure AD integration both for web logins, via OAuth (MSAL), and for database tools, via the Microsoft device code workflow for browserless applications. Browserless applications are clients such as database tools, BI servers and other software that cannot participate in browser-based SAML, OpenID or OAuth2 workflows. For these applications Microsoft provides the device code workflow.
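As an added illustration of the device code workflow mentioned above (this is not Mamori's or Microsoft's code), the following Python simulates the RFC 8628 exchange between a browserless client and an authorization server. The server class, its name `FakeAuthServer`, the codes it hands out and the approval timing are all constructed stand-ins; the response field and error names are the standard ones the Microsoft identity platform uses.

```python
import time


class FakeAuthServer:
    """Constructed stand-in for the /devicecode and /token endpoints.
    The 'user' approves the sign-in on the Nth token poll."""

    def __init__(self, approve_after_polls=3, interval=1):
        self.approve_after_polls = approve_after_polls
        self.interval = interval  # minimum seconds between token polls
        self.polls = 0
        self.last_poll = None

    def device_authorization(self, client_id, scope):
        # Constructed sample values in the shape of a device authorization response.
        return {
            "device_code": "constructed-device-code",
            "user_code": "ABCD-1234",
            "verification_uri": "https://microsoft.com/devicelogin",
            "expires_in": 900,
            "interval": self.interval,
        }

    def token(self, device_code):
        now = time.monotonic()
        # Polling faster than the advertised interval is answered with slow_down.
        if self.last_poll is not None and now - self.last_poll < self.interval * 0.9:
            self.last_poll = now
            return {"error": "slow_down"}
        self.last_poll = now
        self.polls += 1
        if self.polls < self.approve_after_polls:
            return {"error": "authorization_pending"}  # user has not approved yet
        return {"access_token": "constructed-token", "token_type": "Bearer", "expires_in": 3600}


def device_code_login(server, client_id, scope, max_wait=10):
    """Client side: request a code, show it to the user, then poll until approved."""
    resp = server.device_authorization(client_id, scope)
    interval = resp["interval"]
    deadline = time.monotonic() + min(resp["expires_in"], max_wait)
    print(f"Visit {resp['verification_uri']} and enter the code {resp['user_code']}")
    while time.monotonic() < deadline:
        time.sleep(interval)
        tok = server.token(resp["device_code"])
        if "access_token" in tok:
            return tok
        if tok["error"] == "slow_down":
            interval += 5  # RFC 8628: back off by 5 seconds and keep polling
        elif tok["error"] != "authorization_pending":
            raise RuntimeError(tok["error"])  # expired_token, authorization_declined, ...
    raise TimeoutError("device code expired before the user approved the sign-in")
```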

You can read about Microsoft's authentication workflows and the device code workflow via the links below.

These steps require Admin access to Azure AD. If you create an app without Admin access, it will not be registered until an Administrator enables it.

Mamori uses Azure AD to validate a user's login credentials and to obtain the groups the user is a member of. It does not call any other Azure services on the user's behalf.

Can I use my Azure MFA to access resources via Mamori?

Yes: you will be multi-factor authenticated by Microsoft Entra when you log in to the Mamori web portal or via the transparent web proxy. However, Microsoft does not support further authentication prompts after login. If you want to MFA users on every resource access, enable Mamori Push TOTP and scan the QR code with the Microsoft mobile app.

For the Oracle, MySQL and Postgres database proxies, users must log in to the web portal at least once and complete the device code workflow.

Setup Azure AD

First, login to Azure AD as the Azure Administrator and perform these tasks:

Step                               Description
Register a Mamori app in Azure     This includes setting up Microsoft Graph and Active Directory permissions.
Create an Azure user group         Create a group and add users.

Register a Mamori app in Azure

You first need to register Mamori as a Native Application within Azure.

  • Click Azure Active Directory then choose App Registrations.

  • Click New Application Registration.


FieldValue
NameMamoriApp
TypeNative
Redirect URIhttps://[mamori server]/auth/web/oauth/[Mamori Azure Provider Name]


Set required permissions

Mamori requires the following Application (not Delegated) permissions. Follow the instructions below to add them.

  • GroupMember.Read.All
  • User.Read.All

  • Open App registrations then choose your Mamori app MamoriApp.

  • Click API Permissions then Add a permission.

  • Click Microsoft Graph

Select the following application permissions (not Delegated):

  • GroupMember.Read.All
  • User.Read.All

Click Grant admin consent for mamori.

Permissions setup complete. The grid should look like the image below.



Create application secret token

Mamori uses an application secret to authenticate and request user group information.

  • Open App registrations then choose your Mamori app MamoriApp.

  • Click Certificates & secrets then New client secret.

  • Select the secret expiration.

Set Authentication

To configure Mamori-Azure OAuth logins:

  • Open App registrations then choose your Mamori app MamoriApp.

  • Click Authentication.

  • Add a Web Redirect URI https://yourmamoriserver/auth/web/oauth/yourprovider

  • Check Access tokens (used for implicit flows) under Implicit grant and hybrid flows.

  • Under Advanced settings, toggle Allow public client flows to Yes.

OAUTH 2.0 Authorization Endpoint

This step is only required for customers running multiple domains.

  • Open App Registrations then Endpoints.

  • Click the OAuth 2.0 token endpoint (v2) copy button and paste into a text file for later use.

This concludes the Azure AD setup. Next, configure the Mamori provider.

Add Azure AD Authentication provider

Log in to the Mamori portal.

Click Server Settings > Authentication Providers.

Click

Name the provider.

Choose Azure Directory from the Authentication Provider list.

Fill in these fields on the Settings tab:

Application ID
  Description: Redirect URI from App Registration settings
  Required: Yes
  Azure path to find this: Azure Active Directory > App Registrations

Authority
  Description: OAuth endpoint
  Required: No
  Azure path to find this: Azure Active Directory > App Registrations > Endpoints > OAUTH 2.0 Token Endpoint

Resource ID
  Description: Microsoft Graph API resource name or ID
  Required: No
  Azure path to find this: Azure Active Directory > App Registrations > Endpoints > Microsoft Azure AD Graph API Endpoint

Secret
  Description: Application API secret
  Required: Yes

Redirect Service
  Description: For MFA via email, add an optional redirect service used to simplify the MFA email and remove the need to cut and paste the authorization code. The default is a free service at https://access.mamori.io/mfa/relay

Click Create Provider when finished.

Add provider to authentication chain

Click Update.

Querying Azure Directory API

Click Console and run the following statements to see the available users in a directory:

-- count users
call azure_search('{Your Azure AD Provider Name}', 'https://graph.microsoft.com/v1.0/users/$count');
-- fetch all users
call azure_search('{Your Azure AD Provider Name}', 'https://graph.microsoft.com/v1.0/users/');
-- fetch external users
call azure_search('{Your Azure AD Provider Name}', 'https://graph.microsoft.com/v1.0/users?$filter=userType%20eq%20''Guest''');

Updated at Mon, Oct 14, 2024