Azure Directory

This is an end-to-end tutorial to link the Azure AD Directory Service to Mamori.

Mamori provides Azure AD integration for what Microsoft calls browserless apps. These are applications like database tools, BI servers, and other clients that do not have the facility to participate in SAML, OpenID or OAuth2 workflows. For browserless apps, Microsoft provides the device code workflow.

You can read about Microsoft's authentication workflows and the device code workflow via the links below.

These steps require Admin access to Azure AD. If you create an app without Admin access, your app will not register until an Administrator enables it.
Mamori uses Azure AD to validate a user's login credentials and obtain the groups the user is a member of. It does not call any other Azure services on the user's behalf.

Note: the Mamori Azure AD integration does not grant access to any Azure services or to an authenticated Azure user session.
Can I use my Azure MFA to access resources via Mamori?
No, Microsoft MFA is only for SAML, OPENID or OAUTH2 enabled web applications and it does not support push MFA workflows for browserless applications. Mamori provides its own free TOTP or Mobile Push MFA service.
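The device code workflow described above, as an added example that is not Mamori's code: a minimal device-code login against the Azure AD v2.0 endpoints using the two delegated Graph permissions this page grants, with the RFC 8628 polling rules (authorization_pending, slow_down, expired_token) handled explicitly, plus a parser for the Graph /me/memberOf reply that keeps only group objects, since that call also returns directory roles. The tenant ID and Application ID are placeholders; how the Mamori server itself uses the application secret is not shown here.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request
# Placeholders (not from the page): tenant ID and Application ID of the Mamori app registration.
TENANT = "<your-tenant-id>"
CLIENT_ID = "<application-id>"
AUTHORITY = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0"
SCOPES = "User.ReadBasic.All GroupMember.Read.All"  # the two delegated permissions the page grants

def post_form(url, data):
    req = urllib.request.Request(url, data=urllib.parse.urlencode(data).encode())
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)  # the token endpoint returns errors as JSON with HTTP 400

def next_poll_action(reply, interval):
    """Map one token-endpoint reply to ('token'|'wait'|'stop', interval), per RFC 8628 3.5."""
    if "access_token" in reply:
        return "token", interval
    error = reply.get("error")
    if error == "authorization_pending":  # user has not approved yet: keep polling
        return "wait", interval
    if error == "slow_down":              # RFC 8628: add 5 seconds to the interval
        return "wait", interval + 5
    return "stop", interval               # expired_token, authorization_declined, ...

def group_names(member_of_reply):
    """/me/memberOf also lists directory roles; keep only group objects."""
    return sorted(obj["displayName"] for obj in member_of_reply.get("value", [])
                  if obj.get("@odata.type") == "#microsoft.graph.group")

def device_code_login():
    start = post_form(f"{AUTHORITY}/devicecode", {"client_id": CLIENT_ID, "scope": SCOPES})
    print(start["message"])  # tells the user where to enter the user_code
    interval = start.get("interval", 5)
    while True:
        time.sleep(interval)
        reply = post_form(f"{AUTHORITY}/token", {"client_id": CLIENT_ID,
                          "grant_type": "urn:ietf:params:oauth:grant-type:device_code",
                          "device_code": start["device_code"]})
        action, interval = next_poll_action(reply, interval)
        if action == "token":
            return reply["access_token"]
        if action == "stop":
            raise RuntimeError(reply.get("error_description", reply.get("error")))
```

The access token returned by device_code_login() can be sent as a Bearer token to https://graph.microsoft.com/v1.0/me/memberOf, and the JSON reply passed to group_names().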

Setup Azure AD

First, login to Azure AD as the Azure Administrator and perform these tasks:

  • Register a Mamori app in Azure. This includes setting up Microsoft Graph and Active Directory permissions.

  • Create an Azure user group. Create a group and add users.

Register a Mamori app in Azure

You first need to register Mamori as a Native Application within Azure.

  • Click Azure Active Directory then choose App Registrations.

  • Click New Application Registration.

Redirect URI

Set required permissions

Mamori requires the following permissions. Follow the instructions below to add them.

  • Open App registrations then choose your Mamori app MamoriApp.

  • Click API Permissions then Add a permission.

  • Click Microsoft Graph

Select the following Delegated permissions:

  • GroupMember.Read.All
  • User.ReadBasic.All

Click Grant admin consent for mamori

Permissions setup complete. The grid should look like the image below.

Create application secret token

Mamori uses an application secret to authenticate and request user group information.

  • Open App registrations then choose your Mamori app MamoriApp.

  • Click Certificates & secrets then New client secret.

  • Select secret expiration

Copy the Application ID and active secret for use in Mamori server provider setup.

OAUTH 2.0 Authorization Endpoint

This step is only required for customers running multiple domains.

  • Open App Registrations then Endpoints.

  • Click the copy button and paste into a text file for later use.

This concludes the Azure AD setup. Next, configure the Mamori provider.

Add Azure AD Authentication provider

Log in to the Mamori portal.

Click Server Settings > Authentication Providers


Name the provider

Choose Azure Directory from the Authentication Provider list.

Fill in these fields on the Settings tab:

Field: Application ID
  Description: Redirect URI from App Registration settings
  Required: Yes
  Azure path to find this: Azure Active Directory > App Registrations

Field: Authority
  Description: OAuth endpoint
  Required: No
  Azure path to find this: Azure Active Directory > App Registrations > Endpoints > OAUTH 2.0 Token Endpoint

Field: Resource ID
  Description: Microsoft Graph API resource name or ID
  Required: No
  Azure path to find this: Azure Active Directory > App Registrations > Endpoints > Microsoft Azure AD Graph API Endpoint

Field: Redirect Service
  Description: For MFA via Email, add an optional redirect service used to simplify the MFA email and remove the need to cut and paste the authorization code. The default is a free service at

Click Create Provider when finished.

Add provider to authentication chain

Click Update.

Updated at Mon, Aug 28, 2023