Blog Post

Microsoft SharePoint Blog
6 MIN READ

Configure Azure Active Directory Security Groups for use with SharePoint on-premises

Melissa Bajric's avatar
Feb 22, 2019

Read and follow https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial through, then make the additional modifications listed below.

 

When you get to the section Configure and test Azure AD single sign-on, there are some additional steps required to permission Azure Active Directory Users with Azure Active Directory Security Groups on SharePoint on-premise web applications.

 

Addendum to #2: Configure SharePoint on-premises Single-Sign-on:

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial#configure-sharepoint-on-premises-single-sign-on

 

Either add a mapping for Role as it is required to allow access to SharePoint on-premise with Azure Active Directory Security Groups:

#Add Role Mapping
$ap = Get-SPTrustedIdentityTokenIssuer "AzureAD"
$ap.ClaimTypes.Add("http://schemas.microsoft.com/ws/2008/06/identity/claims/role")
$mapRole = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
$ap.AddClaimTypeInformation($mapRole)
$ap.Update() 

Alternatively, rather than add role mapping, include it when you configure SharePoint on-premises Single Sign-On:

Add-PSSnapin "Microsoft.SharePoint.PowerShell"
$realm = "<Identifier value from the SharePoint on-premises Domain and URLs section in the Azure portal>"
$wsfedurl="<SAML single sign-on service URL value which you have copied from the Azure portal>"
$filepath="<Full path to SAML signing certificate file which you have downloaded from the Azure portal>"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($filepath)
New-SPTrustedRootAuthority -Name "AzureAD" -Certificate $cert
$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" -IncomingClaimTypeDisplayName "name" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" -IncomingClaimTypeDisplayName "GivenName" -SameAsIncoming
$map3 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" -IncomingClaimTypeDisplayName "SurName" -SameAsIncoming
$map4 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "Email" -SameAsIncoming
$map5 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
$ap = New-SPTrustedIdentityTokenIssuer -Name "AzureAD" -Description "SharePoint secured by Azure AD" -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map,$map2,$map3,$map4,$map5 -SignInUrl $wsfedurl -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

Addendum to #3: Create an Azure AD test user

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial#create-an-azure-ad-test-user

 

Create an Azure AD Security Group in the Azure Portal:

Click on Azure Active Directory, Groups, New group:

Fill in Group type, Group name, Group description, Membership type. Click on the arrow to select members, then search for or click on the member you will like to add to the group.

Click on Select to add the selected members, then click on Create.

Now its possible to search for and find the new group:

In order to assign Azure Active Directory Security Groups to SharePoint on-premise, it will be necessary to install and configure AzureCP in the on-premise SharePoint farm OR develop and configure an alternative custom claims provider for SharePoint. See the more information section at the end of the document for creating your own custom claims provider, if you don’t use AzureCP.

 

Addendum to #4: Assign the Azure AD test user

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial#assign-the-azure-ad-test-user

 

Assign the Azure AD Security Group in the Azure Portal:

Click on Azure Active Directory, Enterprise applications, then select the proper SharePoint on-premise application. It will appear however its named:

Click on Users and Groups:

Click on Add User:

Search for the Security Group you want to use, then click on the group to add it to the Select members section:

Click Select, then click Assign:

Check the notifications in the menu bar to be notified that the Group was successfully assigned to the Enterprise application in the Azure Portal:

 

Addendum to #5: Grant access to SharePoint on-premises test user

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial#grant-access-to-sharepoint-on-premises-test-user

 

To grant access of the Azure Active Directory Security Group to the SharePoint on-premise web application, additional configuration is required:

  1. Configure Security Groups and Permissions on the App Registration
  2. Configure the AzureCP on the SharePoint on-premise farm or an alternative custom claims provider solution. In this example, we are using AzureCP
  3. Grant access to the Azure Active Directory Security Group in the on-premise SharePoint

1.  Configure Security Groups and Permissions on the App Registration in the Azure Portal.

Click on Azure Active Directory, App registrations, View all applications:

Select the proper application:

Click on Manifest:

Modify "groupMembershipClaims": "NULL",  
To "groupMembershipClaims": "SecurityGroup",
Then, click on Save

Click on Settings, then click on Required permissions:

Click on Add. Select an API

We are going to add both Windows Azure Active Directory and Microsoft Graph, but it’s only possible to select 1 at a time.

Select Windows Azure Active Directory, check Read directory data and click on Select:

Then, click on Done. Go back and add Microsoft Graph and select Read directory data for it, as well. Click on Select and click on Done.

Now, under Required Settings, click on Grant permissions:

Click Yes to Grant permissions:

Check under notifications to determine if the permissions were successfully granted. If they are not, then the AzureCP will not work properly and it won’t be possible to configure SharePoint on-premise with Azure Active Directory Security Groups.

 

  1. Configure the AzureCP on the SharePoint on-premise farm

*Please note that AzureCP is not a Microsoft product or supported by Microsoft Technical Support.

Download, install and configure AzureCP on the on-premise SharePoint farm per https://yvand.github.io/AzureCP/

 

  1. Grant access to the Azure Active Directory Security Group in the on-premise SharePoint

The groups must be granted access to the application in SharePoint on-permise. Use the following steps to set the permissions to access the web application.

In Central Administration, click on Application Management, Manage web applications, then select the web application to activate the ribbon and click on User Policy:

Under Policy for Web Application, click on Add Users, then select the zone, click on Next. Click on the Address Book:

Then, search for and add the Azure Active Directory Security Group and click on OK:

Select the Permissions, then click on Finish:

See under Policy for Web Application, the Azure Active Directory Group is added. The group claim shows the Azure Active Directory Security Group Object Id for the User Name:

Browse to the SharePoint site collection and add the Group there, as well. Click on Site Settings, then click Site permissions and Grant Permissions. Search for the Group Role claim, assign the permission level and click Share:

Then, return to https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial#test-single-sign-on for #6: Testing single sign-on.

 

More Information:

Microsoft Graph Permissions Reference: https://docs.microsoft.com/en-us/graph/permissions-reference

Using Application Roles and Security Groups in your apps: https://www.youtube.com/watch?v=V8VUPixLSiM

Tech Community: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-Active-Directory-now-with-Group-Claims-and-Application/ba-p/243862

Azure AD SharePoint on-premise with multiple on-premise endpoints: https://sharepointwhoknew.wordpress.com/2019/02/01/sharepointazuressoapps/

Claims Providers:

https://docs.microsoft.com/en-us/sharepoint/dev/general-development/how-to-create-a-claims-provider-in-sharepoint

https://docs.microsoft.com/en-us/previous-versions/office/developer/sharepoint-2010/ff699494%28v%3doffice.14%29

https://docs.microsoft.com/en-us/sharepoint/administration/plan-for-custom-claims-providers-for-people-picker 

 

Updated Mar 20, 2019
Version 7.0
  • Hi Melissa

    Great addition to the original article about how to bind sp onprem with azure ad directly.

    https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial#test-single-sign-on

     

    I have a minor but important step to add.

    - from the azure portal, when the manifest for the application is changed to "SecurityGroup"

    Modify "groupMembershipClaims": "NULL",  
    To "groupMembershipClaims": "SecurityGroup",
    Then, click on Save

    After this is done, you will need to configure which and how the new claim-attribute is mapped from azure.

     

    Again thanks - i have been trying to solve this for weeks now.

     

    /Regards

    Johannes

  • Hi Johannes Decca-Winding thank you for the reply. I am so glad you found this helpful and thanks for the feedback, too!! Regarding the feedback, Configure which and how the new claim-attribute is mapped from azure: I am not sure what exactly you mean.....I went back into my azure configuration and under the path Enterprise applications - All applications, my selected app (SP16T2-SharePoint on-premises - Single sign-on), then clicking on SAML-based sign-on, then User Attributes & Claims, I see a value for user.groups but there is no claim name, name or namespace configured for it. only the value of user.group. Also, I don't recall adding it there myself (I totally could have and forgot about it). The other claims showing up are there by default. Do you mean this or some other place in Azure? I will like to understand what specifically you mean, please. Kind regards, Melissa
  • Hi Melissa

    Yes just as you described, here is a screenshot from where i configured the missing things.

    I my environment i could not gain access to SharePoint, before the below was in place.

     

    regards

    Johannes

     

  • Hi Johannes Decca-Winding,

     

    Thank you SO much for sharing.  I don't have any values specified there in my configuration and it is working without error, so I cant explain that but its why I didn't include in the original post.   I will update the post and the doc and cite you.  Please let me know of any other differences or suggestions.  Thanks again for sharing and following up with me. 

     

    Kind regards,
    Melissa