identity space


Do you know how to redirect users' Office 365 access requests to a secure gateway? I am trying to configure users' authentication through a secure gateway before they access the Office 365 tenant. I provide 5 screenshots to describe the process. Where must the administrator configure this redirection: in OWA? Azure AD? In Office 365 administration? In PowerShell? I don't know how to do the same a

3 Replies

@gwendal55 

 

Well, actually the screenshots mentioned in your post are missing (or not displayed to me), so I can only guess what your "process" looks like and what you are finally trying to achieve. Especially, what do you understand by the term secure gateway? A cloud proxy solution, a CASB system, a federation service, hmm ;) ?

As every O365 tenant finally depends on Azure AD as identity provider, I would say the starting point for configuring "authentication" is Azure AD. There are different approaches.

For example, supported AuthN methods for Hybrid Identity deployments are described under https://docs.microsoft.com/en-us/azure/active-directory/hybrid/

@Claus Witjes Here are the screenshots describing the process from screenshot 1 to screenshot 5. It would work without federation. I am trying to find out how it works, so as to repeat the same process for another tenant. Thanks


@gwendal55 Well, I think you need to contact your vendor (Apria) in order to figure out how to connect the gateway with Azure AD. If you are working for Apria.. you might want to get in touch with MS directly (Developer Support).

The website http://www.apriarsa.fr/public/portal/public/apriarsa.html does not provide much information to me personally (might be wrong) .. anyway I cannot speak/read French.

Microsoft Conditional Access has the capability to integrate with "custom controls". See documentation here.

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/controls#custom-controls-...

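Apria is not explicitly listed here... RSA (https://community.rsa.com/docs/DOC-81278) yes.

Providers currently offering a compatible service include: Duo Security, Entrust Datacard, GSMA, Ping Identity, RSA, SecureAuth, Silverfort, Symantec VIP, Thales (Gemalto), Trusona.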

This basically requires the Apria Secure Gateway solution to be registered in Azure AD (usually an App Registration + Conditional Access Custom Control config).  I have personally configured this scenario with Ping Identity (PingID) as 2FA provider and can say it works as expected.