Read and follow https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial through, then make the additional modifications listed below.
When you get to the section Configure and test Azure AD single sign-on, there are some additional steps required to permission Azure Active Directory Users with Azure Active Directory Security Groups on SharePoint on-premise web applications.
Addendum to #2: Configure SharePoint on-premises Single-Sign-on:
Either add a mapping for Role as it is required to allow access to SharePoint on-premise with Azure Active Directory Security Groups:
#Add Role Mapping $ap = Get-SPTrustedIdentityTokenIssuer "AzureAD" $ap.ClaimTypes.Add("http://schemas.microsoft.com/ws/2008/06/identity/claims/role") $mapRole = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming $ap.AddClaimTypeInformation($mapRole) $ap.Update()
Alternatively, rather than add role mapping, include it when you configure SharePoint on-premises Single Sign-On:
Add-PSSnapin "Microsoft.SharePoint.PowerShell" $realm = "<Identifier value from the SharePoint on-premises Domain and URLs section in the Azure portal>" $wsfedurl="<SAML single sign-on service URL value which you have copied from the Azure portal>" $filepath="<Full path to SAML signing certificate file which you have downloaded from the Azure portal>" $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($filepath) New-SPTrustedRootAuthority -Name "AzureAD" -Certificate $cert $map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" -IncomingClaimTypeDisplayName "name" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" $map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" -IncomingClaimTypeDisplayName "GivenName" -SameAsIncoming $map3 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" -IncomingClaimTypeDisplayName "SurName" -SameAsIncoming $map4 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "Email" -SameAsIncoming $map5 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming $ap = New-SPTrustedIdentityTokenIssuer -Name "AzureAD" -Description "SharePoint secured by Azure AD" -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map,$map2,$map3,$map4,$map5 -SignInUrl $wsfedurl -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
Addendum to #3: Create an Azure AD test user
Create an Azure AD Security Group in the Azure Portal:
Click on Azure Active Directory, Groups, New group:
Fill in Group type, Group name, Group description, Membership type. Click on the arrow to select members, then search for or click on the member you will like to add to the group.
Click on Select to add the selected members, then click on Create.
Now its possible to search for and find the new group:
In order to assign Azure Active Directory Security Groups to SharePoint on-premise, it will be necessary to install and configure AzureCP in the on-premise SharePoint farm OR develop and configure an alternative custom claims provider for SharePoint. See the more information section at the end of the document for creating your own custom claims provider, if you don’t use AzureCP.
Addendum to #4: Assign the Azure AD test user
Assign the Azure AD Security Group in the Azure Portal:
Click on Azure Active Directory, Enterprise applications, then select the proper SharePoint on-premise application. It will appear however its named:
Click on Users and Groups:
Click on Add User:
Search for the Security Group you want to use, then click on the group to add it to the Select members section:
Click Select, then click Assign:
Check the notifications in the menu bar to be notified that the Group was successfully assigned to the Enterprise application in the Azure Portal:
Addendum to #5: Grant access to SharePoint on-premises test user
To grant access of the Azure Active Directory Security Group to the SharePoint on-premise web application, additional configuration is required:
- Configure Security Groups and Permissions on the App Registration
- Configure the AzureCP on the SharePoint on-premise farm or an alternative custom claims provider solution. In this example, we are using AzureCP
- Grant access to the Azure Active Directory Security Group in the on-premise SharePoint
1. Configure Security Groups and Permissions on the App Registration in the Azure Portal.
Click on Azure Active Directory, App registrations, View all applications:
Select the proper application:
Click on Manifest:
Modify "groupMembershipClaims": "NULL", To "groupMembershipClaims": "SecurityGroup", Then, click on Save
Click on Settings, then click on Required permissions:
Click on Add. Select an API
We are going to add both Windows Azure Active Directory and Microsoft Graph, but it’s only possible to select 1 at a time.
Select Windows Azure Active Directory, check Read directory data and click on Select:
Then, click on Done. Go back and add Microsoft Graph and select Read directory data for it, as well. Click on Select and click on Done.
Now, under Required Settings, click on Grant permissions:
Click Yes to Grant permissions:
Check under notifications to determine if the permissions were successfully granted. If they are not, then the AzureCP will not work properly and it won’t be possible to configure SharePoint on-premise with Azure Active Directory Security Groups.
- Configure the AzureCP on the SharePoint on-premise farm
*Please note that AzureCP is not a Microsoft product or supported by Microsoft Technical Support.
Download, install and configure AzureCP on the on-premise SharePoint farm per https://yvand.github.io/AzureCP/
- Grant access to the Azure Active Directory Security Group in the on-premise SharePoint
The groups must be granted access to the application in SharePoint on-permise. Use the following steps to set the permissions to access the web application.
In Central Administration, click on Application Management, Manage web applications, then select the web application to activate the ribbon and click on User Policy:
Under Policy for Web Application, click on Add Users, then select the zone, click on Next. Click on the Address Book:
Then, search for and add the Azure Active Directory Security Group and click on OK:
Select the Permissions, then click on Finish:
See under Policy for Web Application, the Azure Active Directory Group is added. The group claim shows the Azure Active Directory Security Group Object Id for the User Name:
Browse to the SharePoint site collection and add the Group there, as well. Click on Site Settings, then click Site permissions and Grant Permissions. Search for the Group Role claim, assign the permission level and click Share:
Then, return to https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial#test-single-sign-on for #6: Testing single sign-on.
More Information:
Microsoft Graph Permissions Reference: https://docs.microsoft.com/en-us/graph/permissions-reference
Using Application Roles and Security Groups in your apps: https://www.youtube.com/watch?v=V8VUPixLSiM
Tech Community: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-Active-Directory-now-with-Group-Claims-and-Application/ba-p/243862
Azure AD SharePoint on-premise with multiple on-premise endpoints: https://sharepointwhoknew.wordpress.com/2019/02/01/sharepointazuressoapps/
Claims Providers:
Welcome to the SharePoint Blog! Learn best practices, news, and trends directly from the SharePoint team.