Configure Azure Active Directory Security Groups for use with SharePoint on-premises
Published Feb 22 2019 05:41 AM 12.1K Views
Microsoft

Read and follow https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial through, then make the additional modifications listed below.

 

When you get to the section Configure and test Azure AD single sign-on, there are some additional steps required to permission Azure Active Directory Users with Azure Active Directory Security Groups on SharePoint on-premise web applications.

 

Addendum to #2: Configure SharePoint on-premises Single-Sign-on:

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial#co...

 

Either add a mapping for Role as it is required to allow access to SharePoint on-premise with Azure Active Directory Security Groups:

#Add Role Mapping
$ap = Get-SPTrustedIdentityTokenIssuer "AzureAD"
$ap.ClaimTypes.Add("http://schemas.microsoft.com/ws/2008/06/identity/claims/role")
$mapRole = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
$ap.AddClaimTypeInformation($mapRole)
$ap.Update() 

Alternatively, rather than add role mapping, include it when you configure SharePoint on-premises Single Sign-On:

Add-PSSnapin "Microsoft.SharePoint.PowerShell"
$realm = "<Identifier value from the SharePoint on-premises Domain and URLs section in the Azure portal>"
$wsfedurl="<SAML single sign-on service URL value which you have copied from the Azure portal>"
$filepath="<Full path to SAML signing certificate file which you have downloaded from the Azure portal>"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($filepath)
New-SPTrustedRootAuthority -Name "AzureAD" -Certificate $cert
$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" -IncomingClaimTypeDisplayName "name" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" -IncomingClaimTypeDisplayName "GivenName" -SameAsIncoming
$map3 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" -IncomingClaimTypeDisplayName "SurName" -SameAsIncoming
$map4 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "Email" -SameAsIncoming
$map5 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
$ap = New-SPTrustedIdentityTokenIssuer -Name "AzureAD" -Description "SharePoint secured by Azure AD" -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map,$map2,$map3,$map4,$map5 -SignInUrl $wsfedurl -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

Addendum to #3: Create an Azure AD test user

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial#cr...

 

Create an Azure AD Security Group in the Azure Portal:

Click on Azure Active Directory, Groups, New group:

A3-1_NewGroup.jpg

Fill in Group type, Group name, Group description, Membership type. Click on the arrow to select members, then search for or click on the member you will like to add to the group.

A3-2_FillInGroupInfo.jpg

Click on Select to add the selected members, then click on Create.

A3-3_Create.jpg

Now its possible to search for and find the new group:

A3-4_SearchFindGroup.jpg

In order to assign Azure Active Directory Security Groups to SharePoint on-premise, it will be necessary to install and configure AzureCP in the on-premise SharePoint farm OR develop and configure an alternative custom claims provider for SharePoint. See the more information section at the end of the document for creating your own custom claims provider, if you don’t use AzureCP.

 

Addendum to #4: Assign the Azure AD test user

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial#as...

 

Assign the Azure AD Security Group in the Azure Portal:

Click on Azure Active Directory, Enterprise applications, then select the proper SharePoint on-premise application. It will appear however its named:

A4-1_SelectApp.jpg

Click on Users and Groups:

A4-2_ClickUsersGroups.jpg

Click on Add User:

A4-3_ClickAddUser.jpg

Search for the Security Group you want to use, then click on the group to add it to the Select members section:

A4-4_SearchAddGroup.jpg

Click Select, then click Assign:

A4-5_AddAssignment.jpg

Check the notifications in the menu bar to be notified that the Group was successfully assigned to the Enterprise application in the Azure Portal:

A4-6_ConfirmGroup.jpg

 

Addendum to #5: Grant access to SharePoint on-premises test user

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial#gr...

 

To grant access of the Azure Active Directory Security Group to the SharePoint on-premise web application, additional configuration is required:

  1. Configure Security Groups and Permissions on the App Registration
  2. Configure the AzureCP on the SharePoint on-premise farm or an alternative custom claims provider solution. In this example, we are using AzureCP
  3. Grant access to the Azure Active Directory Security Group in the on-premise SharePoint

1.  Configure Security Groups and Permissions on the App Registration in the Azure Portal.

Click on Azure Active Directory, App registrations, View all applications:

A5-1_ViewApps.jpg

Select the proper application:

A5-2_SelectApp.jpg

Click on Manifest:

A5-3_ClickManifest.jpg

Modify "groupMembershipClaims": "NULL",  
To "groupMembershipClaims": "SecurityGroup",
Then, click on Save

A5-4_EditManifest.jpg

Click on Settings, then click on Required permissions:

A5-5_RequiredPerms.jpg

Click on Add. Select an API

A5-6_AddAPIs.jpg

We are going to add both Windows Azure Active Directory and Microsoft Graph, but it’s only possible to select 1 at a time.

A5-7_SelectAPIs.jpg

Select Windows Azure Active Directory, check Read directory data and click on Select:

A5-8_SelectWinAADAPI.jpg

Then, click on Done. Go back and add Microsoft Graph and select Read directory data for it, as well. Click on Select and click on Done.

A5-9_SelectMSGraphAPI.jpg

Now, under Required Settings, click on Grant permissions:

A5-10_GrantPerms.jpg

Click Yes to Grant permissions:

A5-11_GrantPerms2.jpg

Check under notifications to determine if the permissions were successfully granted. If they are not, then the AzureCP will not work properly and it won’t be possible to configure SharePoint on-premise with Azure Active Directory Security Groups.

 

  1. Configure the AzureCP on the SharePoint on-premise farm

*Please note that AzureCP is not a Microsoft product or supported by Microsoft Technical Support.

Download, install and configure AzureCP on the on-premise SharePoint farm per https://yvand.github.io/AzureCP/

 

  1. Grant access to the Azure Active Directory Security Group in the on-premise SharePoint

The groups must be granted access to the application in SharePoint on-permise. Use the following steps to set the permissions to access the web application.

In Central Administration, click on Application Management, Manage web applications, then select the web application to activate the ribbon and click on User Policy:

A5-12_UserPolicy.jpg

Under Policy for Web Application, click on Add Users, then select the zone, click on Next. Click on the Address Book:

A5-13_PolicyforWA.jpg

Then, search for and add the Azure Active Directory Security Group and click on OK:

A5-14_Picker1.jpg

Select the Permissions, then click on Finish:

A5-15_PolicyforWA2.jpg

See under Policy for Web Application, the Azure Active Directory Group is added. The group claim shows the Azure Active Directory Security Group Object Id for the User Name:

A5-16_PolicyforWAPerms.jpg

Browse to the SharePoint site collection and add the Group there, as well. Click on Site Settings, then click Site permissions and Grant Permissions. Search for the Group Role claim, assign the permission level and click Share:

A5-17_AddToSitePerms.jpg

Then, return to https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial#te... for #6: Testing single sign-on.

 

More Information:

Microsoft Graph Permissions Reference: https://docs.microsoft.com/en-us/graph/permissions-reference

Using Application Roles and Security Groups in your apps: https://www.youtube.com/watch?v=V8VUPixLSiM

Tech Community: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-Active-Directory-now-wi...

Azure AD SharePoint on-premise with multiple on-premise endpoints: https://sharepointwhoknew.wordpress.com/2019/02/01/sharepointazuressoapps/

Claims Providers:

https://docs.microsoft.com/en-us/sharepoint/dev/general-development/how-to-create-a-claims-provider-...

https://docs.microsoft.com/en-us/previous-versions/office/developer/sharepoint-2010/ff699494%28v%3do...

https://docs.microsoft.com/en-us/sharepoint/administration/plan-for-custom-claims-providers-for-peop...

 

5 Comments
Copper Contributor

Hi Melissa

Great addition to the original article about how to bind sp onprem with azure ad directly.

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial#te...

 

I have a minor but important step to add.

- from the azure portal, when the manifest for the application is changed to "SecurityGroup"

Modify "groupMembershipClaims": "NULL",  
To "groupMembershipClaims": "SecurityGroup",
Then, click on Save

After this is done, you will need to configure which and how the new claim-attribute is mapped from azure.

 

Again thanks - i have been trying to solve this for weeks now.

 

/Regards

Johannes

Microsoft
Hi @Johannes Decca-Winding thank you for the reply. I am so glad you found this helpful and thanks for the feedback, too!! Regarding the feedback, Configure which and how the new claim-attribute is mapped from azure: I am not sure what exactly you mean.....I went back into my azure configuration and under the path Enterprise applications - All applications, my selected app (SP16T2-SharePoint on-premises - Single sign-on), then clicking on SAML-based sign-on, then User Attributes & Claims, I see a value for user.groups but there is no claim name, name or namespace configured for it. only the value of user.group. Also, I don't recall adding it there myself (I totally could have and forgot about it). The other claims showing up are there by default. Do you mean this or some other place in Azure? I will like to understand what specifically you mean, please. Kind regards, Melissa
Copper Contributor

Hi Melissa

Yes just as you described, here is a screenshot from where i configured the missing things.

I my environment i could not gain access to SharePoint, before the below was in place.

 

regards

Johannes

 

azure_spRoleClaim.png

Microsoft

Hi @Johannes Decca-Winding,

 

Thank you SO much for sharing.  I don't have any values specified there in my configuration and it is working without error, so I cant explain that but its why I didn't include in the original post.   I will update the post and the doc and cite you.  Please let me know of any other differences or suggestions.  Thanks again for sharing and following up with me. 

 

Kind regards,
Melissa

Copper Contributor

Thank you so much for the update :hearteyes::hearteyes:

Regards,

Olivia

Version history
Last update:
‎Mar 20 2019 09:02 AM
Updated by: