Skip to content

CyberFM

  • Home
  • FileMaker Security
  • Disclaimer
  • Privacy Policy
  • Home
  • Edward McPike
  • Authenticate Access to Your Solution with Microsoft Azure
  • Edward McPike

Authenticate Access to Your Solution with Microsoft Azure

Dimitris Kokoutsidis 4 years ago2 weeks ago31 mins0

Authenticating Access to Your Solution with Microsoft Azure Active Directory

Edward McPike, Claris Engage 2020

Table of Contents

  • Introduction
  • Understanding Azure Active Directory
    • What is Azure AD?
    • Benefits of Using Azure AD for Authentication
  • Prerequisites
  • Overview of Authentication Flow
  • Step-by-Step Guide to Authenticating with Azure AD
    • 1. Preparing Your Environment
      • Ensuring Proper Access and Permissions
      • Setting Up Necessary Tools
    • 2. Registering Your Application in Azure AD
      • Accessing the Azure Portal
      • Creating a New App Registration
      • Configuring Application Settings
    • 3. Configuring FileMaker Server for Azure Authentication
      • Accessing the FileMaker Server Admin Console
      • Enabling External Authentication
      • Inputting Azure Application IDs and Keys
    • 4. Setting Up Azure AD Groups for Access Control
      • Understanding Group-Based Authentication
      • Creating Security Groups in Azure AD
      • Assigning Users to Groups
      • Using Dynamic Group Membership
    • 5. Configuring Your FileMaker Solution
      • Accessing Security Settings in FileMaker Pro
      • Linking Azure AD Groups to Privilege Sets
      • Understanding Privilege Sets and Extended Privileges
    • 6. Inviting External Users for B2B Collaboration
      • Enabling External Identities in Azure AD
      • Configuring Collaboration Settings
      • Inviting Guest Users
      • Accepting Invitations as a Guest User
    • 7. Testing the Authentication Process
      • Logging in with Azure AD Credentials
      • Verifying Multi-Factor Authentication
      • Checking Access Levels and Permissions
    • 8. Managing and Monitoring Access
      • Monitoring Sign-In Activity
      • Managing Group Membership
      • Revoking Access for Users
  • Advanced Topics
    • Implementing Multi-Factor Authentication (MFA)
      • Configuring MFA Policies in Azure AD
      • User Experience with MFA
    • Using Custom Domains and Branding
      • Adding Custom Branding to Sign-In Pages
    • Integrating with Other Identity Providers
      • Setting Up External Identity Providers
      • SAML and WS-Fed Integration
  • Troubleshooting Common Issues
    • Authentication Failures
    • Group Membership Not Recognized
    • MFA Challenges
  • Security Best Practices
    • Regularly Updating Secrets and Certificates
    • Monitoring for Suspicious Activity
    • Ensuring Compliance with Policies
  • Additional Resources
  • Conclusion

Introduction

In the modern digital era, ensuring secure and efficient access to applications is paramount. As organizations increasingly adopt cloud services and remote work environments, managing user authentication becomes both more complex and more critical. Microsoft Azure Active Directory (Azure AD) provides a robust platform for identity and access management, enabling developers and administrators to enhance security while simplifying user experiences.

This comprehensive guide explores how to authenticate access to your solutions using Microsoft Azure AD. We will delve into detailed steps, from setting up your Azure AD environment to configuring your application and testing the authentication process. By the end of this guide, you will have a thorough understanding of integrating Azure AD authentication into your solution, leveraging features like group-based access control, multi-factor authentication, and business-to-business (B2B) collaboration.

Understanding Azure Active Directory

What is Azure AD?

Azure Active Directory is Microsoft’s cloud-based identity and access management service. It helps employees sign in and access resources in:

  • External resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
  • Internal resources, like apps on your corporate network and intranet, along with any cloud apps developed by your organization.

Azure AD offers features like:

  • Single Sign-On (SSO)
  • Multi-Factor Authentication (MFA)
  • Conditional Access Policies
  • User and Group Management

Benefits of Using Azure AD for Authentication

  • Enhanced Security: Implement strong authentication mechanisms, including MFA and conditional access.
  • Centralized Identity Management: Manage user identities and access permissions from a single platform.
  • Scalability: Easily scale to accommodate growth in users and applications.
  • Integration Capabilities: Seamlessly integrate with a wide range of Microsoft and third-party services.
  • B2B Collaboration: Share resources with external users while maintaining control over your data.

Prerequisites

Before proceeding, ensure you have:

  • An Azure Subscription: Access to the Azure portal with permissions to create applications and manage Azure AD.
  • FileMaker Server: Installed and configured, with administrative access.
  • FileMaker Pro: For configuring security settings within your solution.
  • Administrative Access: Permissions to manage Azure AD settings and FileMaker Server configurations.
  • Basic Understanding: Familiarity with Azure AD concepts, OAuth 2.0, OpenID Connect, and FileMaker Server administration.

Overview of Authentication Flow

Understanding the authentication flow helps in configuring and troubleshooting the process.

  1. User Accesses Application: The user attempts to access your solution (e.g., via FileMaker Pro or WebDirect).
  2. Authentication Request: The application redirects the user to Azure AD for authentication.
  3. User Authenticates with Azure AD: The user enters their Azure AD credentials and completes any additional verification (e.g., MFA).
  4. Token Issuance: Upon successful authentication, Azure AD issues an access token and an ID token to the user.
  5. Application Validates Token: Your solution validates the token to ensure it is from a trusted source.
  6. Access Granted: The user gains access to the application with permissions based on their group memberships and assigned privilege sets.

Step-by-Step Guide to Authenticating with Azure AD

1. Preparing Your Environment

Ensuring Proper Access and Permissions

  • Azure AD Administrator Rights: Verify that you have sufficient permissions to create app registrations and manage Azure AD settings.
  • FileMaker Server Administrator: Ensure you can access and modify settings in the FileMaker Server Admin Console.
  • Network Considerations: Confirm that necessary network ports are open and that your server is accessible over HTTPS.

Setting Up Necessary Tools

  • Web Browser: Use a modern browser (e.g., Microsoft Edge, Chrome, Firefox) for accessing the Azure portal and FileMaker Server Admin Console.
  • Secure Storage: Have a secure method for storing sensitive information like client secrets and application IDs.

2. Registering Your Application in Azure AD

Accessing the Azure Portal

  1. Sign In: Navigate to https://portal.azure.com and sign in with your Azure account credentials.
  2. Azure AD Overview: In the portal’s left-hand navigation menu, select Azure Active Directory.

Creating a New App Registration

  1. App Registrations: In the Azure AD menu, click on App registrations.
  2. New Registration: Click + New registration to create a new application.
  3. Application Details:
    • Name: Enter a descriptive name (e.g., MySolution_FileMakerServer).
    • Supported Account Types:
      • Single tenant: Only users in your organization’s directory.
      • Multitenant: Users in any Azure AD directory (useful for B2B collaboration).
    • Redirect URI:
      • Type: Select Web.
      • URI: Enter your FileMaker Server’s OAuth callback URL, typically https://yourserver.domain.com/oauth/callback.
  4. Register: Click Register to create the application.

Configuring Application Settings

After registration, you’ll be directed to the application’s Overview page.

  1. Application (client) ID: Note this GUID; it uniquely identifies your app.
  2. Directory (tenant) ID: Note this as well; it identifies your Azure AD tenant.

Configuring Redirect URIs

  1. Authentication Settings: From the left menu, select Authentication.
  2. Redirect URIs: Verify that the URI matches the one required by FileMaker Server.
  3. Implicit Grant and Hybrid Flows:
    • ID tokens: Check this box to enable OpenID Connect authentication.
    • Access tokens: Typically not required for authentication-only scenarios.
  4. Logout URL (Optional): If desired, specify a logout URL for users.
  5. Save Changes: Click Save.

Setting Application Permissions

  1. API Permissions: In the left menu, select API permissions.
  2. Review Permissions: By default, your app should have the Microsoft Graph – User.Read permission.
  3. Adjust as Necessary: For basic authentication, no additional permissions are required.

Generating Client Secret

  1. Certificates & Secrets: Select Certificates & secrets from the left menu.
  2. New Client Secret:
    • Click + New client secret.
    • Description: Enter something like FileMakerServerSecret.
    • Expires: Choose an appropriate expiration (e.g., 1 year, 2 years, or Never).
    • Add: Click Add.
  3. Copy the Secret:
    • The secret’s value will be displayed once.
    • Important: Copy the Value (not the Secret ID) immediately and store it securely.

Configuring Group Claims in the Token

To receive group information in the token (necessary for group-based access control):

  1. Manifest: Select Manifest from the left menu.
  2. Edit Group Membership Claims:
    • Find the groupMembershipClaims setting.
    • Change its value from null to "SecurityGroup".
    • Example:jsonCopy code"groupMembershipClaims": "SecurityGroup",
  3. Save: Click Save to apply changes.

3. Configuring FileMaker Server for Azure Authentication

Accessing the FileMaker Server Admin Console

  1. Open Admin Console: Navigate to your FileMaker Server Admin Console, typically at https://yourserver.domain.com/admin-console.
  2. Log In: Use your administrative credentials.

Enabling External Authentication

  1. Administration Tab: In the Admin Console, go to the Administration section.
  2. External Authentication: Select External Authentication from the side menu.
  3. Enable Identity Providers:
    • Ensure that External Authentication is enabled.
    • Enable Microsoft by toggling the switch to On.

Inputting Azure Application IDs and Keys

  1. Edit Microsoft Settings: Click Change next to Microsoft.
  2. Enter Credentials:
    • Application ID: Paste the Application (client) ID from Azure AD.
    • Azure Key: Paste the Client Secret Value you copied earlier.
    • Azure Directory ID: Paste the Directory (tenant) ID.
  3. Redirect URI: Verify that the Redirect URI matches the one configured in Azure AD.
  4. Save Settings: Click Save Authentication Settings.

4. Setting Up Azure AD Groups for Access Control

Understanding Group-Based Authentication

  • Groups: Azure AD groups allow you to manage user permissions collectively.
  • Privilege Sets: In your FileMaker solution, you can assign privilege sets to groups, streamlining access control.

Creating Security Groups in Azure AD

  1. Navigate to Groups: In Azure AD, select Groups from the left-hand menu.
  2. New Group: Click + New group.
  3. Group Details:
    • Group Type: Ensure Security is selected.
    • Group Name: Enter a clear name (e.g., FM_FullAccess, FM_DataEntry, FM_ReadOnly).
    • Group Description: Optional but helpful for clarity.
    • Membership Type:
      • Assigned: Manually add members.
      • Dynamic User: Use rules to automatically include users.
    • Owners: Add yourself or other administrators.
    • Members: Add users who should have this group’s permissions.
  4. Create: Click Create to finalize the group.

Assigning Users to Groups

  1. Add Members:
    • Open the group from the list.
    • Select Members.
    • Click + Add members.
    • Search for users and select them.
    • Click Select to add them.
  2. Bulk Operations (Optional):
    • Use bulk operations for adding multiple users via CSV or scripts.

Using Dynamic Group Membership

  1. Set Membership Type:
    • When creating the group, choose Dynamic User.
  2. Define Rules:
    • Click Add dynamic query.
    • Use Azure AD’s rule syntax to define membership criteria.
    • Example Rule: user.department -eq "Sales"
  3. Validate and Save:
    • Use the Validate feature to test your rule.
    • Click Save to apply.
  4. Benefits:
    • Automatically include users based on attributes.
    • Reduces manual management.

5. Configuring Your FileMaker Solution

Accessing Security Settings in FileMaker Pro

  1. Open Your Solution: Launch FileMaker Pro and open your solution file.
  2. Manage Security:
    • Go to File > Manage > Security.
    • The Manage Security dialog appears.

Linking Azure AD Groups to Privilege Sets

  1. Change Authentication Method:
    • At the bottom-left, change Authentication via to Microsoft Azure AD.
    • A warning may appear if the server isn’t properly configured; ensure previous steps are complete.
  2. Add New Account (Group):
    • Click New to add a new account.
    • Account is a: Select Group.
    • Group Name: Paste the Object ID of the Azure AD group.
      • In Azure AD, navigate to the group’s Overview page to find the Object ID.
    • Privilege Set: Assign the appropriate privilege set (e.g., Full Access, Data Entry Only).
    • Description: Enter the group’s name or any helpful note.
  3. Repeat for Other Groups: Add entries for each Azure AD group.
  4. Review Extended Privileges:
    • Ensure that each privilege set has the correct extended privileges (e.g., fmwebdirect for WebDirect access).
  5. Save Changes: Click OK to apply security settings.

Understanding Privilege Sets and Extended Privileges

  • Privilege Sets: Define what a user can do within the solution (e.g., view records, edit layouts).
  • Extended Privileges: Control access to specific features (e.g., WebDirect, FileMaker Pro).
  • Best Practices:
    • Use least privilege principles.
    • Regularly review privilege sets for compliance.

6. Inviting External Users for B2B Collaboration

Enabling External Identities in Azure AD

  1. External Identities: In Azure AD, select External Identities.
  2. Collaboration Settings:
    • Click on External collaboration settings.

Configuring Collaboration Settings

  1. Guest User Access:
    • Choose the appropriate level of access for guest users.
    • Recommended: Guest users have limited access to properties and memberships of directory objects.
  2. Guest Invite Settings:
    • Admins and users in the guest inviter role can invite: Set to Yes.
    • Members can invite: Set according to your organization’s policy (usually No).
    • Guests can invite: Typically No to prevent guests from inviting others.
  3. Collaboration Restrictions:
    • Allow invitations to be sent to any domain: Enables inviting users from any domain.
    • Deny invitations to the specified domains: Use to block specific domains (e.g., personal email providers).
    • Allow invitations only to the specified domains: Restrict invitations to approved domains.
  4. Save Changes: Click Save.

Inviting Guest Users

  1. Users Menu: In Azure AD, select Users.
  2. New Guest User:
    • Click + New guest user.
    • Choose Invite user.
  3. Enter User Information:
    • Name: Full name of the guest user.
    • Email address: Guest user’s email (must be associated with their Azure AD).
    • Personal Message: Optional message explaining the invitation.
  4. Assign Groups:
    • Under Groups, assign the guest user to the appropriate group(s).
  5. Send Invitation: Click Invite to send the invitation email.

Accepting Invitations as a Guest User

  1. Guest Receives Email: The guest user receives an email invitation.
  2. Accept Invitation:
    • Click Accept Invitation in the email.
    • Sign in with their Azure AD credentials.
  3. Consent to Permissions:
    • The guest may be prompted to consent to permissions requested by your application.
  4. Set Up MFA (If Required):
    • The guest user may need to set up MFA according to your policies.

7. Testing the Authentication Process

Logging in with Azure AD Credentials

  1. Launch Application:
    • Open your FileMaker solution or access via WebDirect.
  2. Azure AD Login Prompt:
    • The login dialog now includes an option to Login with Microsoft.
    • Click the Microsoft logo or Login with Microsoft button.
  3. Authenticate:
    • Enter Azure AD credentials when prompted.
    • For guest users, they use their own organization’s Azure AD credentials.

Verifying Multi-Factor Authentication

  1. MFA Prompt:
    • If MFA is enabled, the user is prompted to complete additional verification.
  2. Complete MFA:
    • Methods may include:
      • Authenticator App: Approve the sign-in request.
      • Phone Call or SMS: Enter a code received via text or call.
      • Hardware Token: Use a physical device.
  3. Successful Authentication:
    • Upon completion, access is granted.

Checking Access Levels and Permissions

  1. Verify Access:
    • Ensure that the user has the correct permissions within the application.
    • Test functionality corresponding to their privilege set.
  2. Test Different User Accounts:
    • Repeat the login process with users from different groups.
    • Confirm that permissions are enforced as expected.
  3. Troubleshoot if Necessary:
    • Common issues may include:
      • Incorrect group Object IDs.
      • Delays in group membership updates.
      • Misconfigured privilege sets.

8. Managing and Monitoring Access

Monitoring Sign-In Activity

  1. Azure AD Sign-In Logs:
    • In Azure AD, navigate to Sign-ins under Monitoring.
    • View sign-in activity, success, and failures.
  2. Audit Logs:
    • Access Audit logs to track changes and activities within Azure AD.

Managing Group Membership

  1. Update Group Members:
    • Add or remove users from groups as roles change.
  2. Dynamic Groups:
    • Ensure dynamic membership rules are up-to-date.
  3. Review Group Assignments:
    • Regularly verify that users are in the correct groups.

Revoking Access for Users

  1. Disable User Accounts:
    • For internal users, disable or delete their Azure AD account.
  2. Remove from Groups:
    • Remove users from groups to revoke specific permissions.
  3. Guest Users:
    • Delete guest user accounts to fully revoke access.

Advanced Topics

Implementing Multi-Factor Authentication (MFA)

Configuring MFA Policies in Azure AD

  1. Azure AD MFA Settings:
    • Navigate to Azure Active Directory > Security > Conditional Access.
  2. Create a New Policy:
    • Click + New policy.
    • Name: Provide a descriptive name (e.g., Require MFA for All Users).
    • Assignments:
      • Users and Groups: Select users or groups to require MFA.
      • Cloud Apps: Select All cloud apps or specific applications.
    • Access Controls:
      • Grant: Require Multi-factor authentication.
    • Enable Policy: Set to On.
  3. Save: Click Create to enforce the policy.

User Experience with MFA

  • First-Time Setup:
    • Users will be prompted to set up MFA methods.
    • Options may include mobile app verification, phone calls, or SMS.
  • Ongoing Use:
    • Users will need to complete MFA challenges when logging in, based on your policies.

Using Custom Domains and Branding

Adding Custom Branding to Sign-In Pages

  1. Company Branding:
    • In Azure AD, select Company branding under Azure Active Directory.
  2. Configure Branding:
    • Sign-in Page Image: Upload your logo.
    • Banner Logo: Add a banner if desired.
    • Background Color: Choose a color that matches your branding.
    • Sign-in Page Text: Add custom messages or instructions.
  3. Save: Click Save to apply changes.

Benefits

  • Enhanced User Experience: Familiar branding increases user trust.
  • Professional Appearance: Presents a cohesive company image.

Integrating with Other Identity Providers

Setting Up External Identity Providers

  1. External Identities:
    • In Azure AD, select External Identities > All identity providers.
  2. Add Identity Provider:
    • Click + New identity provider.
    • Choose from options like Google, Facebook, SAML, or WS-Fed.

SAML and WS-Fed Integration

  1. SAML Provider Configuration:
    • Metadata URL: Provide the metadata URL from the external IdP.
    • Sign-on URL: Specify the sign-on URL if necessary.
  2. WS-Fed Provider Configuration:
    • Similar steps, tailored to WS-Fed requirements.
  3. Benefits:
    • Allows users with non-Azure AD accounts to authenticate.
    • Useful for integrating with partners or other organizations.

Troubleshooting Common Issues

Authentication Failures

  • Incorrect Application IDs or Secrets:
    • Verify that the Application ID and Client Secret in FileMaker Server match those in Azure AD.
  • Token Errors:
    • Check that the groupMembershipClaims setting is correct in the app manifest.
  • Network Issues:
    • Ensure that the server is accessible over HTTPS and that firewalls allow necessary traffic.

Group Membership Not Recognized

  • Propagation Delays:
    • Changes in Azure AD may take time to propagate. Wait a few minutes and retry.
  • Incorrect Object IDs:
    • Confirm that the correct Object ID is used in FileMaker’s security settings.
  • User Not in Group:
    • Verify that the user is a member of the required group.

MFA Challenges

  • User Unable to Complete MFA:
    • Ensure that users have registered their MFA methods.
  • MFA Not Prompting:
    • Check conditional access policies to confirm that MFA is required for the user and application.

Security Best Practices

Regularly Updating Secrets and Certificates

  • Client Secrets:
    • Set expiration periods and renew secrets before they expire.
  • Certificates:
    • Use certificates for authentication where possible, rotating them regularly.

Monitoring for Suspicious Activity

  • Azure AD Reports:
    • Regularly review sign-in and audit logs.
  • Alerts:
    • Set up alerts for unusual activities, such as multiple failed login attempts.

Ensuring Compliance with Policies

  • Access Reviews:
    • Periodically review group memberships and access rights.
  • Policy Enforcement:
    • Use conditional access policies to enforce security requirements.
  • Data Protection:
    • Ensure that data handling complies with regulations like GDPR or HIPAA.

Additional Resources

  • Azure AD Documentation:
    • Azure Active Directory Documentation
  • FileMaker Security Guide:
    • FileMaker Security Guide
  • OAuth 2.0 and OpenID Connect:
    • OAuth 2.0 Authorization Framework
    • OpenID Connect Core 1.0
  • Azure MFA:
    • What is Azure Multi-Factor Authentication?
  • B2B Collaboration:
    • Azure AD B2B Documentation
  • Conditional Access Policies:
    • Azure AD Conditional Access
  • Dynamic Groups:
    • Dynamic Membership Rules for Groups in Azure Active Directory

Conclusion

Integrating Microsoft Azure Active Directory authentication into your solution enhances security, simplifies user management, and provides a seamless experience for both internal and external users. By leveraging Azure AD’s robust features, such as group-based access control, multi-factor authentication, and B2B collaboration, you can ensure that only authorized users gain access to your applications while reducing administrative overhead.

This comprehensive guide has walked you through the detailed steps required to set up and configure Azure AD authentication for your solution. By following these best practices and utilizing the advanced features available, you position your organization to meet the security challenges of today’s digital landscape effectively.

Note: Always keep security at the forefront when configuring authentication mechanisms. Regularly update and review your settings, stay informed about new features and updates from Microsoft, and consider consulting with security professionals to ensure compliance and optimal security posture.


Tagged: Account Active Directory Alerts API Audit Log Authentication Authorization Azure Best Book Claris Engage 2020 Cloud Compliance Credentials Documentation FileMaker Pro FileMaker Server Firewall GDPR Google Identity Install Integration Json Load Logging Login Management MFA Microsoft Monitoring Network OAuth Policy Practice Principle Privilege Provider Report Role Scalability Scenario Server SOC SSL SSO Step-by-Step Storing Test Troubleshoot Update UPS Web YouTube

Dimitris Kokoutsidis

Post navigation

September 18, 2020
Audit Log and Transactional Edits
September 18, 2020
Customizing the Zabbix Dashboard for FileMaker Server Monitoring