Page 1: techcommunity.microsoft.com · Web viewWhen you get to the section Configure and test Azure AD single sign-on, there are some additional steps required to permission Azure Active

Configure Azure Active Directory Security Groups for use with SharePoint on-premises. Follow https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial and make the additional modifications listed below.

When you get to the section Configure and test Azure AD single sign-on, there are some additional steps required to grant Azure Active Directory users access through Azure Active Directory Security Groups on SharePoint on-premise web applications.

Addendum to #2: Configure SharePoint on-premises Single-Sign-on:

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial#configure-sharepoint-on-premises-single-sign-on

Either add a mapping for Role, as it is required to allow access to SharePoint on-premise with Azure Active Directory Security Groups:

# Add Role Mapping to the existing trusted identity token issuer
$ap = Get-SPTrustedIdentityTokenIssuer "AzureAD"
$ap.ClaimTypes.Add("http://schemas.microsoft.com/ws/2008/06/identity/claims/role")
$mapRole = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
$ap.AddClaimTypeInformation($mapRole)
$ap.Update()

Alternatively, rather than adding the role mapping afterwards, include it when you configure SharePoint on-premises Single Sign-On:

Add-PSSnapin "Microsoft.SharePoint.PowerShell"
# Values copied from the Azure portal (see the tutorial section linked above)
$realm = "<Identifier value from the SharePoint on-premises Domain and URLs section in the Azure portal>"
$wsfedurl = "<SAML single sign-on service URL value which you have copied from the Azure portal>"
$filepath = "<Full path to SAML signing certificate file which you have downloaded from the Azure portal>"
# Register the Azure AD SAML signing certificate as a trusted root authority in the farm
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($filepath)
New-SPTrustedRootAuthority -Name "AzureAD" -Certificate $cert
# Claim mappings: the incoming "name" claim becomes the local UPN claim; the others keep their incoming claim type
$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" -IncomingClaimTypeDisplayName "name" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" -IncomingClaimTypeDisplayName "GivenName" -SameAsIncoming
$map3 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" -IncomingClaimTypeDisplayName "SurName" -SameAsIncoming
$map4 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "Email" -SameAsIncoming
# The Role mapping is what carries the Azure Active Directory Security Group claims
$map5 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
# Create the trusted identity token issuer with all five mappings
$ap = New-SPTrustedIdentityTokenIssuer -Name "AzureAD" -Description "SharePoint secured by Azure AD" -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map,$map2,$map3,$map4,$map5 -SignInUrl $wsfedurl -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

Melissa Bajric February 2019

Addendum to #3: Create an Azure AD test user
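As an added example (not part of the original document or the Microsoft tutorial it references), the following Python script simulates the claim-type mapping configured above on a constructed, unsigned SAML assertion and shows why the Role mapping matters: without it, the group object IDs carried in the role claim are dropped before SharePoint ever sees them. The assertion, user and group IDs are made-up placeholders, and the script only inspects attributes; signature validation is outside its scope.

```python
# Added example, not from the original document: simulate SharePoint's
# claim-type mapping on a SAML assertion and check that the Role claim
# (carrying Azure AD group object IDs here) survives. No signature checks.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
WS05 = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
WS08 = "http://schemas.microsoft.com/ws/2008/06/identity/claims/"
ROLE_CLAIM = WS08 + "role"

# (incoming claim type, local claim type) exactly as configured above;
# -SameAsIncoming means the local type equals the incoming type.
BASE_MAPPINGS = [
    (WS05 + "name", WS05 + "upn"),
    (WS05 + "givenname", WS05 + "givenname"),
    (WS05 + "surname", WS05 + "surname"),
    (WS05 + "emailaddress", WS05 + "emailaddress"),
]
ROLE_MAPPING = (ROLE_CLAIM, ROLE_CLAIM)

# Constructed sample assertion; the user and group IDs are placeholders.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:AttributeStatement>
    <saml:Attribute Name="{WS05}name">
      <saml:AttributeValue>alice@contoso.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{ROLE_CLAIM}">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
      <saml:AttributeValue>66666666-7777-8888-9999-000000000000</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_attributes(assertion_xml):
    """Return {attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    return {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
            for a in root.iterfind(".//saml:Attribute", NS)}

def map_claims(attrs, mappings):
    """Keep only attributes that have a mapping, renamed to the local type."""
    local = dict(mappings)
    return {local[n]: v for n, v in attrs.items() if n in local}

def check_group_access(assertion_xml, mappings):
    """Identity SharePoint would see, plus the group IDs left after mapping."""
    claims = map_claims(parse_attributes(assertion_xml), mappings)
    return {"identity": claims.get(WS05 + "upn", [None])[0],
            "groups": claims.get(ROLE_CLAIM, [])}
```

Run check_group_access once with BASE_MAPPINGS and once with BASE_MAPPINGS + [ROLE_MAPPING]: only the second call returns the group object IDs, which is exactly the gap the Role mapping closes.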

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial#create-an-azure-ad-test-user

Create an Azure AD Security Group in the Azure Portal: Click on Azure Active Directory, Groups, New group:

Fill in Group type, Group name, Group description and Membership type. Click on the arrow to select members, then search for or click on the member you would like to add to the group.

Click on Select to add the selected members, then click on Create.

Now it's possible to search for and find the new group:

In order to assign Azure Active Directory Security Groups to SharePoint on-premise, it will be necessary to install and configure AzureCP in the on-premise SharePoint farm, or to develop and configure an alternative custom claims provider for SharePoint. See the More Information section at the end of the document for creating your own custom claims provider, if you don't use AzureCP.

Addendum to #4: Assign the Azure AD test user

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial#assign-the-azure-ad-test-user

Assign the Azure AD Security Group in the Azure Portal:

Click on Azure Active Directory, Enterprise applications, then select the proper SharePoint on-premise application. It will appear under whatever name it was given:

Click on Users and Groups:

Click on Add User:

Search for the Security Group you want to use, then click on the group to add it to the Select members section:

Click Select, then click Assign:

Check the notifications in the menu bar to be notified that the Group was successfully assigned to the Enterprise application in the Azure Portal:

Addendum to #5: Grant access to SharePoint on-premises test user

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial#grant-access-to-sharepoint-on-premises-test-user

To grant the Azure Active Directory Security Group access to the SharePoint on-premise web application, additional configuration is required:

1. Configure Security Groups and Permissions on the App Registration
2. Configure the AzureCP on the SharePoint on-premise farm or an alternative custom claims provider solution. In this example, we are using AzureCP
3. Grant access to the Azure Active Directory Security Group in the on-premise SharePoint

1. Configure Security Groups and Permissions on the App Registration in the Azure Portal.

Click on Azure Active Directory, App registrations, View all applications:

Select the proper application:

Click on Manifest:

Modify "groupMembershipClaims": "NULL",

To "groupMembershipClaims": "SecurityGroup",

Then, click on Save

Click on Settings, then click on Required permissions:

Click on Add, then click on Select an API:

We are going to add both Windows Azure Active Directory and Microsoft Graph, but it's only possible to select one at a time.

Select Windows Azure Active Directory, check Read directory data and click on Select:

Then, click on Done. Go back and add Microsoft Graph and select Read directory data for it, as well. Click on Select and click on Done.

Now, under Required Settings, click on Grant permissions:

Click Yes to Grant permissions:

Check under notifications to determine if the permissions were successfully granted. If they are not, then the AzureCP will not work properly and it won’t be possible to configure SharePoint on-premise with Azure Active Directory Security Groups.

2. Configure the AzureCP on the SharePoint on-premise farm

*Please note that AzureCP is not a Microsoft product and is not supported by Microsoft Technical Support.

Download, install and configure AzureCP on the on-premise SharePoint farm per https://yvand.github.io/AzureCP/

3. Grant access to the Azure Active Directory Security Group in the on-premise SharePoint

The groups must be granted access to the application in SharePoint on-premise. Use the following steps to set the permissions to access the web application.

In Central Administration, click on Application Management, Manage web applications, then select the web application to activate the ribbon and click on User Policy:

Under Policy for Web Application, click on Add Users, then select the zone, click on Next. Click on the Address Book:

Then, search for and add the Azure Active Directory Security Group and click on OK:

Select the Permissions, then click on Finish:

Under Policy for Web Application, the Azure Active Directory Group is now listed. The group claim shows the Azure Active Directory Security Group Object Id as the User Name:

Browse to the SharePoint site collection and add the Group there, as well. Click on Site Settings, then click Site permissions and Grant Permissions. Search for the Group Role claim, assign the permission level and click Share:

Then, return to https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial#test-single-sign-on for #6: Testing single sign-on.

More Information:
===============
Microsoft Graph Permissions Reference: https://docs.microsoft.com/en-us/graph/permissions-reference
Using Application Roles and Security Groups in your apps: https://www.youtube.com/watch?v=V8VUPixLSiM
Tech Community: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-Active-Directory-now-with-Group-Claims-and-Application/ba-p/243862
Azure AD SharePoint on-premise with multiple on-premise endpoints: https://sharepointwhoknew.wordpress.com/2019/02/01/sharepointazuressoapps/
Claims Providers:
https://docs.microsoft.com/en-us/sharepoint/dev/general-development/how-to-create-a-claims-provider-in-sharepoint
https://docs.microsoft.com/en-us/previous-versions/office/developer/sharepoint-2010/ff699494%28v%3doffice.14%29
https://docs.microsoft.com/en-us/sharepoint/administration/plan-for-custom-claims-providers-for-people-picker
