Configure AAD security
You configure Azure AD security in three steps. First, you give EPP the details necessary for communication with the Azure AD service, then you map the specific information you need, and, finally, you turn on and schedule the AAD agent that extracts the information.
Prerequisite: Your Azure Active Directory is set up, configured, and populated with users.
To configure AAD security, complete the following tasks in EPP, in this order: configure AAD settings, configure AAD mappings, and configure the AAD Extraction Agent. Each task is described in its own section below.
Result: Azure AD users can now log in to EPP.
Azure Active Directory setting information
While these are not instructions for setting up a Microsoft Azure™ Active Directory system, this information is useful when configuring an Azure AD directory as a security source for EPP.
Note that the Azure Active Directory service is independent of any virtual machine; no VM needs to be running for EPP to work with or access Azure AD.
The following Azure AD setting information corresponds to AAD security settings in EPP.
API URL
This is the location used by EPP to communicate with Azure AD. EPP initially sets this to https://graph.windows.net, but it can be changed if required. Note that graph.windows.net is the legacy Azure AD Graph API, which Microsoft has deprecated in favor of Microsoft Graph; the API version and attribute names on this page are those of Azure AD Graph, so check your EPP release notes before pointing this setting at a different endpoint.
Application ID
Azure AD requires the connection to be associated with an application registered in the Azure system. This registration can be a placeholder; it does not have to correspond to a deployed application.
In the Azure AD configuration, create a new application and give it a name. Once the application is created it has an Application ID, which is entered in EPP as the AAD Client ID. The application registration must have the Azure Active Directory API selected with all read delegated permissions enabled. EPP only reads user attributes, so do not grant the registration any write permissions.
Domain
This is the name given to the directory created in the Azure AD system. The name is a combination of the Azure directory name and a suffix (<directoryName>.<suffix>). The default suffix is “onmicrosoft.com”. So, for example, if your directory name is myDirectory, the AAD Domain would be “myDirectory.onmicrosoft.com”.
To find the domain name (either the default name or the name defined when the directory was created), in the Azure portal, go to the Active Directory, open your directory, and select domains.
User ID
This is the user name of an account defined in your Azure AD that EPP signs in as to read directory information. Your Azure AD administrator must ensure that the Azure AD accounts used by EPP have passwords that do not expire. Password expiration behavior in Azure AD is controllable; the administrator can consult Microsoft documentation for details. Because EPP stores this credential and uses it unattended, create a dedicated account for EPP rather than reusing a person's account.
Password
The password defined when the user is created in the Azure AD system; it must be a non-expiring password. Treat it as a privileged credential: EPP stores it, and together with the User ID it grants read access to your whole directory. Because the credential is submitted directly to the authority to obtain a token, this sign-in cannot complete interactive multifactor authentication, so plan the Azure AD policies that apply to this account with that in mind.
Authority
EPP initially sets this to https://login.microsoftonline.com/common, but it can be changed if required. The common endpoint is not tied to a particular directory; a tenant-specific authority of the form https://login.microsoftonline.com/<yourDomain> restricts token requests to your own directory.
Version
EPP initially sets this to 1.6, but it can be changed if required.
Configure AAD settings
By default, EPP provides standard security for managing user IDs, names, and passwords. If user profiles are populated and managed via Azure AD service, configure AAD security instead.
Important: If you set up users and roles with AAD security mode enabled and then switch to Standard or LDAP mode, all current users except Admin will be deleted. Determine how your organization manages software users before selecting a security mode in EPP.
To configure AAD security settings, complete the following steps in EPP. You can also refer to AAD configuration settings.
- Go to Admin > System Configuration > Security.
- Select the AAD Settings tab.
- Enter the AAD Graph API URL, the location used by EPP to communicate with Azure AD.
- Enter the AAD Client ID, the identifier string created by registering an application in Azure AD.
- Enter the AAD Domain, the name defined when a directory is created in Azure AD.
- Enter the User ID: a user with global admin privileges defined in a directory within Azure AD. Use a dedicated account created for EPP.
- Enter the Password that corresponds with the User ID.
- Enter the AAD Authority, the endpoint to which credentials are sent in order to receive an access token.
- Enter the AAD API Version targeted by requests from EPP to the Azure system.
- Enter the Directory ID, found in Azure Active Directory > Properties > Directory ID.
- Select Save and then Close.
Postrequisite: Configure AAD mappings
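Before entering the values into the AAD Settings tab, it helps to check them and to see what requests they actually produce. The following Python script is an added example, not EPP code. It validates the settings for obvious mistakes and composes the two requests the settings imply: the token request sent to the AAD Authority and the user query sent to the AAD Graph API URL. It assumes EPP obtains its token with the standard Azure AD v1 password grant (<authority>/oauth2/token with the Graph URL as the resource), which matches the description of the Authority setting on this page but is not confirmed by it. The sample settings are constructed: the Client ID is the example ID from the settings reference, and the Directory ID, User ID and password are placeholders. Nothing is sent over the network.

```python
"""Check EPP AAD Settings values and show the requests they compose.

Added example, not EPP code. Assumes the Azure AD v1 password grant.
"""
import re
from urllib.parse import urlencode, urlparse

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")

# Constructed sample settings. Client ID is the example from the settings
# reference; Directory ID, User ID and password are placeholders.
SAMPLE_SETTINGS = {
    "graph_api_url": "https://graph.windows.net",
    "client_id": "369e06d5-376f-4e73-8a49-81dcc3da4f39",
    "domain": "myDirectory.onmicrosoft.com",
    "user_id": "epp-sync@myDirectory.onmicrosoft.com",  # placeholder account
    "password": "placeholder-secret",                    # placeholder value
    "authority": "https://login.microsoftonline.com/common",
    "api_version": "1.6",
    "directory_id": "00000000-0000-0000-0000-000000000000",  # placeholder
}


def validate_settings(s):
    """Return a list of problems; an empty list means the values look sane."""
    problems = []
    for key in ("graph_api_url", "authority"):
        parsed = urlparse(s.get(key, ""))
        if parsed.scheme != "https" or not parsed.netloc:
            problems.append(f"{key} must be an https:// URL")
    for key in ("client_id", "directory_id"):
        if not GUID_RE.match(s.get(key, "")):
            problems.append(f"{key} is not a GUID")
    if "." not in s.get("domain", ""):
        problems.append("domain should look like <directoryName>.<suffix>")
    if not s.get("user_id") or not s.get("password"):
        problems.append("user_id and password are required")
    if s.get("api_version") != "1.6":
        problems.append("api_version differs from the documented 1.6")
    return problems


def build_token_request(s):
    """Compose the password-grant token request implied by the Authority.

    The v1 token endpoint is <authority>/oauth2/token. The resource is the
    Graph API URL, so a token minted here is only valid for that API.
    Returns (url, form_fields); the form is what would be POSTed.
    """
    url = s["authority"].rstrip("/") + "/oauth2/token"
    form = {
        "grant_type": "password",
        "client_id": s["client_id"],
        "username": s["user_id"],
        "password": s["password"],
        "resource": s["graph_api_url"],
    }
    return url, form


def build_users_query(s):
    """Compose the Graph query that lists users in the configured directory."""
    base = s["graph_api_url"].rstrip("/")
    query = urlencode({"api-version": s["api_version"]})
    return f"{base}/{s['domain']}/users?{query}"


if __name__ == "__main__":
    print(validate_settings(SAMPLE_SETTINGS) or "settings look sane")
    print(build_token_request(SAMPLE_SETTINGS)[0])
    print(build_users_query(SAMPLE_SETTINGS))
```

The token request shows why the User ID and Password deserve care: they are posted as a plain password grant, scoped only by the resource parameter, and the common authority accepts a sign-in from any directory. Run the validation against your real values before saving them in EPP, and keep the script's output (which includes the password in the form dictionary) out of logs.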
Configure AAD mappings
You configure AAD mappings to determine which fields from the Azure AD service are populated within EPP's user profiles.
Prerequisite: Configure AAD settings
To configure AAD mappings, complete the following steps in EPP. You can also refer to AAD configuration settings.
- Go to Admin > System Configuration > Security.
- Select the AAD Mappings tab.
- Enter the attribute associated with the First Name of the user. In Azure AD, this is the givenName attribute, the part of a user or contact name that is not the surname.
- Enter the attribute associated with the Last Name of the user. In Azure AD, this is the surname attribute.
- Enter the attribute associated with the Locale Code. In Azure AD, this is the usageLocation attribute.
- Enter the attribute associated with the user's Email address. In Azure AD, this is the mail attribute.
- Select Save, and then Close.
Postrequisite: Configure AAD Extraction Agent
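The mappings above decide which Azure AD attributes land in which EPP profile fields, but the page does not show what happens to a record that lacks an attribute, or how a usageLocation value turns into a UI language. The following Python module is an added example, not EPP code, that applies the four documented mappings (givenName, surname, usageLocation, mail) to constructed Azure AD Graph 1.6-style user records. The country-code-to-language table, the English fallback, the empty-string handling for missing attributes, and the skipping of disabled accounts are all assumptions made for illustration; EPP's own rules are not documented here.

```python
"""Map Azure AD Graph user records onto EPP user-profile fields.

Added example, not EPP code. Mapping rules beyond the four documented
attribute names are assumptions for illustration.
"""

# Attribute names as entered on the AAD Mappings tab.
DEFAULT_MAPPINGS = {
    "first_name": "givenName",
    "last_name": "surname",
    "locale_code": "usageLocation",
    "email": "mail",
}

# usageLocation is an ISO 3166 two-letter country code, not a language tag.
# Assumed table: country code -> UI language among the languages the page
# lists (simplified Chinese, French, Japanese, Spanish); anything else
# falls back to English.
COUNTRY_TO_LANGUAGE = {"CN": "zh-CN", "FR": "fr", "JP": "ja", "ES": "es", "MX": "es"}
DEFAULT_LANGUAGE = "en"

# Constructed sample records shaped like Graph 1.6 user objects. The second
# has no mail attribute; the third is a disabled account.
SAMPLE_USERS = [
    {"objectId": "11111111-1111-1111-1111-111111111111", "accountEnabled": True,
     "givenName": "Alice", "surname": "Example", "usageLocation": "FR",
     "mail": "alice@myDirectory.onmicrosoft.com"},
    {"objectId": "22222222-2222-2222-2222-222222222222", "accountEnabled": True,
     "givenName": "Bob", "surname": "Example", "usageLocation": "US",
     "mail": None},
    {"objectId": "33333333-3333-3333-3333-333333333333", "accountEnabled": False,
     "givenName": "Carol", "surname": "Example", "usageLocation": "JP",
     "mail": "carol@myDirectory.onmicrosoft.com"},
]


def map_user(record, mappings=DEFAULT_MAPPINGS):
    """Build one EPP profile dict from one Graph user record.

    Missing or null attributes become empty strings rather than raising,
    and a missing e-mail is reported in 'warnings' so the administrator
    can fix the source record in Azure AD.
    """
    def attr(field):
        value = record.get(mappings[field])
        return value.strip() if isinstance(value, str) else ""

    country = attr("locale_code").upper()
    profile = {
        "object_id": record.get("objectId", ""),
        "first_name": attr("first_name"),
        "last_name": attr("last_name"),
        "language": COUNTRY_TO_LANGUAGE.get(country, DEFAULT_LANGUAGE),
        "email": attr("email"),
    }
    profile["warnings"] = [] if profile["email"] else ["no mail attribute"]
    return profile


def extract(records, mappings=DEFAULT_MAPPINGS, skip_disabled=True):
    """Map a page of Graph results to EPP profiles.

    Disabled accounts are skipped by default (assumption: EPP should not
    provision logins for accounts that Azure AD has disabled).
    """
    return [map_user(r, mappings) for r in records
            if not (skip_disabled and r.get("accountEnabled") is False)]


if __name__ == "__main__":
    for profile in extract(SAMPLE_USERS):
        print(profile)
```

Two points worth checking in your own directory before you rely on the mappings: whether every user that should log in to EPP actually carries a mail value (the second sample record shows what an empty one produces), and whether usageLocation values such as US or CA map to the UI language you intend, since a country code does not identify a language.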
Configure AAD Extraction Agent
After you configure AAD settings and mappings, schedule an agent that extracts user information from the Azure AD service. This ensures that Azure AD user information remains current in EPP.
Prerequisites: Configure AAD settings and Configure AAD mappings
To configure AAD Extraction Agent settings, complete the following steps in EPP. You can also refer to AAD configuration settings.
- Go to Admin > System Configuration > Security. Select the AAD Extraction Agent tab.
- Select the Startup Type.
- Select the Schedule Type.
- If Basic, set the Frequency and Days to Run.
- If Advanced, write a Cron Expression, which is an advanced way to create a schedule.
- Select Start Agent. Note: You can select the Extract Now button to immediately pull information from the Azure AD service; this action does not affect the schedule you have defined.
- Select Save, and then Close.
Result: Azure AD users can now log in to EPP.
AAD configuration settings
The following lists provide setting information for configuring Azure Active Directory (AAD) security in Enterprise Printing Platform (EPP).
AAD Settings
AAD Graph API URL
This is the location used by EPP to communicate with the Azure AD. It's the root component upon which all EPP to Azure queries are constructed.
Default: https://graph.windows.net
AAD Client ID
Also known as the application ID. This is the identifier string created by registering an application in Azure AD, a GUID such as 369e06d5-376f-4e73-8a49-81dcc3da4f39. EPP presents it when requesting tokens so that Azure AD can associate the request with the registered application.
AAD Domain
The name defined when a directory is created in Azure AD. A default name is created, but it can be changed in Azure AD if desired. For example: myDirectory.onmicrosoft.com
User ID
A user ID with global admin privileges, defined in a directory within Azure AD. Use a dedicated account created for EPP: its password is stored by EPP, does not expire, and carries far more authority than the read access EPP needs, so monitor the account's sign-ins and keep the EPP configuration store protected.
Password
The password that corresponds with the user ID.
AAD Authority
The authorization endpoint to which credentials are sent in order to receive an access token that EPP uses to communicate with the Azure AD service and get user information. Normally this should be set to https://login.microsoftonline.com/common; a tenant-specific authority (https://login.microsoftonline.com/<yourDomain>) restricts token requests to your own directory.
AAD API Version
The version of the Graph API targeted by requests from EPP to the Azure system. Normally this value should be set to 1.6.
Directory ID
The Directory ID can be found in Azure Active Directory > Properties > Directory ID.
AAD Mappings
First Name
The attribute associated with the first name of the selected user. In Azure AD, this is the givenName attribute, which is the name string that is the part of the user or contact name that is not the surname. The attribute value populates the First Name field in the EPP user profile.
Last Name
The attribute associated with the last name of the selected user. In Azure AD, this is the surname attribute. The attribute value populates the Last Name field in the EPP user profile.
Locale Code
The attribute associated with a language preference, if one exists. In Azure AD, this is the usageLocation attribute. The attribute value populates the language field in the EPP user profile. The language field in a user profile dictates the language used to display the user interface text for versions of EPP that support multiple languages (simplified Chinese, French, Japanese, and Spanish). Note that usageLocation holds a two-letter ISO 3166 country code (for example US or JP), not a language tag, so verify that the values your users carry produce the intended EPP language.
E-Mail
The attribute associated with an E-mail address for the user indicated. In Azure AD, this is the mail attribute. The attribute value populates the E-mail address field in the EPP user profile.
AAD Extraction Agent
Startup Type
The extraction agent startup behavior.
Default: Manual.
- Automatic: The agent starts when EPP starts.
- Manual: The agent is only started by selecting Start Agent.
- Disabled: AAD Extractor Agent functionality is turned off until the Startup Type is reset to Automatic or Manual, or Start Agent is selected.
Schedule Type
The manner in which the schedule is created.
Default: Basic.
- Basic: Schedule based on calendar days and a 24-hour clock.
  - Frequency: Daily frequency, time interval in minutes, and start and stop times for basic scheduling.
  - Days to Run: One or multiple days of the week on which to schedule the agent.
- Advanced (Cron): Schedule based on a Cron expression, which is an advanced way to create a schedule.