Configure Microsoft Azure Active Directory for Passive Authentication
This topic provides basic information about how to set up Microsoft Azure Active Directory (AD) as a realm you can use with the Security Cloud Control. We expect you to already be familiar with Azure AD; if not, consult the Azure AD documentation or a support resource before you get started.
Give your application the Microsoft Graph permission
Grant your Azure AD application the following permissions to Microsoft Graph as discussed in Authorization and the Microsoft Graph Security API on the Microsoft site:
- Reader role
- User.Read.All permission
- Group.Read.All permission
These permissions enable the Security Cloud Control to perform the initial download of users and groups from Azure AD.
Required information from this step for setting up the Azure AD realm in the Security Cloud Control:
- Name of the app you registered
- Application (client) ID
- Client secret
- Directory (tenant) ID
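A quick sanity check on the registered app, added here as an illustration and not Cisco's or Microsoft's code: because the realm is given a client secret rather than a user login, it authenticates as the application itself (client-credentials flow), and in that kind of access token Microsoft Graph lists the granted application permissions in the roles claim; delegated permissions would appear in scp instead and do not help an unattended integration. The check below decodes such a token (the signature is not verified because we are only reading the claims of a token we obtained ourselves) and reports whether User.Read.All and Group.Read.All are present and the audience is Graph. make_sample_token builds a constructed, unsigned token so the check runs offline; the tenant and client IDs in it are placeholders. The Reader role is an Azure role assignment, not a Graph permission, so it does not show up in the token and is not checked here.

```python
import base64
import json

# Graph permissions the page says the app must hold. Granted as application
# permissions (with admin consent) they appear in the token's "roles" claim.
REQUIRED_GRAPH_PERMISSIONS = {"User.Read.All", "Group.Read.All"}
# Both spellings of the Microsoft Graph audience seen in Azure AD tokens.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment: str) -> bytes:
    """base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_token_claims(token: str) -> dict:
    """Return the payload claims of a JWT. The signature is NOT verified: this is
    only for inspecting a token we requested ourselves, never for trusting one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_graph_token(token: str) -> dict:
    """Report whether a client-credentials token is usable for the user/group
    download: Graph audience, application permissions (roles claim) and both
    required permissions present. Delegated scopes (scp) are reported but do
    not count, because the realm has no signed-in user behind it."""
    claims = decode_token_claims(token)
    roles = set(claims.get("roles", []))
    scopes = set(claims.get("scp", "").split())
    if roles:
        permission_type, granted = "application", roles
    elif scopes:
        permission_type, granted = "delegated", scopes
    else:
        permission_type, granted = None, set()
    missing = REQUIRED_GRAPH_PERMISSIONS - granted
    audience_ok = claims.get("aud") in GRAPH_AUDIENCES
    return {
        "tenant_id": claims.get("tid"),                        # Directory (tenant) ID
        "client_id": claims.get("appid") or claims.get("azp"),  # Application (client) ID
        "audience_ok": audience_ok,
        "permission_type": permission_type,
        "missing": missing,
        "ok": audience_ok and permission_type == "application" and not missing,
    }


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned JWT for offline testing. Not a real Azure AD token."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


if __name__ == "__main__":
    # Constructed example: admin consent granted to both permissions.
    token = make_sample_token({
        "aud": "https://graph.microsoft.com",
        "tid": "00000000-0000-0000-0000-000000000000",   # placeholder tenant ID
        "appid": "11111111-1111-1111-1111-111111111111", # placeholder client ID
        "roles": ["User.Read.All", "Group.Read.All"],
    })
    print(check_graph_token(token))
```

To run it against a real token, sign in to the Azure CLI as the app (az login --service-principal with the client ID, client secret and tenant ID from the list above), request a token for https://graph.microsoft.com with az account get-access-token --resource, and pass the accessToken value to check_graph_token. An empty roles claim with the permissions visibly configured on the app registration almost always means admin consent has not been granted yet.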
Set up an event hub
Set up the event hub as discussed in Quickstart: Create an event hub using Azure portal on the Microsoft site. The Security Cloud Control reads the Azure AD audit log that is streamed to this event hub to download periodic updates to users and groups.
More information: Features and terminology in Azure Event Hubs.
Important: You must choose the Standard pricing tier or better. If you choose Basic, the realm cannot be used.
Required information from this step for setting up the Azure AD realm in the Security Cloud Control:
- Namespace Name
- Connection string—primary key
- Event Hub Name
- Consumer group Name
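The four values above are normally copied from the portal one field at a time. The following added example (not Cisco's or Microsoft's code) shows what they have to agree on: it pulls the namespace out of an Event Hubs connection string, refuses the Basic tier, and catches a hub-scoped connection string (one carrying an EntityPath) that names a different hub than the one you intend to enter. The connection string is a constructed sample with a placeholder key, and the namespace, hub and consumer-group names are assumptions; $Default is the consumer group every event hub is created with.

```python
from urllib.parse import urlparse

# Pricing tiers on which the realm can be used; the page rules out Basic.
USABLE_SKUS = {"Standard", "Premium", "Dedicated"}
# Consumer group that exists on every event hub.
DEFAULT_CONSUMER_GROUP = "$Default"

# Constructed sample: assumed namespace name, placeholder key, not a real secret.
SAMPLE_CONNECTION_STRING = (
    "Endpoint=sb://contoso-scc.servicebus.windows.net/;"
    "SharedAccessKeyName=RootManageSharedAccessKey;"
    "SharedAccessKey=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
)


def parse_eventhub_connection_string(conn: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict and derive the namespace from Endpoint.
    partition('=') is used because SharedAccessKey is base64 and may end in '='."""
    fields = {}
    for segment in conn.strip().strip(";").split(";"):
        key, sep, value = segment.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed connection string segment: {segment!r}")
        fields[key.strip()] = value.strip()
    missing = {"Endpoint", "SharedAccessKeyName", "SharedAccessKey"} - set(fields)
    if missing:
        raise ValueError(f"connection string lacks {sorted(missing)}")
    host = urlparse(fields["Endpoint"]).hostname or ""   # sb://<namespace>.servicebus.windows.net/
    if not host.endswith(".servicebus.windows.net"):
        raise ValueError(f"unexpected Event Hubs endpoint host: {host!r}")
    fields["Namespace"] = host.split(".", 1)[0]
    return fields


def realm_eventhub_settings(conn: str, event_hub: str, sku: str,
                            consumer_group: str = DEFAULT_CONSUMER_GROUP) -> dict:
    """Return the four values the Azure AD realm asks for, after checking the tier
    and that a hub-scoped connection string points at the hub we were given."""
    if sku not in USABLE_SKUS:
        raise ValueError(f"Event Hubs tier {sku!r} cannot be used; choose Standard or better")
    fields = parse_eventhub_connection_string(conn)
    entity = fields.get("EntityPath")
    if entity and entity != event_hub:
        raise ValueError(f"connection string is scoped to hub {entity!r}, not {event_hub!r}")
    return {
        "namespace_name": fields["Namespace"],
        "connection_string_primary_key": conn,
        "event_hub_name": event_hub,
        "consumer_group_name": consumer_group,
        "policy_name": fields["SharedAccessKeyName"],
    }


if __name__ == "__main__":
    settings = realm_eventhub_settings(SAMPLE_CONNECTION_STRING, "aad-audit-logs", "Standard")
    for key, value in settings.items():
        if key == "connection_string_primary_key":
            # never echo the shared access key itself
            value = value.split("SharedAccessKey=")[0] + "SharedAccessKey=<redacted>"
        print(f"{key}: {value}")
```

Treat the connection string as a credential: the primary key of RootManageSharedAccessKey grants Manage rights on the whole namespace, so if your environment allows it, create a separate shared access policy with only Listen rights for the Security Cloud Control and paste that policy's connection string instead.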
Enable the audit log
Enable the audit log as discussed in Tutorial: Stream Azure Active Directory logs to an Azure event hub on the Microsoft site.
Configure Cisco ISE for Azure AD
To send user session information to the Security Cloud Control, configure Cisco ISE for Azure AD as discussed in Configure ISE 3.0 REST ID with Azure Active Directory.
What to do next
See How to Configure ISE for Microsoft Azure AD (SAML).