Provision the Azure Service Principal Account for data synchronization

Article ID: 171105

Products

Email Security.cloud, Web Security.cloud

Issue/Introduction

An administrator is using the LDAP Synchronization Tool (Schemus) and would like to set up the data sync to use the Microsoft Azure data source.

Environment

  • Windows 7 SP1 64-bit, Windows 8 R2 64-bit, or Windows Server 2012 64-bit
  • Install the 64-bit Windows version of the LDAP Synchronization Tool.

Resolution

In order to synchronize data from Azure, a Service Principal account must be created on the Office 365 portal. The Service Principal account can be created either using the Microsoft Windows Azure Management portal or by using the Windows Azure PowerShell modules.

Schemus will require the Service Principal account ID and associated secret information in order to access the Azure online Active Directory.


Using the Microsoft Windows Azure Management Portal

In order to create a Service Principal account using the Microsoft Windows Azure Management Portal, the following subscriptions are required:

  1. An Office 365 subscription;
  2. A Windows Azure subscription.

Note: A trial Windows Azure subscription is available, from which the Microsoft Windows Azure Management Portal can be accessed. In order to create a trial subscription, sign in to the Office 365 portal with an Administrator account at http://office.microsoft.com then go to the management portal https://manage.windowsazure.com.
At the time of writing, the trial is free of charge although credit card details may be required.

When signed into the Microsoft Windows Azure Management Portal, create the Service Principal account as follows:

  1. Scroll down in the left panel then click on Active Directory;
  2. Click on the directory name in the main panel;
  3. Click on Applications at the top of the main panel;
  4. Click on Add in the bar at the bottom of the window;
  5. Click Add an application my organization is developing;
  6. Enter Schemus for the name;
  7. Enter http://localhost for the sign-in URL and app ID URI;
  8. Click on Schemus in the left panel;
  9. Click Access Web APIs in other applications;
  10. Select a duration for the key;
  11. Select Read directory Data from the drop-down next to Windows Azure Active Directory;
  12. Make a note of the Client ID;
  13. Click Save then make a note of the key ID, which is displayed in the field adjacent to the duration entered earlier.

Note: The key cannot be retrieved again after the page is closed, so be sure to copy it before leaving the page.


Using PowerShell

In order to create a Service Principal in PowerShell, the following are required:

  1. An Office 365 subscription;
  2. Windows 7, Windows 8, Windows Server 2008 R2, or Windows Server 2012 with the default version of Microsoft .NET;
  3. PowerShell version 4.0 or later;
  4. Microsoft Online Services Sign-in Assistant;
  5. Windows Azure Active Directory Module for Windows PowerShell.

A Service Principal account can be created using the PowerShell commands below. This will create a principal named "Schemus" with the given password, which should be entered into the Symmetric Key field in the Schemus Azure configuration settings.

# import the Active Directory module and sign in (prompts for Office 365 administrator credentials)
Import-Module MSOnline
$cred = Get-Credential
Connect-MsolService -Credential $cred

# import the Active Directory extended module,
# required by New-MsolServicePrincipal
Import-Module MSOnlineExtended -Force

# create a Service Principal account with a password-type credential;
# replace SecretPassword01 with a strong, unique secret, which is the value
# entered into the Symmetric Key field in the Schemus Azure configuration
$sp = New-MsolServicePrincipal -ServicePrincipalNames @("Schemus") -DisplayName "Schemus" -Type "Password" -Value "SecretPassword01"

# grant Read access to the Office 365 Active Directory
Add-MsolRoleMember -RoleMemberType ServicePrincipal -RoleName "Directory Readers" -RoleMemberObjectId $sp.ObjectId

# display the information required by Schemus
$c = Get-MsolCompanyInformation
"Tenant Context ID: " + $c.ObjectId
"Principal ID: " + $sp.AppPrincipalId
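Whichever method was used to create the principal (the management portal steps or the PowerShell commands above), it is worth confirming afterwards that the "Schemus" principal exists, that it holds only the Directory Readers role, and that its credentials have the expected expiry. The following verification script is an added example, not part of the original article or the Schemus product; it assumes the MSOnline module is loaded and Connect-MsolService has already been run with an administrator account, and that the principal was given the name "Schemus".

```powershell
# Added verification example (not from the original article): confirm the
# Schemus principal exists, check its role membership for least privilege,
# and list credential metadata without exposing the secret values.
# Assumes MSOnline is imported and Connect-MsolService has already succeeded.

# Look up the principal by the service principal name given at creation
$sp = Get-MsolServicePrincipal -ServicePrincipalName "Schemus"
if (-not $sp) { throw "Service principal 'Schemus' was not found in the tenant" }
"Principal ID: " + $sp.AppPrincipalId

# Collect every directory role that lists the principal as a member
$roles = Get-MsolRole | Where-Object {
    Get-MsolRoleMember -RoleObjectId $_.ObjectId |
        Where-Object { $_.ObjectId -eq $sp.ObjectId }
}
"Roles held: " + (($roles | ForEach-Object { $_.Name }) -join ", ")

# Directory Readers is all that data synchronization needs; flag anything else
$extra = $roles | Where-Object { $_.Name -ne "Directory Readers" }
if ($extra) {
    Write-Warning ("Principal holds roles beyond Directory Readers: " +
        (($extra | ForEach-Object { $_.Name }) -join ", "))
}

# Show key IDs and validity windows only; -ReturnKeyValues $false keeps secrets out of the console
Get-MsolServicePrincipalCredential -ObjectId $sp.ObjectId -ReturnKeyValues $false |
    Select-Object KeyId, Type, Usage, StartDate, EndDate
```

Run this after provisioning and again when a key is due to expire; the EndDate column shows when the Schemus secret will stop working, which is also when the key must be rotated and re-entered in the Schemus Azure configuration.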