4. Base Configuration
To set up the connection between DNN and Azure AD you must complete configuration steps on both sides: “Azure AD” and “DNN”.
- On the “Azure AD” side, an “Application” needs to be created. This “Application” acts as a bridge between “Azure AD” and an external SaaS app (in this case DNN).
- On the “DNN” side, inside the “AD-Pro Azure AD Connector” provider, the “Azure AD” coordinates need to be added.
- On the “DNN” side, OWIN needs to be enabled.
4.1. Config steps at the Azure side
Note
Any application that wants to use the capabilities of “Azure AD” must first be registered in an “Azure AD” tenant.
In this section we explain how to create an “Application” in “Azure AD” that registers your DNN website in “Azure AD”; after that, communication between “Azure AD” and the DNN website can be set up.
The application defines what the app can actually do in a specific target directory, who can use it, what resources it has access to, and so on. In our case the application exposes Azure AD identities to the DNN website. Secondly, it allows access to the Microsoft Graph resource to get the user profile.
Azure AD Connector works with the Azure v2 endpoint. This endpoint supports both personal Microsoft accounts and work accounts from Azure Active Directory, but it communicates only over an HTTPS channel, so your DNN website URL must begin with the scheme HTTPS! The v2.0 endpoint does not support SAML or WS-Federation; it only supports OpenID Connect and OAuth 2.0. More info:
- https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-limitations#restrictions-on-protocols
- https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols#endpoints
- https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Adal-to-Msal
4.1.1. Application registration
Every app that communicates with Azure AD first needs to be registered in Azure Active Directory. The app registration process will collect a few values for DNN:
- An Application ID that uniquely identifies the DNN website in the Azure environment.
- A Redirect URI that is used to direct responses from Azure back to the DNN website.
- A few other scenario-specific values.
1. Sign in to “Microsoft Azure Portal” on https://portal.azure.com/
2. Go to Azure Active Directory and click on the App Registrations link, see figure below.
3. Click on the New application registration button, see figure below.
4. Enter a name for your new application and click the Register button, see figure below.
The bridge between DNN and Azure is created. Now it’s time to specify the details, which are described in the sections below.
4.1.2. Generate password
To increase security, the Azure AD app has an attribute called “Password”.
1. Sign in to “Microsoft Azure Portal” on https://portal.azure.com/
2. Go to Azure Active Directory and click on the App Registrations link, see figure below.
3. Select the Azure AD app from the list.
4. Select Certificates & secrets, then click on the New client secret button, see figure below.
5. A popup should be displayed. Click on Add; optionally a description can be added, see figure below.
6. The password is created. Copy it for further use, see figure below.
Warning
Remember this is the only time when it will be displayed. Be sure to copy the key for use in the DNN provider, as it is not accessible once you leave this page.
4.1.3. Redirect URI
The “Redirect URI” points to the DNN login page. Azure AD will redirect authentication responses only to that URL. To set up the “Redirect URI” follow the steps below.
1. Sign in to “Microsoft Azure Portal” on https://portal.azure.com/
2. Go to Azure Active Directory and click on the App Registrations link, see figure below.
3. Select the Azure AD app from the list.
4. Go to the Authentication tab and paste the DNN login URL inside the REDIRECT URI text box, see figure below.
5. Click the Save button to apply these changes in Azure AD.
4.1.4. Permissions
1. Sign in to “Microsoft Azure Portal” on https://portal.azure.com/
2. Go to Azure Active Directory and click on the App Registrations link, see figure below.
3. Select the Azure AD app from the list.
4. Go to the API Permissions tab and click the Add a permission button, see figure below.
5. Select the Microsoft Graph section, see figure below.
6. From “Delegated Permissions” select Group.Read.All and User.Read (which probably is already set), see figure below.
7. Click Add permissions to save the changes.
8. From “Application permissions” select Group.Read.All, see figure below.
9. Click Add permissions to save the changes.
10. Now the permission screen should look the same as on the figure below; please note the warning “Not granted for...”.
11. Click on Grant admin consent for AltofyAD and click Yes to complete the task, see figure below.
The task is completed.
4.1.5. Advanced settings
Make sure that under the “Authentication” tab the following settings are set as shown on the figure below.
Now the Azure Application is created and configured. It’s time to configure the connection on the DNN side.
4.2. Config steps at the DNN side
Note
Before you start the configuration process make sure that the “Application” in “Azure AD” is created, and that you have the coordinates: “Tenant”, “Application ID” and “Application Key”. This task is described in the previous section, Config steps at the Azure side.
Note
Before you start, make sure that the “AD-Pro Azure AD Connector” provider is activated; for more info see chapter Product Activation.
4.2.1. Entering Azure coordinates in DNN
All settings on the DNN side need to be entered through the “AD-Pro Azure AD Connector” configuration panel. To do that follow the steps below.
1. Sign in to the DNN website as a “DNN Host”.
2. Go to the “Extensions” menu, see figure below.
3. From the extensions category list select “Authentication Systems”, then click on the pencil icon near the “AD-Pro Azure AD Connector”, see figure below.
4. Select the “Site Settings” tab, where the configuration panel with all settings for the “AD-Pro Azure AD Connector” plugin exists, see figure below.
5. Open the “Azure Settings” tab.
6. Enter the Azure AD coordinates (Tenant, Application ID and Application key) inside that form and click on the “Submit Form” button to save these settings, see image below.
4.2.2. Setting up OWIN
Note
“AD-Pro Azure AD Connector” uses the OWIN web interface to communicate with “Azure AD”. OWIN is disabled by default in DNN. This section explains how to enable/disable the OWIN feature.
When OWIN is disabled, “AD-Pro Azure AD Connector” will display the following message at the login screen:
or the following message in the configuration panel:
During the installation of the “AD-Pro Azure AD Connector” provider, the following entry is added to the web.config file, under the <configuration><appSettings> section. This turns on OWIN for “Azure AD Connector”. The recommended way of enabling OWIN in the DNN web.config file is:
<add key="owin:AppStartup" value="AzureADConnector" />
Additionally, if web.config contains the key owin:AutomaticAppStartup, its value needs to be set to true, see below:
<add key="owin:AutomaticAppStartup" value="true" />
“Azure AD Connector” v1.4 and above can work without the owin:AutomaticAppStartup key at all.
To disable OWIN, simply remove (or comment out) the following line in the web.config file.
<add key="owin:AppStartup" value="AzureADConnector" />
Note
Remember to reload the DNN website in the web browser to apply the changes made in the web.config file.
More information about OWIN can be found here:
4.2.3. Setting up OWIN for old versions of “Azure AD Connector”
For “Azure AD Connector” v1.3 or older, different settings are needed to manipulate OWIN.
To enable the OWIN pipeline add the following snippet to the web.config file, inside the <configuration><appSettings> section:
<add key="owin:AutomaticAppStartup" value="true" />
To disable the OWIN pipeline add the following snippet to the web.config file, inside the <configuration><appSettings> section:
<add key="owin:AutomaticAppStartup" value="false" />
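The OWIN rules in sections 4.2.2 (connector v1.4 and later) and 4.2.3 (v1.3 and older) differ in which appSettings key decides the outcome, and the case where owin:AutomaticAppStartup is present but set to false is easy to miss when editing by hand. The script below is an added example, not code from the connector or from DNN: it reads the <configuration><appSettings> section of a web.config, reports whether OWIN is enabled for a given connector version, and toggles the keys the way the two sections describe. The web.config fragment is constructed for the example, and the function names and the connector_version tuple are the example's own.

```python
"""Check and toggle the OWIN appSettings used by the AD-Pro Azure AD Connector.

Added example (not part of the connector or of DNN). Rules implemented:
  v1.4+ : owin:AppStartup must be "AzureADConnector"; if the optional key
          owin:AutomaticAppStartup is present it must be "true".
  v1.3- : only owin:AutomaticAppStartup="true" enables the pipeline.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a minimal web.config with only the appSettings block.
# A real DNN web.config has many more sections; the checks ignore them.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="owin:AutomaticAppStartup" value="false" />
    <add key="owin:AppStartup" value="AzureADConnector" />
  </appSettings>
</configuration>
"""

CONNECTOR_VALUE = "AzureADConnector"


def app_settings(xml_text):
    """Return <configuration><appSettings> entries as a key -> value dict."""
    root = ET.fromstring(xml_text)
    node = root.find("appSettings")
    if node is None:
        return {}
    return {a.get("key"): a.get("value") for a in node.findall("add") if a.get("key")}


def owin_enabled(xml_text, connector_version=(1, 4)):
    """True if OWIN is on for the given connector version (hypothetical tuple)."""
    settings = app_settings(xml_text)
    auto = settings.get("owin:AutomaticAppStartup")
    if connector_version <= (1, 3):
        # Old connectors look only at owin:AutomaticAppStartup.
        return (auto or "").lower() == "true"
    if settings.get("owin:AppStartup") != CONNECTOR_VALUE:
        return False
    # Key absent is fine for v1.4+; if present it must be "true".
    return auto is None or auto.lower() == "true"


def set_owin(xml_text, enabled=True):
    """Return web.config text with OWIN turned on or off for connector v1.4+.

    Enabling writes owin:AppStartup="AzureADConnector" and forces an existing
    owin:AutomaticAppStartup to "true"; disabling removes owin:AppStartup,
    which is what section 4.2.2 says removing or commenting the line does.
    """
    root = ET.fromstring(xml_text)
    node = root.find("appSettings")
    if node is None:
        node = ET.SubElement(root, "appSettings")
    entries = {a.get("key"): a for a in node.findall("add")}
    if enabled:
        if "owin:AppStartup" in entries:
            entries["owin:AppStartup"].set("value", CONNECTOR_VALUE)
        else:
            ET.SubElement(node, "add", key="owin:AppStartup", value=CONNECTOR_VALUE)
        if "owin:AutomaticAppStartup" in entries:
            entries["owin:AutomaticAppStartup"].set("value", "true")
    elif "owin:AppStartup" in entries:
        node.remove(entries["owin:AppStartup"])
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for label, cfg in (("as installed", SAMPLE_WEB_CONFIG),
                       ("after set_owin", set_owin(SAMPLE_WEB_CONFIG, True))):
        print(f"{label}: v1.4+ enabled={owin_enabled(cfg)}, "
              f"v1.3- enabled={owin_enabled(cfg, (1, 3))}")
```

In the sample, the owin:AppStartup entry the installer adds is present, yet OWIN stays off for every connector version because owin:AutomaticAppStartup is explicitly false; set_owin() corrects that key rather than only adding the new one, which is the case a manual edit tends to overlook. Run it against a copy of web.config before reloading the site, since a misconfigured pipeline only shows up as the login-screen message described above.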
4.3. Config steps at the Azure side (OLD VERSION)
Note
This chapter is for old “Azure AD Connector” versions, deprecated v1.0.1 and older.
For the most recent info see section Config steps at the Azure side.
Note
Any application that wants to use the capabilities of “Azure AD” must first be registered in an “Azure AD” tenant.
In this section we explain how to create an “Application” in “Azure AD” that registers your DNN website in “Azure AD”. By providing the URL to send replies to after authentication, the URI that identifies your DNN application and more, communication between “Azure AD” and the DNN website is set up.
1. Sign in to your Azure portal.
2. Click on “Azure Active Directory”.
3. Go to the “Enterprise applications” tab, see figure below.
4. Click on the “New Application” link. This creates an “Application” that acts as a bridge between “Azure AD” and the DNN website. Enter the name of the newly created “Application”. Set the “Application” type to Web app / API. For the “Sign-on URL” enter the URL of your DNN website. See figure below for more info.
5. When the “Application” is created, copy the “Application ID” string.
Note
“Application ID” is the first Azure coordinate that will be used by “AD-Pro Azure AD Connector”.
6. In the permissions section, enable the attribute Sign in and read user profile, see figure below.
7. Go to the “Keys” section. Then enter the key description and set the expiration time (in this example 2 years). Copy the key value.
Note
“Application Key” is the second Azure coordinate that will be used by “AD-Pro Azure AD Connector”.
Warning
Be sure to copy the key for use in your client application code, as it is not accessible once you leave this page.