Using Passport in a Federated Microsoft Entra ID Environment (formerly Azure AD)

By Gwynn Clark

Learn how to deploy Passport in a federated Microsoft Entra ID environment

Note: Microsoft Entra ID is the new name for Azure AD (Azure Active Directory)
When logging in at the Passport Login Window, the full email address should always be used in the username field to ensure the authentication session is connected to the IdP and not local authentication. To avoid confusion with using email addresses at the FileVault Login Window, ensure that the Managed user visibility box is unchecked on the Login Window Library Item. You can read more about this in our Passport Compatibility article.

In this article, you'll learn how to create a Home Realm Discovery (HRD) policy in Azure AD using PowerShell. An HRD policy allows Passport to use Azure AD as the source of truth for authenticating users when deploying Passport in a federated environment where Azure AD is acting as the service provider (SP) federated with an external identity provider (IdP).

Before You Begin

Ensure that:
  • You have an Azure account with an active subscription. If you don't already have one, you can create an account for free here.

  • You have access to an Azure user with one of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

  • You have a Windows or Windows Server machine (can be virtual) with the latest Azure AD PowerShell cmdlet preview installed.

  • Both users and user passwords are already being synced from the federated identity provider.

    •  In an Azure AD and Active Directory hybrid setup, password hash sync must be enabled between Azure AD and Active Directory using Azure AD Connect.

    • In a cloud IdP scenario, be sure that both usernames and passwords are synced from the federated IdP.
  • You have already created the Kandji Passport Enterprise app in Azure, per the instructions in this support article.

  • You have created the Passport Library Item in Kandji using this support article.

Authentication Flow in a Federated Environment

The diagram below depicts the Passport authentication flow when Azure AD is acting as a service provider (SP) federated with another identity provider (IdP).

When a user attempts to authenticate via Passport, the request looks like this:

  1. Passport sends an authentication request to Azure AD.

  2. Azure AD forwards the auth request to the federated IdP.

  3. The auth request is validated by the IdP and sent back to Azure AD.

  4. Azure AD receives the validation but has no reason to forward it to Passport, at which point the user’s authentication attempt fails, and an error is delivered to Passport.


Authentication Flow with HRD Configured

The diagram below depicts the Passport authentication flow with an Azure AD Home Realm Discovery policy. When a user attempts to authenticate via Passport, the request looks like this:

  1. Passport sends an authentication request to Azure AD.

  2. Azure AD validates the authentication request using the HRD policy and responds back to Passport with successful user authentication of the user.

Create an HRD Policy

  1. Go to the Windows computer.

  2. Open PowerShell as an administrator.

  3. Connect to your Azure tenant with the command Connect-AzureAD. A web view will open, prompting you will enter your Azure AD credentials.

  4. Create a new policy with the command below. This will allow users to authenticate to a specific application with their username and password directly with Azure AD in a federated environment. If you have existing HRD policies in your environment, you can set the DisplayName to something like KandjiHRDPolicy.

    New-AzureADPolicy -Definition @("{`"HomeRealmDiscoveryPolicy`":{`"AllowCloudPasswordValidation`":true}}") -DisplayName KandjiHRDPolicy -Type HomeRealmDiscoveryPolicy
  5. Run the command Get-AzureADPolicy to list the policy that you've just created and copy the ObjectID string listed under the ID column in the output.

  6. Run the command Get-AzureADServicePrincipal to get the Service Principal (Azure Enterprise Application) ObjectID.

    1. If you know the name of the Enterprise Application, you can add the -SearchString your_app_name_here to the command above. Example: Get-AzureADServicePrincipal -SearchString "Kandji Passport"

  7. Run the following command to add the Kandji Passport Enterprise Application to the HRD policy. Replace <ObjectID of the Service Principal> with the Kandji Enterprise App ObjectIDcopied earlier. Replace <ObjectId of the Policy> with the HDR ObjectIDcopied earlier.

    Add-AzureADServicePrincipalPolicy -Id <ObjectID of the Service Principal> -RefObjectId <ObjectId of the Policy>
    1. If you do not create the right policy, you can use the following command to remove it and try again.

      Remove-AzureADServicePrincipalPolicy -id <ObjectId of the Service Principal> -PolicyId <ObjectId of the policy>
  8. Check the apps that are assigned with Get-AzureADPolicyAppliedObject -id <ObjectId of the Policy>.

  9. To disconnect the PowerShell session from Azure, use the command Disconnect-AzureAD.