Azure AD Authentication

Foldr server release 4.24.0.1 introduces support for native Azure AD authentication.  Earlier versions of the Foldr server appliance supported only traditional self-hosted/on-premises Active Directory, and authentication via Azure AD was possible only by enabling the Single Sign-On feature and using Azure as the IdP.

With native Azure AD authentication, users enter their Office 365 username in the sign-in screen of the Foldr web, mobile and desktop apps.  They are then redirected to Microsoft Online to enter their password, after which the Foldr app signs in.  Office 365 locations such as OneDrive, SharePoint and Teams are available immediately, provided the Foldr admin has configured these locations in the backend admin portal (Foldr Settings).  If users have Office 365 MFA enabled on their accounts, it will also be required when signing in to Foldr.

Requirements

Externally accessible Foldr server running v4.24.0.1 or later with a valid, publicly trusted SSL/TLS certificate (the Redirect URIs registered in Azure must use https)
The Azure Tenant ID, which Foldr support uses to create an Azure AD licence key for the server
App Registration created in Azure (see below)

Note – The password features in Foldr are not available when using Azure AD authentication.

Configuration steps in the Azure Portal

1.  Log into the Azure portal at https://portal.azure.com using a suitable administrative account

2.  Obtain the Azure Tenant ID for this instance from Azure Active Directory > Overview panel.  Submit the Tenant ID to Foldr support; it is required to create the Foldr server licence key that enables Azure AD authentication.

3.  Create an App Registration for Foldr, by clicking Azure Active Directory > App Registrations > + New Registration

In the New Registration screen, give the app a suitable name and leave the supported account types as the default (Accounts in this organizational directory only), which restricts sign-in to accounts in your own tenant.  Configure a Redirect URI using the platform type ‘Web‘ with the Redirect URI set as follows:

https://address-of-foldr/services/microsoft/connect

Replacing address-of-foldr with the public FQDN of Foldr.  The value must match the address users browse to exactly; Azure rejects sign-ins whose redirect URI is not an exact match for a registered one.

Finally, confirm by clicking Register.

4.  The Overview panel will be displayed.  From this, take a note of the ‘Application (client) ID‘ – this will be required later.

5.  From the Overview panel, click the Redirect URI link

Add a second Redirect URI for:

https://address-of-foldr/services/microsoft/signin

Replacing address-of-foldr with the public FQDN of Foldr.

6.  Click Certificates & secrets from the left-hand panel > + New Secret

7.  Enter a description, select a suitable expiration lifetime, and finally click Add.

The new client secret will be displayed.

IMPORTANT – Take a copy of the secret at this point (the VALUE column, not the Secret ID), as it cannot be retrieved again later.  New secrets can be generated later if required.  Treat the value as a credential: it allows the Foldr server to obtain tokens for your tenant.  Also note the expiry date you chose; when the secret expires, Azure AD sign-in to Foldr will stop working until a new secret is generated and entered in Foldr Settings.

8.  Click  API Permissions > Add a permission

9.  Select Microsoft Graph

10. Click Delegated Permissions

Select the following Delegated permissions from the Directory, Files and User sections:

Directory.Read.All
Files.ReadWrite
Files.ReadWrite.All
User.Read

Next, click the Application Permissions box at the top of the Permissions selection panel (or go back to the App Registration overview and use API Permissions > Add a permission > Microsoft Graph > Application Permissions).

Select the following Application permissions from the Directory, GroupMember and User sections:

Directory.Read.All
GroupMember.Read.All
User.Read.All

Once the permissions have been selected, click Add Permissions to confirm.

11.  The permission summary will now list the delegated and application permissions added above.

12.  Click the GRANT ADMIN CONSENT for <organisation> button.  This requires an account that can grant tenant-wide admin consent; for Microsoft Graph application permissions this is typically a Global Administrator.

Click Yes on the confirmation prompt.

13.  A success message will then be shown
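The portal steps above configure a standard OAuth 2.0 / OpenID Connect authorization-code client.  The following is an added example (not Foldr's own code, and not taken from this page) that shows how the values gathered above fit together in that flow: the Tenant ID selects the authorize and token endpoints, the Application (client) ID and a registered Redirect URI go in the browser redirect, the delegated Graph permissions become OAuth scopes, and the client secret is used only in the server-to-server token request.  The two Redirect URI paths are the ones from steps 3 and 5; the hostname foldr.example.com, the tenant and client IDs and the secret are placeholders.  Nothing here contacts Azure, so it runs offline.

```python
"""Azure AD (Microsoft identity platform) authorization-code flow pieces that
correspond to the App Registration settings above.  Added example, not Foldr's
code: hostname, tenant ID, client ID and secret below are placeholders."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholders standing in for the values gathered in the portal steps (assumed).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
FOLDR_FQDN = "foldr.example.com"

# The two Redirect URIs registered in steps 3 and 5.
REGISTERED_REDIRECT_URIS = {
    f"https://{FOLDR_FQDN}/services/microsoft/connect",
    f"https://{FOLDR_FQDN}/services/microsoft/signin",
}

# Delegated Graph permissions from step 10 expressed as OAuth scopes, plus the
# OpenID Connect scopes that yield an ID token and a refresh token.
DELEGATED_SCOPES = [
    "openid", "profile", "offline_access",
    "https://graph.microsoft.com/User.Read",
    "https://graph.microsoft.com/Files.ReadWrite",
    "https://graph.microsoft.com/Files.ReadWrite.All",
    "https://graph.microsoft.com/Directory.Read.All",
]


def pkce_challenge(verifier: str) -> str:
    """RFC 7636 S256: base64url(sha256(verifier)) with '=' padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_verifier() -> str:
    return secrets.token_urlsafe(32)  # 43 chars, within RFC 7636's 43..128 range


def check_redirect_uri(uri: str) -> str:
    """Azure rejects a redirect_uri that is not an exact match for a registered
    one; checking locally makes a misconfigured FQDN fail fast and loudly."""
    if uri not in REGISTERED_REDIRECT_URIS or urlsplit(uri).scheme != "https":
        raise ValueError(f"redirect_uri not registered: {uri}")
    return uri


def build_authorize_url(redirect_uri: str, state: str, code_challenge: str,
                        tenant_id: str = TENANT_ID, client_id: str = CLIENT_ID) -> str:
    """The URL the server sends the browser to after the user types a username."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": check_redirect_uri(redirect_uri),
        "response_mode": "query",
        "scope": " ".join(DELEGATED_SCOPES),
        "state": state,                      # bound to the user's session; checked on return
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return (f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize?"
            + urlencode(params))


def handle_callback(query_string: str, expected_state: str) -> str:
    """Parse the query Microsoft appends to the Redirect URI.  Return the
    authorization code, or raise on an error response or a state mismatch."""
    q = {k: v[0] for k, v in parse_qs(query_string, strict_parsing=True).items()}
    if "error" in q:  # e.g. consent not granted, or redirect URI mismatch
        raise PermissionError(f"{q['error']}: {q.get('error_description', '')}")
    if not secrets.compare_digest(q.get("state", ""), expected_state):
        raise PermissionError("state mismatch: possible CSRF or session mix-up")
    if "code" not in q:
        raise ValueError("callback carried neither code nor error")
    return q["code"]


def build_token_request(code: str, redirect_uri: str, code_verifier: str,
                        client_secret: str, tenant_id: str = TENANT_ID,
                        client_id: str = CLIENT_ID):
    """Back-channel POST that redeems the code.  The client secret (the VALUE
    copied in step 7) appears only here, never in anything sent to the browser."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": check_redirect_uri(redirect_uri),
        "code_verifier": code_verifier,
    }
    return url, form
```

The Redirect URI check is the one most worth keeping in mind when troubleshooting: if the public FQDN in Azure differs from the address users actually browse to (a trailing slash, a different host, http instead of https), Microsoft returns an error at the authorize step and the callback carries `error` rather than `code`.  The secret is only ever sent in the token request from the Foldr server, which is why the registration uses the confidential ‘Web‘ platform type.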

Enabling Azure AD in Foldr

Ensure the licence key has been applied to the system (Appliance > Status > General > Licence) before proceeding.

1. Click the Integrations tab and select Microsoft Azure under the Authentication section

2.  Enable the Integration by enabling the toggle

3.  Paste in the Client ID and Application Key values created earlier in the App Registration in Azure:

Client ID = Application (client) ID in Azure

Application Key = Client secret in Azure

4.  Click Save Changes

Add the Office 365 Storage Objects (OneDrive, SharePoint and Teams)

1.  Add the Office 365 storage locations that you wish to present to users (OneDrive, SharePoint sites and Teams) as required.  Navigate to the Files & Storage tab in Foldr Settings

2.  On the Storage tab, click + Add New

3.  Configure a storage item for OneDrive, by giving it a suitable name and using one of the following built-in variables as the Storage Address:

%onedrive% = All files and folders in the user’s OneDrive

%onedrivewithshared% = As above, but in addition includes items that are shared with the user in Office 365.  These are accessed in Foldr via a subfolder in the root of the user’s OneDrive labelled ‘Shared with Me’.

%onedriveshared% =   Only shared items in Office 365 will be shown in this storage item in Foldr.

4.  Create additional storage objects in Foldr Settings > Files & Storage for SharePoint sites as required, using the same steps above but with a Storage Address of %sharepoint%(tenant.fqdn/sites/site-name)

A dedicated KB article is available regarding presenting specific SharePoint sites and document libraries

5.  Create additional storage objects in Foldr Settings > Files & Storage for Teams as required, using the same steps above but with a Storage Address of %teams%
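The Storage Address variables above each resolve to a different Microsoft Graph resource, which is also why the delegated permissions requested earlier go beyond the user's own OneDrive.  The following is an added illustration, not Foldr's own code and not taken from this page: it parses the documented variable forms and maps each to the standard Graph resource path for that kind of location.  The mapping itself is an assumption about what each variable resolves to; the tenant name contoso.sharepoint.com and site name are placeholders.

```python
"""Interpret the Foldr Storage Address variables as the Microsoft Graph resources
they correspond to.  Added illustration, not Foldr's code: the Graph paths are
the standard v1.0 ones for each resource; the mapping is an assumption."""
import re
from typing import NamedTuple, Tuple


class StorageTarget(NamedTuple):
    kind: str                       # onedrive | onedrive+shared | shared | sharepoint | teams
    graph_paths: Tuple[str, ...]    # relative to https://graph.microsoft.com/v1.0
    site_host: str = ""             # SharePoint only
    site_path: str = ""             # SharePoint only (server-relative, e.g. /sites/finance)


# %sharepoint%(tenant.fqdn/sites/site-name): host, then server-relative path.
_SHAREPOINT = re.compile(r"^%sharepoint%\(([^/()\s]+)(/[^()\s]*)\)$", re.IGNORECASE)

# Variables with no parameter.  User.Read/Files.ReadWrite cover the user's own
# drive; Files.ReadWrite.All is what reaches shared items, sites and team drives.
_FIXED = {
    "%onedrive%": StorageTarget("onedrive", ("/me/drive/root/children",)),
    "%onedrivewithshared%": StorageTarget(
        "onedrive+shared", ("/me/drive/root/children", "/me/drive/sharedWithMe")),
    "%onedriveshared%": StorageTarget("shared", ("/me/drive/sharedWithMe",)),
    "%teams%": StorageTarget("teams", ("/me/joinedTeams",)),
}


def parse_storage_address(address: str) -> StorageTarget:
    """Validate an admin-entered Storage Address and return its Graph target.
    Raises ValueError for anything outside the documented variable forms."""
    addr = address.strip()
    fixed = _FIXED.get(addr.lower())
    if fixed:
        return fixed
    m = _SHAREPOINT.match(addr)
    if m:
        host, path = m.group(1), m.group(2).rstrip("/")
        # Site addressed by path: /sites/{hostname}:/{server-relative-path}:/drives
        return StorageTarget("sharepoint", (f"/sites/{host}:{path}:/drives",), host, path)
    raise ValueError(f"unrecognised Storage Address: {address!r}")
```

Validating the address before saving it catches the common mistakes (a missing leading slash after the hostname, a variable name typo) at configuration time rather than as an empty folder for every user.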

The integration is now complete and users should be able to sign into Foldr using their Office 365 credentials.  If MFA is enabled on the account in Office 365, the user will need to pass this to sign into Foldr.


© Minnow IT. Registered in England and Wales with company number 07970411.
