This article walks through the steps for integrating Azure AD with Sitecore Identity Server (SI). It doesn't involve any code changes, just some setup in the Azure portal and a few config changes on the SI server.
We will need to update the Client ID and Tenant ID in the Sitecore.Plugin.IdentityProvider.AzureAd.xml file, found in the {IdentityServerRoot}/sitecore/Sitecore.Plugin.IdentityProvider.AzureAd/Config folder.

As I had to experiment with this on my personal setup, I had to create a tenant on my personal subscription.
Before setting up your tenant, you have to add Microsoft.AzureActiveDirectory as a resource provider for your subscription. To do that:
- Open Subscriptions in the Azure portal.
- Select the required subscription if you have more than one subscription available.
- In the left-side menu, select Resource providers; in the resource providers list, select Microsoft.AzureActiveDirectory and select Register.

Now, to create an Azure AD B2C tenant:
- On the Azure portal home page, click Create a resource, search for Azure Active Directory B2C and then select Create.
- Create a new Azure AD B2C tenant.
- This will ask for organization details and a Subscription/Resource Group.
- Once created, Azure will switch your directory to the new one you created.

Now we'll register a new app in the Azure AD B2C of this directory.
- Give the app a name. Since we are going to use it for the Sitecore web application, select Web as the platform and, for the redirect URI, enter https://YourIdentityServerHostName/signin-oidc

- Make sure you have enabled ID tokens.

- In the Manifest, set groupMembershipClaims to "SecurityGroup".

- After registering the app, you will be able to get the Application ID (Client ID) and Directory ID (Tenant ID).

After filling these IDs into the XML file, we still can't expect Sitecore login via Azure AD to work, for two reasons:
- Your tenant will not have any user except your default Azure account, and the email ID generated for that account based on your tenant can be confusing to log in with. So we'll create a user in the tenant.
- Even after a successful login, Sitecore won't know which role to assign to the user.
First, to create a user in your tenant:
- Go to your tenant's Azure Active Directory, select Users from the left menu, click New User and fill in the details.
In real-world scenarios, organizations will ideally use a separate process or tool to create users; for experimentation purposes we are creating them manually.

The second-to-last step involves creating a group in Azure AD. For example, we'll create a Sitecore Admin group in Azure AD and add the user to that group. When that user logs into Sitecore via Azure AD, it will automatically be given the Admin role based on our configuration.
This is useful when you store and manage all the user details in one place. However, there are certain points that need to be noted.

Now, coming back to the group creation:
- Go to the Azure AD app, select Groups in the left menu and click New Group.
- Give the group a name and description, add Owners (the user we created earlier) and create the group.

You can include the group's ID in the claims transformation in the Sitecore.Plugin.IdentityProvider.AzureAd.xml file. You can add a separate group for each role and map each group ID to a Sitecore role (the Author role in this instance).
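As an added illustration (not the original post's file), this is the shape of the provider section in Sitecore.Plugin.IdentityProvider.AzureAd.xml with a claims transformation that maps one Azure AD group to the Sitecore Author role. The element structure follows the file as shipped with Sitecore Identity, but verify the names against your installed version; only the elements this post touches are shown, and every GUID is a placeholder.

```xml
<?xml version="1.0" encoding="utf-8"?>
<Settings>
  <Sitecore>
    <ExternalIdentityProviders>
      <IdentityProviders>
        <AzureAd type="Sitecore.Plugin.IdentityProviders.IdentityProvider, Sitecore.Plugin.IdentityProviders">
          <AuthenticationScheme>idsrv.external</AuthenticationScheme>
          <DisplayName>Azure AD</DisplayName>
          <!-- The plugin ships disabled; the provider does not appear on the login page until this is true -->
          <Enabled>true</Enabled>
          <!-- Application (client) ID and Directory (tenant) ID from the app registration; placeholders -->
          <ClientId>00000000-0000-0000-0000-000000000000</ClientId>
          <TenantId>11111111-1111-1111-1111-111111111111</TenantId>
          <ClaimsTransformations>
            <!-- Members of the "Sitecore Authors" group become sitecore\Author.
                 The match is on the group's object ID carried in the "groups" claim (emitted because
                 groupMembershipClaims is "SecurityGroup"), not on its display name: a display name can be
                 renamed by a group owner, the object ID cannot. -->
            <ClaimsTransformation1 type="Sitecore.Plugin.IdentityProviders.DefaultClaimsTransformation, Sitecore.Plugin.IdentityProviders">
              <SourceClaims>
                <Claim1 type="groups" value="22222222-2222-2222-2222-222222222222" />
              </SourceClaims>
              <NewClaims>
                <Claim1 type="role" value="sitecore\Author" />
              </NewClaims>
            </ClaimsTransformation1>
            <!-- One more group per role: add a ClaimsTransformation2, ClaimsTransformation3, ...
                 each with its own group object ID in SourceClaims and its own role in NewClaims. -->
          </ClaimsTransformations>
        </AzureAd>
      </IdentityProviders>
    </ExternalIdentityProviders>
  </Sitecore>
</Settings>
```

A user who is in none of the mapped groups gets no role claim from this file, so check the group membership in Azure AD first when a login succeeds but the Sitecore permissions are missing.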

That's it. Now we can try logging in via Azure AD.