How to Configure Azure AD Attributes on Certificates
Attribute mapping in Azure AD (Microsoft Entra ID) is easier than you might think. With a simple SAML application, you can use customizable Azure attributes to enforce dynamic policy options on your 802.1X network.
What are Azure AD (Microsoft Entra ID) Attributes?
When a new object (such as a user or device) is provisioned to Azure AD it comes preconfigured with a number of default attributes based on the Azure AD Schema. The values of those attributes are determined by Azure’s synchronization rules.
Customizable attributes and schemas allow you to create “templates” for new objects that streamline the provisioning process. For example, a user assigned the “Marketing” department value can automatically be assigned new properties according to the synchronization rules when they are reassigned to the “Sales” department to reflect their new permissions.
Note: Azure documentation refers to “attributes” and “properties” interchangeably. “Claims” are also related, though have a slightly different format.
Why use Attributes for Certificate Authentication?
Attributes are a powerful addition to 802.1X authentication because they make it possible to automate group policy and user segmentation.
Using a VLAN to segment your organization into multiple networks of varying permissions is a vital part of the Zero Trust paradigm. There’s no reason that a developer should need access to payroll, nor would an HR employee need to access the organization’s software code. Restricting resources to only the necessary parties limits the amount of damage an intruder can cause if they breach your perimeter.
Below we provided a short video on how easy it can be to attach attributes to your users.
How to Configure Azure Attributes on Digital Certificates
Configuring an X.509 digital certificate to use attributes from your Azure directory can be much simpler than you think. It just requires you to configure a SAML app on Azure and then integrate it into your PKI. For this article, we’ll use SecureW2’s Managed Cloud PKI to illustrate the process.
To configure Azure for attributes on digital certificates via SAML, you will require:
Azure AD account
SecureW2 PKI
Admin privileges for both of the above
Preconfigured SAML application for Azure
The following is a brief technical overview:
Integrate Azure IDP with SecureW2 via SAML. In the SecureW2 Management Portal, go to Identity Management > Identity Providers and select “Add Identity Provider”. From the Type dropdown, choose SAML.
Create Custom Attributes in Azure. Sign into the Azure portal as an admin and navigate to Azure Active Directory under the Azure services menu. Select “External Identities” in the leftmost menu and then choose “Custom user attributes (Preview)”. You can simply push the “Add” button to create a custom attribute.
Recreate Custom Attributes in SecureW2 Management Portal. In the Identity Provider tab, select the SAML IDP for Azure you configured in the first step. Choose the “Attribute Mapping” tab and fill out the fields so that they are identical the the attributes you created in Azure.
What Attributes are Required for RADIUS Authentication?
At minimum, to authenticate to a RADIUS server you will need a Short Alternative Name (SAN) attribute attached to your certificates. For most users, it’s a User Principal Name (UPN), which is usually an email address. Machines just use a Domain Name System (DNS) attribute.
In practice, of course, an object will have many more attributes attached to it. This single-attribute configuration is useful for troubleshooting RADIUS connectivity issues, however.
What Attributes are Required for Wi-Fi Authentication?
The simplest Wi-Fi authentication configuration only requires 3 attributes:
UPN / DNS
Email
DisplayName
Here’s an excerpt from our documentation that illustrates these Azure attributes configured properly in the SecureW2 Management Portal.
Implement True Passwordless Azure Authentication with Attributes
SecureW2’s Azure integration is the industry’s first solution for totally passwordless authentication with cloud directories. Digital certificates equipped with comprehensive attributes and a robust security policy create a network that is both more secure and a better user experience, all while being easier to manage.
Utilize your Azure environment to the fullest extent with Azure attributes for policy enforcement. We have affordable solutions for organizations of all sizes. Click here to see pricing.
Patrick is an experienced SEO specialist at SecureW2 who also enjoys running, hiking, and reading. With a degree in Biology from College of William & Mary, he got his start in digital content by writing about his ever-expanding collection of succulents and cacti.
How to Configure Azure AD Attributes on Certificates
January 4, 2021Patrick Grubbs
We use cookies to provide the best user experience possible on our website. If you would like to learn more click here. Accept
Privacy & Cookies Policy
Privacy Overview
This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
