Home Knowledge Base SecureW2 Documentation Azure Event Hooks for Certificate Management

Azure Event Hooks for Certificate Management

Introduction

JoinNow allows administrators to seamlessly interface with the Azure Event Grid system, leveraging automated event notifications to trigger event-based actions.

By integrating with Azure event hooks, JoinNow can be configured to receive notifications for the following critical events:

  • Deactivation of User
  • Deletion of User.

JoinNow utilizes these events to let the administrator configure the following actions:

  • Revoke the certificate of the user
  • De-register WebAuth devices and
  • Invalidate VPN tokens

This guide provides the steps to configure Real-time Intelligence in the JoinNow Management Portal based on Azure events.

Prerequisites

The following are the prerequisites for setting up Event Hooks in Azure.

  1. An active subscription to the Azure portal.
  2. An account in the JoinNow Management Portal with Cloud Connector and JoinNow Real-Time Intelligence subscriptions.

Configuring Azure

Configuration of Event Hooks for Azure requires an Azure Identity Lookup provider to communicate with the Azure portal.

SecureW2’s Cloud RADIUS has the industry-unique ability to perform directory lookups at the moment of authentication. This enables more policy enforcement options and more robust authentication security. This section shows how to implement RADIUS Lookup in Azure and integrate Microsoft Azure with SecureW2.

The following are the high-level tasks required to configure Azure:

Creating an Application in Azure for Account Lookup

To register a new application in Azure, perform the following steps:

  1. Log in to the Microsoft Azure portal.
  2. Type App registrations in the search box and click App registrations.
  3. On the App registrations page, click New registration.
  4. On the Register an application page, enter the name of the application in the Name field.
  5. In the Supported account types section, specify who can use the application by selecting any one of the following options:
    1. Accounts in this organizational directory only (MSFT only – Single tenant)
    2. Accounts in any organizational directory (Any Microsoft Entra ID tenant– Multitenant)
    3. Accounts in any organizational directory (Any Microsoft Entra ID tenant– Multitenant) and personal Microsoft accounts (e.g., Skype, Xbox)
    4. Personal Microsoft accounts only
  6. Click Register. The following screen is displayed.
  7. Copy the Application (client) ID, Object ID, and Directory (tenant) ID values to your console.

Creating a Client Secret

To create a client secret, perform the following steps:

  1. On the left pane, go to Manage and click Certificates & secrets.
  2. Click New client secret.
  3. In the Add a client secret pop-up window, enter a description for the client secret in the Description field.
  4. From the Expires drop-down list, select the expiration date of the client secret.
  5. Click Add.
  6. The client’s secret is displayed under the Value column.

    NOTE: Ensure you save the client secret on your console properly, as this secret is non-recoverable.

Creating a Provider URL and Client ID

To create a provider URL and client ID, perform the following steps:

  1. Navigate to the Overview section.
  2. Copy the Application (client) ID and Directory (tenant) ID values to your console.
  3. Insert it into the following URL: https://login.microsoftonline.com/{Directory (tenant) ID}. This should look like this:
    https: //login.microsoftonline.com/561bc66f-1d86-4244-8bc4-5eb12cba45ac
  4. Save this for later.

Providing API Permissions

Finally, provide this application permission to access the data in our Entra ID.

  1. On the left pane, go to Manage and click API permissions.
  2. Click Add a permission.
  3. Click Microsoft Graph.
  4. Select Application Permissions.
  5. If the Access Token Grant Flow attribute is Authorization Code, then add Device.Read and Device.Read.All in your API Permissions to configure Device Identity Lookup.

  6. If the Access Token Grant Flow attribute is Client Credentials, then add Device.Read.All, Group.Read.All, and User.Read.All in your API Permissions to configure Device Identity Lookup.

  7. After adding the permissions, the configured APIs are displayed under the Configured permissions section.
  8. Click Grant admin consent for {your organization} to grant consent for the requested permissions.
  9. In the Grant admin consent confirmation pop-up window, click Yes.
  10. The configured APIs are granted consent, and the following screen is displayed.

Configuring JoinNow

After creating an App in Azure, you need to create an Identity Lookup Provider in SecureW2 to communicate with Azure.

Creating a Core Platform to Integrate with Azure Event Hooks

  1. Navigate to Integrations Hub > Core Platforms.
  2. Click Add.
  3. For the Name field, enter the name of the identity lookup provider.
  4. For the Description field, enter a suitable description for the identity lookup provider.
  5. From the Type drop-down list, select Entra ID.
  6. Click Save.
  7. The page refreshes and displays the Configuration, Attribute Mapping, and Groups tabs.
  8. Click the Configuration tab.
    1. From the Access Token Grant Flow drop-down list, select one of the following options:

      1. Client Credentials – This option eliminates the need for frequent token reauthorization from the Azure portal and is the recommended method.
      2. Authorization Code – This option requires reauthorization of the token from the Azure portal every 90 days.
    2. In the Provider URL field, enter the URL you created earlier using the Directory (tenant) ID: https://login.microsoftonline.com/{Directory (tenant) ID}. This should look like this: 
      https://login.microsoftonline.com/561bc66f-1d86-4244-8bc4-5eb12cba45ac
    3. In the Client Id field, enter the Application (client) ID that you retrieved from Azure Portal earlier (refer to the Creating an Application in Azure for Account Lookup section).
    4. In the Client Secret field, enter the Client secret you generated in the Azure Portal earlier (refer to the Creating a Client Secret section).
    5. Under the Lookup Configuration section, from the Device Lookup via drop-down list, select the required device lookup attribute from the options listed below:
      1. Entra ID Device ID  – The lookup is performed using Azure ADID.
      2. Entra ID Device Name – The lookup is performed using the device name. For additional search filters, select the required checkboxes:
        1. Is Managed – checks if the device is managed.
        2. Is Compliant – checks if the device is compliant

    6. Click Update.

Configuring Groups

  1. Click on the Groups tab.
  2. Click Add.

  3. In the Local Group field, enter a name for the group to identify it locally.
  4. In the Remote Group field, enter a name for the group configured in Entra ID.
  5. Click Create.

  6. Click Update.

Device Control Platform Integrations in JoinNow

  1. Navigate to Identity Management > Device Control Platforms.
  2. Click Add.
  3. In the Basic section, enter the name of the event hook in the Name field.
  4. In the Description field, enter a suitable description for the event hook.
  5. From the Provider drop-down list, select Entra ID.
  6. Click Save. The page refreshes, and the Configuration tab opens.
  7. In the Configuration section, from the Identity Provider list, select the Identity Lookup Provider created in the Creating a Core Platform to Integrate with Azure Event Hooks section.
  8. Azure offers notifications for two major events – User Deactivated and User Deleted. You can choose any of the following or all of the actions to trigger for User Deactivation or for User Deletion.
    1. Revoke the associated certificate: Revoke the certificate(s) associated with the deleted user.
    2. Deregister the associated Web Auth Device: Remove the associated device from a secure network connected via Web Auth Wi-Fi with the Cloud IDP feature. Further connection attempts are allowed only after re-authentication.
    3. Deregister the associated VPN Token: Deregister the VPN Token associated with the user. Further VPN connections need re-enrollment.
  9. Click Update. An Event hook will be created in the Azure portal.

Deployment

Once the above configurations are completed, deactivating or deleting a user in Azure will automatically revoke their corresponding certificates, de-register Web Authenticated devices, and deactivate VPN tokens, depending on the setup in the JoinNow Portal. These actions can be monitored through the Events section. This process prevents affected devices from reconnecting to the network or VPN.

For devices already connected to the network, the feature can be extended to block these devices and terminate their internet connection. This can be done by sending a block command via the External Connections menu configuration to the WiFi Controllers like Aruba, Cisco Meraki and Ubiquiti UniFi, which can dynamically block the internet connection to the devices.

More Microsoft Entra ID Explainers