SAML Authentication Between CVAD & Azure AD with Azure MFA & Citrix FAS


    by Manuel Winkel, CTA

    Since this setup has come up in an increasing number of projects, here is a short how-to covering the following points:

    • SAML Authentication (Azure AD as IdP & Citrix Gateway as SP)
    • Citrix Federated Authentication Service (FAS)
    • Microsoft Azure Multi-Factor Authentication with Conditional Access

    Requirements

    • Fully working Citrix Virtual Apps and Desktops environment (StoreFront & DDC minimum version 7.9)
    • Citrix ADC with a successful base configuration & an activated Enterprise or Platinum license (minimum version 12.1 build 50+ for the native Workspace app; for browser access, minimum version 11.1)
    • Configured Unified Gateway vServer
    • Internal and external DNS entries for the Unified Gateway vServer (e.g. citrix.deyda.net)
    • Certificates for the DNS entries (wildcard certificates are the easiest)
    • Existing Azure tenant with Azure AD base configuration (domain, AAD Sync) & an activated Azure AD Premium license
    • Authenticator app installed on the test user's mobile phone

    SAML Authentication (Azure AD as IdP & Citrix Gateway as SP)

    [Figure: SAML Authentication with Azure AD as IdP and Citrix as SP]

    Active Directory

    If the UPN is not the same in Azure AD and in the on-premises Active Directory, the UPN must be modified.

    • To do this, open the Active Directory Domains and Trusts tool.
    • In the tool, right-click on the top item (Active Directory Domains and Trusts) and select Properties.
    • In the following window, enter the desired domain (e.g. deyda.net) under Alternative UPN Suffixes and confirm the entry via Add.
    • Check that the domain name has been inserted correctly and confirm with OK.
    • Now bulk edit or manually adjust the UPN of the required users to the Azure AD domain.
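    The bulk UPN change in the last step, as an added example that is not part of the original post: a PowerShell function (RSAT ActiveDirectory module assumed; the OU path and the two domain names are placeholders) that rewrites the UPN suffix for the users of one OU, previews the change with -WhatIf first, and skips any user whose new UPN already exists, because a duplicate UPN fails in AD and would also surface as an AAD Connect sync error.

```powershell
# Added example (not from the original post): bulk-change the UPN suffix of the
# users in one OU to the Azure AD domain, previewing first with -WhatIf.
# Assumptions: RSAT ActiveDirectory module installed; OU path and domains are
# placeholders for your own environment; the new suffix is a verified Azure AD domain.
Import-Module ActiveDirectory

function Set-UpnSuffixForOu {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # e.g. "OU=Users,DC=deyda,DC=local"
        [Parameter(Mandatory)] [string] $OldSuffix,    # e.g. "deyda.local"
        [Parameter(Mandatory)] [string] $NewSuffix,    # e.g. "deyda.net"
        [switch] $WhatIf
    )

    # Only touch enabled users whose UPN still carries the old suffix.
    $users = Get-ADUser -SearchBase $SearchBase `
        -Filter "Enabled -eq 'True' -and UserPrincipalName -like '*@$OldSuffix'" `
        -Properties UserPrincipalName

    $changed = 0
    foreach ($u in $users) {
        $prefix = $u.UserPrincipalName.Split('@')[0]
        $newUpn = "$prefix@$NewSuffix"

        # Guard: never create a duplicate UPN; Set-ADUser would fail and the user
        # would later show up as a sync error in AAD Connect.
        if (Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'") {
            Write-Warning "Skipping $($u.SamAccountName): $newUpn already exists"
            continue
        }

        Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf:$WhatIf
        Write-Verbose "$($u.UserPrincipalName) -> $newUpn"
        $changed++
    }
    return $changed
}

# Preview first, then run without -WhatIf and let AAD Connect sync the new UPNs.
Set-UpnSuffixForOu -SearchBase "OU=Users,DC=deyda,DC=local" -OldSuffix "deyda.local" -NewSuffix "deyda.net" -WhatIf -Verbose
```

Run it once with -WhatIf and -Verbose to see every planned rename, then again without -WhatIf; the return value is the number of users actually changed.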

    Azure Active Directory

    To connect our upcoming Service Provider, we now need to create a custom application in the Azure Active Directory.

    • To configure the Azure Active Directory, log in to portal.azure.com.
    • In the Azure navigation panel, click on Azure Active Directory.
    • In the Azure Active Directory window, click on Enterprise Applications.
    • Now click New Application.
    • And then on Non-gallery application.
    • In the Add my application window, configure the name of the application visible to the end user, e.g. Citrix FAS, and click Add.
    • Wait for the application to be created. Progress is shown under the Notifications item at the top.
    • Once the application has been created, click on Azure Active Directory > Enterprise Applications > All Applications and then on the application just created (e.g. Citrix FAS).
    • In the enterprise application, click on Single sign-on.
    • Under SSO method, click on SAML.
    • Click on the pencil icon in the upper area with the number 1 to edit the Basic SAML Configuration (Identifier / Entity ID and Reply / Assertion Consumer Service URL of the Service Provider).
    • Confirm the input with Save.
    • The settings under area 2, User Attributes & Claims, can remain at the defaults.
    • Under SAML Signing Certificate (area 3), download the Certificate (Base64) for the Service Provider (Citrix ADC).
    • From area 4 (Set up Citrix FAS), copy the displayed URLs (Login URL, Azure AD Identifier & Logout URL) to a local file.
    • Click on the confirmation checkbox at the bottom and click Next.

    To allow users to use SAML authentication for Citrix, they must be assigned to the application.

    • Click on Users and groups.
    • Now click on Add user.
    • Now select from the list the users who should be granted access (or select all users) and confirm this with Assign.
    • I only authorized one test user (user01) for this.

    Citrix ADC

     

    Finally, the Citrix ADC must be configured to communicate with the Identity Provider (Azure AD).

    • To do this, log in to the admin web interface of the Citrix ADC and navigate to Traffic Management > SSL > Certificates > Server Certificates.
    • There, click Install to import the certificate previously downloaded from the Azure portal.
    • Enter the following and confirm the entry with Install:
      • Certificate-Key Pair Name (unique name for the SAML signature certificate, e.g. SAML-Azure-AD)
      • Certificate File Name (the downloaded signature certificate, e.g. Citrix FAS.cer)
    • The installed certificate is not listed under Server or Client Certificates, but under Unknown Certificates.
    • Then navigate to Security > AAA - Application Traffic > Virtual Servers to create the SAML Authentication Policy and the Authentication vServer.
    • Under Authentication Virtual Servers, click Add to create a new vServer.
    • Now enter the following:
      • Name (name of the vServer, e.g. Azure-AD_auth_VS)
      • IP Address Type (Non Addressable)
    • Click on OK.
    • In the following wizard, click on No Server Certificate to bind the server certificate (not the IdP certificate).
    • Click in the Click to select area.
    • Select the Citrix ADC server certificate (e.g. my wildcard certificate) and click Select.
    • Click on Bind.
    • Once the certificate is attached (1 Server Certificate), click Continue.
    • Under the menu item Advanced Authentication Policies, click on No Authentication Policy.
    • Click on the + symbol under Select Policy.
    • Enter the following:
      • Name (name of the Authentication Policy, e.g. saml_auth_pol)
      • Action Type (SAML)
      • Expression (HTTP.REQ.IS_VALID)
    • Click on the + symbol next to Action.
    • Now configure the Authentication SAML Server with the following parameters:
      • Name (name of the SAML Authentication Server, e.g. saml_auth_server)
      • IDP Certificate Name (certificate from the Azure AD application, e.g. SAML-Azure-AD)
      • Signing Certificate Name (server certificate of the Citrix Gateway, e.g. my wildcard certificate)
      • Reject Unsigned Assertion (Off)
    • Click on More and edit the following settings:
      • Signature Algorithm (RSA-SHA256)
      • Digest Method (SHA256)
    • Confirm the entry with Create.
    • Check the entries again and click Create.
    • Under Policy Binding, check the inputs and change the following:
      • Goto Expression (END)
    • Confirm this with Bind.
    • Once the Authentication Policy is bound, click on Continue and Done.

    In order to complete the configuration on the Citrix ADC, we only need to bind the newly created SAML Authentication Policy to our Gateway Virtual Server.

    • To do this, navigate to NetScaler Gateway > Virtual Servers.
    • Select the gateway vServer previously configured for FAS in StoreFront (e.g. https://citrix.deyda.net = UG_VPN_ug_10.0.0.8_443) and click Edit.
    • Unbind all LDAP or RADIUS authentication policies bound to the vServer.
    • Check that no policy is bound under Basic Authentication or under Advanced Authentication.
    • On the right side, click Authentication Profile under Advanced Settings.
    • Click on the + symbol under Authentication Profile.
    • Enter a name (e.g. saml_auth_profile) under Create Authentication Profile and click on Click to select under Authentication Virtual Server.
    • Select the previously created Authentication Virtual Server (Azure-AD_auth_VS) and click Select.
    • Confirm the entry by clicking on Create.
    • Click on OK and on Done.
    • Navigate to NetScaler Gateway > Global Settings to delete the single sign-on domain.
    • Click on Change Global Settings.
    • Delete any entry under Single Sign-on Domain.
    • If necessary, the session policies of the Gateway vServer must also be adjusted for Single Sign-on Domain.
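    The same Citrix ADC objects the GUI steps above create, as an added example that is not part of the original post and not Citrix's own code: a PowerShell script that builds them through the NITRO REST API, so the SAML configuration can be reviewed as text and repeated on a second appliance. Placeholders and assumptions: the NSIP and admin credentials, the certkey name of the wildcard certificate (wildcard_cert), the Azure tenant ID in the Login URL, PowerShell 7 for -SkipCertificateCheck, and that the NITRO attribute names mirror the CLI parameter names in lower case. The samlIssuerName must equal the Identifier (Entity ID) entered in Azure's Basic SAML Configuration, and the Reply URL entered there is the Gateway's assertion consumer endpoint, https://citrix.deyda.net/cgi/samlauth.

```powershell
# Added example, not part of the original post: the Citrix ADC SAML objects from
# the GUI walkthrough, created via the NITRO REST API. Placeholders/assumptions:
# NSIP, credentials, the "wildcard_cert" certkey name, the Azure <tenant-id>,
# PowerShell 7, and NITRO attribute names mirroring the CLI parameters.
$Nsip = "10.0.0.1"                                        # placeholder NSIP
$Cred = Get-Credential -Message "Citrix ADC admin"
$Headers = @{ "X-NITRO-USER" = $Cred.UserName; "X-NITRO-PASS" = $Cred.GetNetworkCredential().Password }

function Invoke-Nitro {
    # One NITRO call; $Resource is both the URL path segment and the JSON root key.
    param([string]$Method, [string]$Resource, [hashtable]$Body, [string]$Query = "")
    $p = @{ Method = $Method; Uri = "https://$Nsip/nitro/v1/config/$Resource$Query"
            Headers = $Headers; ContentType = "application/json"; SkipCertificateCheck = $true }
    if ($null -ne $Body) { $p.Body = @{ $Resource = $Body } | ConvertTo-Json -Depth 5 }
    Invoke-RestMethod @p
}

# 1. IdP signing certificate downloaded from the Azure portal (file uploaded to /nsconfig/ssl beforehand)
Invoke-Nitro POST "sslcertkey" @{ certkey = "SAML-Azure-AD"; cert = "Citrix FAS.cer" }

# 2. SAML action = "Authentication SAML Server" in the GUI
Invoke-Nitro POST "authenticationsamlaction" @{
    name                        = "saml_auth_server"
    samlidpcertname             = "SAML-Azure-AD"     # IdP certificate imported in step 1
    samlsigningcertname         = "wildcard_cert"     # Gateway server certificate (placeholder certkey name)
    samlredirecturl             = "https://login.microsoftonline.com/<tenant-id>/saml2"   # Login URL from area 4
    logouturl                   = "https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0"  # Logout URL from area 4
    samlissuername              = "https://citrix.deyda.net"   # must match the Identifier (Entity ID) configured in Azure
    samlrejectunsignedassertion = "OFF"   # value from the walkthrough; Azure AD signs its assertions, so ON is the stricter choice
    signaturealg                = "RSA-SHA256"
    digestmethod                = "SHA256"
}

# 3. Advanced authentication policy with the expression from the GUI
Invoke-Nitro POST "authenticationpolicy" @{ name = "saml_auth_pol"; rule = "HTTP.REQ.IS_VALID"; action = "saml_auth_server" }

# 4. Non-addressable authentication vServer with the server certificate and the policy bound
Invoke-Nitro POST "authenticationvserver" @{ name = "Azure-AD_auth_VS"; servicetype = "SSL"; ipv46 = "0.0.0.0"; port = 0 }
Invoke-Nitro POST "sslvserver_sslcertkey_binding" @{ vservername = "Azure-AD_auth_VS"; certkeyname = "wildcard_cert" }
Invoke-Nitro POST "authenticationvserver_authenticationpolicy_binding" @{
    name = "Azure-AD_auth_VS"; policy = "saml_auth_pol"; priority = 100; gotopriorityexpression = "END"
}

# 5. Authentication profile, then point the Gateway vServer at it (LDAP/RADIUS policies are unbound separately)
Invoke-Nitro POST "authenticationauthnprofile" @{ name = "saml_auth_profile"; authnvsname = "Azure-AD_auth_VS" }
Invoke-Nitro PUT  "vpnvserver" @{ name = "UG_VPN_ug_10.0.0.8_443"; authnprofile = "saml_auth_profile" }

# 6. Read back what the ADC stored, then save the running configuration
(Invoke-Nitro GET "authenticationsamlaction" -Query "/saml_auth_server").authenticationsamlaction |
    Select-Object name, samlidpcertname, samlissuername, samlrejectunsignedassertion, signaturealg, digestmethod
Invoke-Nitro POST "nsconfig" @{} -Query "?action=save"
```

Step 6 is the check worth keeping in any change procedure: the values the appliance reports back (certificate names, issuer, signature and digest algorithms, and the unsigned-assertion setting) are what the Gateway will actually enforce, and the explicit save prevents the configuration from vanishing on the next reboot.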

    Citrix Federated Authentication Service (FAS)

    Certificate Authority

    • Next, a PKI environment must be created if there is no Microsoft Enterprise PKI in the domain yet. For this, go to the machine that should receive this role. In my example, it is the domain controller itself.
    • Open Server Manager and click through the Add Roles and Features wizard to the point Server Roles; select the item Active Directory Certificate Services.
    • Under the heading Role Services, select the following points:
      • Certification Authority
      • Certification Authority Web Enrollment
    • If pop-up windows with additional features appear, also confirm these with Add Features.
    • Complete the installation with Install.
    • Now select the Notifications item in Server Manager.
    • Click on Configure Active Directory Certificate Services.
    • In the following configuration, the default settings can be confirmed with Next.
    • Configuration used by me:
      • Setup Type (Enterprise CA)
      • CA Type (Root CA)
      • Private Key (Create a new private key)
      • CA Name (name of the CA, e.g. Deyda-CA)
      • Validity Period (5 Years)
    • Confirm the configuration with Configure.

    Now the domain controller must be issued a certificate by the local CA.

    • To do this, open the MMC on the domain controller (Start > Run > mmc).
    • Click on File and Add / Remove Snap-in...
    • Now click on Certificates and on Add.
    • In the following window, select Computer account and confirm it with Next.
    • Finally, close the window with OK.
    • Right-click on Personal and then on All Tasks > Request New Certificate...
    • In the Certificate Enrollment window, select Active Directory Enrollment Policy and click Next.
    • Select Domain Controller Authentication and confirm this with Enroll.

    Citrix Federated Authentication Service

     

    Now we can install and configure the FAS server. In my example, I install the FAS part on the StoreFront server.

    • For this, mount the ISO of the Virtual Apps & Desktops version in use and start AutoSelect.exe.
    • Then start the installation by clicking on Federated Authentication Service in the following window.
    • Click on "I have read, understand, and ..." and confirm it with Next.
    • Now confirm the following default settings (Core Components) with Next.
    • And click Next again (Firewall).
    • Start the installation with Finish.
    • The server may have to be restarted afterwards.
    • To perform the basic configuration of the FAS through a GPO, copy the ADMX / ADML files from the following path on the FAS server:

    C:\Program Files\Citrix\Federated Authentication Service\PolicyDefinitions

      • Add them to the PolicyDefinitions store of the Active Directory.
      • Create a new GPO or edit an existing one, which will be applied to the following systems:
          • FAS Server
          • StoreFront Server
          • VDA Worker
    • In the GPO, go to the following path and enter the FAS server address(es); the setting is written to one of the registry keys below:

    Computer Configuration \ Policies \ Administrative Templates \ Citrix Components \ Authentication

    HKEY_LOCAL_MACHINE \ SOFTWARE \ Policies \ Citrix \ Authentication \ UserCredentialService \ Addresses

    Or / And

    HKEY_LOCAL_MACHINE \ SOFTWARE \ WOW6432Node \ Policies \ Citrix \ Authentication \ UserCredentialService \ Addresses

      • Now start the Citrix Federated Authentication Service tool with "Run as administrator".
      • It shows the list of FAS servers that have been configured via GPO. Click on OK.

    The following window configures the FAS.

      • Click on Deploy in the frame Deploy certificate templates.
      • Click on OK, so that the configuration is carried out automatically in the background.
      • After successful setup, a green tick appears next to the frame.
      • Then click on Publish in the second frame, Set up a certificate authority.
      • Under Certificate Authority, select the CA configured / created for FAS (e.g. DC01.deyda.local\CA-DEYDA) and click OK.
      • Upon successful setup, a green tick also appears next to the second frame.
      • Now click on Authorize in the third frame, Authorize this service.
      • Here, select the FAS CA and click OK.
      • A blinking circle now appears next to the third frame, because the certificate request must be approved by the CA.
      • Connect to the server with the FAS CA and open Server Manager.
      • In Server Manager, click Tools > Certification Authority.
      • In the Certification Authority console, click on Pending Requests.
      • There, right-click on the request of the FAS server (e.g. DEYDA \ CTX01) and click on All Tasks > Issue.
      • Thereafter, the certificate appears under Issued Certificates.

    The now approved certificate normally expires in 2 years.

    It is therefore recommended to include this certificate in the monitoring so that it is renewed before its expiry.

    Here are the PowerShell commands to get the expiry date (replace CTX01.deyda.local with your FAS server):

    Add-PsSnapin Citrix.Authentication.FederatedAuthenticationService.V1
    Get-FasAuthorizationCertificate -FullCertInfo -address CTX01.deyda.local
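    The monitoring check recommended above, as an added example that is not part of the original post and not Citrix's own tooling: a function around the two commands that computes the remaining lifetime of the FAS authorization certificate and returns a non-zero exit code when it is missing, not yet issued, or closer to expiry than a configurable number of days, so a scheduled task or monitoring agent can alert on it. The FAS address is a placeholder, and it is assumed that with -FullCertInfo the returned object exposes the X.509 certificate in a property named Certificate and its state in Status (Ok once issued); adjust both names if your FAS version reports them differently.

```powershell
# Added example, not from the original post: alert before the FAS authorization
# certificate expires. Assumptions: -FullCertInfo returns the X509 certificate in
# a "Certificate" property and the state in "Status" ("Ok" once issued); the FAS
# address is a placeholder.
Add-PsSnapin Citrix.Authentication.FederatedAuthenticationService.V1

function Test-FasAuthorizationCertificate {
    param(
        [Parameter(Mandatory)] [string] $FasAddress,   # e.g. "CTX01.deyda.local"
        [int] $WarnDays = 60                           # alert this many days before expiry
    )
    $certs = @(Get-FasAuthorizationCertificate -Address $FasAddress -FullCertInfo)
    if ($certs.Count -eq 0) {
        # No authorization certificate at all: FAS cannot issue logon certificates.
        return [pscustomobject]@{ Fas = $FasAddress; Status = "Missing"; Thumbprint = $null
                                  NotAfter = $null; DaysLeft = 0; Healthy = $false }
    }
    foreach ($c in $certs) {
        $cert     = $c.Certificate                     # assumed property name, see above
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        [pscustomobject]@{
            Fas        = $FasAddress
            Status     = $c.Status                     # "WaitingForApproval" means the CA has not issued it yet
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            Healthy    = ($c.Status -eq "Ok" -and $daysLeft -gt $WarnDays)
        }
    }
}

$report = Test-FasAuthorizationCertificate -FasAddress "CTX01.deyda.local" -WarnDays 60
$report | Format-Table -AutoSize

# A non-zero exit code lets the scheduler or monitoring agent raise the alert.
if (@($report | Where-Object { -not $_.Healthy }).Count -gt 0) { exit 1 } else { exit 0 }
```

Run it from the FAS server itself (the snap-in is only installed there) under the scheduled-task account, and pick a WarnDays value that leaves enough time to re-run the Authorize step and have the CA issue the new request.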

      • After approving, a green tick also appears next to the third frame.
      • Now click on Create in the frame Create a Rule.
      • Click on Next to create the default rule.
      • In the Template section, select Citrix_SmartcardLogon and click Next.
      • In the Certificate authority section, select the FAS CA (e.g. DC01.deyda.local\CA-DEYDA) and click Next.
      • Select Allow in-session use if double-hop scenarios are to be supported.
      • Click on Next.
      • Under Access control, click on Manage StoreFront access permissions.
      • In the following window, delete the default group Domain Computers.
      • Then add the StoreFront servers and give them the Assert Identity (Allow) right. Only the StoreFront servers should hold this right, since it allows a caller to have logon certificates issued for any permitted user.
      • Confirm this with OK.
      • Confirm with Next.
      • Under Restrictions, define the users and the VDAs for which certificate authentication via FAS should be allowed.
      • Click on Manage user permissions. This restricts the users who can log in to Citrix via SAML. By default, the group Domain Users is stored here, which can stay that way.
      • Click on Manage VDA permissions. This narrows down the list of Citrix workers on which a login via SAML is possible. By default this is set to Domain Computers, which can stay that way.
      • After everything is defined, click on Next and in the last window on Create.
      • Now all points have a green tick.

    StoreFront

    Now we configure the StoreFront server so that it can talk to the FAS server.

      • Go to the Citrix StoreFront console and make a note of the store to configure for FAS (e.g. Store).
      • Start PowerShell as administrator on a StoreFront server.
      • Execute the following commands in PowerShell (change the store path in line 2 to the name of your store):

    Get-Module "Citrix.StoreFront.*" -ListAvailable | Import-Module
    $StoreVirtualPath = "/Citrix/Store"
    $store = Get-STFStoreService -VirtualPath $StoreVirtualPath
    $auth = Get-STFAuthenticationService -StoreService $store
    Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName "FASClaimsFactory"
    Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider "FASLogonDataProvider"

      • To deactivate FAS again, e.g. for troubleshooting, use the following commands:

    Get-Module "Citrix.StoreFront.*" -ListAvailable | Import-Module
    $StoreVirtualPath = "/Citrix/Store"
    $store = Get-STFStoreService -VirtualPath $StoreVirtualPath
    $auth = Get-STFAuthenticationService -StoreService $store
    Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName "standardClaimsFactory"
    Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider ""

      • Now open the Citrix StoreFront console again.
      • Click on Manage Authentication Methods in the panel on the right side.
      • Enable Pass-through from Citrix Gateway, if it is not already enabled.
      • Then click on the gear next to Pass-through from Citrix Gateway and on Configure Delegated Authentication.
      • In the following window, check the box next to Fully delegate credential validation to Citrix Gateway.
      • Click OK twice to close the windows.
      • Back in the main window of the StoreFront console, click on Manage Citrix Gateways.

    In Manage Citrix Gateways, add a new gateway or edit an existing one to connect to the Citrix Gateway which will later be used as SP.

      • In my case, I edited an existing Gateway via Edit and configured the following under Authentication Settings:
          • Version (10.0 (Build 69.4) or later)
          • VServer IP address (IP address of the Gateway VIP, e.g. 10.0.0.8)
          • Logon type (Domain)
      • Confirm the settings with Finish.

    It is important that the callback URL (citrix.deyda.net) is also resolvable in the internal DNS.

      • In the main menu of the StoreFront console, click on Configure Remote Access Settings.
      • Check that the item Allow users to access only resources delivered through StoreFront (No VPN tunnel) is activated.

    Delivery Controller

    The XML trust must still be activated on the Delivery Controller if it is not already activated. Once it is, the Delivery Controller trusts the user identity asserted by StoreFront, so access to the XML service port should be limited to the StoreFront servers.

      • To do this, start PowerShell as administrator on a Delivery Controller.
      • Now run the following commands:

    asnp citrix.*
    Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

    In newer versions of CVAD (>1906), a Citrix Cloud window asking for Citrix Cloud credentials follows after executing the PowerShell commands.

    Microsoft Azure Multi-Factor Authentication with Conditional Access

    You can find more detailed background information on this topic here.

    Conditional Access

      • Click on Azure Active Directory > Security.
      • Click on Conditional Access.
      • Click on Named locations.
      • Click on New location.
      • Configure the following for the Azure Worker:
          • Name (e.g. Azure Worker)
          • Define the location using (IP ranges)
          • Mark as trusted location (checked)
          • IP ranges (IP range of the Worker, e.g. 10.0.0.1/24)
      • Click on Create.
      • Under Policies, click on New policy.
      • In the new window, enter a Name for the policy (e.g. External MFA).
      • Click on Users and groups.
      • Under Include, click on All users.
      • Under Exclude, click on Users and groups.
      • Click on Select excluded users.
      • In the following window, select the users that should not receive an MFA prompt, such as the break-glass user and the sync accounts.
      • Confirm with Done.
      • Click on Cloud apps or actions.
      • Click on Select apps and select the previously created Enterprise App (e.g. Citrix FAS).
      • Confirm with Done.
      • Click on Conditions > Locations.
      • Under Configure, click on Yes.
      • Under Exclude, click on Selected locations.
      • Select the previously created location (e.g. Azure Worker).
      • Confirm with Done.
      • Under Access controls, click on Grant.
      • Select Grant access and Require multi-factor authentication.
      • Confirm with Select.
      • Under Enable policy, click on On.
      • Confirm with Create.
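    The named location and the External MFA policy from the steps above, as an added example that is not part of the original post and not Microsoft's sample code: the same configuration expressed as Microsoft Graph requests from PowerShell, so the policy can be reviewed as text and re-created in another tenant. Assumptions and placeholders: the Microsoft.Graph module is installed, the application ID of the Citrix FAS enterprise app, the object IDs of the break-glass and sync accounts, and the worker subnet (constructed as 10.0.0.0/24). It goes one step beyond the GUI walkthrough by creating the policy in report-only mode first, so the sign-in logs show whom it would have challenged before it is switched to enabled, and by reading the policy back to confirm the exclusions are in place.

```powershell
# Added example, not part of the original post: Conditional Access "as code"
# via Microsoft Graph. Placeholders: application ID of the Citrix FAS enterprise
# app, object IDs of the break-glass / sync accounts; the worker subnet is constructed.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$graph = "https://graph.microsoft.com/v1.0/identity/conditionalAccess"

# Trusted named location for the Citrix workers (the "Azure Worker" location from the GUI).
$location = Invoke-MgGraphRequest -Method POST -Uri "$graph/namedLocations" -Body @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Azure Worker"
    isTrusted     = $true
    ipRanges      = @(@{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "10.0.0.0/24" })  # constructed range
}

# The "External MFA" policy: everyone except the excluded accounts, only for the
# Citrix FAS app, not when coming from the worker subnet, grant only with MFA.
$policy = @{
    displayName = "External MFA"
    state       = "enabledForReportingButNotEnforced"   # report-only first; switch to "enabled" after checking sign-in logs
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @("<break-glass-user-object-id>", "<aad-sync-account-object-id>")   # placeholders
        }
        applications = @{ includeApplications = @("<citrix-fas-application-id>") }            # placeholder
        locations    = @{ includeLocations = @("All"); excludeLocations = @($location.id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
$created = Invoke-MgGraphRequest -Method POST -Uri "$graph/policies" -Body $policy

# Read the policy back and confirm the exclusions before enforcing it: a policy
# without the break-glass exclusion can lock the tenant admins out.
$check = Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/$($created.id)"
"State:              $($check.state)"
"Excluded users:     $($check.conditions.users.excludeUsers -join ', ')"
"Excluded locations: $($check.conditions.locations.excludeLocations -join ', ')"

# After the report-only review, enforce it.
Invoke-MgGraphRequest -Method PATCH -Uri "$graph/policies/$($created.id)" -Body @{ state = "enabled" }
```

Keep the PATCH at the end commented out or run it as a separate step until the report-only results have been checked in the Azure AD sign-in logs; the Location exclusion only applies to the policy, so the trusted subnet still needs to be correct for the session launch from the workers not to be challenged.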

    Convert users from per-user MFA to Conditional Access based MFA

    Before the following script works, a connection to Azure AD must be established. Execute the following lines:

    # Install and connect to Azure AD
    Install-Module MSOnline
    $Msolcred = Get-Credential
    Connect-MsolService -Credential $MsolCred

    Save the following code into a PS1 file and execute it to switch the MFA method.

    # Sets the MFA requirement state
    function Set-MfaState {
        [CmdletBinding()]
        param(
            [Parameter(ValueFromPipelineByPropertyName=$True)]
            $ObjectId,
            [Parameter(ValueFromPipelineByPropertyName=$True)]
            $UserPrincipalName,
            [ValidateSet("Disabled","Enabled","Enforced")]
            $State
        )
        Process {
            Write-Verbose ("Setting MFA state for user '{0}' to '{1}'." -f $ObjectId, $State)
            $Requirements = @()
            if ($State -ne "Disabled") {
                # Enabled / Enforced need a StrongAuthenticationRequirement for all relying parties
                $Requirement = [Microsoft.Online.Administration.StrongAuthenticationRequirement]::new()
                $Requirement.RelyingParty = "*"
                $Requirement.State = $State
                $Requirements += $Requirement
            }
            # An empty requirements array removes the per-user MFA setting
            Set-MsolUser -ObjectId $ObjectId -UserPrincipalName $UserPrincipalName `
                -StrongAuthenticationRequirements $Requirements
        }
    }

    # Disable per-user MFA for all users (run only after the Conditional Access policy is enabled)
    Get-MsolUser -All | Set-MfaState -State Disabled

    List of configured MFA users:

    # Identify registered users
    Get-MsolUser -All | where {$_.StrongAuthenticationMethods -ne $null} | Select-Object -Property UserPrincipalName | Sort-Object UserPrincipalName

    List of unconfigured MFA users:

    # Identify non-registered users
    Get-MsolUser -All | where {$_.StrongAuthenticationMethods.Count -eq 0} | Select-Object -Property UserPrincipalName | Sort-Object UserPrincipalName

    Authentication App

    We now log in to MFA Setup (https://aka.ms/mfasetup) with our test user to configure the Authenticator app on the mobile device.

    If the test user does not yet have a configured second factor, a message appears that more information is required. The configuration can be started with Next.

      • In the next window, select the type of the second factor (e.g. Mobile app).
      • To simplify the configuration, select to receive notifications for verification and click Next.
      • In the following window, a QR code is displayed with which the Authenticator app can be configured.
      • Open the Authenticator app on the device.
      • Click on the + symbol to add another account.
      • Select Business or School Account in the Accounts window.
      • Use the following menu item Scan QR Code to scan the displayed QR code.
      • The test user now appears in the account list.
      • In the browser, confirm the configuration of the MFA service with Next and Finish.

    Result

    If we now open the FQDN of the gateway (https://citrix.deyda.net) in a browser, we are forwarded directly to Azure AD and can authenticate ourselves there.

    After a successful logon, our Citrix resources are listed in StoreFront and can be started.

     

    You can visit me on my website: https://www.deyda.net or follow me on twitter: Manuel Winkel.

