Retrieve User Group Lists from Azure AD
Lists of user groups can be retrieved from Azure Active Directory (Azure AD) for authentication purposes when a web security policy is enforced for cloud users through Skyhigh Security Web Security Gateway Service (WGCS).
The lists are retrieved in string format to provide a value for an authentication property, which can be used in web security rules to allow or block web access depending on user groups.
You can create these rules on Web Gateway and enable them for cloud use, so that they also apply to WGCS.
To retrieve information from an Azure AD, you must configure options for communication between it and Web Gateway.
User requests for web access from outside your local network
When users of your organization request web access from outside your local network, for example, while traveling or working at home, you can enforce a web security policy for this access using WGCS. Skyhigh Security Client Proxy then redirects these requests to WGCS.
Client Proxy also adds information about the name and group of the user who sent the request that is redirected. It retrieves the user group information from lists of domain groups that are provided by Windows.
But Windows caches these lists only for a short time, so this information cannot be used in rules for a web security policy on WGCS or Web Gateway.
To let WGCS filter requests from users working outside your local network, you can use group information that is stored in an Azure AD. WGCS cannot, however, access information stored in a Windows AD, because that directory is used on-premises by Web Gateway. So, when creating rules on Web Gateway that you also want to enable for WGCS, you must retrieve any user group information from an Azure AD.
Authentication property for retrieving Azure AD user groups
The Authentication.GetAzureUserGroups property is used in rules that require the retrieval of user group information from an Azure AD.
For example, if you want to allow web access only for users belonging to allowed groups that are listed in an Azure AD, a suitable rule might look like this:
Authentication.GetAzureUserGroups<Azure AD> none in list Allowed User Groups -> Block<Authorized only>
The property has settings, which you must configure as part of the activities that are required to enable communication between Web Gateway and the Azure AD.
The property also has a parameter, which is the user name that Web Gateway submits when attempting to access the Azure AD.
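The following is an added example, not code from the Skyhigh Security product or its documentation. It shows how the rule above evaluates once the property has produced its list of group names as strings: it reduces a directory lookup result to that string list and applies the "none in list Allowed User Groups -> Block" test. The lookup response is a constructed sample shaped like a Microsoft Graph memberOf result; using Graph, the group names and the allowed list are all assumptions, since the page does not name the API Web Gateway calls.

```python
import json

# Constructed sample of a Microsoft Graph "memberOf" response for one user.
# Using Graph is an assumption; the page does not say which API Web Gateway
# calls. Group objects carry "@odata.type": "#microsoft.graph.group", and
# other directory objects (here a directory role) are listed beside them.
SAMPLE_MEMBER_OF = json.dumps({
    "value": [
        {"@odata.type": "#microsoft.graph.group", "displayName": "Sales"},
        {"@odata.type": "#microsoft.graph.directoryRole",
         "displayName": "Global Reader"},
        {"@odata.type": "#microsoft.graph.group", "displayName": "Remote Workers"},
    ]
})

# Constructed "Allowed User Groups" list for the rule.
ALLOWED_USER_GROUPS = ["Remote Workers", "Contractors"]


def azure_user_groups(member_of_json: str) -> list[str]:
    """Reduce a memberOf response to the string list the property yields.

    Only group objects are kept: directory roles and other objects are not
    user groups and must not satisfy a group-based web security rule.
    """
    data = json.loads(member_of_json)
    return [
        obj["displayName"]
        for obj in data.get("value", [])
        if obj.get("@odata.type") == "#microsoft.graph.group"
    ]


def blocked_by_rule(user_groups: list[str], allowed: list[str]) -> bool:
    """Evaluate 'GetAzureUserGroups none in list Allowed User Groups -> Block'.

    'none in list' holds when the user's groups and the allowed list do not
    overlap. A lookup that returns no groups at all therefore blocks as well,
    which is the fail-closed outcome you want if the Azure AD connection or
    the read permission granted to the registered app is broken.
    """
    return not any(group in allowed for group in user_groups)


if __name__ == "__main__":
    groups = azure_user_groups(SAMPLE_MEMBER_OF)
    print(groups, "blocked:", blocked_by_rule(groups, ALLOWED_USER_GROUPS))
```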
Communication between Web Gateway and Azure AD
To let Web Gateway retrieve user group information from an Azure AD, you must complete several activities for enabling communication between Web Gateway and the Azure AD.
This includes registering Web Gateway as an application (app) at the Microsoft Application Registration Portal and providing credentials for obtaining permission to read user group information in an Azure AD.
On Web Gateway, you must configure settings that specify the credentials for the read access and other information that is required for the communication process.
Enable communication between Web Gateway and Azure AD
To retrieve user group lists from an Azure AD, you must enable communication between it and Web Gateway.
- Make Web Gateway known to the Microsoft environment of the Azure AD.
  - Register Web Gateway as an application (app) at the Microsoft Application Registration Center. The registration includes obtaining an application ID and setting up a password for Web Gateway.
  - Configure permissions for the newly registered application, granting read access to the user group lists in the Azure AD.
- On Web Gateway, configure settings to connect to the Azure AD.
  - Create a new instance of the Azure Directory settings and name it appropriately, for example, Azure AD. Create these settings under Policy | Settings and add them as settings for the Authentication.GetAzureUserGroups property.
  - Configure options for the following:
    - Application that you registered for Web Gateway
    - Search for user group information in the Azure AD
    - Network setup
  - Save your changes.
You can now create rules to perform authentication based on lists of user groups that are retrieved from Azure AD.