User group mapping in Microsoft Entra ID

You can use Microsoft Entra ID (formerly Azure Active Directory) to authenticate users in an organization.

To configure user group mapping in Entra ID and in an identity federation:

1. Start configuring an application in Azure.
2. Create a federation in Yandex Cloud Organization.
3. Add the application's SAML certificate to the federation.
4. Complete configuring the application.
5. Configure group mapping on the application side.
6. Configure group mapping on the federation side.
7. Test the authentication operation.

Getting startedGetting started

Make sure you have access to the following services on the Azure portal:

• Enterprise applications.
• Microsoft Entra ID.

Start configuring an application in AzureStart configuring an application in Azure

The identity provider's (IdP) role is played by Microsoft Azure with Single Sign-On (SSO) configured. To create an application and begin configuring it:

1. Go to the Azure portal.

2. Under Azure services, select Enterprise applications.

3. On the left-hand panel, select Enterprise applications → All applications.

4. Click New application.

5. On the Browse Microsoft Entra gallery page, click Create your own application.

6. In the window that opens:

   1. Name your app, e.g., yandex-cloud-saml.
   2. Select Integrate any other application you don't find in the gallery.
   3. Click Create.

   You will be taken to your new app's page.

7. In the left-hand panel, select Single sign-on.

8. Select the SAML single sign-on.

   The SAML-based sign-on page will open.

9. Download the application's SAML certificate used to sign messages from Entra ID:

   1. Find SAML certificates → Assertion signing certificate.
   2. Use the link in the Certificate (Base64) field to download the certificate.

10. Save the credentials you will need later to configure your identity federation:

    1. Find the yandex-cloud-saml configuration section.

       If you have chosen a different application name, the section name will be different from the one provided.

    2. Save the following credentials:

       • Login page URL in the following format:

         https://login.microsoftonline.com/<tenant_ID>/saml2
         

       • Microsoft Entra ID in the following format:

         https://sts.windows.net/<tenant_ID>/
         

Create a Yandex Cloud Organization federationCreate a Yandex Cloud Organization federation

1. Go to Yandex Cloud Organization.

2. In the left-hand panel, select Federations .

3. Click Create federation.

4. Enter a name for the federation, e.g., demo-federation. It must be unique within the folder.

5. You can also add a description, if required.

6. In the Cookie lifetime field, specify the time before the browser asks the user to re-authenticate.

7. In the IdP Issuer field, paste the Microsoft Entra ID you got when configuring the Azure app.

8. In the Link to the IdP login page field, paste the login page URL you got when configuring the Azure app.

9. Enable Automatically create users to automatically add a new user to your organization after authentication. Otherwise, you will need to manually add your federated users.

   A federated user is created automatically only when they log in to a cloud for the first time. If you removed a user from the federation, you can only add them back manually.

10. (Optional) To make sure that all authentication requests from Yandex Cloud contain a digital signature, enable Sign authentication requests.

11. Enable Mandatory re-authentication (ForceAuthn) in IdP to set true for the ForceAuthn parameter in a SAML authentication request. If enabled, the IdP will request the user to re-authenticate once the Yandex Cloud session expires.

12. Click Create federation.

13. Use the link in the Sign authentication requests field to download the certificate (if the option was enabled earlier).

    You will need this certificate later when configuring SAML-based sign-on for the Azure app.

Add the Azure app's SAML certificate to the federationAdd the Azure app's SAML certificate to the federation

To enable Cloud Organization to verify the app's SAML certificate during authentication, add the certificate to the federation:

1. Go to Yandex Cloud Organization.

2. In the left-hand panel, navigate to Federations and select the federation to add the certificate to: demo-federation.

3. At the bottom of the page, click Adding a certificate.

4. Enter certificate name and description.

5. Enable Text and paste the data of the certificate obtained earlier.

Complete the Azure app configurationComplete the Azure app configuration

1. Navigate to the browser tab on which you were configuring SAML-based sign-on for the yandex-cloud-saml application.

2. Specify the redirect URL:

   1. Find the Basic SAML configuration section.

   2. In the section, click Edit.

   3. Specify the same redirect URL in both the ID (entity) and Response URL (assertion consumer service URL) fields.

      The redirect URL must be in the following format:

      https://console.cloud.yandex.ru/federations/<federation_ID>
      

      How to get the federation ID

      1. Go to Yandex Cloud Organization.

      2. In the left-hand panel, select Federations .

      3. Copy the ID of the federation you are configuring access for.

   4. Click Save in the right-hand panel.

3. (Optional) If you enabled Sign authentication requests when creating a federation in Yandex Cloud Organization, add the federation certificate to the application:

   1. Find SAML certificates → Verification certificates (optional) and click Edit.
   2. Enable Require verification certificates.
   3. Click Send certificate.
   4. Upload the certificate in PEM format.
   5. Click Save in the right-hand panel.

4. Click Save.

Configure group mapping on the Azure app sideConfigure group mapping on the Azure app side

Create a userCreate a user

1. Go to the Azure portal.

2. Under Azure services, select Microsoft Entra ID.

3. In the left-hand panel, select Users → All users.

4. Click New user. Select Create new user from the drop-down menu.

5. Go to the Basics tab.

6. In the User principal name field, enter a name for the user (e.g., az_demo_user) in combination with the domain (e.g., example.com).

7. In the Mail nickname field, specify an email address. By default, the nickname matches the username.

   You may specify a different nickname:

   1. Uncheck Derive from user principal name.
   2. Enter the mail nickname you prefer.

   For example, you can use ivan_ivanov for the az_demo_user@example.com user.

8. In the Display name field, enter a display name for the user that will appear in the interface, e.g., Ivan Ivanov.

9. In the Password field, provide the user password to be used for the first log in. By default, the password is generated automatically.

   You can specify the password manually:

   1. Uncheck Auto-generate password.
   2. Enter the password you prefer.

10. Make sure the Account enabled option is checked on the Basics tab.

11. Click Review and create.

Create a group and add a user to itCreate a group and add a user to it

1. Go to the Azure portal.

2. Under Azure services, select Microsoft Entra ID.

3. Create a group:

   1. In the left-hand panel, select Groups → All groups.
   2. Click Create group.
   3. From the Group type drop-down list, select Security group.
   4. In the Group name field, enter a name for your group, e.g., az_demo_group.
   5. Under Members, click the No members selected link.
   6. In the window that opens, check the az_demo_user@example.com user and click Select.
   7. Click Create.

4. Get the ID of the group you created:

   1. In the left-hand panel, select Groups → All groups.

   2. Find az_demo_group in the list and copy its ID from the Object ID column.

      The ID has the following format: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.

Configure access permissions for your groupConfigure access permissions for your group

Configure the application for the new group to have access it.

1. Go to the Azure portal.
2. Under Azure services, select Enterprise applications.
3. On the left-hand panel, select Enterprise applications → All applications.
4. Select the yandex-cloud-saml application you created earlier.
5. On the left-hand panel, select Users and groups.
6. Click Add user or group.
7. In the Groups field, click None selected.
8. In the window that opens, check the az_demo_group group and click Select.
9. Click Assign.
10. Click Save.

Configure group mappingConfigure group mapping

1. Go to the Azure portal.

2. Under Azure services, select Enterprise applications.

3. On the left-hand panel, select Enterprise applications → All applications.

4. Select the yandex-cloud-saml application you created earlier.

5. In the left-hand panel, select Single sign-on.

6. Find the Attributes and claims section and click Edit. Next, you will configure the necessary claims.

7. Click Add a group claim.

8. Under Which groups associated with the user should be returned in the claim?, select Security groups.

9. Select Group ID from the Source attribute drop-down list.

10. Expand the Advanced options section and make the following changes:

    1. Enable Change the name of the group claim.
    2. In the Name (optional) field, enter member.

11. Click Save in the right-hand panel.

12. Click Save.

Configure group mapping on the federation sideConfigure group mapping on the federation side

1. Go to Yandex Cloud Organization.

2. Create a user group named yc-demo-group in Yandex Cloud Organization and authorize it to view resources in the cloud or a separate folder (the viewer role).

3. In the left-hand panel, select Federations.

4. Select demo-federation you created previously and navigate to the IdP group tab.

5. Enable group mapping in the Mapping group in IdP field.

6. In the Group name field, enter the az_demo_group ID you got in Entra ID earlier.

   Warning

   You selected group ID as the source attribute when configuring group mapping on the Azure side.

   Therefore, enter the group ID, not its name.

7. In the IAM group field, select the yc-demo-group group you created in Yandex Cloud Organization from the list.

8. Click Save.

Test authenticationTest authentication

1. Open your browser in guest or private browsing mode.

2. Use this URL to log in to the management console:

   https://console.cloud.yandex.com/federations/<federation_ID>
   

   How to get the federation ID

   1. Go to Yandex Cloud Organization.

   2. In the left-hand panel, select Federations .

   3. Copy the ID of the federation you are configuring access for.

   If you have set up everything correctly, the browser will redirect you to the authentication page in Entra ID.

3. Enter the credentials of the az_demo_user@example.com user you created earlier in Entra ID and click Sign in.

   On successful authentication, the IdP server will redirect you to the URL (https://console.cloud.yandex.ru/federations/<federation_ID>) you specified in the SAML settings for the Azure app, and then to the management console home page.

4. Make sure the signed in user belongs to yc-demo-group and has the viewer permissions for resources according to the role assigned to the group.