User group mapping in Microsoft Entra ID
- Getting started
- Start configuring an application in Azure
- Create a Yandex Cloud Organization federation
- Add the Azure app's SAML certificate to the federation
- Complete the Azure app configuration
- Configure group mapping on the Azure app side
- Configure group mapping on the federation side
- Test authentication
You can use Microsoft Entra ID
To configure user group mapping in Entra ID and in an identity federation:
- Start configuring an application in Azure.
- Create a federation in Yandex Cloud Organization.
- Add the application's SAML certificate to the federation.
- Complete configuring the application.
- Configure group mapping on the application side.
- Configure group mapping on the federation side.
- Test the authentication operation.
Getting started
Make sure you have access to the following services on the Azure portal:
- Enterprise applications.
- Microsoft Entra ID.
Start configuring an application in Azure
Microsoft Entra ID with Single Sign-On (SSO) configured plays the identity provider (IdP) role. To create an application and begin configuring it:
- Under Azure services, select Enterprise applications.
- On the left-hand panel, select Enterprise applications → All applications.
- Click New application.
- On the Browse Microsoft Entra gallery page, click Create your own application.
- In the window that opens:
  - Name your app, e.g., yandex-cloud-saml.
  - Select Integrate any other application you don't find in the gallery.
  - Click Create.
  You will be taken to your new app's page.
- In the left-hand panel, select Single sign-on.
- Select SAML as the single sign-on method.
  The SAML-based sign-on page will open.
- Download the application's SAML certificate that Entra ID uses to sign the messages it sends:
  - Find SAML certificates → Assertion signing certificate.
  - Use the link in the Certificate (Base64) field to download the certificate.
- Save the values you will need later to configure your identity federation:
  - Find the yandex-cloud-saml configuration section.
    If you have chosen a different application name, the section name will be different from the one provided.
  - Save the following values:
    - Login URL, in the following format:
      https://login.microsoftonline.com/<tenant_ID>/saml2
    - Microsoft Entra Identifier (the IdP issuer), in the following format:
      https://sts.windows.net/<tenant_ID>/
    Both values contain the same tenant ID; if they do not, you copied them from different tenants.

Note
You will finish configuring SAML-based sign-on for the application after you create an identity federation.
Do not close the configuration tab in your browser.
Create a Yandex Cloud Organization federation
- Go to Yandex Cloud Organization.
- In the left-hand panel, select Federations.
- Click Create federation.
- Enter a name for the federation, e.g., demo-federation. It must be unique within the folder.
- You can also add a description, if required.
- In the Cookie lifetime field, specify how long a session lasts before the browser asks the user to re-authenticate.
- In the IdP Issuer field, paste the Microsoft Entra Identifier (https://sts.windows.net/<tenant_ID>/) you saved when configuring the Azure app.
- In the Link to the IdP login page field, paste the Login URL (https://login.microsoftonline.com/<tenant_ID>/saml2) you saved when configuring the Azure app.
- Enable Automatically create users to add a new user to your organization automatically after their first successful authentication. Otherwise, you will need to add your federated users manually.
  A federated user is created automatically only when they log in to a cloud for the first time. If you removed a user from the federation, you can only add them back manually.
- (Optional) To make every authentication request from Yandex Cloud carry a digital signature, enable Sign authentication requests.
- Enable Mandatory re-authentication (ForceAuthn) in IdP to set the ForceAuthn parameter to true in SAML authentication requests. If enabled, the IdP will ask the user to re-authenticate once the Yandex Cloud session expires instead of silently reusing the existing Entra ID session.
- Click Create federation.
- Use the link in the Sign authentication requests field to download the certificate (if you enabled the option earlier).
  You will need this certificate later when configuring SAML-based sign-on for the Azure app.
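The settings above (the IdP login page, the federation URL and ForceAuthn) all end up in the SAML AuthnRequest that Yandex Cloud redirects the browser to. The following script, added here as an example and not code from Yandex Cloud or Microsoft, decodes such a request from the SAMLRequest query parameter of the redirect (HTTP-Redirect binding: raw DEFLATE, base64, URL encoding) and checks it against the values you configured. The tenant ID and federation ID are made up, the AuthnRequest XML is constructed to stand in for a real capture, and the request's Issuer is assumed to equal the federation URL that this guide later tells you to enter as the app's Identifier (Entity ID).

```python
"""Decode the SAMLRequest that Yandex Cloud sends to the Entra ID login page
(HTTP-Redirect binding) and check what the federation settings put on the wire.

Added example for this guide; not Yandex Cloud or Microsoft code. Assumptions
(not from the guide): the tenant ID and federation ID are made up, the
AuthnRequest XML is constructed to stand in for a real capture, and the
request's Issuer is taken to be the federation URL that the guide tells you to
enter as the app's Identifier (Entity ID)."""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Made-up values standing in for what you copied from the Azure app and the federation.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
LOGIN_URL = f"https://login.microsoftonline.com/{TENANT_ID}/saml2"
FEDERATION_URL = "https://console.cloud.yandex.ru/federations/bpfexamplefederation"

# Constructed AuthnRequest, as a federation with ForceAuthn enabled would send it.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  ID="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
  Destination="{LOGIN_URL}" ForceAuthn="true"
  AssertionConsumerServiceURL="{FEDERATION_URL}"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>{FEDERATION_URL}</saml:Issuer>
</samlp:AuthnRequest>"""


def build_redirect_query(authn_request_xml: str) -> str:
    """Encode an AuthnRequest the way the HTTP-Redirect binding does:
    raw DEFLATE, then base64, then URL-encode as the SAMLRequest parameter."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: raw deflate, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    return urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})


def decode_redirect_query(query: str) -> dict:
    """Reverse the redirect-binding encoding of the query string seen in the
    browser address bar on the way to login.microsoftonline.com and return
    the fields worth checking against the federation settings."""
    params = urllib.parse.parse_qs(query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15))
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"unexpected root element {root.tag}")
    return {
        "destination": root.get("Destination"),
        "force_authn": root.get("ForceAuthn", "false").lower() == "true",
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "issuer": (root.findtext(f"{{{SAML}}}Issuer") or "").strip(),
        # With Sign authentication requests enabled the binding adds SigAlg and Signature parameters.
        "signed": "Signature" in params and "SigAlg" in params,
    }


def check_request(fields: dict, login_url: str, federation_url: str, expect_force_authn: bool) -> list:
    """Return the mismatches between the decoded request and the expected settings (empty list = ok)."""
    problems = []
    if fields["destination"] != login_url:
        problems.append(f"Destination {fields['destination']!r} is not the IdP login page {login_url!r}")
    if fields["acs_url"] != federation_url:
        problems.append(f"AssertionConsumerServiceURL {fields['acs_url']!r} is not the federation URL")
    if fields["issuer"] != federation_url:
        problems.append(f"Issuer {fields['issuer']!r} does not match the Identifier (Entity ID) {federation_url!r}")
    if fields["force_authn"] != expect_force_authn:
        problems.append(f"ForceAuthn is {fields['force_authn']}, expected {expect_force_authn}")
    return problems


def demo() -> dict:
    """Round-trip the constructed request and check it against the assumed federation settings."""
    fields = decode_redirect_query(build_redirect_query(SAMPLE_AUTHN_REQUEST))
    fields["problems"] = check_request(fields, LOGIN_URL, FEDERATION_URL, expect_force_authn=True)
    return fields


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

To use it on a real login, paste the query string of the login.microsoftonline.com URL into decode_redirect_query. A wrong tenant ID in the Link to the IdP login page field shows up as a Destination mismatch, and a federation created without Sign authentication requests produces a request with no Signature parameter, which is what the Azure app's Require verification certificates setting would reject.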
Add the Azure app's SAML certificate to the federation
To let Cloud Organization verify the signature on the SAML responses that Entra ID sends during authentication, add the app's signing certificate to the federation:
- Go to Yandex Cloud Organization.
- In the left-hand panel, navigate to Federations and select the federation to add the certificate to: demo-federation.
- At the bottom of the page, click Adding a certificate.
- Enter a certificate name and description.
- Enable Text and paste the contents of the certificate file you downloaded from the Certificate (Base64) field earlier.
The certificate contains only the public key, so it is safe to paste here. Keep track of its expiry date: when the signing certificate is rotated in Entra ID, add the new one to the federation before the old one stops being used, or federated logins will fail with a signature error.
Complete the Azure app configuration
- Navigate to the browser tab on which you were configuring SAML-based sign-on for the yandex-cloud-saml application.
- Specify the redirect URL:
  - Find the Basic SAML configuration section.
  - In the section, click Edit.
  - Specify the same redirect URL in both the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) fields.
    The redirect URL must be in the following format:
    https://console.cloud.yandex.ru/federations/<federation_ID>
    Copy the URL verbatim: Entra ID rejects a sign-in request whose assertion consumer service URL does not exactly match a configured Reply URL.
    How to get the federation ID
    - Go to Yandex Cloud Organization.
    - In the left-hand panel, select Federations.
    - Copy the ID of the federation you are configuring access for.
  - Click Save in the right-hand panel.
- (Optional) If you enabled Sign authentication requests when creating a federation in Yandex Cloud Organization, add the federation certificate to the application:
  - Find SAML certificates → Verification certificates (optional) and click Edit.
  - Enable Require verification certificates.
  - Click Send certificate.
  - Upload the certificate in PEM format.
  - Click Save in the right-hand panel.
- Click Save.
Configure group mapping on the Azure app side
Create a user
- Under Azure services, select Microsoft Entra ID.
- In the left-hand panel, select Users → All users.
- Click New user and select Create new user from the drop-down menu.
- Go to the Basics tab.
- In the User principal name field, enter a name for the user (e.g., az_demo_user) combined with a domain (e.g., example.com).
- In the Mail nickname field, specify the user's mail alias. By default, the nickname matches the username.
  To specify a different nickname:
  - Uncheck Derive from user principal name.
  - Enter the mail nickname you prefer.
  For example, you can use ivan_ivanov for the az_demo_user@example.com user.
- In the Display name field, enter the name that will be shown for the user in the interface, e.g., Ivan Ivanov.
- In the Password field, provide the password the user will use for their first login. By default, the password is generated automatically.
  To specify the password manually:
  - Uncheck Auto-generate password.
  - Enter the password you prefer.
- Make sure the Account enabled option is checked on the Basics tab.
- Click Review and create.
Create a group and add a user to it
- Under Azure services, select Microsoft Entra ID.
- Create a group:
  - In the left-hand panel, select Groups → All groups.
  - Click Create group.
  - From the Group type drop-down list, select Security group.
  - In the Group name field, enter a name for your group, e.g., az_demo_group.
  - Under Members, click the No members selected link.
  - In the window that opens, check the az_demo_user@example.com user and click Select.
  - Click Create.
- Get the ID of the group you created:
  - In the left-hand panel, select Groups → All groups.
  - Find az_demo_group in the list and copy its ID from the Object ID column. The ID has the following format:
    XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
-
Configure access permissions for your group
Assign the new group to the application so that its members are allowed to sign in through it.
- Go to the Azure portal.
- Under Azure services, select Enterprise applications.
- On the left-hand panel, select Enterprise applications → All applications.
- Select the yandex-cloud-saml application you created earlier.
- On the left-hand panel, select Users and groups.
- Click Add user or group.
- In the Groups field, click None selected.
- In the window that opens, check the az_demo_group group and click Select.
- Click Assign.
- Click Save.
Configure group mapping
- Under Azure services, select Enterprise applications.
- On the left-hand panel, select Enterprise applications → All applications.
- Select the yandex-cloud-saml application you created earlier.
- In the left-hand panel, select Single sign-on.
- Find the Attributes and claims section and click Edit. Next, you will configure the group claim.
- Click Add a group claim.
- Under Which groups associated with the user should be returned in the claim?, select Security groups.
  If your users belong to many groups, note that Entra ID does not list groups in a SAML token once a user is a member of more than 150 of them and emits a group overage claim instead, so mapping will not work for such users. Selecting Groups assigned to the application instead keeps the claim down to the groups assigned to yandex-cloud-saml, such as az_demo_group.
- Select Group ID from the Source attribute drop-down list.
- Expand the Advanced options section and make the following changes:
  - Enable Change the name of the group claim.
  - In the Name (optional) field, enter member.
- Click Save in the right-hand panel.
- Click Save.
Configure group mapping on the federation side
- Go to Yandex Cloud Organization.
- Create a user group named yc-demo-group in Yandex Cloud Organization and authorize it to view resources in the cloud or a separate folder (the viewer role).
- In the left-hand panel, select Federations.
- Select the demo-federation you created previously and navigate to the IdP group tab.
- Enable group mapping in the Mapping group in IdP field.
- In the Group name field, enter the az_demo_group ID you got in Entra ID earlier.
  Warning
  You selected group ID as the source attribute when configuring group mapping on the Azure side.
  Therefore, enter the group ID, not its name.
- In the IAM group field, select the yc-demo-group group you created in Yandex Cloud Organization from the list.
- Click Save.
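The two halves of the mapping meet in the SAML response: the Azure app side puts the user's group object IDs into an attribute named member, and the federation side looks each value up in its IdP group to IAM group table. The script below, added here as an example and not code from Yandex Cloud or Microsoft, decodes a SAMLResponse form field, checks the issuer and audience against the IdP Issuer and federation URL, extracts the member claim and applies the mapping. The tenant ID, federation ID and group object IDs are made up, the Response XML is constructed to look like what Entra ID posts once the claim is configured, and the XML signature is not verified, so use it only on a response captured from your own test login.

```python
"""Inspect a decoded SAML Response from Entra ID and apply the federation's
IdP group -> IAM group table to the 'member' claim.

Added example for this guide; not Yandex Cloud or Microsoft code. Assumptions
(not from the guide): the tenant ID, federation ID and group object IDs are
made up, and the Response XML is constructed to look like what Entra ID posts
once the group claim named 'member' with Group ID as its source is configured.
The XML signature is not verified here, so run this only on a response you
captured from your own test login; the federation does its own verification."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

TENANT_ID = "11111111-2222-3333-4444-555555555555"
IDP_ISSUER = f"https://sts.windows.net/{TENANT_ID}/"  # the IdP Issuer field of the federation
FEDERATION_URL = "https://console.cloud.yandex.ru/federations/bpfexamplefederation"
AZ_DEMO_GROUP_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # Object ID of az_demo_group (made up)

# What the federation's IdP group tab holds: Entra group object ID -> IAM group.
GROUP_MAPPING = {AZ_DEMO_GROUP_ID: "yc-demo-group"}

# Constructed, unsigned Response with one Assertion carrying the 'member' claim.
# The second group ID has no mapping and must be ignored.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" Version="2.0" Destination="{FEDERATION_URL}">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <saml:Subject><saml:NameID>az_demo_user@example.com</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{FEDERATION_URL}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="member">
        <saml:AttributeValue>{AZ_DEMO_GROUP_ID}</saml:AttributeValue>
        <saml:AttributeValue>99999999-8888-7777-6666-555555555555</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_response(saml_response_b64: str) -> dict:
    """Decode the SAMLResponse form field and pull out the fields the federation acts on."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in the response")
    member_values = "saml:AttributeStatement/saml:Attribute[@Name='member']/saml:AttributeValue"
    return {
        "issuer": assertion.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "audience": assertion.findtext(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS).strip(),
        "subject": assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip(),
        "groups": [v.text.strip() for v in assertion.findall(member_values, NS) if v.text],
    }


def check_response(parsed: dict, idp_issuer: str, federation_url: str) -> list:
    """Return why a relying party would reject this assertion (empty list = consistent with the settings)."""
    problems = []
    if parsed["issuer"] != idp_issuer:
        problems.append(f"Issuer {parsed['issuer']!r} is not the federation's IdP Issuer {idp_issuer!r}")
    if parsed["audience"] != federation_url:
        problems.append(f"Audience {parsed['audience']!r} is not the federation URL {federation_url!r}")
    return problems


def map_groups(idp_groups: list, mapping: dict) -> list:
    """Apply the IdP group -> IAM group table. IDs without a mapping are ignored,
    and a group name such as az_demo_group never matches, which is why the
    guide warns you to enter the object ID."""
    return sorted({mapping[g] for g in idp_groups if g in mapping})


def demo() -> dict:
    """Run the constructed response through the checks and the mapping."""
    parsed = parse_response(base64.b64encode(SAMPLE_RESPONSE.encode()).decode())
    return {
        **parsed,
        "problems": check_response(parsed, IDP_ISSUER, FEDERATION_URL),
        "iam_groups": map_groups(parsed["groups"], GROUP_MAPPING),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

For a real capture, take the SAMLResponse field from the POST to the federation URL (browser developer tools, Network tab) and pass it to parse_response. If the groups list comes back empty, the claim name or source attribute on the Azure side is wrong; if the list contains names instead of GUIDs, the Source attribute was not set to Group ID and the federation's mapping will never match.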
Test authentication
- Open your browser in guest or private browsing mode.
- Use this URL to log in to the management console:
  https://console.cloud.yandex.com/federations/<federation_ID>
  How to get the federation ID
  - Go to Yandex Cloud Organization.
  - In the left-hand panel, select Federations.
  - Copy the ID of the federation you are configuring access for.
  If you have set up everything correctly, the browser will redirect you to the authentication page in Entra ID. If Entra ID shows an error about the reply URL instead, the URL the federation sent does not exactly match the Reply URL you configured in the Basic SAML configuration section.
- Enter the credentials of the az_demo_user@example.com user you created earlier in Entra ID and click Sign in.
  On successful authentication, the IdP server will redirect you to the URL (https://console.cloud.yandex.ru/federations/<federation_ID>) you specified in the SAML settings for the Azure app, and then to the management console home page. The login succeeds only if the user already exists in the organization or Automatically create users is enabled for the federation.
- Make sure the signed-in user belongs to yc-demo-group and has the viewer permissions for resources according to the role assigned to the group.