Azure AD Setup Guide
This guide walks through setting up Azure AD as the identity provider for internal users (employees, contractors, and sales associates).
Prerequisites
- Azure subscription with appropriate licensing
- Global Administrator permissions in Azure AD
- Access to Microsoft 365 admin center
- PowerShell 5.1+ with Azure modules
Step 1: Basic Azure AD Configuration
1.1 Enable Security Defaults
Security First
Enable security defaults immediately to protect against common attacks. Security defaults and Conditional Access are mutually exclusive, so turn them off again (set isEnabled to false) before creating the policies in Step 4.
# Connect to Azure AD (used by the AzureAD cmdlets in later steps)
Connect-AzureAD
# Security defaults are not an AzureAD-module policy type; enable them through Microsoft Graph instead
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy" `
    -Body @{ isEnabled = $true }
# Confirm the change
Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy | Select-Object IsEnabled
1.2 Configure Company Branding
# Set tenant notification contacts. Set-AzureADTenantDetail has no -CompanyName parameter;
# the tenant display name and logos are set under Company branding in the Azure portal.
Set-AzureADTenantDetail `
    -TechnicalNotificationMails @("it-admin@oves.com") `
    -MarketingNotificationEmails @("marketing@oves.com")
Step 2: User Management
2.1 Create Organizational Units (Groups)
# Create security groups for different user types
$groups = @(
    @{Name="OVES-Employees"; Description="Full-time employees"},
    @{Name="OVES-Contractors"; Description="Contract workers"},
    @{Name="OVES-Sales"; Description="Sales team members"},
    @{Name="OVES-Admins"; Description="System administrators"}
)
foreach ($group in $groups) {
    New-AzureADGroup `
        -DisplayName $group.Name `
        -Description $group.Description `
        -MailNickName ($group.Name -replace '[^A-Za-z0-9]', '') `
        -SecurityEnabled $true `
        -MailEnabled $false
}
# -MailNickName is mandatory for New-AzureADGroup even for security groups
2.2 Create User Accounts
# Employee creation template
# PasswordProfile must be a PasswordProfile object, not a hashtable
$passwordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$passwordProfile.Password = "TempPassword123!"   # replace with a per-user generated value
$passwordProfile.ForceChangePasswordNextLogin = $true
$userParams = @{
    DisplayName       = "John Doe"
    UserPrincipalName = "john.doe@oves.com"
    MailNickName      = "john.doe"   # required by New-AzureADUser
    AccountEnabled    = $true
    PasswordProfile   = $passwordProfile
    Department        = "Engineering"
    JobTitle          = "Software Developer"
    UsageLocation     = "US"
}
$newUser = New-AzureADUser @userParams
# Add to appropriate group
$group = Get-AzureADGroup -Filter "DisplayName eq 'OVES-Employees'"
Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $newUser.ObjectId
Step 3: Multi-Factor Authentication
3.1 Enable MFA for All Users
# Import MSOnline module (legacy per-user MFA; the Conditional Access policy in Step 4 is the preferred way)
Import-Module MSOnline
Connect-MsolService
# Get all users
$users = Get-MsolUser -All
# Enable MFA for each user
foreach ($user in $users) {
    $auth = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $auth.RelyingParty = "*"
    $auth.State = "Enabled"
    # The parameter takes an array of requirements
    Set-MsolUser -UserPrincipalName $user.UserPrincipalName -StrongAuthenticationRequirements @($auth)
}
3.2 Configure Authentication Methods
{
  "authenticationMethodsPolicy": {
    "policyVersion": "1.5",
    "registrationEnforcement": {
      "authenticationMethodsRegistrationCampaign": {
        "snoozeDurationInDays": 1,
        "state": "enabled",
        "excludeTargets": [],
        "includeTargets": [
          {
            "id": "all_users",
            "targetType": "group"
          }
        ]
      }
    },
    "authenticationMethodConfigurations": [
      {
        "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
        "id": "MicrosoftAuthenticator",
        "state": "enabled"
      }
    ]
  }
}
Step 4: Conditional Access Policies
4.1 Require MFA for All Users
{
  "displayName": "Require MFA for all users",
  "state": "enabled",
  "conditions": {
    "users": {
      "includeUsers": ["All"]
    },
    "applications": {
      "includeApplications": ["All"]
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["mfa"]
  }
}
4.2 Block Legacy Authentication
{
  "displayName": "Block legacy authentication",
  "state": "enabled",
  "conditions": {
    "users": {
      "includeUsers": ["All"]
    },
    "clientAppTypes": [
      "exchangeActiveSync",
      "other"
    ]
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["block"]
  }
}
4.3 Require Compliant Device for Admins
{
  "displayName": "Require compliant device for admins",
  "state": "enabled",
  "conditions": {
    "users": {
      "includeGroups": ["OVES-Admins-GroupId"]
    },
    "applications": {
      "includeApplications": ["All"]
    }
  },
  "grantControls": {
    "operator": "AND",
    "builtInControls": ["mfa", "compliantDevice"]
  }
}
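The three policies above, created through the Microsoft Graph PowerShell SDK, as an added example that is not part of the original guide. It assumes the Microsoft.Graph.Identity.SignIns module and a break-glass group named OVES-BreakGlass (a name chosen for this example) that is excluded from every policy; policies start in report-only mode so their effect can be reviewed in the sign-in logs before enforcement.

```powershell
# Assumes Microsoft.Graph.Identity.SignIns and an existing break-glass group named OVES-BreakGlass
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

# Conditional Access policies cannot be created while security defaults are on
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($defaults.IsEnabled) {
    throw "Disable security defaults before creating Conditional Access policies."
}

# Emergency-access accounts must never be locked out by these policies
$breakGlass = Get-MgGroup -Filter "displayName eq 'OVES-BreakGlass'"
if (-not $breakGlass) { throw "Break-glass group not found; create it first." }

function New-OvesCaPolicy {
    param(
        [string]$DisplayName,
        [hashtable]$Conditions,
        [hashtable]$GrantControls,
        # Report-only first; switch to "enabled" after reviewing the sign-in logs
        [string]$State = "enabledForReportingButNotEnforced"
    )
    $Conditions.users.excludeGroups = @($breakGlass.Id)
    $body = @{
        displayName   = $DisplayName
        state         = $State
        conditions    = $Conditions
        grantControls = $GrantControls
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# 4.1 Require MFA for all users
New-OvesCaPolicy -DisplayName "Require MFA for all users" `
    -Conditions @{ users = @{ includeUsers = @("All") }; applications = @{ includeApplications = @("All") } } `
    -GrantControls @{ operator = "OR"; builtInControls = @("mfa") }

# 4.2 Block legacy authentication (Graph requires an applications condition as well)
New-OvesCaPolicy -DisplayName "Block legacy authentication" `
    -Conditions @{ users = @{ includeUsers = @("All") }; applications = @{ includeApplications = @("All") }; clientAppTypes = @("exchangeActiveSync", "other") } `
    -GrantControls @{ operator = "OR"; builtInControls = @("block") }

# 4.3 Require compliant device for admins (group id resolved instead of hard-coded)
$admins = Get-MgGroup -Filter "displayName eq 'OVES-Admins'"
New-OvesCaPolicy -DisplayName "Require compliant device for admins" `
    -Conditions @{ users = @{ includeGroups = @($admins.Id) }; applications = @{ includeApplications = @("All") } } `
    -GrantControls @{ operator = "AND"; builtInControls = @("mfa", "compliantDevice") }
```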
Step 5: Application Integration
5.1 Register Odoo Application
# Create app registration for Odoo
$app = New-AzureADApplication `
    -DisplayName "OVES Odoo" `
    -Homepage "https://odoo.oves.com" `
    -ReplyUrls @("https://odoo.oves.com/auth_oauth/signin") `
    -AvailableToOtherTenants $false
# Create service principal
$sp = New-AzureADServicePrincipal -AppId $app.AppId
# Configure SAML settings
Set-AzureADApplication -ObjectId $app.ObjectId `
    -SamlMetadataUrl "https://odoo.oves.com/auth_saml/metadata"
5.2 Configure Claims Mapping
{
  "ClaimsMapping": {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "user.mail",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "user.givenname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "user.surname",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups": "user.assignedroles"
  }
}
Step 6: Secret Management with Azure Key Vault
6.1 Create Key Vault
# Create resource group
New-AzResourceGroup -Name "OVES-KeyVault-RG" -Location "East US"
# Create Key Vault. Purge protection stops anyone, including admins, from permanently
# deleting the vault or its secrets during the soft-delete retention period.
$vault = New-AzKeyVault `
    -VaultName "OVES-Secrets-Vault" `
    -ResourceGroupName "OVES-KeyVault-RG" `
    -Location "East US" `
    -EnabledForDeployment `
    -EnabledForTemplateDeployment `
    -EnabledForDiskEncryption `
    -EnablePurgeProtection
6.2 Store Application Secrets
# Store Odoo database connection string
$dbConnectionString = ConvertTo-SecureString "Server=...;Database=...;User=...;Password=..." -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName "OVES-Secrets-Vault" -Name "OdooDbConnection" -SecretValue $dbConnectionString
# Store API keys
$apiKey = ConvertTo-SecureString "your-api-key-here" -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName "OVES-Secrets-Vault" -Name "ExternalAPIKey" -SecretValue $apiKey
6.3 Configure Access Policies
# Grant access to specific groups
$group = Get-AzureADGroup -Filter "DisplayName eq 'OVES-Admins'"
Set-AzKeyVaultAccessPolicy `
    -VaultName "OVES-Secrets-Vault" `
    -ObjectId $group.ObjectId `
    -PermissionsToSecrets @("Get", "List", "Set") `
    -PermissionsToKeys @("Get", "List") `
    -PermissionsToCertificates @("Get", "List")
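A least-privilege grant for the Odoo service principal from 5.1 plus a check that no other principal holds write or destructive secret permissions, as an added example that is not part of the original guide. It assumes the $sp variable from 5.1 is still in scope and the Az.KeyVault module is loaded; Get-OvesVaultWriters is a helper name chosen for this example.

```powershell
# Assumes $sp from 5.1 (the Odoo service principal) and the Az.KeyVault module
$vaultName = "OVES-Secrets-Vault"

# The application only reads its own secrets at runtime: Get only, no List and no Set.
# Set-AzKeyVaultAccessPolicy replaces the principal's existing permissions on this vault.
Set-AzKeyVaultAccessPolicy `
    -VaultName $vaultName `
    -ObjectId $sp.ObjectId `
    -PermissionsToSecrets @("Get")

# List every access policy that can change or destroy secrets
function Get-OvesVaultWriters {
    param([string]$VaultName)
    $vault = Get-AzKeyVault -VaultName $VaultName
    $risky = @("Set", "Delete", "Purge", "Recover", "Restore", "All")
    foreach ($policy in $vault.AccessPolicies) {
        $granted = @($policy.PermissionsToSecrets | Where-Object { $risky -contains $_ })
        if ($granted.Count -gt 0) {
            [pscustomobject]@{
                DisplayName = $policy.DisplayName
                ObjectId    = $policy.ObjectId
                Permissions = ($granted -join ", ")
            }
        }
    }
}

# After 6.3 only the OVES-Admins group should appear; review any other principal listed
Get-OvesVaultWriters -VaultName $vaultName | Format-Table -AutoSize
```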
Step 7: Monitoring and Auditing
7.1 Enable Sign-in Logs
# Configure diagnostic settings for sign-in logs
$diagnosticSetting = @{
    Name        = "OVES-SignIn-Logs"
    ResourceId  = "/tenants/your-tenant-id"
    WorkspaceId = "/subscriptions/your-sub/resourceGroups/your-rg/providers/Microsoft.OperationalInsights/workspaces/your-workspace"
    Enabled     = $true
    Category    = @("SignInLogs", "AuditLogs", "NonInteractiveUserSignInLogs")
}
7.2 Set Up Alerts
{
  "alertRules": [
    {
      "name": "Multiple Failed Sign-ins",
      "condition": "SigninLogs | where ResultType != 0 | summarize count() by UserPrincipalName | where count_ > 5",
      "frequency": "PT5M",
      "severity": "High"
    },
    {
      "name": "Admin Activity",
      "condition": "AuditLogs | where Category == 'RoleManagement'",
      "frequency": "PT1M",
      "severity": "Medium"
    }
  ]
}
Step 8: Backup and Disaster Recovery
8.1 Export Configuration
# Without -All the AzureAD cmdlets return only the first 100 objects
# Export all groups
Get-AzureADGroup -All $true | Export-Csv "Azure-AD-Groups-Backup.csv" -NoTypeInformation
# Export all users
Get-AzureADUser -All $true | Export-Csv "Azure-AD-Users-Backup.csv" -NoTypeInformation
# Export applications
Get-AzureADApplication -All $true | Export-Csv "Azure-AD-Apps-Backup.csv" -NoTypeInformation
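A fuller export that keeps what the CSV backups above lose (group membership, and list-valued properties such as ReplyUrls, which Export-Csv flattens to a type name), as an added example that is not part of the original guide. It assumes Connect-AzureAD has already run; the output directory name is chosen for this example.

```powershell
# Assumes Connect-AzureAD has already run; writes dated JSON/CSV files into a backup folder
$backupDir = ".\azuread-backup-$(Get-Date -Format 'yyyyMMdd')"
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Groups with their members: the group object alone is not enough to rebuild access
$groups = foreach ($g in Get-AzureADGroup -All $true) {
    [pscustomobject]@{
        ObjectId    = $g.ObjectId
        DisplayName = $g.DisplayName
        Description = $g.Description
        Members     = @(Get-AzureADGroupMember -ObjectId $g.ObjectId -All $true |
                        Select-Object ObjectId, UserPrincipalName, ObjectType)
    }
}
$groups | ConvertTo-Json -Depth 5 | Set-Content "$backupDir\groups.json"

# Applications: ReplyUrls and IdentifierUris are lists, so JSON is used instead of CSV.
# Exact reply URLs are what the SAML/OAuth re-registration in Step 5 needs.
$apps = foreach ($a in Get-AzureADApplication -All $true) {
    [pscustomobject]@{
        ObjectId        = $a.ObjectId
        AppId           = $a.AppId
        DisplayName     = $a.DisplayName
        ReplyUrls       = @($a.ReplyUrls)
        IdentifierUris  = @($a.IdentifierUris)
        SamlMetadataUrl = $a.SamlMetadataUrl
    }
}
$apps | ConvertTo-Json -Depth 5 | Set-Content "$backupDir\applications.json"

# Users: only the attributes needed to recreate an account (no secrets are exported)
Get-AzureADUser -All $true |
    Select-Object ObjectId, UserPrincipalName, DisplayName, Department, JobTitle, UsageLocation, AccountEnabled |
    Export-Csv "$backupDir\users.csv" -NoTypeInformation
```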
8.2 Document Recovery Procedures
Disaster Recovery
Create detailed procedures for:
- Emergency admin access
- Key Vault recovery
- Application re-registration
- User account restoration
Validation Checklist
- [ ] Security defaults enabled
- [ ] All users have MFA enabled
- [ ] Conditional access policies active
- [ ] Odoo SAML integration working
- [ ] Key Vault secrets accessible
- [ ] Monitoring and alerts configured
- [ ] Backup procedures documented
- [ ] Emergency access tested
Troubleshooting
Common Issues
MFA Setup Problems
# Reset MFA for a user
Set-MsolUser -UserPrincipalName "user@oves.com" -StrongAuthenticationRequirements @()
SAML Integration Issues
- Verify Reply URLs match exactly
- Check certificate expiration dates
- Validate claim mappings in tokens
Key Vault Access Denied
# Check current access policies (there is no Get-AzKeyVaultAccessPolicy cmdlet; the policies are a property of the vault)
(Get-AzKeyVault -VaultName "OVES-Secrets-Vault").AccessPolicies
Next: Continue with Keycloak Setup or jump to Odoo Integration.