With recent additions to Azure Active Directory, I was very interested to see if it would now be possible to deploy a Sitecore environment and use Azure Active Directory both as the domain controller and as the source of content management users.
As part of my series of articles on a lightweight Sitecore infrastructure, I’m going to show how to configure Sitecore to use an Azure Active Directory Domain as a source for Sitecore content authors.
Using this approach, you can avoid the need for provisioning and managing the Domain Controller infrastructure that you’d normally need to manage users in an infrastructure.
In addition, in the future this will allow you to easily integrate and replicate your local domain to a cloud domain and have content authors automatically provisioned to Sitecore.
Before you can get started, make sure you have an Azure Active Directory domain with Domain Services enabled. See my previous article for a step-by-step guide on how to set this up.
Creating the Sitecore Content Management environment
With the Azure Active Directory domain created and the Domain Services enabled as described in my previous article, most of the plumbing is out of the way. I’m going to spend a little time showing how to set up a new Azure Content Management environment, as there’s a new option available that allows even closer integration of Azure VMs with Azure Active Directory, namely Domain Join.
If you already have a Sitecore Content Management environment set up, you can skip this and move to the next paragraph.
- The first step is to create a new Sitecore Content Management environment. For demonstration purposes, this will be a simple single server installation.
- We navigate to the new Azure portal, https://portal.azure.com/, and from there choose to create a new Compute VM, based on the Windows Server 2012 R2 Datacenter template:
- Choose the Classic deployment model:
- Configure the basic VM settings.
- Under Optional Configuration – Network, choose the Virtual Network in which the Domain Services are active.
- Under Optional Configuration – OS Settings, choose the option Domain Join and enter the details of the domain admin user created earlier (see the previous article):
- Create the VM and wait for the VM to provision. Note: if this process takes longer than 10 minutes, it’s likely that there’s something wrong in your domain-join settings, for example a typo in the DNS IP addresses on the Virtual Network.
- After provisioning you can log on using the local administrator user and see that the VM is part of the Azure Active Directory domain and that the group created earlier is also part of the Administrators group:
- After this, you can also log in using the domain administrator created earlier using the format:
- username: user@domain
- password: <password>
Using Azure Active Directory for Sitecore content author user management
We all know the Sitecore Active Directory module for integrating a Sitecore environment with your local Active Directory. The great news is that with Domain Services, this module now also works with Azure Active Directory domains. The trick lies in the LDAP connection string.
Before we integrate Sitecore with the Azure Active Directory domain, let’s create a few content author users and assign them to a content author group.
- Start by navigating to the Azure portal, https://portal.azure.com/, and signing in.
- Navigate to your Azure Active Directory domain:
- Navigate to the Users tab:
- Choose the option to add a new user:
- Fill out the user profile and complete the user profile:
- Next, navigate to the Groups tab and choose the option to create a new group and fill out the form:
- After creating the group, choose the option to add members and select the previously created content author users:
- The last step is to change the password of the user created earlier. This can be done by logging on with the user at http://myapps.microsoft.com/. This will cause the password hash to be stored in Azure Active Directory Domain Services.
Integrating the Sitecore Active Directory module with the Azure Active Directory domain
With the domain in place, and users and groups created, we can now configure the Sitecore Active Directory module to synchronize with the Azure Active Directory domain.
- Start by installing the Sitecore Active Directory module as you would normally:
Configure the various parts of the module as described in the module’s Administrator’s Guide. When you get to the point that you need to configure the LDAP connection string, use the following format:
- <add name="SitecoreAzureLabAD" connectionString="LDAP://sitecoreazurelab.onmicrosoft.com/OU=AADDC Users,DC=sitecoreazurelab,DC=onmicrosoft,DC=com" />
- Use the domain name as defined in the Azure Active Directory
- Make sure that the OU is set to ‘AADDC Users’. This is the OU in which the users are created and is the only OU available in the Azure Active Directory domain.
- Important: your environment must be able to resolve the Azure Active Directory domain name. As my environment is joined to the same domain and the DNS is configured to use the domain controllers, this is automatic in my case.
- Complete the configuration as per the manual, configuring the AD provider in the web.config, sitecore.config and domains.config.
If you want to further filter which users are synchronized, this is an interesting article:
- Browse to Sitecore to trigger the start of the synchronization with the domain.
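A pre-flight check for the LDAP connection string and the DNS requirement above, written as an added example rather than code from the post or the Sitecore module; the domain name sitecoreazurelab.onmicrosoft.com and the function names are assumptions for illustration.

```python
"""Sanity-check the Sitecore AD module's LDAP connection string against an
Azure AD Domain Services domain before touching web.config (added example)."""
import re
import socket

EXPECTED_OU = "AADDC Users"  # the only user OU Azure AD Domain Services exposes


def domain_to_dn(domain: str) -> str:
    """'sitecoreazurelab.onmicrosoft.com' -> 'DC=sitecoreazurelab,DC=onmicrosoft,DC=com'."""
    return ",".join(f"DC={label}" for label in domain.strip(".").split("."))


def build_connection_string(domain: str, ou: str = EXPECTED_OU) -> str:
    """Compose the LDAP path in the format the post uses for the <add> element."""
    return f"LDAP://{domain}/OU={ou},{domain_to_dn(domain)}"


def validate_connection_string(conn: str) -> list[str]:
    """Return the problems found; an empty list means the string looks right."""
    problems = []
    m = re.fullmatch(r"LDAP://([^/]+)/(.+)", conn, flags=re.IGNORECASE)
    if not m:
        return ["not of the form LDAP://<domain>/<distinguished name>"]
    host, dn = m.group(1), m.group(2)
    parts = [p.strip() for p in dn.split(",")]
    ous = [p[3:] for p in parts if p.upper().startswith("OU=")]
    dcs = [p[3:] for p in parts if p.upper().startswith("DC=")]
    if ous != [EXPECTED_OU]:
        problems.append(f"OU must be exactly '{EXPECTED_OU}', got {ous}")
    # A typo in a DC component silently points the module at a non-existent tree.
    if ".".join(dcs).lower() != host.lower():
        problems.append(f"DC components {dcs} do not spell the host name {host}")
    return problems


def resolve_domain(domain: str, port: int = 389) -> list[str]:
    """Addresses the local resolver returns for the domain; an empty list is the
    'cannot resolve the domain name' failure the post warns about."""
    try:
        infos = socket.getaddrinfo(domain, port, type=socket.SOCK_STREAM)
        return sorted({info[4][0] for info in infos})
    except socket.gaierror:
        return []


if __name__ == "__main__":
    conn = build_connection_string("sitecoreazurelab.onmicrosoft.com")  # assumed domain
    print(conn, validate_connection_string(conn) or "OK", resolve_domain("sitecoreazurelab.onmicrosoft.com"))
```

Run it on the domain-joined CM server; an empty resolver result means the VM's DNS is not pointing at the Domain Services controllers.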
After the synchronization has completed, you’ll be able to find the new users in the Sitecore User Manager:
Roles are a trickier point. They are synchronized but for some reason, the name is not shown correctly. When I get some time I’m going to see if I can debug this and post an update:
But the members in the role are correct so we can assign it to standard Sitecore roles:
You can grant access to the users or role as you would normally, for example you can add the synchronized role to a built-in Sitecore role:
After that, users can log in using the credentials created earlier:
And you’ll see that user privileges are neatly translated using the Sitecore role assignment:
So that’s it: Sitecore user management integrated with an Azure Active Directory domain negating the need for Active Directory servers.