Join an Entra ID Directory tenant | AD Bridge
You can set up AD Bridge to authenticate to Active Directory or Microsoft Entra ID. Using both platforms is not supported at this time.
Requirements
Required components for Entra ID authentication:
- Azure Tenant
- Entra ID App Registration: To join a tenant, an application client ID and secret are required. The application also defines the access permissions for the endpoint.
- Linux desktop
  - Ubuntu
  - Red Hat Enterprise Linux
Authentication requirements
Here are a few things to understand about authentication:
- For an Entra ID user to log in, the user must belong to an Entra ID group, and both the user and the group must be provisioned with a UID and GID.
- The user's GID must match a provisioned group of which they are a member.
- The user's UPN must match the Entra ID primary domain.
- A valid product license must be applied.
- The user that initiates the SSH session must be the same user that authenticates with the device code.
Endpoint setup
AD Bridge can be joined to either Entra ID or Active Directory, not both.
To join AD Bridge to Entra ID:
- Create a local file containing the app registration secret value.
  vi secret-file
- Join the Azure tenant with tenantjoin-cli, using the tenant-id and app-id from the Linux Endpoint App:
  /opt/pbis/bin/tenantjoin-cli join --tenant-id ########-####-####-####-############ --app-id ########-####-####-####-############ --app-secret-file secret-file
- pbis status displays the tenant and the provider that the agent is joined to.
  pbis status
- tenantjoin-cli query displays the secret in use and its expiration.
  /opt/pbis/bin/tenantjoin-cli query
- Before logging in as an Entra ID user, you must apply a tenant license with /opt/pbis/bin/setkey-cli --key XXXXX-XXXXX-XXXXX-XXXXX-XXXXX:
  [bc-admin@bc-hrm4 ~]$ /opt/pbis/bin/setkey-cli --key XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
  Key: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
  Type: Azure tenant license
        Server (allows unlimited concurrent user logons)
        Term (limited time restriction)
        Site (unlimited usage for domain)
  Entitlements:
        Smart Card
        Group Policy
        Audit/Reporting
        AD Management Tools
  Expires: 2023-06-24
  [bc-admin@bc-hrm4 ~]$
- Log in to the endpoint as the Entra ID user. This displays a device code and a URL.
  ssh USER@TENANT@HOSTNAME
- In a browser, navigate to the URL and follow the prompts. You must enter the device code.
  The authorization polling interval is every 5 seconds with 12 tries (60 seconds total).
Query for Entra ID users or groups
On an endpoint that is joined to an Azure tenant, the ad-cache command can query for Entra ID users and groups. The --tenant flag limits the output to the users or groups that belong to the tenant.
Example: Users
/opt/pbis/bin/ad-cache --enum-users --tenant
Azure user object [1] (cdc32650-cbe0-43d9-8cc8-b0f2875a6441)
============
Enabled: yes
UID: 1193502009
UPN: [email protected]
Given name: <null>
Surname: <null>
Display Name: freshuzer
Last Password Change: 2023-06-09T12:39:12Z
Primary GID: 4244230445
Primary Group ObjectId: 04ea9c38-4913-4d02-9265-174d589daeb1
Shell: /bin/sh
Home Dir: /home/local/adbridge.dev/freshuzer
Total Azure users found: 1
Total users found across all authentication providers: 1
Example: Groups
/opt/pbis/bin/ad-cache --enum-groups --tenant
Azure group object [1] (04ea9c38-4913-4d02-9265-174d589daeb1)
============
GID: 4244230445
Display Name: Pure Uzers
Group Description: <null>
Security Identifier: S-1-12-1-82484280-1291995411-1293378962-2981010776
Total Azure groups found: 1
Total groups found across all authentication providers: 1
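As an added example (not part of the AD Bridge documentation or product), the following Python pre-flight check parses ad-cache --enum-users --tenant and --enum-groups --tenant output in the layout shown above and reports which of the authentication requirements listed earlier (UID and GID provisioned, GID matching a provisioned tenant group, UPN in the primary domain) each user would fail before anyone tries the device-code login. The sample outputs, the UPNs and the second user are constructed; group membership does not appear in this output, so that part of the rule is not checked here.

```python
import re

# Constructed sample in the layout ad-cache --enum-users --tenant prints (UPNs made up).
USERS_OUTPUT = """\
Azure user object [1] (cdc32650-cbe0-43d9-8cc8-b0f2875a6441)
============
UID: 1193502009
UPN: freshuzer@adbridge.dev
Primary GID: 4244230445
Azure user object [2] (11111111-2222-3333-4444-555555555555)
============
UID: 1193502010
UPN: contractor@example.org
Primary GID: 999
Total Azure users found: 2
"""

# Constructed sample in the layout ad-cache --enum-groups --tenant prints.
GROUPS_OUTPUT = """\
Azure group object [1] (04ea9c38-4913-4d02-9265-174d589daeb1)
============
GID: 4244230445
Total Azure groups found: 1
"""

def parse_objects(text):
    """One dict per 'Azure ... object' record; its 'Key: value' lines become fields."""
    objects = []
    for line in text.splitlines():
        if m := re.match(r"^Azure (user|group) object \[\d+\] \(([0-9a-f-]{36})\)$", line):
            objects.append({"kind": m.group(1), "object_id": m.group(2)})
        elif objects and ": " in line and not line.startswith("Total "):
            objects[-1].update([line.split(": ", 1)])  # one 'Key: value' pair
    return objects

def preflight(users_text, groups_text, primary_domain):
    """Map each UPN to the login requirements it fails (empty list = may log in).
    Group membership is not in this output, so only the GID/group match is checked."""
    gids = {g["GID"] for g in parse_objects(groups_text) if g["kind"] == "group"}
    report = {}
    for u in parse_objects(users_text):
        gid, domain = u.get("Primary GID"), u.get("UPN", "").rpartition("@")[2].lower()
        checks = [
            ("UID" not in u, "no UID provisioned"),
            (gid is None, "no GID provisioned"),
            (gid is not None and gid not in gids, f"GID {gid} matches no provisioned tenant group"),
            (domain != primary_domain.lower(), f"UPN domain {domain} is not the primary domain"),
        ]
        report[u.get("UPN")] = [msg for failed, msg in checks if failed]
    return report
```

Run it against real output by piping the two ad-cache commands into files and passing their contents to preflight together with your tenant's primary domain.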