Provision Identities from Azure AD

Cisco Umbrella supports the provisioning of user and group identities from Azure Active Directory (Azure AD). This integration can be used in conjunction with the following deployments:

  • Umbrella DNS:
    • To enable user identity support for the Umbrella roaming client and AnyConnect Roaming Security module.
  • Umbrella SWG:
    • To enable user identity support for the AnyConnect SWG module.
    • To provision user and group identities for use with SAML-based end-user authentication.

The Azure AD integration eliminates the need to deploy an on-premise Umbrella Active Directory Connector for these use cases.

Note: An on-premise Umbrella AD connector is required for virtual appliance or IP-to-user mapping deployments because Azure AD does not store the private IP – AD user mappings that are required for these deployments.

Prerequisites

  • A valid Azure Active Directory subscription with a premium Azure AD license.
  • No concurrent provisioning from on-premise Active Directory and Azure Active Directory.
    • If you are using the on-premise Umbrella AD Connector to import user and group identities to Umbrella, and now wish to import the same identities from Azure Active Directory, ensure that the on-premise Umbrella AD connector is switched off or that the OpenDNS Connector service on the connector machine is stopped.
      Note Concurrent synchronization of the same user and group identities from the Umbrella AD Connector and the Cisco Umbrella Azure AD application is not supported and will lead to inconsistent policy enforcement.
  • Import of the ObjectGUID attribute from Azure Active Directory.
    The on-premise Umbrella AD Connector, the Cisco AnyConnect agent and the Umbrella roaming client all identify users by the ObjectGUID attribute. If you have endpoints that authenticate against on-premise Active Directory and run the Cisco AnyConnect agent or the Umbrella roaming client, ensure that the ObjectGUID attribute of users is synchronized from Azure Active Directory to Umbrella. Follow the instructions on Microsoft's website to set up the import of the ObjectGUID attribute for users.

Before setting up the import of the ObjectGUID, ensure that the on-premise Umbrella AD Connector that is synchronizing these identities is switched off or that the OpenDNS Connector service on the connector machine is stopped.

Note: If you have previously configured a policy against groups imported from on-prem AD and are now importing the same groups from Azure AD, you must reconfigure the policy to map it to the Azure AD groups instead of the on-prem AD groups. On-prem AD group names are displayed preceded by the domain name (for example, Domain1\ADGroup1), whereas for Azure AD only the group name (for example, ADGroup1) is displayed on the policy page.

Limitations

  • A maximum of 200 groups can be provisioned from Azure AD to Umbrella. There is no restriction on the number of users you can provision from Azure AD to Umbrella.
  • To ensure that all users are provisioned, create a dynamic ‘All Users’ group per the instructions in the Microsoft documentation and assign this group to the Cisco Umbrella app. You can assign other additional groups as required for group-based Umbrella policy enforcement.
  • After the initial provisioning of users and groups, Azure AD synchronizes changes to Umbrella at 40-minute intervals. It can take up to one hour for Umbrella to list these changes.
  • Depending on the number of users and groups, it can take several hours for these identities to become available.

Note: Azure AD does not support nested group memberships for group-based assignment to any SaaS application.

Configure Automatic Provisioning from Azure AD

  1. Navigate to Deployments > Core Identities > Users and Groups.
  2. Expand Azure Active Directory and click API Keys.
  3. On the API Keys page, expand Azure Active Directory and click Generate Token.
    Umbrella displays the generated token only once. Copy and save both the URL and the token; they are entered in the Tenant URL and Secret Token fields on the Provisioning tab of the Cisco Umbrella application in the Azure portal.
  4. Follow the instructions on Microsoft's website to deploy the Cisco Umbrella app on Azure AD and provision users.
    You can view the users and groups provisioned from Azure AD on the Users and Groups page.

Note: The SCIM token is a bearer credential for the provisioning endpoint, so treat it as a secret. We recommend refreshing it at least once every 180 days. Refresh the token through Umbrella's API Keys page and immediately copy the new token into the Cisco Umbrella app on Azure AD so that provisioning is not interrupted. Umbrella does not rotate the token automatically; refreshing it is your responsibility.
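To make concrete what the Tenant URL and Secret Token are used for, the following is an added illustration, not Umbrella's code or Microsoft's: a minimal in-memory SCIM 2.0 endpoint of the kind the Azure AD provisioning service talks to. It checks the Bearer token with a constant-time compare, answers the lookup-then-create exchange Azure AD performs for each user, enforces the 200-group limit from this page, and shows why a rotated token must be copied into the Azure app at once (the old value is refused). The base URL https://example.invalid/scim/v2, the user store and the error wording are assumptions.

```python
"""Stub SCIM 2.0 endpoint illustrating the Azure AD -> Tenant URL exchange.
Added example; not Umbrella's implementation. Tenant URL and data are assumed."""
import hmac
import re
import secrets
import uuid
from urllib.parse import parse_qs, urlparse

MAX_GROUPS = 200  # provisioning limit stated in the Limitations section
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def error(status, detail):
    """SCIM error body per RFC 7644."""
    return {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}


def parse_eq_filter(expr):
    """Parse the only filter form Azure AD sends on lookup: attr eq "value"."""
    m = re.fullmatch(r'(\w+) eq "([^"]*)"', expr.strip())
    return (m.group(1), m.group(2)) if m else (None, None)


class ScimTenant:
    """In-memory tenant reachable at a hypothetical Tenant URL."""

    def __init__(self, secret_token):
        self._tokens = {secret_token}  # the one active Secret Token
        self.users = {}                # id -> SCIM User resource
        self.groups = {}               # id -> SCIM Group resource

    def rotate_token(self):
        """Mimic 'Generate Token': a fresh random token replaces the old one."""
        new = secrets.token_urlsafe(32)
        self._tokens = {new}
        return new

    def _authorized(self, headers):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return False
        presented = auth[len("Bearer "):]
        # constant-time comparison avoids leaking token bytes via timing
        return any(hmac.compare_digest(presented, t) for t in self._tokens)

    def handle(self, method, url, headers, body=None):
        """Return (status, json_body) for one provisioning-service request."""
        if not self._authorized(headers):
            return 401, error(401, "invalid or missing bearer token")
        parsed = urlparse(url)
        path = parsed.path.rstrip("/")
        query = parse_qs(parsed.query)
        if path.endswith("/Users"):
            return self._collection(self.users, method, query, body)
        if path.endswith("/Groups"):
            if method == "POST" and len(self.groups) >= MAX_GROUPS:
                return 400, error(400, f"group limit of {MAX_GROUPS} reached")
            return self._collection(self.groups, method, query, body)
        return 404, error(404, "unknown resource")

    def _collection(self, store, method, query, body):
        if method == "GET":
            # Azure AD first looks up by a unique attribute to avoid duplicates
            attr, value = parse_eq_filter(query.get("filter", [""])[0])
            hits = [r for r in store.values() if attr and r.get(attr) == value]
            return 200, {"schemas": [LIST_RESPONSE], "totalResults": len(hits),
                         "Resources": hits}
        if method == "POST":
            resource = dict(body or {})
            resource["id"] = str(uuid.uuid4())  # server-assigned SCIM id
            store[resource["id"]] = resource
            return 201, resource
        return 405, error(405, "method not supported by this stub")


def simulate_provisioning():
    """Replay one provisioning cycle and a token refresh; returns status codes."""
    base = "https://example.invalid/scim/v2"       # hypothetical Tenant URL
    tenant = ScimTenant("initial-token")            # stands in for the token shown once
    old = {"Authorization": "Bearer initial-token"}
    seen = []
    user = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
            "userName": "alice@example.com", "active": True}  # constructed sample
    seen.append(tenant.handle("GET", f'{base}/Users?filter=userName eq "alice@example.com"', old)[0])
    seen.append(tenant.handle("POST", f"{base}/Users", old, user)[0])
    seen.append(tenant.handle("GET", f'{base}/Users?filter=userName eq "alice@example.com"', old)[0])
    # refresh the token: the stale value in the Azure app is rejected until updated
    new = {"Authorization": f"Bearer {tenant.rotate_token()}"}
    seen.append(tenant.handle("GET", f"{base}/Users", old)[0])
    seen.append(tenant.handle("GET", f"{base}/Users", new)[0])
    return seen  # [200, 201, 200, 401, 200]


if __name__ == "__main__":
    print(simulate_provisioning())
```

The 401 after rotation is the failure mode the note above warns about: once a new token is generated, every request Azure AD sends with the old value is refused, so provisioning silently stalls until the Azure app's Secret Token field is updated.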


Updated about a month ago