Set Up Access to the Azure AD Tenant

Azure Active Directory (AAD) information can be configured in each of the User Workspace Management Consoles in the following ribbon-bar groups:

  • Environment Manager – “Manage”

  • Application Control – “Global Settings”

  • Performance Manager – “Resources Setup”

Tenant

The tenant information is saved on a per-configuration basis and contains the following:

Tenant ID: The tenant ID must be either a GUID or the tenant primary domain name, e.g. mydomain.onmicrosoft.com. and can be found within the AAD portal.

Application (client) ID: The application id (GUID) as found on the application registration on the portal.

Certificate Thumbprint: The thumbprint of the certificate uploaded to the portal. The console can also retrieve the thumbprint by browsing to the .cer or .pfx file.

The consoles will not allow any AAD conditions/rules/resource management groups to be created unless the tenant information has been entered. When adding such AAD user/group conditions and rules, the picker will cause the console to prompt for the identity of an Azure AD user. This user must have the privilege to read all the users and groups in the tenant or the picker will not work. Default AAD user permissions do allow this.

Using separate Application Registrations has no obvious benefit but does have maintenance costs.

Conditions, Rules, and Limitations

In Environment Manager, four conditions can be used on endpoints that are joined to AAD domains. The join can be a full-join or a hybrid-join (where the endpoint is a member of an on-premises AD domain synchronized to the AAD domain by AAD Connect). These conditions are:

  • AAD Computer Group Membership

  • AAD User Group Membership

  • AAD User Name

  • AAD Client Computer Group Membership

Application Control allows for the creation of AAD user and AAD group, and Performance Manager allows resource management to be based on a specific AAD user or group. AAD conditions and rules require the certificate used for encryption to be installed in the Local Computer/Personal certificate store with its private key on the endpoint. There is no functionality to deploy certificates to endpoints from the consoles. If the certificate is not present an error is logged and no AAD condition or rule will succeed.

AAD conditions and rules only evaluate on the endpoint if it is joined to the Azure AD domain, either directly or as a hybrid join (using Azure AD Connect on an on-premises AD domain). If this is not the case, the conditions and rules will fail with an error.

Unlike AD conditions, Azure AD conditions are only evaluated at the following times:

  • At startup, computer group memberships are evaluated. These conditions are evaluated when the network becomes available. Adding an AAD Computer group condition to the computer startup trigger may not work as expected, as the group information may be stale or missing.

  • At user login, user group and client computer group conditions are evaluated, and computer group memberships re-evaluated.

Any changes in group memberships will only become apparent at the next login.

The AAD username condition/rule assumes that on a hybrid join, the user’s on-premises user principal name (UPN) matches the Azure AD name. This requires the on-premises UPN suffix to be registered and verified as a custom domain name in the Azure tenant.

Data Collection and Logging

Azure AD data is collected by the executable AADDataCollector.exe, which is run with appropriate parameters at startup and logon. This executable runs once and exits during these times. Following are the data collected and their locations on disk:

  • A list of AAD groups the computer belongs to (including nested groups), used by the AAD Computer Group condition.

    %PROGRAMDATA%\AppSense\{Product}\AADComputerGroups.store

  •  The list of groups the current user (with SID {sid}) belongs to (Including nested groups). Used by AD User Group rules and conditions.

    %LOCALAPPDATA%\AppSense\{Product}\AADUserGroups_{sid}.store

  • Groups that the connected device (i.e the source computer for a remote connection) belongs to. Used by the AAD Client Computer Group condition. This condition only function if the connected computer is in the same Azure Domain as the endpoint, and its NETBIOS name matches its device name in AAD.The list of groups the current user (with SID {sid}) belongs to (Including nested groups). Used by AD User Group rules and conditions.

    %LOCALAPPDATA%\Local\AppSense\{Product}\AADDevice_{devicename}_{sid}.store

Files are structured in the same way as session variable files and consist of name/value pairs. In this case, the name is the group object ID and the value is the group name. Saving the group name allows wildcard and regular expression queries to be evaluated by conditions in Environment Manager.

The AADDataCollector executable emits logging which is read by its caller and logged in turn. If logging is enabled for Environment Manager for example, logs from the collector appear when ‘EmSystem’ and ‘EmUser’ logging are enabled.