Microsoft 365 (Azure AD)

The business login method Microsoft 365 enables you to authenticate guests, students, teachers and visitors with Microsoft accounts and groups. Authentication is possible via:

  • All Microsoft accounts: including personal, work and school accounts (common)
  • Only work and school accounts (organizations)
  • Only personal accounts (consumers)
  • Only accounts associated with a Tenant-ID (tenant)

Azure AD Setup

To begin configuring this module, log in to the Azure portal with an existing Microsoft account.

After logging in, navigate to Azure Active Directory and then click the icon of the same name in the center of the page.

This will open an Azure AD overview page, which includes the Tenant-ID.

From here on, navigate to App registrations and register a new app:

Here you can name the new app and configure its authentication restrictions. In the Redirect URI section, select Web and enter the domain name of your Surf-LAN. By default this is https://hotspot.internet-for-guests.com; if a custom Surf-LAN certificate is used, this domain has to be adjusted accordingly. Proceed by clicking Register.

After the creation of the new app is confirmed, the page displays its generated data. This includes the Application ID, which is needed later on and should be written down.

Afterwards, a so-called secret has to be set up. To do so, navigate to Certificates & secrets and click New client secret:

By now you should have written down the following data fields:

  • Tenant-ID
  • Application ID
  • Secret (Value)

System Setup

With this data, begin configuring the Microsoft 365 (Azure AD) login method, which can be found in the WebAdmin menu Login methods/Business accounts. Here, paste the App ID and Client Secret into the appropriate fields and choose the Allowed account types.

If required, you can allow only accounts associated with your Tenant-ID.

Groups Setup

It is also possible to distinguish authentication by groups. To enable this, select Azure AD Group from the dropdown menu Ticket Template Mapping. This expands further settings in which you can assign Group IDs and the corresponding Ticket Template that should be available for each group.

Groups can be managed in the Azure Portal in the menu All Groups.
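
The Python sketch below is an added example, not code from the product, whose internal implementation is not described here. It shows the checks that the four Allowed account types and the Group ID to Ticket Template mapping correspond to on the claims of an ID token. Assumptions: the token has already been verified, group IDs arrive in its groups claim, and all function names, IDs and template names are hypothetical.

```python
# Added illustration: claims are assumed to come from an ID token whose
# signature, issuer, audience and expiry were already verified.
MSA_TENANT = "9188040d-6c67-4c5b-b112-36a304b66dad"  # tid Microsoft issues for personal accounts

class Rejected(Exception):
    """Raised when a sign-in must not be mapped to any ticket template."""

def check_account_type(claims, allowed, tenant_id=None):
    """Enforce the 'Allowed account types' choice against the tid claim."""
    tid = claims.get("tid", "").lower()
    if not tid:
        raise Rejected("token has no tid claim")
    personal = tid == MSA_TENANT
    if allowed == "common":
        return
    if allowed == "organizations" and not personal:
        return
    if allowed == "consumers" and personal:
        return
    if allowed == "tenant" and tenant_id and tid == tenant_id.lower():
        return
    raise Rejected(f"tenant {tid} not permitted by '{allowed}'")

def pick_template(claims, group_map, default=None):
    """Return the template of the first configured group the user belongs to."""
    if "groups" not in claims:
        # Group overage: for users with many memberships the token carries a
        # pointer (_claim_names) instead of the list. Fail closed rather than
        # silently falling back to the default template.
        if "groups" in claims.get("_claim_names", {}):
            raise Rejected("group overage: memberships must be fetched separately")
        return default
    member_of = {g.lower() for g in claims["groups"]}
    for group_id, template in group_map.items():  # dict order = priority
        if group_id.lower() in member_of:
            return template
    return default

def authorize(claims, allowed, tenant_id, group_map, default=None):
    check_account_type(claims, allowed, tenant_id)
    return pick_template(claims, group_map, default)

# Constructed sample values (hypothetical IDs and template names).
TENANT = "11111111-1111-1111-1111-111111111111"
GROUP_MAP = {"aaaaaaaa-0000-0000-0000-000000000001": "Teachers",
             "aaaaaaaa-0000-0000-0000-000000000002": "Students"}
```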

VLANs and Routes

Furthermore, the module can be configured to distinguish between Source-VLANs: for example, if students originate from a different VLAN than teachers, a different Ticket Template will be assigned to them.
