Microsoft 365 (Azure AD)
The business login method Microsoft 365 enables you to authenticate guests, students, teachers and visitors with Microsoft accounts and groups. Authentication is possible via:
- All Microsoft accounts, including personal, work and school accounts (common)
- Only work and school accounts (organizations)
- Only personal accounts (consumers)
- Only accounts associated to a Tenant-ID (tenant)
Azure AD Setup
To begin configuring this module, log in to the Azure portal with an existing Microsoft account.
After logging in, navigate to Azure Active Directory and then click the icon of the same name in the center of the page.
This will open an Azure AD overview page, which includes a Tenant-ID.
From here on, navigate to App registrations and register a new app:
Here you can name the new app and also configure its authentication restrictions. In the Redirect URI part, configure Web and then the domain name of your Surf-LAN. By default this is https://hotspot.internet-for-guests.com, but if a custom Surf-LAN certificate is used, this domain has to be adjusted accordingly. Proceed by clicking on Register.
After confirming the creation of the new app, the site will display its generated data. This includes the Application ID, which is necessary later on and should be written down.
Afterwards, it is required to set up a so-called secret. To do so, navigate to Certificates & secrets and click on New client secret:
By now you should have written down the following data fields:
- Tenant-ID
- Application ID
- Secret (Value)
System Setup
With this data begin to configure the Microsoft 365 (Azure AD) login method, which can be found in the WebAdmin menu Login methods/Business accounts. Here, paste the App ID and Client Secret into the appropriate fields and choose the Allowed account types.
If required, you can allow only accounts associated with your Tenant-ID.
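The following added example is not part of the product or its documentation. It checks the three values collected during Azure AD Setup before they are pasted into the WebAdmin, and shows how the Allowed account types choice maps to the Microsoft identity platform authority path. It assumes the standard v2.0 authorize endpoint is used; the function names are hypothetical.

```python
import re
from urllib.parse import urlencode, urlsplit

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
ACCOUNT_TYPES = ("common", "organizations", "consumers", "tenant")

def authority_segment(account_type, tenant_id=None):
    """Map the 'Allowed account types' choice to the authority path segment."""
    if account_type not in ACCOUNT_TYPES:
        raise ValueError(f"unknown account type: {account_type!r}")
    if account_type != "tenant":
        return account_type
    if not tenant_id or not GUID.match(tenant_id):
        raise ValueError("tenant restriction needs the Tenant-ID (a GUID)")
    return tenant_id

def preflight(account_type, tenant_id, app_id, secret, redirect_uri):
    """Return a list of problems in the values collected during Azure AD Setup."""
    problems = []
    try:
        authority_segment(account_type, tenant_id)
    except ValueError as exc:
        problems.append(str(exc))
    if not GUID.match(app_id or ""):
        problems.append("Application ID is not a GUID")
    if not secret:
        problems.append("client secret is empty")
    elif GUID.match(secret):
        # The portal lists a GUID-shaped Secret ID next to the Value.
        problems.append("secret looks like the Secret ID, not the Secret Value")
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or not parts.hostname:
        problems.append("redirect URI must be an https URL")
    return problems

def authorize_url(account_type, tenant_id, app_id, redirect_uri, state, nonce):
    """Build the v2.0 authorize URL a sign-in would be sent to (assumed flow)."""
    query = urlencode({
        "client_id": app_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,  # must equal the URI registered in Azure
        "scope": "openid profile",
        "state": state,   # caller supplies fresh random values per sign-in
        "nonce": nonce,
    })
    segment = authority_segment(account_type, tenant_id)
    return f"https://login.microsoftonline.com/{segment}/oauth2/v2.0/authorize?{query}"
```

An empty list from `preflight` means the values are at least well-formed; it does not confirm that the secret is valid or unexpired.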
Groups Setup
It is also possible to distinguish authentication by Groups. To enable it, select Azure AD Group from the dropdown menu Ticket Template Mapping. This will expand further configuration options in which you can assign Group IDs and the corresponding Ticket Template which should be available for each group.
Groups can be managed in the Azure Portal in the menu All Groups.
VLANs and Routes
Furthermore, the module can be configured to distinguish between Source-VLANs, e.g. if students originate from a different VLAN than teachers, a different Ticket Template will be assigned to them.