Microsoft 365 (Azure AD)

The business login method Microsoft 365 enables authentication for guests, students, teachers and visitors using Microsoft accounts and Azure AD groups. Authentication is possible via:

  • All Microsoft accounts: including personal, work and school accounts (common)
  • Only work and school accounts (organizations)
  • Only personal accounts (consumers)
  • Only accounts associated to a Tenant-ID (tenant)

Azure AD Setup

To begin configuring this login method, log in with an existing Microsoft account on the Azure portal.

After logging in, navigate to Azure Active Directory and click on the icon of the same name in the center of the page.

This opens the Azure AD overview page, which shows the Tenant-ID.

From here on, navigate to App registrations and register a new app:

Here a name for the new app can be chosen and its authentication restrictions configured. Under Redirect URI, select Web and enter the domain name of the Surf-LAN. By default this is https://hotspot.internet-for-guests.com, but if a custom Surf-LAN certificate is used, the domain has to be adjusted accordingly. Proceed by clicking on Register.

After confirming the creation of the new app, the site displays its generated data. This includes the Application ID, which is needed later on and should be written down.

Afterwards, a so-called client secret must be set up. To do so, navigate to Certificates & secrets and click on New client secret:

By now the following data should be noted down for safekeeping:

  • Tenant-ID
  • Application ID
  • Secret (Value)

System Setup

With this data, configure the Microsoft 365 (Azure AD) login method, which can be found in the WebAdmin menu Login methods / Business accounts. Paste the Application ID and the client secret into the appropriate fields and choose the Allowed account types.

If required, restrict the login to accounts associated with the Tenant-ID.

Groups Setup

It is also possible to distinguish authentication by Groups. To enable this, select Azure AD Group from the drop-down menu Ticket Template Mapping.
This expands further settings in which Group IDs and the corresponding Ticket Template can be assigned.
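
The following is an added example, not Surf-LAN's own code and not Microsoft's: it models the three decisions described on this page (Allowed account types, the Tenant-ID restriction, and the Azure AD Group to Ticket Template mapping) so the checks behind them are visible. The authorization endpoint format and the claim names aud, tid and groups are those of the Microsoft identity platform; the Application ID, Tenant-ID, group IDs and template names used in the demo are constructed placeholders, and the example assumes the id_token's signature has already been verified and that the app registration emits a groups claim.

```python
# Added example (not Surf-LAN or Microsoft code): models "Allowed account types",
# the Tenant-ID restriction and the Group -> Ticket Template mapping.
# Endpoint format and claim names (aud, tid, groups) are Microsoft identity
# platform facts; all IDs and template names below are constructed placeholders.
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"

# Allowed account types as named on the page, mapped to the tenant segment of
# the v2.0 authorization endpoint. "tenant" is handled separately because it
# needs the directory's own Tenant-ID.
ACCOUNT_TYPES = {
    "common": "common",                # all Microsoft accounts
    "organizations": "organizations",  # work and school accounts only
    "consumers": "consumers",          # personal accounts only
}


def authorize_url(allowed, client_id, redirect_uri, tenant_id=None):
    """Build the authorization URL for the configured allowed account type.

    allowed="tenant" pins the endpoint to tenant_id, so only that directory
    can issue tokens for the login; the other modes use the shared segments.
    """
    if allowed == "tenant":
        if not tenant_id:
            raise ValueError("tenant mode requires a Tenant-ID")
        segment = tenant_id
    else:
        segment = ACCOUNT_TYPES[allowed]  # KeyError for an unknown mode
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,  # must match the registered Web URI
        "scope": "openid profile",
    }
    return f"{AUTHORITY}/{segment}/oauth2/v2.0/authorize?{urlencode(params)}"


def select_ticket_template(claims, client_id, tenant_id=None,
                           group_map=None, default=None):
    """Decide which Ticket Template an authenticated user receives.

    claims: the signature-verified id_token payload as a dict.
    Returns a template name, or None when the login must be refused.
    """
    # The token must be issued for this app registration (Application ID).
    if claims.get("aud") != client_id:
        return None
    # Tenant restriction: in "common"/"organizations" mode any directory can
    # issue a valid token, so the tid claim is what actually enforces
    # "only accounts associated with the Tenant-ID".
    if tenant_id is not None and claims.get("tid") != tenant_id:
        return None
    # Azure AD Group mapping: the first configured group present in the
    # token's groups claim decides the template; otherwise the default applies.
    if group_map:
        member_of = claims.get("groups", [])
        for group_id, template in group_map.items():
            if group_id in member_of:
                return template
    return default


if __name__ == "__main__":
    # Constructed demo values (placeholders, not real IDs).
    app_id = "00000000-0000-0000-0000-00000000app1"
    tenant = "00000000-0000-0000-0000-0000000tenant"
    groups = {"group-teachers": "Teacher", "group-students": "Student"}

    print(authorize_url("tenant", app_id, "https://hotspot.internet-for-guests.com", tenant))
    teacher = {"aud": app_id, "tid": tenant, "groups": ["group-teachers"]}
    outsider = {"aud": app_id, "tid": "some-other-tenant", "groups": ["group-teachers"]}
    print(select_ticket_template(teacher, app_id, tenant, groups, "Guest"))   # Teacher
    print(select_ticket_template(outsider, app_id, tenant, groups, "Guest"))  # None
```

The tid check is the part worth keeping in mind: choosing the "common" or "organizations" account type means any Azure AD directory can issue a syntactically valid token for the app, so a tenant restriction is only real if the hotspot compares the token's tid against the configured Tenant-ID rather than trusting the login page alone.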

Groups can be managed in the Azure Portal in the menu All Groups.

VLANs and Routes

Furthermore, the login method can be configured to distinguish between source VLANs: if, for example, students originate from a different VLAN than teachers, a different Ticket Template is assigned to them.