# Azure AD Integration

Connect IronWifi to Microsoft Azure Active Directory (Entra ID) to authenticate WiFi users with their corporate credentials, sync users and groups, and apply Conditional Access policies to your wireless network.
## Features

- **User Synchronization** - Import users from Azure AD
- **Group Synchronization** - Sync security groups
- **SAML Authentication** - Enterprise single sign-on
- **PEAP-MSCHAPv2** - WPA-Enterprise with Azure credentials
## Prerequisites
- Azure AD administrator account
- IronWifi account with Connector access
- Azure subscription (free tier works)
## SAML Single Sign-On

### Step 1: Create Azure Enterprise Application
- Log into Azure Portal
- Navigate to Azure Active Directory > Enterprise applications
- Click New application
- Select Create your own application
- Name: "IronWifi"
- Select Non-gallery application
- Click Create
### Step 2: Configure SAML
- In the application, click Single sign-on
- Select SAML
- Edit Basic SAML Configuration:
| Field | Value |
|---|---|
| Identifier (Entity ID) | {Entity ID from IronWifi} |
| Reply URL (ACS URL) | {ACS URL from IronWifi} |
| Sign on URL | {Splash Page URL} |
- Click Save
### Step 3: Configure Attributes
Edit Attributes & Claims:
| Claim | Source Attribute |
|---|---|
| emailaddress | user.mail |
| givenname | user.givenname |
| surname | user.surname |
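To make the claim mapping above concrete, here is an added example (not IronWifi's code) showing what a service provider does with an Azure AD assertion once its signature has been verified: it checks that the assertion was issued for our Entity ID and is inside its validity window, then maps the three Azure AD claim URIs from the table to user-record fields. The response XML, the Entity ID and the tenant ID are constructed placeholders, and the mapping function, `map_assertion`, is a hypothetical name; an unmapped or empty claim is exactly the kind of failure that shows up as "User Not Found" in the Troubleshooting section.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# SAML 2.0 namespaces as used in Azure AD responses.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# The claim URIs Azure AD emits for the three attributes configured in Step 3,
# mapped to the field names we want on the WiFi user record.
CLAIM_MAP = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "first_name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "last_name",
}

# Placeholder standing in for the Entity ID IronWifi shows in Step 2.
ENTITY_ID = "https://ironwifi.example/saml/entity-id-PLACEHOLDER"

# Constructed sample response (unsigned, for illustration only). A real one carries
# a Signature element that the SAML library checks against the certificate from
# Step 4 before anything below runs.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00.000Z" NotOnOrAfter="2024-01-01T13:00:00.000Z">
      <saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _parse_ts(value):
    # Azure AD writes UTC timestamps such as 2024-01-01T12:00:00.000Z
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)


def map_assertion(xml_text, expected_audience, now=None):
    """Check audience and validity window, then map claims to a user record.
    Raises ValueError with the reason on any failure."""
    now = now or datetime.now(timezone.utc)
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element in response")

    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        raise ValueError("assertion has no Conditions")
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError(f"audience mismatch: expected {expected_audience}, got {audiences}")
    if not (_parse_ts(conditions.get("NotBefore")) <= now < _parse_ts(conditions.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")

    username = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not username:
        raise ValueError("missing NameID")
    record = {"username": username}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        field = CLAIM_MAP.get(attr.get("Name"))
        if field:
            record[field] = attr.findtext("saml:AttributeValue", namespaces=NS)
    missing = sorted(f for f in CLAIM_MAP.values() if not record.get(f))
    if missing:
        raise ValueError(f"claims not mapped or empty: {missing}")
    return record


def check_sample():
    """Map the constructed response at a time inside its validity window."""
    return map_assertion(SAMPLE_RESPONSE, ENTITY_ID,
                         now=datetime(2024, 1, 1, 12, 30, tzinfo=timezone.utc))


def check_failures():
    """Rejection reasons for a wrong Entity ID and for an assertion presented too late."""
    reasons = {}
    cases = [
        ("wrong_audience", "https://other.example/entity-id", datetime(2024, 1, 1, 12, 30, tzinfo=timezone.utc)),
        ("expired", ENTITY_ID, datetime(2024, 1, 1, 14, 0, tzinfo=timezone.utc)),
    ]
    for label, audience, when in cases:
        try:
            map_assertion(SAMPLE_RESPONSE, audience, now=when)
        except ValueError as exc:
            reasons[label] = str(exc)
    return reasons


if __name__ == "__main__":
    print(check_sample())
    print(check_failures())
```

The audience check is what ties the assertion to the Entity ID entered in Step 2; if the two values differ even by a trailing slash, the assertion must be rejected rather than mapped.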
### Step 4: Download Certificate

- Under SAML Signing Certificate, download Certificate (Base64)
- Copy the Login URL and the Azure AD Identifier
### Step 5: Configure IronWifi

- Navigate to Connectors > Add Connector
- Select Azure AD (SAML)
- Enter:
  - IdP SSO URL (Login URL)
  - IdP Entity ID (Azure AD Identifier)
- Upload the certificate
- Click Save
### Step 6: Assign Users
In Azure:
- Go to the IronWifi application
- Click Users and groups
- Add users or groups
## User Synchronization

### Connect via Microsoft Graph

- In Azure, register an application
- Grant API permissions:
  - User.Read.All
  - Group.Read.All
  - Directory.Read.All
- Create a client secret
- In IronWifi, configure the connector with:
  - Tenant ID
  - Client ID
  - Client Secret
### Sync Settings
Configure what to synchronize:
- All users or filtered
- Include disabled accounts
- Group membership
- Custom attributes
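The connector described above authenticates to Microsoft Graph with the app registration's client credentials and pages through the directory. As an added illustration (not IronWifi's connector code), the following Python pulls users with the permissions granted in the previous section, follows Graph's `@odata.nextLink` paging, and applies the "all users or filtered", "include disabled accounts" and "group membership" settings. The Graph token endpoint, `/users`, `/groups/{id}/members/microsoft.graph.user`, `$select` and `$filter=accountEnabled eq true` are real Graph features; the function names, the user records and the two-page `FAKE_DIRECTORY` (which ignores `$filter` so the client-side check is visible) are constructed for this example.

```python
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
SELECT = "id,userPrincipalName,mail,givenName,surname,accountEnabled"


def get_token(tenant_id, client_id, client_secret):
    """Client-credentials token for the app registration. Works only after an
    admin has consented to the application permissions listed above."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(TOKEN_URL.format(tenant=tenant_id), data=body) as resp:
        return json.load(resp)["access_token"]


def graph_getter(token):
    """Return an http_get(url) callable that sends the bearer token."""
    def http_get(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return http_get


def fetch_all(http_get, url):
    """Collect every item, following @odata.nextLink until it disappears."""
    items = []
    while url:
        page = http_get(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def sync_users(http_get, include_disabled=False, group_id=None):
    """Pull users (all, or the members of one group) into flat records."""
    query = {"$select": SELECT}
    if group_id:
        # OData cast keeps only user objects among the group's members
        base = f"{GRAPH}/groups/{group_id}/members/microsoft.graph.user"
    else:
        base = f"{GRAPH}/users"
        if not include_disabled:
            query["$filter"] = "accountEnabled eq true"
    url = base + "?" + urllib.parse.urlencode(query, quote_via=urllib.parse.quote)
    users = fetch_all(http_get, url)
    if not include_disabled:
        # Second pass: member listings are not filtered server-side by the query above
        users = [u for u in users if u.get("accountEnabled")]
    return [
        {
            "username": u["userPrincipalName"],
            "email": u.get("mail"),
            "first_name": u.get("givenName"),
            "last_name": u.get("surname"),
            "enabled": u["accountEnabled"],
        }
        for u in users
    ]


# Constructed two-page Graph listing so the example runs without a tenant.
_PAGE2 = f"{GRAPH}/users?$skiptoken=PLACEHOLDER-page2"
FAKE_DIRECTORY = {
    "first": {
        "value": [
            {"id": "1", "userPrincipalName": "alice@example.com", "mail": "alice@example.com",
             "givenName": "Alice", "surname": "Example", "accountEnabled": True},
        ],
        "@odata.nextLink": _PAGE2,
    },
    _PAGE2: {
        "value": [
            {"id": "2", "userPrincipalName": "bob@example.com", "mail": None,
             "givenName": "Bob", "surname": "Example", "accountEnabled": False},
            {"id": "3", "userPrincipalName": "carol@example.com", "mail": "carol@example.com",
             "givenName": "Carol", "surname": "Example", "accountEnabled": True},
        ]
    },
}


def fake_graph_get(url):
    """Offline stand-in for graph_getter(): serves the constructed pages, ignoring $filter."""
    return FAKE_DIRECTORY.get(url, FAKE_DIRECTORY["first"])


def demo(include_disabled=False):
    return sync_users(fake_graph_get, include_disabled=include_disabled)


if __name__ == "__main__":
    print(demo())
```

Against a real tenant, replace `fake_graph_get` with `graph_getter(get_token(tenant_id, client_id, client_secret))`; the client-side `accountEnabled` check is kept on purpose so that a disabled account never reaches the WiFi user list even when the listing comes from a group rather than the filtered `/users` query.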
## WPA-Enterprise with Azure AD

### PEAP-MSCHAPv2

For WPA-Enterprise authentication using Azure credentials:

**Warning:** This requires Azure AD Premium P1/P2 or Microsoft 365 licensing that includes Azure AD Premium features.
- Enable Password Hash Synchronization in Azure AD Connect
- Configure IronWifi connector for RADIUS authentication
- Set user authentication source to Azure AD
### Certificate-Based (EAP-TLS)
For certificate authentication:
- Deploy certificates via Intune or MDM
- Configure IronWifi for EAP-TLS
- Map certificate attributes to users
## Conditional Access

IronWifi integrates with Azure AD Conditional Access as follows.

### Considerations
- Captive portal authentication respects Conditional Access policies
- MFA prompts may appear during login
- Location-based policies apply
- Device compliance can be enforced
### Configuration
- In Azure AD, create Conditional Access policy
- Include the IronWifi application
- Configure conditions (location, device, risk)
- Set access controls
## Hybrid Environments

For organizations with on-premises AD, two options are available.

### Azure AD Connect
Sync on-premises users to Azure AD:
- Deploy Azure AD Connect
- Configure sync options
- Enable password hash sync or pass-through auth
- IronWifi authenticates via Azure AD
### Pass-Through Authentication
Use on-premises credentials:
- Enable Pass-Through Authentication
- Deploy authentication agents
- Users authenticate against on-premises AD via Azure
## Troubleshooting

### SAML Errors

**Invalid Signature:**

- Re-download the certificate from Azure
- Verify the certificate has not expired
- Check for correct encoding (Base64)

**User Not Found:**

- Verify the user is assigned to the application
- Check the attribute claims mapping
- Confirm the username format
### Sync Issues

**Permission Denied:**

- Verify the Graph API permissions
- Re-consent the application
- Check that admin consent was granted

**No Users Syncing:**

- Verify the filter settings
- Check network connectivity
- Review the connector logs
## Best Practices

- **Use groups** - Manage access via Azure AD groups
- **Enable auto-sync** - Keep users current
- **Monitor sign-ins** - Review Azure AD sign-in logs
- **Test thoroughly** - Verify with test users first
- **Document** - Record the configuration for compliance