Configuring Azure Active Directory

Configure Azure AD as a SAML (2.0) identity provider for Trend Micro Vision One to use.

Azure Active Directory (Azure AD) is Microsoft's multi-tenant, cloud-based directory and identity management service.

To use Azure Active Directory, you must have a valid subscription with an Azure AD edition license (Free, Basic, or Premium). Azure AD handles the sign-in process and ultimately provides the authentication credentials to the Trend Micro Vision One management console.

  1. Sign in to the Azure management portal at https://portal.azure.com using your Azure AD administrator account.
  2. On the Microsoft Azure main page, click Azure Active Directory. On first use, click More services and find Azure Active Directory.
  3. In the left navigation, click Enterprise applications.

    The Enterprise applications | All Applications screen appears.

  4. Click New application.

    The Browse Azure AD Gallery screen appears.

  5. Click Create your own application.
  6. Type a display name for the application.

    For example, type XDR.

  7. Select Integrate any other application you don't find in the gallery.
  8. Click Create.
  9. (Optional) Assign users and roles:
    Important:

    If you intend to enable Web Sensor in Trend Micro Vision One, Trend Micro recommends that you skip step 9. Instead, go to Properties in the left navigation and disable the User assignment required? toggle. Then proceed to step 10.

    If you require user assignment, you will need to assign each user individually to enable Web Sensor.

    1. Under the Getting Started section, click Assign users and groups.

      The Users and groups screen appears.

    2. Click Add user.

      The Add Assignment screen appears.

    3. Click Users.

      A new frame for Users appears on the right side of the screen.

    4. Click the users you want to assign, and then click Select.

      The number of selected users appears under Users and the Assign button is enabled.

    5. Click Assign.

      The Users and groups screen appears.

    6. In the left navigation, click Overview.

      The Overview screen appears.

  10. Under the Getting Started section, click Set up single sign on.

    The Single sign-on screen appears.

  11. Click SAML.

    The SAML-based Sign-on screen appears.

  12. Click Upload metadata file.

    The Upload metadata file window appears.

  13. Click Select a file.

    A browse file window appears.

  14. Browse and open the metadata.xml file that you downloaded in a previous step.

    The browse file window closes.

  15. In the Upload metadata file window, click Add.

    The Basic SAML Configuration window appears.

  16. Type the Trend Micro Vision One Sign on URL, Logout URL and Reply URL (Assertion Consumer Service URL).

    The value for all three fields is the same and can be obtained from the metadata.xml file downloaded from Trend Micro Vision One.

    Open the metadata.xml file in a text editor, and then copy the value of the Location attribute from the AssertionConsumerService element. Use the copied value for the Sign on URL, Logout URL and Reply URL (Assertion Consumer Service URL).

    In the following example, the value is https://example.com/xdr-url.

    ...
        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.com/xdr-url" index="0"/>
      </SPSSODescriptor>
    </EntityDescriptor>
  17. Type the Trend Micro Vision One Identifier (Entity ID).

    The Identifier URL can be obtained from the metadata.xml file downloaded from Trend Micro Vision One.

    Open the metadata.xml file in a text editor, and then copy the value of the entityID attribute from the EntityDescriptor element. Use the copied value for the Identifier (Entity ID).

    In the following example, the value is https://example.com/ID.

    <?xml version="1.0"?>
    <EntityDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
    entityID="https://example.com/ID" 
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    ...
  18. In the User Attributes & Claims section, ensure that the Unique User Identifier is configured to the following: user.userprincipalname
  19. Click Save.

    The settings are saved.

  20. After the settings have been saved, click the close icon in the Basic SAML Configuration window.

    The Basic SAML Configuration window closes and the SAML-based Sign-on window appears.

  21. If prompted to test single sign on now, click No, I'll test later.
  22. Under the SAML Signing Certificate section, click Download for Federation Metadata XML, and then save the file.
    Note:

    Import this metadata file to Trend Micro Vision One.