We are excited to announce a major milestone in Citrix Cloud. This week, customers will be able to start using Azure Active Directory for administrator sign-ins to Citrix Cloud.
From the early days of Citrix Cloud, we envisioned advanced authentication options to meet the growing needs of our customers. Just a few of the requests we’ve heard from customers include:
- Leveraging their own Active Directory, where they can audit, control password policies, and easily disable accounts if necessary.
- Configuring multi-factor authentication for a higher level of security against stolen sign-in credentials.
- Providing a branded sing-in page so that users know they are signing in to the right place.
- Support federation to an identity provider of choice, including AD-FS, Okta, Ping, and others.
Azure Active Directory enables all of these use cases and more. And now, with the integration just released, you can leverage these capabilities across all of the services in Citrix Cloud. Here’s how!
Preparing Active Directory and Azure Active Directory
To use this new functionality, a customer must have an Azure account set up with Microsoft. Every Azure account comes with Azure Active Directory for free, which can be used with Citrix Cloud. If you don’t already have an Azure account, create one to get started.
Citrix Cloud requires administrator accounts to have their “mail” property set inside of Azure AD. There are two ways to configure this:
- Sync accounts from a traditional Active Directory into Azure Active Directory, using Microsoft’s AAD Connect tool.
- Configure non-synced Azure AD accounts with Office 365 email.
The first method is how customers typically configure Azure AD today, even if they are using Office 365. When syncing accounts from Active Directory, you must ensure that the “E-mail” property of users is set in AD. You can do so by using the “Active Directory Users and Computers” tool within Windows.
Note: Citrix Cloud currently requires that admins added from Azure AD have different email addresses than admins who sign in using a Citrix-hosted identity.
Once you’ve done this, AAD Connect will automatically synchronize the accounts so that Azure AD knows each user’s email address, and you’ll be able to add those users as administrators within Citrix Cloud.
Connecting a Citrix Cloud customer to Azure Active Directory
The next step is to connect your Citrix Cloud customer account to your Azure AD account.
- Sign in to Citrix Cloud. (Or, if you haven’t already, sign up today!)
- Click on the “hamburger menu” in the upper left corner and select “Identity and Access Management.”
- Click on the “Connect” button to connect to Azure Active Directory.
- Type a short, URL-friendly identifier for your company. Note: this must be globally unique within Citrix Cloud. Then, click “Connect.”
- Your browser will be redirected to Azure’s sign-in page. Sign in to the Azure account that you want to connect to.
- Azure will prompt you for the permissions that Citrix Cloud needs. Because Citrix Cloud needs to know the administrator’s name and email address, it requires access to the signed-in user’s profile. In order to browse for other users and add them as admins, Citrix Cloud also needs to be able to read information about those other users in your Azure AD. Accept the consent form to continue.
- Citrix Cloud is now connected to your Azure AD, and ready to add admins!
Adding admins to a Citrix Cloud customer from Azure AD
Getting connected to Azure AD allows identity to flow between Azure and Citrix Cloud, but to truly make use of that, you must grant access to those identities.
- From the “Identity and Access Management” page in Citrix Cloud, click on “Administrators”.
- You’ll notice a new drop-down: “Add administrators from…”. (If you don’t see this drop-down, double-check to make sure you are connected to Azure AD by following the instructions above.) Choose the Azure AD option.
- Type in the search box to search for a user, and invite them as an admin. The user will receive an email containing a link to accept the invitation.
- After clicking the email link, the user signs in to the company’s Azure Active Directory. This both verifies their email and completes the connection of their Azure AD user account with Citrix Cloud.
Signing in to Citrix Cloud using Azure AD
After an Azure AD user is connected, there are two ways for that user to sign in to Citrix Cloud.
- Navigate to the customer-specific admin sign-in URL that was chosen when the customer connected to Azure AD. (citrix.cloud.com/go/…)
- Or, navigate to the global admin sign-in URL, citrix.cloud.com, and click on “Sign in with my company credentials”.
Type in the customer-specific URL fragment, as configured when the customer connected to Azure AD, and click “Continue”.
Enabling advanced Azure AD capabilities
Consult Microsoft documentation about the various capabilities available in each of the Azure AD tiers of service. Azure AD provides advanced multi-factor authentication, world-class security features, federation to 20 different identity providers, self-service password change and reset, and more. Turning these features on for your Azure AD users enables Citrix Cloud to leverage those capabilities automatically through the integration.
A great resource for comparing the Azure AD service level capabilities and pricing is available here: https://azure.microsoft.com/en-us/pricing/details/active-directory/.
To sum up…
The ability of Citrix Cloud to leverage Azure Active Directory provides a significant improvement in the security, manageability, and user experience for admins. We strongly encourage all Citrix Cloud customers to begin leveraging this capability to take advantage of these capabilities right away. We hope this guide proves a helpful resource along the way!