Connect Azure Active Directory as an identity provider

By default, Citrix Cloud Japan uses the Citrix identity provider to manage the identity information for all users in your Citrix Cloud Japan account. You can change this to use Azure Active Directory (AD) to authenticate Citrix Cloud Japan administrators as well as workspace subscribers.

By using Azure AD with Citrix Cloud Japan, you can:

  • Use your own Active Directory so you can control auditing, password policies, and easily disable accounts when needed.
  • Configure multi-factor authentication for a higher level of security against the possibility of stolen sign-in credentials.
  • Use a branded sign-in page so your users know they’re signing in at the right place.
  • Use federation to an identity provider of your choice including ADFS, Okta, and Ping, among others.

Azure AD applications and permissions

Citrix Cloud Japan includes an Azure AD app that allows Citrix Cloud Japan to connect with your Azure AD without the need for you to be logged in to an active Azure AD session. For more information about the Azure AD applications and permissions that Citrix Cloud Japan uses to connect with your Azure AD, see Azure Active Directory permissions for Citrix Cloud Japan.

Prepare your Active Directory and Azure AD

Before you can use Azure AD, be sure you meet the following requirements:

  • You have a Microsoft Azure account. Every Azure account comes with Azure AD free of charge. If you don’t have an Azure account, sign up at https://azure.microsoft.com/en-us/free/?v=17.36.
  • You have the Global Admin role in Azure AD. This role is required to give Citrix Cloud Japan your consent to connect with Azure AD.
  • Administrator accounts have their “mail” property configured in Azure AD. To do this, you can sync accounts from your on-premises Active Directory into Azure AD using Microsoft’s Azure AD Connect tool. Alternatively, you can configure non-synced Azure AD accounts with Office 365 email.

Sync accounts with Azure AD Connect

  1. Ensure the Active Directory accounts have the Email user property configured:
    1. Open Active Directory Users and Computers.
    2. In the Users folder, locate the account you want to check, right-click and select Properties. On the General tab, verify the Email field has a valid entry. Citrix Cloud Japan requires that administrators added from Azure AD have different email addresses than administrators who sign in using a Citrix-hosted identity.
  2. Install and configure Azure AD Connect. For complete instructions, see Integrate your on-premises directories with Azure Active Directory on the Microsoft Azure web site.
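Before running Azure AD Connect, you can check the accounts you plan to sync in bulk rather than one at a time in Active Directory Users and Computers. The following PowerShell script is an added example, not a Citrix tool: it assumes the ActiveDirectory RSAT module, a hypothetical group named CitrixCloudAdmins, and a constructed list of email addresses already used by Citrix-hosted administrators.

```powershell
# Added example (not Citrix's own tooling): verify the on-premises AD prerequisites
# for Citrix Cloud Japan administrators before syncing with Azure AD Connect.
# Assumes the ActiveDirectory RSAT module is installed.
Import-Module ActiveDirectory

# Hypothetical AD group holding the accounts you intend to make Citrix Cloud Japan admins.
$AdminGroup = 'CitrixCloudAdmins'

# Constructed sample: email addresses of administrators that already sign in with a
# Citrix-hosted identity. Replace with your own list.
$CitrixHostedAdminEmails = @('alice@example.com', 'bob@example.com')

# Resolve user members (recursively) and fetch the "mail" attribute for each.
$members = Get-ADGroupMember -Identity $AdminGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties mail }

$missingMail = @()
$collisions  = @()
foreach ($u in $members) {
    if ([string]::IsNullOrWhiteSpace($u.mail)) {
        # No Email value: the account cannot be added from Azure AD as an administrator.
        $missingMail += $u.SamAccountName
    }
    elseif ($CitrixHostedAdminEmails -contains $u.mail) {
        # Same address as a Citrix-hosted administrator: not allowed by Citrix Cloud Japan.
        $collisions += "$($u.SamAccountName) <$($u.mail)>"
    }
}

if ($missingMail.Count -gt 0) {
    Write-Warning "Accounts without a mail attribute (fix before syncing): $($missingMail -join ', ')"
}
if ($collisions.Count -gt 0) {
    Write-Warning "Email addresses already used by Citrix-hosted administrators: $($collisions -join ', ')"
}
if ($missingMail.Count -eq 0 -and $collisions.Count -eq 0) {
    Write-Output "All $($members.Count) accounts in '$AdminGroup' have a unique mail attribute."
}
```

Fix any account the script reports before running Azure AD Connect, otherwise the invitation step later on cannot match the Azure AD user to an email address.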

Connect Citrix Cloud Japan to Azure AD

When connecting your Citrix Cloud Japan account to your Azure AD, Citrix Cloud Japan will need permission to access your user profile (or the profile of the signed-in user) as well as the basic profiles of the users in your Azure AD. Citrix requests this permission so it can acquire your name and email address (as the administrator) and enable you to browse for other users and add them as administrators later.

  1. Sign in to Citrix Cloud Japan at https://citrix.citrixcloud.jp.
  2. Click the menu button in the top-left corner of the page and select Identity and Access Management.
  3. Locate Azure Active Directory, click the ellipsis button, and then select Connect.
  4. When prompted, enter a short, URL-friendly identifier for your company and click Connect. The identifier you choose must be globally unique within Citrix Cloud Japan.
  5. When prompted, sign in to the Azure account with which you want to connect. Azure shows you the permissions that Citrix Cloud Japan needs to access the account and acquire the information required for connection.
  6. Click Accept to accept the permissions request.

Add administrators to Citrix Cloud Japan from Azure AD

  1. In the Citrix Cloud Japan management console, on the Identity and Access Management page, click the Administrators tab.
  2. Select Add administrator/group.
  3. In Administrator details, select Azure AD.
  4. Type the name of the user you want to add and then click Next. Inviting Azure AD guest users is not supported.
  5. In Set access, configure the appropriate permissions for the administrator.
  6. Review the administrator details. Select Back to make any changes.
  7. Select Send invitation. Citrix Cloud Japan sends an invitation to the user you specified and adds the administrator to the list.

After clicking the email link, the user signs in to the company’s Azure Active Directory. This verifies the user’s email address and completes the connection between the Azure AD user account and Citrix Cloud Japan.

Add Azure AD administrator groups to Citrix Cloud Japan

You can add administrators to your Citrix Cloud Japan account using Azure Active Directory (AD) groups. You can then manage service access permissions for all administrators in the group.

This feature is supported for use only with Citrix DaaS (formerly Virtual Apps and Desktops service). Administrators in the group don’t have access to manage any other services in the Citrix Cloud Japan account.

For more information, see Manage administrator groups.

Sign in to Citrix Cloud Japan using Azure AD

After the Azure AD user accounts are connected, administrators can sign in to Citrix Cloud Japan using one of the following methods:

  • Navigate to the administrator sign-in URL that you configured when you initially connected the Azure AD identity provider for your company. Example: https://citrix.citrixcloud.jp/go/myorganization
  • From the Citrix Cloud Japan sign-in page, click Sign in with my company credentials, type the identifier you created when you initially connected Azure AD, and click Continue.

Enable Azure AD authentication for workspaces

After you connect Azure AD to Citrix Cloud Japan, you can allow your subscribers to authenticate to their workspaces through Azure AD.

Important:

Before enabling Azure AD workspace authentication, review the Azure Active Directory section for considerations for using Azure AD with Citrix Workspace.

  1. From the Citrix Cloud Japan menu in the upper-left corner, select Workspace Configuration.
  2. Select the Authentication tab and then select Azure Active Directory.
  3. Click Confirm to accept the workspace experience changes that will occur when Azure AD authentication is enabled.

Enable advanced Azure AD capabilities

Azure AD provides advanced multi-factor authentication, world-class security features, federation to 20 different identity providers, and self-service password change and reset, among many other features. Turning these features on for your Azure AD users enables Citrix Cloud Japan to use those capabilities automatically.

Reconnect to Azure AD for the updated app

In April 2022, the Azure AD app used in Citrix Cloud Japan was updated to use the GroupMember.Read.All permission, which replaces the Group.Read.All permission.

If you connected your Azure AD to Citrix Cloud Japan before April 2022 and you want to use the latest updated app, you need to disconnect your Azure AD from Citrix Cloud Japan and then reconnect it. Using the latest app is optional. If you choose not to update the app, your existing connection still functions normally.
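To see which Microsoft Graph application permissions the Citrix app currently holds in your tenant, and so whether your connection still uses Group.Read.All, you can query the app's service principal. This is an added example using the Microsoft Graph PowerShell SDK, not Citrix's own tooling; the app's display name is a placeholder you must look up under Enterprise applications in Azure AD.

```powershell
# Added example (not Citrix's own tooling): list the Microsoft Graph application
# permissions granted to the Citrix Cloud Japan enterprise app and flag a
# pre-April-2022 connection that still relies on Group.Read.All.
# Assumes the Microsoft.Graph PowerShell SDK is installed.
Import-Module Microsoft.Graph.Applications

# Reading service principals and their app role assignments needs this delegated scope.
Connect-MgGraph -Scopes 'Application.Read.All'

# Placeholder: copy the exact name shown under Azure AD > Enterprise applications.
$CitrixAppDisplayName = '<CITRIX-CLOUD-JAPAN-APP-DISPLAY-NAME>'

# Service principal the Citrix app created in your tenant when you clicked Accept.
$citrixSp = Get-MgServicePrincipal -Filter "displayName eq '$CitrixAppDisplayName'"
if (-not $citrixSp) { throw "No service principal named '$CitrixAppDisplayName' found in this tenant." }

# Microsoft Graph's well-known appId; its appRoles map role IDs to permission names.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Application-level (app role) permissions granted to the Citrix app on Microsoft Graph.
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $citrixSp.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object {
        $roleId = $_.AppRoleId
        ($graphSp.AppRoles | Where-Object { $_.Id -eq $roleId }).Value
    }

Write-Output "Graph application permissions granted to '$CitrixAppDisplayName':"
$granted | Sort-Object | ForEach-Object { Write-Output "  $_" }

if (($granted -contains 'Group.Read.All') -and ($granted -notcontains 'GroupMember.Read.All')) {
    Write-Output 'Connection predates the April 2022 app update; disconnect and reconnect to move to GroupMember.Read.All.'
}
```

Run the same script again after reconnecting to confirm that GroupMember.Read.All is present and the broader Group.Read.All is gone.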

Requirements

Before you reconnect your Azure AD, verify that you meet the following requirements:

  • You must be a Global Admin in Azure AD. When reconnecting your Azure AD, you grant application-level permissions to Citrix Cloud Japan through the Global Admin role in Azure AD. This allows Citrix Cloud Japan to reconnect to Azure AD on your behalf. For more information, see Azure Active Directory Permissions for Citrix Cloud Japan.
  • You must be an administrator with full access permissions under the default Citrix identity provider. If you are signed in to Citrix Cloud Japan with your Azure AD credentials, the reconnection fails. If you don’t have any administrators using the Citrix identity provider in your account, you can temporarily add one and delete it after reconnecting your Azure AD. For instructions, see Invite individual administrators.
  • If you are using Azure AD to authenticate workspace subscribers, select a different identity provider temporarily. Citrix Cloud Japan doesn’t allow you to disconnect your Azure AD if it’s also used as an authentication method for Citrix Workspace. For more information, see Choose or change authentication methods in the Citrix Workspace documentation.

To reconnect Azure AD

  1. Sign in to Citrix Cloud Japan as an administrator with full access permissions under the Citrix identity provider.
  2. From the Citrix Cloud Japan menu, select Identity and Access Management and then select Authentication.
  3. Locate Azure Active Directory and select Disconnect from the ellipsis menu at the far right of the page.
  4. From the ellipsis menu, select Connect.
  5. When prompted, sign in to your Azure account using your Global Admin credentials. Azure shows you the permissions that Citrix Cloud Japan needs to access the account and acquire the information required for the connection.
  6. Select Accept to accept the permissions request.