Connect Azure Active Directory to Citrix Cloud
Citrix Cloud supports using Azure Active Directory (AD) to authenticate Citrix Cloud administrators and workspace subscribers.
By using Azure AD with Citrix Cloud, you can:
- Leverage your own Active Directory, so you can control auditing, password policies, and easily disable accounts when needed.
- Configure multifactor authentication for a higher level of security against the possibility of stolen sign-in credentials.
- Use a branded sign-in page, so your users know they’re signing in at the right place.
- Use federation to an identity provider of your choice including ADFS, Okta, and Ping, among others.
Azure AD app and permissions
Citrix Cloud includes an Azure AD app that allows Citrix Cloud to connect with Azure AD without the need for you to be logged in to an active Azure AD session. As of August 2018, this app was upgraded to improve performance and allow you to be ready for future releases. If you previously connected your Azure AD to Citrix Cloud (before August 2018), you might need to update your Azure AD connection in Citrix Cloud. For more information, see Reconnect to Azure AD for the upgraded app in this article.
For more information about the Azure AD applications and permissions that Citrix Cloud uses to connect with your Azure AD, see Azure Active Directory permissions for Citrix Cloud.
Learn more about supported identity providers with the Introduction to Citrix Identity and Authentication education course. The “Planning Citrix Identity and Access Management” module includes short videos that walk you through connecting this identity provider to Citrix Cloud and enabling authentication for Citrix Workspace.
Prepare your Active Directory and Azure AD
Before you can use Azure AD, be sure you meet the following requirements:
- You have a Microsoft Azure account. Every Azure account comes with Azure AD free of charge. If you don’t have an Azure account, sign up at https://azure.microsoft.com/en-us/free/?v=17.36.
- You have the Global Admin role in Azure AD. This role is required to give Citrix Cloud your consent to connect with Azure AD.
- Administrator accounts have their “mail” property configured in Azure AD. To do this, you can sync accounts from your on-premises Active Directory into Azure AD using Microsoft’s Azure AD Connect tool. Alternatively, you can configure non-synced Azure AD accounts with Office 365 email.
Sync accounts with Azure AD Connect
- Ensure that the Active Directory accounts have the Email user property configured:
- Open Active Directory Users and Computers.
- In the Users folder, locate the account you want to check, right-click and select Properties. On the General tab, verify the Email field has a valid entry. Citrix Cloud requires that administrators added from Azure AD have different email addresses than administrators who sign in using a Citrix-hosted identity.
- Install and configure Azure AD Connect. For complete instructions, see Getting started with Azure AD Connect using express settings on the Microsoft Azure website.
Connect Citrix Cloud to Azure AD
When connecting your Citrix Cloud account to your Azure AD, Citrix Cloud needs permission to access your user profile (or the profile of the signed-in user) in addition to the basic profiles of the users in your Azure AD. Citrix requests this permission so it can acquire your name and email address (as the administrator) and enable you to browse for other users and add them as administrators later. For more information about the application permissions that Citrix Cloud requests, see Azure Active Directory permissions for Citrix Cloud.
You must be a Global Admin in Azure AD to complete this task.
- Sign in to Citrix Cloud at https://citrix.cloud.com.
- Click the menu button in the top-left corner of the page and select Identity and Access Management.
- Locate Azure Active Directory and select Connect from the ellipsis menu.
- When prompted, enter a short, URL-friendly identifier for your company and click Connect. The identifier you choose must be globally unique within Citrix Cloud.
- When prompted, sign in to the Azure account with which you want to connect. Azure shows you the permissions that Citrix Cloud needs to access the account and acquire the information required for connection. Most of these permissions are read-only and allow Citrix Cloud to gather basic information from your Microsoft Graph such as groups and user profiles. If you integrated Citrix Endpoint Management or XenMobile Server with Microsoft Intune, you must grant Microsoft Intune-related read-write permissions. For more information, see Azure Active Directory Permissions for Citrix Cloud.
- Click Accept to accept the permissions request.
Add administrators to Citrix Cloud from Azure AD
- In Citrix Cloud, from the Identity and Access Management page, click the Administrators tab.
- From the Add administrators from menu, select the Azure AD option.
- In the search box, start typing the name of the user you want to add and invite them to the account as described in Manage Citrix Cloud administrators. Citrix Cloud sends the user an email containing a link to accept the invitation.
After clicking the email link, the user signs in to the company’s Azure Active Directory. This verifies the user’s email address and completes the connection between the Azure AD user account and Citrix Cloud.
Add Azure AD administrator groups
Citrix Cloud supports adding administrators using Azure AD groups. Administrators that you add using groups don’t need to be explicitly invited. However, these administrators can only manage the Virtual Apps and Desktops service. For more information, see Add Azure AD administrator groups to Citrix Cloud
Sign in to Citrix Cloud using Azure AD
After the Azure AD user accounts are connected, users can sign in to Citrix Cloud using one of the following methods:
- Navigate to the administrator sign-in URL that you configured when you initially connected the Azure AD identity provider for your company. Example:
- From the Citrix Cloud sign-in page, click Sign in with my company credentials., type the identifier you created when you initially connected Azure AD (for example, “mycompany”), and click Continue.
Enable Azure AD authentication for workspaces
After you connect Azure AD to Citrix Cloud, you can allow your subscribers to authenticate to their workspaces through Azure AD.
Before enabling Azure AD workspace authentication, review the Azure Active Directory section for considerations for using Azure AD with workspaces.
- In Citrix Cloud, click the menu button in the top-left corner and select Workspace Configuration.
- From the Authentication tab, select Azure Active Directory.
- Click Confirm to accept the workspace experience changes that will occur when Azure AD authentication is enabled.
Enable advanced Azure AD capabilities
Azure AD provides advanced multifactor authentication, world-class security features, federation to 20 different identity providers, and self-service password change and reset, among many other features. Turning these features on for your Azure AD users enables Citrix Cloud to leverage those capabilities automatically.
To compare Azure AD service level capabilities and pricing, see https://azure.microsoft.com/en-us/pricing/details/active-directory/.
Reconnect to Azure AD for the upgraded app
If you’ve previously connected your Azure AD to Citrix Cloud (before May 2019), Citrix Cloud might not be using the most current app to connect with Azure AD. As a result, Citrix Cloud might prompt you to reconnect your Azure AD and grant additional permissions. To add Azure AD groups to your library offerings, improve logon performance, and realize other benefits, you must grant Citrix Cloud additional permissions through the Global Admin role in Azure AD. To do this, you must be a Global Admin in Azure AD. By reconnecting to Azure AD, you grant application-level permissions to Citrix Cloud and allow Citrix Cloud to reconnect to Azure AD on your behalf.
For more information about the type of Azure AD permissions that Citrix Cloud requests, see Azure Active Directory Permissions for Citrix Cloud.
Reconnecting your Azure AD to Citrix Cloud requires you to sign in to Citrix Cloud using a Citrix Cloud administrator account under the Citrix identity provider. If you are signed in to Citrix Cloud with your Azure AD credentials, the reconnection fails. If you are using an Azure AD administrator account with Citrix Cloud and you don’t have any administrators using the Citrix identity provider in your account, you can add one temporarily to perform this reconnection and delete it afterward.
To perform the reconnection, sign in to Citrix Cloud with your Citrix Cloud administrator credentials. When prompted to reconnect, you can sign in to Azure with your Global Admin credentials.
In this article
- Azure AD app and permissions
- Prepare your Active Directory and Azure AD
- Connect Citrix Cloud to Azure AD
- Add administrators to Citrix Cloud from Azure AD
- Add Azure AD administrator groups
- Sign in to Citrix Cloud using Azure AD
- Enable Azure AD authentication for workspaces
- Enable advanced Azure AD capabilities
- Reconnect to Azure AD for the upgraded app