This post demonstrates how to integrate Facebook Workplace with Azure AD and enable single sign on, and CASB protection for keywords that users post in a Facebook Workplace site.
The process would be exactly the same for any SAAS application and this post demonstrates the power of CASB integration with SAAS applications. For example , when using CASB to protect SAAS applications like GMAIL, Salesforce, Service Now, CASB can block real time key words and inspect files for sensitive information types defined by an organisation and integrate with Azure Information Protection.
There is a Microsoft tutorial on how to integrate Azure AD with Facebook workplace but I found the guide difficult to follow.
So I will try and structure this post in order to block a keyword from being posted to Facebook Workplace.
- Sign up for a Facebook Workplace account and sign in. Then click on the admin panel , security and authentication settings.
- Click on the Add new SSO Provider
- After you click on the link displayed above , scroll down and copy the audience URL which is the unique identifier.
- Next we add a new tab in the browser and go to Azure Active Directory , Enterprise Applications and add Facebook Workplace from the gallery.
- Add the users or security group that will have access to this published application within Azure AD
- Create a conditional access policy and do the following
Select Facebook Workplace as the app
Select the users in scope for testing
Select session control and select the settings displayed in the image below
There is obviously a lot more protection that can be applied with this conditional access policy, like location protection , azure hybrid joined machines etc.. For the purpose of this blog we are simply demonstrating the interaction with CASB and conditional access session policies.
- As I always use Chrome until Edge Chromium is GA , the next step is to to open a new tab and install the My Apps Secure Sign-in Extension for Chrome and sign in with the credentials that you are signed into the Azure Portal with.
- Within Azure AD , Select Facebook Workplace and select single sign on and select SAML
- Edit basic saml configuration and paste in the following urls
A:Identifier (Entity ID) : The audience url captured in step 3
B:Reply URL (Assertion Consumer Service URL) : https://my.workplace.com/work/saml.php
C:Sign On Url : https://my.workplace.com/work/saml.php
- Exit the SAML basic configuration and then move to step 5 in the SAML configuration and click on ‘Setup WorkPlace for Facebook’
- When we click on ‘Setup WorkPlace by Facebook’ , The browser will redirect the session to the Facebook WorkPlace authentication settings and click on the ‘Single Sign On (SSO) button
- Wait a few seconds and the Chrome add in we discussed in step 7 will display the following screen which will auto populate the Azure SAML configuration automatically into Facebook WorkPlace.
- The next pop up requests the admin to test SSO and then save the changes.
- The next window will re-direct the Facebook Workplace login url through CASB
- Click on close on the next page
- Next really important step , Go back to the Facebook Workplace tab and select save changes
- Next steps are to create the Cloud App Security Policy to block a key word using this template :Block sending of messages based on real-time content inspection
- The activities in the policy are displayed below
- The content inspection config of the policy uses contoso as the keyword
- The action is to block and notify the user with the organisation’s terms and conditions for usage of cloud apps or a custom response
- Finally , Facebook WorkPlace will be available for the users in scope to use the application in the https://myapps.microsoft.com portal
Final note , SAAS applications that support SCIM will be much easier to on-board into Azure Active Directory and CASB. I hope this blog post shows how easy it is to on-board SAAS apps into Azure AD and CASB.