Using Azure Active Directory Accounts

Managed Backup provides the Azure Active Directory (AD) Bridge feature, a specialized gateway solution developed to simplify cloud storage deployment in large corporate networks. It authenticates Windows domain users as Managed Backup users. End users log on to their Windows computers and start using Managed Backup without specifying their domain credentials, which makes the authentication safer.

System Requirements

The computer on which AD Bridge is installed must have Microsoft .NET 4.0 or later installed.

AD Bridge Licensing

No license is required. AD Bridge itself is available free of charge and can be downloaded from the Downloads section in Management Console.

This chapter covers the following topics:

  • Download AD Bridge
  • Enable AD Authentication for Backup Agent
  • AD Bridge Installation and Configuration
  • Use Backup Agent with AD Bridge

Download AD Bridge

  1. Open Management Console.
  2. Click Downloads.
  3. On the Builds tab, click Download AD Bridge v{version_number}.

Enable Azure AD Authentication for Backup Agent

Before using Backup Agent with the Azure Active Directory authentication, enable the appropriate option in the Management Console.

Note that the Azure AD Authentication feature requires the Advanced Rebranding feature. Advanced Rebranding is only available for providers who have purchased an Advanced Rebranding license.

  1. Open the Management Console.
  2. In the Settings menu, select Global Agent Options.
  3. In the Authentication group, select the Show Windows Authentication (AD Bridge) check box.
  4. In the Default Authentication drop-down list, select the required authentication method (Windows auth (AD Bridge), for example).
  5. Once you are done, click Save Changes.

Installation and Configuration

  1. Run the downloaded installation package on one of the domain computers.

Note: AD Bridge comes without rebranding and the default installation path is as follows: C:\Program Files\MBS\ADBridge

  2. Once the installation is completed, run the application.
  3. Specify AD Bridge settings.

On the General tab, specify your Managed Backup provider credentials:

  • Login. Your Managed Backup login email, or the login of a sub-administrator with the "Active Directory Server" permission enabled
  • Password. The password for this login

Select the AD groups to link to Managed Backup. To manage AD groups, use Add, Edit, and Remove buttons.

  • Service Port. Specify the service port number
  • Use SSL. Select this check box to use the SSL protocol, then upload the SSL certificate
  • In the Endpoint field, specify the URL for configuring MBS users
  • Use LDAP over SSL for AD requests. Sometimes network security policy requires this protocol. Select this check box to enable it for AD requests
  • Register SCP. Register a Service Connection Point in Active Directory for AD Bridge (optional), so that MBS Agents automatically detect the AD Bridge endpoint

Note: Registering SCP requires master permissions to Active Directory.

  4. Once you are done, click OK or Apply.
  5. Click OK to apply the settings.

Using Backup Agent with AD Bridge

To start using AD authentication:

  1. Install the Backup Agent instance on a customer's domain computer.
  2. Select the "Use Windows authentication (AD Bridge)" option:

You may need to enter the AD Bridge endpoint manually if it was not registered in Active Directory using "Register SCP" during AD Bridge configuration.

  3. Click OK.

Alternatively, you can auto-configure the installation and authentication process if you deploy the following script via Windows GPO:

net use s: \\dc\share
mkdir c:\backup
cd c:\backup
powershell -Command "Invoke-WebRequest http://s3.amazonaws.com/yourBuildURL.exe -OutFile cbl.exe"
cbl.exe /S /autoregadbridge="http://ADBRIDGE-PC:8900/ADGateway/Service/"

Make sure that all arguments specified in the script are relevant to your environment.
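The script above fetches the installer over plain HTTP and runs it without checking it. The following is an added example, not the vendor's script: a PowerShell variant of the same deployment that downloads over HTTPS and refuses to run the installer unless its SHA-256 hash and Authenticode signature match what you expect. The hash, the signer string, and the assumption that your build is Authenticode-signed are placeholders to replace with values from your own build; the installer switches and endpoint are the ones shown above.

```powershell
# Added example: hardened variant of the GPO deployment script above.
# Values in angle brackets are placeholders (assumptions), not vendor values.
$ErrorActionPreference = 'Stop'

$BuildUrl       = 'https://s3.amazonaws.com/yourBuildURL.exe'   # page's placeholder URL, fetched over HTTPS
$ExpectedSha256 = '<SHA256-OF-YOUR-BUILD>'                      # placeholder: hash recorded when the build was produced
$ExpectedSigner = '<EXPECTED-SIGNER-SUBJECT-SUBSTRING>'         # placeholder: part of the signing certificate subject
$Endpoint       = 'http://ADBRIDGE-PC:8900/ADGateway/Service/'  # endpoint from the page; use the one configured in AD Bridge
$WorkDir        = 'C:\backup'
$Installer      = Join-Path $WorkDir 'cbl.exe'

# -Force makes this a no-op when the directory already exists
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Windows PowerShell 5.1 may not negotiate TLS 1.2 unless told to
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Invoke-WebRequest -Uri $BuildUrl -OutFile $Installer -UseBasicParsing

try {
    # 1. The file must be byte-for-byte the build you published
    $hash = (Get-FileHash -Path $Installer -Algorithm SHA256).Hash
    if ($hash -ne $ExpectedSha256) {
        throw "Installer hash mismatch: got $hash"
    }

    # 2. The signature must validate and come from the expected publisher
    $sig = Get-AuthenticodeSignature -FilePath $Installer
    if ($sig.Status -ne 'Valid') {
        throw "Installer signature status is '$($sig.Status)'"
    }
    if ($sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
        throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }
}
catch {
    # Never leave an unverified executable on disk
    Remove-Item -Path $Installer -Force -ErrorAction SilentlyContinue
    throw
}

# Same silent install and AD Bridge auto-registration switches as the script above
$installArgs = @('/S', "/autoregadbridge=`"$Endpoint`"")
$proc = Start-Process -FilePath $Installer -ArgumentList $installArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "Installer exited with code $($proc.ExitCode)"
}
```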

Once the Backup Agent is configured, a corresponding MBS user is automatically created. The MBS user name is the name of the customer's domain account.