It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Cloud Control

Single Sign-On with Microsoft Azure Active Directory (OAuth)

  • Last updated on

Customers with a configured Microsoft Azure Active Directory (Azure AD) in Barracuda Cloud Control can now log into Barracuda Cloud Control using their Microsoft Azure credentials. This means that customers using multi-factor authentication (MFA) with Microsoft Azure can now use that same process for signing into Barracuda Cloud Control. This provides users with a secure, smooth login experience to Barracuda Cloud Control.

Upon signing into Barracuda Cloud Control, Microsoft Azure users will be redirected to Microsoft for authentication. After users are authenticated with Microsoft, they are signed into Barracuda Cloud Control.

What is Single Sign-On?

With Azure AD Single Sign-On (SSO), users sign in once using their primary organizational account to securely access web and SaaS applications. SSO enables users to authenticate applications using their single organizational account.

The SSO environment protects defined resources (websites and applications) by requiring the following steps before granting access:

  1. Authentication: Authentication verifies the identity of a user using login credentials.
  2. Authorization: Authorization applies permissions to determine if this user may access the requested resource.

Users are signed into Barracuda Cloud Control automatically if they are already signed into Microsoft Azure. This reduces the number of times a user must enter their credentials into their applications, increasing their productivity. To learn more, see the Microsoft article What is single sign-on (SSO).

How to Configure Single Sign-On with Microsoft Azure Active Directory

The following steps must be done by a Barracuda Cloud Control User Administrator. For more information about users and user privileges in Barracuda Cloud Control, see How to Add Users and Configure Product Entitlements and Permissions.

  1. Log into Barracuda Cloud Control as the account administrator, and go to Home > Admin > Directories.
  2. Click the Add Directory button.
    addDirectory.png
  3. Select Azure Active Directory.
  4. On the INFO tab, specify a new Directory Name. For example, “Office 365”.
  5. Click CONNECT TO MICROSOFT to sign into Microsoft and authorize Barracuda Cloud Control to connect to your Azure AD.
    1. Log in with your Microsoft Azure / Office 365 administrator credentials.
    2. Accept the permissions required for Barracuda Cloud Control to access your Azure AD.
    addAzure.png
  6. Activate/Enable the Authentication option to have users authenticate to Barracuda Cloud Control using their Microsoft Azure credentials. If this option is disabled, users will not be redirected to Microsoft for authentication and will authenticate with Barracuda Cloud Control.

    Barracuda strongly recommends creating an additional administrator account using an independent domain that does not use Active Directory (AD) authentication. This allows you access to your Barracuda product account if your AD server goes down or fails.

    After you are redirected back to Barracuda Cloud Control, your domains are queried and shown on the AZURE DOMAINS tab.

  7. Click Save.
  8. After a successful sync of the new directory, users in the directory can now enter their company-provided email address in the Barracuda Cloud Control login page. When Barracuda Cloud Control detects that the email address matches one of the users in the Azure AD setup, Barracuda Cloud Control will redirect the user in their web browser to Microsoft to complete authentication and return the user to Barracuda Cloud Control.
User Authentication Flow Chart

bcc_azure_auth.png

Authentication with Barracuda Products and Known Issues

At this time, single sign-on support with Microsoft Azure AD is only supported by Barracuda Cloud Control (BCC). All authentication and product access must use the BCC login page and redirect to Microsoft for authentication.

If you access a Barracuda product login page outside of BCC, for example, sentinel.barracudanetworks.com, authentication is only handled using the default BCC authentication method which requires an email address and password.  Organizations that have MFA configured with Microsoft will encounter login failures because users do not redirect to Microsoft for authentication, and we are unable to meet Microsoft’s MFA requirement. To avoid this issue, log into BCC at https://auth.barracudanetworks.com/  and then access the desired Barracuda product. If this is not feasible, contact Barracuda Technical Support to apply a patch on your account that bypasses the MFA requirement from Microsoft and allow you to login with just an email address and password.

Troubleshooting

This table contains troubleshooting information on possible issues and how to fix them.

FailurePossible CausesPossible Solutions
Error after returning from Microsoft when connecting to a new Active Directory.
  • User setting up a new Active Directory is not an Administrator in their company's Azure AD.
  • User did not consent to the required permissions when prompted by Microsoft.
  • Ensure user is an Administrator in their company's Azure AD.
  • Ensure user consents to the required permissions when redirected to Microsoft during the connection process.
Error fetching domains after initial connection to Microsoft.
  • Temporary authentication failure from Microsoft.
  • Attempt to reauthorize with Microsoft and retry.
Error returned during syncing of users and groups.
  • User revoked consent within their Microsoft Azure AD portal.
  • Temporary authentication failure from Microsoft.
  • Attempt to reauthorize with Microsoft on the Directories page.
  • Force a resynchronization of the AD on the Admin > Groups page.

Error returned during sign-in attempt for Azure AD user.

Examples of user-facing errors:

  • Failed to authenticate with Microsoft, please try again.
  • Invalid information returned from Microsoft during authentication, please try again.
  • Failed to finish authentication with Microsoft, please try again.
  • User canceled the authentication request.
  • Temporary authentication failure from Microsoft.
  • Ensure user fully completes the authentication process when redirected to Microsoft during the login process.
  • Retry authentication again in a few minutes.
Last updated on