Ubiquiti UID and Microsoft 365: SSO with your VPN
My home network has been Ubiquiti Unifi stuff for years now and I am quite happy with their products. It didn't fail me during numerous video conferencing calls since March 2020 (you know why…). Now that I am increasingly away from home, I do use the L2TP VPN solution more often to acces my home resources. Unfortunately, this solution has a separate set of credentials. I would really like just one identity to ru… access all my Microsoft 365 apps, data and in this case my network.
There are obviously other solutions that I could use to achieve the same goal. Within Unifi you can use a different RADIUS server. With Microsoft 365, you need to use Azure AD Domain Services and a NPS server to achieve integration. That is overkill, I (still) don't want to add that additional overhead and complexity. Why not talk directly to Azure AD? And this is what other vendors offer. And then I noticed the UID option within my Unifi Dream Machine. Could I connect Ubiquiti UID and Microsoft 365?
What is Ubiquiti UID?
UID stands for Unifi Identity, and this is Ubiquiti's many purposes platform combining all Unifi products in one big cloud-based management solution. This means you can offer the Unifi capabilities to your end users. Not just Wifi/VPN, but also Unifi Access (door/key management) and even other applications and some MDM. It's an interesting mix, but for now I am focusing on the VPN stuff and general steps to achieve my goal: integrate my Microsoft (or Azure AD) identity with my Unifi VPN.
Ubiquiti has good documentation on setting this all up, so I will only mention the general steps and link to their pages. The first step is to get a UID workspace. In the USA UID is already generally available, but in Canada and Europe they offer an early preview. You can request a workspace, I got mine within hours and it looks like https://<name>.ui.com/portal. The next step is to connect to your on-premises Unifi OS console via the UID agent application, which you must install on your device.
The mobile app is key
You can enable the desired services within the UID agent application, but the exact configuration must be done via UID Manager Portal, which can be reached via https://<name>.ui.com/cloud or via the UID portal. I did not really change much and the UID VPN already worked, via the UID mobile app.
The UID mobile app is a very user-friendly way to deploy the available services. With a click on a button the user can enable a VPN, connect to Wi-Fi open doors and more. Now the question becomes how you provision this app? After downloading and installing the app (which you could do via your MDM solution) the only thing to configure is the workspace name and then the user needs to authenticate. More on that below.
The UID adds a VPN configuration into your mobile device, so do note that other VPN connections cannot be active at the same time. I also use MS Defender with Web Protect, that won't be active during your UID VPN. Be aware of that.
There is also a separate authenticator app called UI Verify, which uses push notifications when authenticating with the UID portals. You can set other MFA methods however, but I'm not sure whether you can fully dispense of yet another Authenticator app on your phone. You can configure MFA requirements via policies, but I haven't investigated this much.
Enabling SSO with Microsoft 365
Now the big question: how do I use the same credentials from my Microsoft 365 account? So, for this to work you require access to the additional feature called "Identity Providers". This was not available, and I had to request this as this is an early preview for my region. I don't remember where I had to do this, it's somewhere in the UID Cloud Management. In any case, when your feature expansion is successful, I followed the instructions to connect UID and Microsoft 365/Azure AD via an Enterprise Application. You still need to provision users within UID, it does need and user object that must match with your Microsoft 365 users. Luckily, this can be achieved via an easy import step.
And what is the user experience? The user must install the app obviously or you could deploy that via your MDM solution. At first startup, the user must enter the UID workspace name for your organization. When that is done, the user needs to authenticate. Because you've set up SSO, you can select the Microsoft 365 option instead of username/password. And depending on your security settings, you might require UID MFA. But after that you have access to your UID capabilities! See my YouTube short for an example.
Yes, with UID and the expansion to include Identity Providers I can achieve my goal of having just one identity and gain access to my internal network. I hope my writeup gave you an idea of the possibilities of UID with Microsoft 365. But be aware that this is an early preview for me, and the expansion is only a trail. Specifically, the Identity Provider capability looks like it is going to be a paid subscription on a per user/per month basis, which is not surprising as that is often the case for more enterprise level integration.
This was only a quick view to see what you could do with it. Your millage may vary, especially with the end-user experience as my device wasn't fully out-of-the-box (Intune Managed and all). I've left a lot with standard settings, and some require some additional attention to increase security. For one, the VPN configuration has a temporary user password of only eight characters, I would've preferred at least sixteen but as the user never has to type it in why not the maximum of thirty? Or use certificates. Also, my tenant was configured to allow passwordless logon and it was enabled on this phone for the account I tested. Those are things that factor in.
There are a lot more capabilities with UID and there is a lot of overlap if you already have Intune/Endpoint Management for instance. But if you have invested in Ubiquiti Unifi hardware and were waiting for an integration with Microsoft 365 (or Google or other SAML providers), this might be worth checking out. At least now I can have a VPN based on single identity! 😀
Note: This is not a paid/unpaid endorsement of Ubiquiti, Unifi or UID. Just a quick product review and experiences out of personal interest, specifically on what is possible with Ubiquiti UID combined with Microsoft 365 and the end-user experience.