Set up Evo on Azure AD
This guide walks you through setting up Evo Secure Login & Elevated Access on a system that is connected to an Azure Active Directory (Microsoft Entra ID) tenant.
Pre-Requisites
- Please review the Requirements & Prerequisites documentation
- You should have an Evo Portal and a Break Glass user set up so that you can access your own Evo instance.
- If possible, create your Azure AD users and groups in advance to speed up implementation.
- Pictures shown will be in portal.azure.com but entra.microsoft.com can also be used.
You will use your Break Glass user to perform this initial setup. Once your other users have synced in and been given the correct permissions, you can log in with your newly synced account and complete the administration there.
Creating Azure Groups and Users
To start, log into your Azure Tenant with a Global Administrator account.
Select the groups menu and create a new Group.

Name this group anything you like, but where possible include the customer name so the group is easy to identify later.

After you create the group, add any users that you would like to manage with Evo.
If you are planning on using Elevated Access, also add the account that you want users to elevate into (the Shared Account) to the group. This account must be dedicated to Evo: Evo rotates its password on a schedule later in this setup, so any other system or process that signs in with it will break. Creating a new Global Admin user for this purpose is preferable.

Once all users have been added into the group, you are all set to start the setup process on your Evo Portal.
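The same group and membership setup can be scripted with Microsoft Graph PowerShell, which is useful when onboarding several customer tenants. This is an added example, not Evo's own tooling or a step from the original page; the customer name, group name and user UPNs are placeholders you replace with your own, and the script also prints the tenant ID that the Evo Portal asks for in a later step.

```powershell
# Added example (not Evo's code): create the Evo sync group in Entra ID and add members.
# Requires: Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

$customer  = "Contoso"                           # assumption: customer name
$groupName = "Evo-$customer-Users"               # assumption: naming convention
$members   = @(                                  # assumption: UPNs of the users to manage with Evo
    "alice@contoso.onmicrosoft.com",
    "bob@contoso.onmicrosoft.com",
    "evo-elevate@contoso.onmicrosoft.com"        # dedicated Shared Account for Elevated Access
)

# Security group (not mail-enabled); reuse it if it already exists so the script is re-runnable.
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName `
        -MailEnabled:$false `
        -MailNickname ($groupName -replace '[^a-zA-Z0-9]', '') `
        -SecurityEnabled
    Write-Host "Created group $groupName ($($group.Id))"
}

# Add each user, skipping anyone already a member and warning on UPNs that do not resolve.
$current = Get-MgGroupMember -GroupId $group.Id -All | Select-Object -ExpandProperty Id
foreach ($upn in $members) {
    $user = Get-MgUser -Filter "userPrincipalName eq '$upn'"
    if (-not $user) { Write-Warning "No user found for $upn"; continue }
    if ($current -contains $user.Id) { continue }
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
    Write-Host "Added $upn"
}

# The Evo Portal asks for the tenant ID; record it together with the group object ID.
[pscustomobject]@{
    TenantId    = (Get-MgContext).TenantId
    GroupId     = $group.Id
    MemberCount = (Get-MgGroupMember -GroupId $group.Id -All).Count
}
```

Run this with a Global Administrator (or at least a Groups Administrator plus User Reader) signed in; the scopes requested at `Connect-MgGraph` are the minimum the script needs, and the tenant ID it prints is the value you paste into the Evo Portal in the Create a Tenant and Directory step.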
Create a Tenant and Directory
Tenants are your customers, and directories are the identity sources you connect those customers to.
Start by selecting the New Tenant option on the right side of the screen.

Once selected, give your Tenant (Customer) a name. Select the type of directory (In this case Azure AD).
Give your directory a name, something that you'll be able to easily identify for each of your customers.
From here you'll want to return to your Azure portal for your tenant and find the Tenant ID.
On the landing page, go to Microsoft Entra ID.

Copy the Tenant ID string from the Microsoft Entra ID overview page and paste it into the Evo Portal.
(***Important***) Sync Passwords from Evo back to Azure
The next option is whether to sync passwords from Evo to Azure. This is an important decision.
For users of Secure Login (MFA), a user's password must match between Evo and Azure or the login will fail. The password sync option is a one-directional sync from Evo to Azure; it does not sync passwords from Azure back into Evo. If you select this option, use Evo to manage password resets for all of your Evo users.
If you do not select the option, you will need to manage users' passwords in both locations and make sure they match.
If, however, you are only using Elevated Access to log in to machines with elevated prompts, passwords do not have to match between Evo and Azure and may differ between the two.
Continue Setup
The federation section is optional and typically not set up immediately. Considerations for Federation can be found here.
Once complete, click next at the bottom right to continue setup. The next step will open an authorization window to initialize the connection between Evo and your Azure tenant.
Log in as a Global Administrator and approve the connection between the two locations.
Once completed, move onto the next screen.
If the connection succeeds, a list of groups will be shown on screen that represent all of the groups in your Azure Tenant (This may take a few minutes depending on Azure sync cycles)
Select the group(s) you created with the users that you want to sync over to Evo with the checkboxes and then click next.

Creating an Access Token (Optional)
The next screen in the Tenant setup will be for creating an access token. This token will be used for the Evo Login Agent installer.
Give your token a name, ideally one that will help you distinguish this token from others you can create in the future.
Give it an expiration date. At this date, all communication between agents installed with this token and the Evo Cloud will be cut off. Evo Admins will get notices that the token is about to expire and you can extend the date by coming back to the Evo Portal and changing the expiration date.
After you select the date click Create Access Token.

Once you leave this screen the Token values will disappear and the secret value cannot be retrieved. Be sure to save the token details in a password manager or some vehicle that will allow you to retrieve the token details later on.
You can also skip this for now by clicking Next and create the token later from the tenant menu under Access Tokens.
Select Next to move to the next portion.
Domain Account Designation (Elevated Access users, optional)
If using Elevated Access and your users have synced in already, you can now designate an account to act as the Shared Account.

Select the account that you want users to elevate into and choose the options for rotating its password.
Password rotation can run as often as every hour or as infrequently as every 30 days.
Select the account you want to use and select Complete. If no users have been synced in, you can do this at a later time.
Now that the authorization step is done, we need to apply additional permissions to the Azure tenant.
Global Administrator Assignment
Return to your Azure tenant portal now that the Evo Security app has been installed.
In the top search bar, you'll want to search for Microsoft Entra Roles and Administrators.

Select that option to bring up the Roles list.
On the Roles Menu, search for or select Global Administrator and click on the role.

A list of users/applications that have the Global Administrator assignment will appear. Select the Add Assignment option to pull up the Assignments page.

Search for Evo and look for the Enterprise Application. In most cases the Evo app will not be listed in the initial results because the search looks primarily at users; switch the search to applications.
Once the Evo Enterprise Application appears, select it and click Select to add a new assignment for the Evo Security app.

Select add to complete the assignment addition.
Next we're going to grant Admin Consent to the Application
Admin Consent for the Evo App
You can return to the main overview page or stay on the same screen you are on. Next search for and select Enterprise Applications

Search for and select the Evo Security application

You'll now see the Application homepage. Under the Security tab, select the Permissions option

On the Permissions page you will see an option to grant admin consent for the directory. Select it; a new window appears in which you complete the authorization flow one more time.

Select a Global Administrator for the tenant and then accept the consent grant.

Once this is completed you can now return to the Evo Portal to complete your setup process.
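Both of the preceding steps (the Global Administrator assignment and the admin consent) can be scripted and, more importantly, audited with Microsoft Graph PowerShell. This is an added example, not Evo's own tooling or a step from the original page. It assumes the enterprise application's display name starts with "Evo"; the script assigns the role to that service principal if it is missing, then lists every principal holding Global Administrator and the application permissions and delegated scopes that were granted to the app when you clicked Grant admin consent.

```powershell
# Added example (not Evo's code): assign Global Administrator to the Evo service
# principal and review what the app now holds in the tenant.
# Requires: Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "Application.Read.All", "Directory.Read.All"

# Assumption: the Evo enterprise application's display name starts with "Evo".
$sp = @(Get-MgServicePrincipal -Filter "startswith(displayName,'Evo')")
if ($sp.Count -ne 1) {
    throw "Expected exactly one Evo service principal, found $($sp.Count): $($sp.DisplayName -join ', ')"
}
$sp = $sp[0]

# Built-in role definition ID of Global Administrator (same GUID in every tenant).
$gaRoleId = "62e90394-69f5-4237-9190-012177145e10"

# Tenant-wide assignment (DirectoryScopeId "/"); skip if it already exists so the script is re-runnable.
$existing = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($sp.Id)' and roleDefinitionId eq '$gaRoleId'"
if (-not $existing) {
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $sp.Id `
        -RoleDefinitionId $gaRoleId -DirectoryScopeId "/" | Out-Null
    Write-Host "Assigned Global Administrator to $($sp.DisplayName) ($($sp.Id))"
}

# Check 1: every principal holding Global Administrator, with its object type.
# Anything here besides Evo, your break-glass account(s) and known admins deserves a second look.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$gaRoleId'" -All |
    ForEach-Object { Get-MgDirectoryObject -DirectoryObjectId $_.PrincipalId } |
    Select-Object Id,
        @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } },
        @{ n = 'Name'; e = { $_.AdditionalProperties['displayName'] } } |
    Format-Table -AutoSize

# Check 2: application permissions (app roles) consented to the Evo app, resolved from
# GUIDs to readable names via the resource's app role catalogue.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All | ForEach-Object {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $_.ResourceId
    $roleId   = $_.AppRoleId
    [pscustomobject]@{
        Resource   = $resource.DisplayName
        Permission = ($resource.AppRoles | Where-Object Id -eq $roleId).Value
        GrantedOn  = $_.CreatedDateTime
    }
} | Format-Table -AutoSize

# Check 3: delegated scopes granted on the app (ConsentType "AllPrincipals" = admin consent).
Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All |
    Select-Object ConsentType, Scope | Format-Table -AutoSize
```

Keep the output of checks 1 to 3 with your onboarding records: a Global Administrator assignment to a service principal is tenant-wide, so the list of who holds that role, and what the app was consented to, is what you will want to compare against during later access reviews.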
Next we're going to set up licenses for these users.
Licensing Users
Now that your tenant and directory have been created, users should start to sync in, or may already be synced. Select the tenant from the homepage and the tenant menu should appear below.

Once your tenant shows up in that field, select the Users tab and make sure all expected users have been synced over.
If users don't show up, make sure they don't already exist in a different tenant.

Now that users have appeared we need to get licenses moved over to the appropriate tenants. Evo licenses are pooled and need to be allocated per tenant.
Go to the Settings tab and Billing to make the adjustments.

Select your tenant at the bottom by clicking the pencil icon on the right side.
Select the number of licenses that you want to add to the tenant and click Save.

Now that your licenses are part of the tenant you can now add them to users.
Select the user by clicking on the checkbox next to their name and select the Assign Licenses option that shows up on the bottom of the screen.

If the user only requires MFA login you can assign them a Secure Login license. If they are going to be using Elevated Access to elevate onto machines on this tenant give them an Elevated Access license (Comes with Secure Login included)
Now that the user is licensed, we need to set up MFA on their account.
Set up MFA for End User / Admin User
Select the user by clicking on their name which will pull up their profile summary on the right side.

Select the View Full Profile option to pull up their user details.

From here you can also allocate licenses. You'll want to enable MFA as well for the account by selecting the slider.
For users that are going to be needing roles and permissions to work with items in the Evo Portal you'll also want to convert them to Admins by selecting the option on the right. These are only admins within Evo, not anywhere else. Once they are converted and set up, you can now send a welcome email to that user.
If the user's email address is a real mailbox, just click the option to send the welcome email. If it needs to go to a different address, the window offers an option for that.

That user should now receive a welcome email that will look like this:

The first item in the email differs slightly depending on the Password Sync option you chose during tenant creation.
Set your password and select the save option.
Once that is completed do not attempt to log in just yet (Doing so will send a one-time code to your email address, this indicates your user is set up but the MFA is not set up on a mobile device)
Download the Evo Secure Login App for the appropriate device.
After that is complete, select the option to scan the QR code. The QR code will appear on screen. If this is the user's first QR code, follow the instructions on screen for scanning and setting up security questions.

Once that is completed you should now be able to log in to your Evo Portal with your email address and Azure-based credentials. Once you do so, you should get a prompt to respond to your push authentication or enter your 6 digit TOTP code for access.
After that you should be logged in to the Evo Portal with your Azure credentials.
If you are working with an end user, this process is complete.
Depending on your user designation in Evo (User or Admin) you will see a different version of the Evo Portal.
End users will only see an option to download the Evo Secure Login application and show their QR code. An Evo Admin will see the administration portal (But don't have permissions to do anything yet).
The next steps are associated with Evo Admins and users of Elevated Access.
Add Permissions (Elevated Access Users)
For users of Elevated Access (And anyone else who will be managing Evo functionality) you will need to assign a Role to dictate what can be accessed.
In your Evo Portal, select the Onboarding section at the top and Select Roles and Permissions

Roles & Permissions
You'll want to create a role that is appropriate for your users. To start, you can create an All Access role for the initial administrator; users who only need specific functions should get a narrower role.
Select the New option on the right to start the Role Creation process.

When you pull up the role menu you'll see any groups that have been added (Azure groups are not added here by default) and all of your admin users underneath.
Groups can be used to more easily assign roles in the future to newly added users. Be aware that if you assign a group you will assign all underlying admin users those group permissions.
You can also select individual administrators to have the roles assigned.

Once you select the appropriate parties you can select the roles you'd like to give them.
More details on individual roles can be found here.
After you select the roles, click save to finish the role creation process.
Domain Account Designation (If not completed earlier)
Now that you have your role assigned, you'll need to designate the account that you are going to elevate into. This will be the Shared Account that was added to the Azure group earlier on in the process.
Under the Tenant menus, select Vault and then Domain Accounts. Add a new Domain Account by selecting New on the right.

For Domain Account Type, choose Select from Synced Directory. Identify your directory and the synced users will appear beneath the menu.

Select the account(s) you want to use as the shared account. Once done, specify the password rotation frequency. You can do as often as 1 hour or as infrequently as every 30 days (Most users select one day).
After that, click save and your domain account is added. You'll now see your domain account on-screen.

In the password column you'll see an eye icon; clicking it reveals the domain account's current password. After the account is added it takes some time for the first rotation to run, and Elevated Access will not work until the password has rotated, so confirm it has rotated before testing Elevated Access.
Elevation Assignment
Next you will need to specify which Elevated Access users are able to use the Shared Account.
Under the Global Menu up top, select Onboarding and then select Elevation Assignment.

Create a new assignment by selecting Create Assignment. Give your assignment a name and description (optional). Select your tenant and the Domain Accounts will be filtered to only that tenant.
Select your Shared Account and then select the admin users that you want to be able to use that Shared Account. You can also select groups optionally.

Once all your selections have been made scroll to the bottom and click Save.
Next you will need to designate which users have access to the tenant.
Tenant Access
Select the Tenant Access Tab or from the menu on the left under Onboarding.

Select your tenant by clicking on the pencil icon on the right.
Select all groups and/or users that you would like to have access to the tenant and click Save.

Any admin user you have granted these permissions to can now refresh their screen, or log out and back in, and should see the Evo administrative functionality their permissions allow.
Now if not completed already, create an Access Token for installing the Evo Agent.
Access Token (If not completed already)
Under the tenant menu, select Access Token and click New on the right-hand side.

This token will be used for the Evo Login Agent installer.
Give your token a name, ideally one that will help you distinguish this token from others you can create in the future. Select the Type as Credential Provider
Give it an expiration date. At this date, all communication between agents installed with this token and the Evo Cloud will be cut off. Evo Admins will get notices that the token is about to expire and you can extend the date by coming back to the Evo Portal and changing the expiration date.
After you select the date click Create Access Token.
Once you leave this screen the Token values will disappear and the secret value cannot be retrieved. Be sure to save the token details in a password manager or some vehicle that will allow you to retrieve the token details later on.
Now you can get the Evo Login Agent set up on your target system.
Installing the Evo Agent
Now that everything is complete on the Evo Portal side, go to Settings -> Downloads to get a copy of the Evo Login Agent.

Once you download the agent, move the agent over to the system that you want to perform the install on.
You'll also need the Access Token details that you saved from the previous steps so have that accessible to the machine you are testing on.
Make sure the machine you are running the installer on is joined to the Azure AD tenant you connected to Evo, or logins will not work.
Start the installer and walk through the process. You will eventually reach a screen with inputs for the details from the Access Token.
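Before starting the installer it is worth confirming the join state from the machine itself rather than assuming it. The following is an added example, not part of Evo's installer or the original page: it parses the output of the built-in `dsregcmd /status` command into a lookup table and checks that the device is Azure AD joined (or hybrid joined) and that the tenant ID it reports matches the one you entered in the Evo Portal.

```powershell
# Added example (not Evo's code): verify the endpoint's Azure AD join state before
# installing the Evo Login Agent. Run in an elevated PowerShell session on the target machine.

function Get-DsRegStatus {
    # dsregcmd /status prints "Key : Value" lines grouped under +--- headers.
    # Keep only the key/value lines; a repeated key (e.g. a URL containing ':') is harmless.
    $status = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') { $status[$matches[1]] = $matches[2] }
    }
    return $status
}

$expectedTenantId = "00000000-0000-0000-0000-000000000000"   # assumption: the tenant ID you entered in the Evo Portal

$s = Get-DsRegStatus
$report = [pscustomobject]@{
    AzureAdJoined = $s['AzureAdJoined']     # YES is required for Evo logins
    DomainJoined  = $s['DomainJoined']      # YES together with AzureAdJoined YES means hybrid joined
    TenantName    = $s['TenantName']
    TenantId      = $s['TenantId']
}
$report | Format-List

if ($s['AzureAdJoined'] -ne 'YES') {
    Write-Error "This machine is not Azure AD joined; join it (or hybrid-join it) before installing the Evo agent."
}
elseif ($s['TenantId'] -ne $expectedTenantId) {
    Write-Error "Device is joined to tenant $($s['TenantId']), not the tenant connected to Evo ($expectedTenantId)."
}
else {
    Write-Host "Join state OK: proceed with the Evo Login Agent installer."
}
```

The tenant ID comparison catches the easy-to-miss case of a device joined to the wrong tenant (for example a test tenant left over from a pilot), which produces the same "login does not work" symptom as an unjoined machine.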

Fill in the details from the access token and, for now, set the authentication mode to Both so that you can test both Secure Login and Elevated Access.

Finish the installer and complete setup.
Once complete, search for Evo on the Windows taskbar and you should see Evo Settings Editor pop up.

From here you can do a Connection Test and test the MFA setup.
For Secure Login you can select just the Secure mode and use the username of the Evo user that you have set up (The prefix before the @ sign in the email)

When you hit connect you should receive a notification on your mobile device. Approve that to complete the connection test.
If set up, you can also test the Elevated Mode. Here you will need to use your full Evo email address to test this functionality.

If any of these tests are unsuccessful, verify you have permissions correctly configured in your Evo Portal.
This includes
- Role Based Permissions
- Tenant Access
- Elevation Assignment
To fully test, log out of your user session.
You should now see an Evo Security Login option on your login screen.

To test Secure Login, enter the Windows username and the password of your Evo user. Do not select Elevated Login.

You should now be logged in as your user using MFA.
To test Elevated Login, sign out again and now select the Elevated Login option. You will notice the prompts changing from Windows username to email address. Enter your full Evo email address and password and log in.

Approve the MFA prompt and now you will be signed in to the previously identified Shared Account using your own credentials.
To verify this, open the command prompt once logged in and enter the whoami command. You should see that you are now in the account of the Shared Account but using your own Evo credentials.
That's it! You've now installed Evo's Login Agent and tested both Secure Login and Elevated Access!
If you have any issues, please contact support at support@evosecurity.com