Configure Identity and Access Management (IAM) in Citrix Cloud with Microsoft Azure AD.
In this article, we will review what Citrix Cloud Identity and Access Management is and how to configure it with Microsoft Azure AD so that your users and administrators can log on to Citrix Cloud with your corporate credentials managed via Azure AD.
More from the Lab!
- Building a Dual-Xeon Citrix Lab: Part 1 – Considerations
- Building a Dual-Xeon Citrix Lab: Part 2 – Hardware
- Building a Dual-Xeon Citrix Lab: Part 3 – Windows and Hyper-V installation
- Lab: Part 4 – Hyper-V Networking
- Lab: Part 5 – NetScaler 11 Architecture and Installation
- Lab: Part 6 – Configure NetScaler 11 High Availability (HA Pair)
- Lab: Part 7 – Upgrade NetScalers in HA
- Lab: Part 8 – Save, Backup and Restore NetScaler 11 configuration
- Lab: Part 9 – Install Microsoft SQL Server 2014 (Dedicated)
- Lab: Part 10 – Citrix Licensing demystified
- Lab: Part 11 – Install XenDesktop 7.6
- Lab: Part 12 – Setup NetScaler 11 Clustering (TriScale)
- Lab: Part 13 – Configure Published Applications with XenDesktop 7.6
- Lab: Part 14 – Citrix StoreFront 3.x
- Lab: Part 15 – Configure SSL in StoreFront
- Lab: Part 16 – StoreFront load balancing with NetScaler (Internal)
- Lab: Part 17 – Optimize and secure StoreFront load balancing with NetScaler (Internal)
- Lab: Part 18 – Secure LDAP (LDAPS) load balancing with Citrix NetScaler 11
- Lab: Part 19 – Configure Active Directory authentication(LDAP) with Citrix NetScaler 11
- Lab: Part 20 – RDP Proxy with NetScaler Unified Gateway 11
- Lab: Part 21 – Secure SSH Authentication with NetScaler (public-private key pair)
- Lab: Part 22 – Ultimate StoreFront 3 customization guide
- Lab: Part 23 – Securing Citrix StoreFront DMZ deployment
- Lab: Part 25 – Upgrade to Citrix StoreFront 3.7
- Lab: Part 26 – Install/Upgrade Citrix XenDesktop 7.11
- Lab: Part 27 – Getting started with Microsoft Azure
- Lab: Part 28 – Getting started with Citrix Cloud
- Lab: Part 29 – Configure XenDesktop And XenApp Service with Microsoft Azure and Citrix Cloud
- Lab: Part 30 – Configure Identity and Access Management in Citrix Cloud with Microsoft Azure AD
- Lab: Part 31 – Configure NetScaler Gateway Service for XenApp and XenDesktop Service in Citrix Cloud
- Lab: Part 32 – Configure MCS with XenDesktop and XenApp Service in Citrix Cloud
- Lab: Part 33 – Configure Azure Quick Deploy with XenDesktop and XenApp Service in Citrix Cloud
- Lab: Part 34 – Configure Site Aggregation for Citrix Workspace in Citrix Cloud with XenDesktop 7.x located on-premises
- Lab: Part 35 – Configure a Hybrid NetScaler MA Service environment in Citrix Cloud
- Lab: Part 36 – Configure ShareFile in Citrix Cloud with StorageZones on-premises
- Lab: Part 37 – Upgrade NetScaler HA pair with NetScaler MA Service in Citrix Cloud
- Lab: Part 38 – How to Configure Full VPN Setup with Citrix NetScaler in CLI
- Lab: Part 39 – Configure Multi-Factor Authentication with Azure MFA Service and Citrix Workspace
- Lab: Part 40 – Getting Started with Citrix App Layering
- Lab: Part 41 – Configure Citrix App Layering
- Lab: Part 42 – OS Layer with Citrix App Layering
- Lab: Part 43 – Platform Layer with Citrix App Layering
- Lab: Part 44 – Application Layers with Citrix App Layering
- Lab: Part 45 – Layered Image Deployment with Citrix App Layering
- Lab: Part 46 – Elastic deployment with Citrix App Layering
- Lab: Part 47 – User Layers with Citrix App Layering
- Lab: Part 48 – Windows 10 and PVS with Citrix App Layering
What is Identity and Access Management in Citrix Cloud?
The foundation of Citrix Workspace is to unify the user experience by offering one place to access applications and data from different providers. These providers often use different authentication mechanisms with different identities. That’s where Identity and Access Management shows its value. The goal of Identity as a Service is to centralize and provide a single point of access control and flexible authentication, with integrated Smart Access and support for any cloud deployment.
There is a great video from Citrix Synergy 2017 that explains How to Manage Identities and Access with Citrix Cloud.
Citrix Cloud supports 2 identity providers (Azure AD credentials and My Citrix credentials).
Architecture

Getting started
For this part of the lab, you will need the following:
- Citrix Cloud account
- Microsoft Azure AD configured. Your Active Directory can be located either in the Cloud or on-premises. In this example, Active Directory is located on-premises and Azure AD is in the Cloud, communicating with our local AD through Azure AD Connect installed on our local DC. You can take a look at this post (Lab: Part 27 – Getting started with Microsoft Azure) to learn how to configure Azure AD with AD Connect.
- Account with permissions in Microsoft Azure
- Citrix Cloud Connectors installed and connected to Citrix Cloud (See this post Lab: Part 28 – Getting started with Citrix Cloud)
You will learn:
- How to delegate your Citrix Cloud account to Microsoft AD identities
- How to configure a custom sign-on administration URL
- How to troubleshoot delegation issues
- How to query Azure AD in PowerShell
Configure Identity And Access Management
In the Citrix Cloud web console, open the left menu and go to Identity and Access Management.

Select Connect under Azure Active Directory.

Citrix Cloud will ask for a URL to authenticate using Azure Active Directory. You can change that later.

Note: you cannot log on at https://citrix.cloud.com with federated identities. You must use the custom sign-in URL provided by Citrix Cloud above.
You will be prompted for Microsoft Azure credentials.

And to allow Citrix to connect to Microsoft Azure.

Once authenticated, Azure AD will appear as Connected in Citrix Cloud.

See below more details about the new configuration.

In the Domains tab you can check that the communication is working for the domain citrixguru.com.

Note: check your Citrix Cloud Connector virtual machines if you have issues here. If you need help setting up Cloud Connectors, take a look at this article Lab: Part 28 – Getting started with Citrix Cloud.
Let’s now try to delegate permissions to users in Citrix Cloud.
Go to Identity and Access Management and Select Administrators. Select Azure AD: default Directory in the drop-down list. Type the name of the user you want to allow in Citrix Cloud. You may face the same issue as below (name grayed out).

This issue means that the account does not have an email address associated with it in Azure AD.
Note: It is not possible to see all attributes in Azure AD. To see more details, you need to query the account in PowerShell.
See below how I did it.
```powershell
# Install the prerequisites and the AzureAD module
Install-PackageProvider Nuget -Force
Install-Module -Name PowerShellGet -Force
Install-Module -Name AzureAD -RequiredVersion 2.0.1.10
# Sign in to the tenant, then list the users
Connect-AzureAD
Get-AzureADUser
## Get the id of the account you want to see
# Show all attributes of the account
Get-AzureADUser -ObjectId 1dfdf590-9336-4a82-b46e-4d518256cfc9 | Select-Object *
# Show only the attributes relevant to this issue
Get-AzureADUser -ObjectId 1dfdf590-9336-4a82-b46e-4d518256cfc9 | Select-Object DisplayName, UserPrincipalName, Mail
```
Here is the output of all attributes.

Here are the attributes I am looking for.

We have now confirmed that in Azure AD, this account does not have an email.
Let’s update it.
In my case this account is an account that was created in my Active Directory on-premises. Go to Active Directory on-premises, and pull up the account.

You can see above that the account has no email address associated with it.
Note: Citrix does not read the UPN attribute.
Add an email for the user and click OK.
Then force an AD Connect synchronization with Azure AD.
```powershell
Import-Module ADSync
# -PolicyType Initial runs a full synchronization cycle
Start-ADSyncSyncCycle -PolicyType Initial
```
PowerShell should output the following:

You will have to wait a few minutes for the replication to complete.
You can query Azure AD again in PowerShell to confirm that the account has been updated.
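To run the same check over several accounts before inviting them, the following added example (not from the original article) flags accounts with an empty Mail attribute and indicates where the address has to be added. The function name and the sample accounts are hypothetical; `DirSyncEnabled` is the `Get-AzureADUser` property that marks an account as synchronized from on-premises AD.

```powershell
# Added example, not the article's own code. Function name is hypothetical.
function Get-CitrixCloudMailReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User
    )
    process {
        # Citrix Cloud needs the Mail attribute; a populated UPN is not enough.
        $hasMail = -not [string]::IsNullOrWhiteSpace($User.Mail)

        # Accounts synchronized by Azure AD Connect are mastered on-premises,
        # so the address must be added there and synchronized afterwards.
        if ($hasMail) {
            $fixIn = 'n/a'
        } elseif ($User.DirSyncEnabled) {
            $fixIn = 'On-premises AD, then Start-ADSyncSyncCycle'
        } else {
            $fixIn = 'Azure AD'
        }

        [pscustomobject]@{
            DisplayName       = $User.DisplayName
            UserPrincipalName = $User.UserPrincipalName
            HasMail           = $hasMail
            FixMailIn         = $fixIn
        }
    }
}

# Constructed sample objects standing in for Get-AzureADUser output.
$sample = @(
    [pscustomobject]@{ DisplayName = 'Alice Admin'; UserPrincipalName = 'alice@example.com'
                       Mail = 'alice@example.com'; DirSyncEnabled = $true }
    [pscustomobject]@{ DisplayName = 'Bob Synced';  UserPrincipalName = 'bob@example.com'
                       Mail = $null;               DirSyncEnabled = $true }
    [pscustomobject]@{ DisplayName = 'Carol Cloud'; UserPrincipalName = 'carol@example.com'
                       Mail = '';                  DirSyncEnabled = $null }
)

# Only accounts that still need an email address are listed.
$sample | Get-CitrixCloudMailReadiness | Where-Object { -not $_.HasMail } | Format-Table -AutoSize

# Against a live tenant, after Connect-AzureAD:
# Get-AzureADUser -All $true | Get-CitrixCloudMailReadiness | Where-Object { -not $_.HasMail }
```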

Go back to Citrix Cloud (https://citrix.cloud.com/identity/administrators) and try again to add a user from Azure AD.

Click on Invite.

The new account will show up in the list.

The user will get an email and has to validate the registration by clicking on the link in the email.

Select Accept Invitation.

You are now allowed to log on to Citrix Cloud with Azure AD credentials.
Note: if you don’t follow this step, you will get the following error message.

To access Citrix Cloud with corporate credentials, you must use a different logon page.
Go to Identity And Access Management to find the URL.
For this lab, the address is https://citrix.cloud.com/go/citrixguru.
You will be prompted to log on via Microsoft.

Enter your password.

Allow Citrix Cloud to connect to Microsoft Azure.

You will be automatically redirected to the Citrix Cloud dashboard.

A quick look in the Account Settings confirms that we are now logged on with an account from Azure AD.

It is possible to manage custom permissions for users in Citrix Cloud. At this time it is very limited.

That’s all for Identity And Access Management in Citrix Cloud. I hope you enjoyed this article. Stay tuned.