Use Azure Active Directory (AD) authentication for your StorSimple
ACTION REQUIRED: StorSimple Data Manager, StorSimple Device Manager, StorSimple 1200, and StorSimple 8000 have reached their end of support. End of support details were published in 2019 on the Microsoft Lifecycle Policy and Azure Communications pages. Additional notifications were also sent via email and posted on the Azure portal and StorSimple documentation site. Contact Microsoft Support for additional details.
The StorSimple Device Manager service runs in Microsoft Azure and connects to multiple StorSimple devices. To date, the StorSimple Device Manager service has used an Access Control service (ACS) to authenticate the service to your StorSimple device. The ACS mechanism will be deprecated soon and replaced by Azure Active Directory (Azure AD) authentication. For more information, see the following announcements about ACS deprecation and the use of Azure AD authentication.
- The future of Azure ACS is Azure Active Directory
- Upcoming changes to the Microsoft Access Control Service
This article describes the details of the Azure AD authentication and the associated new service registration key and modifications to the firewall rules as applicable to the StorSimple devices. The information contained in this article is applicable to StorSimple 8000 series devices only.
Azure AD authentication occurs on StorSimple 8000 series devices running Update 5 or later. The introduction of Azure AD authentication brings changes to:
- URL patterns for firewall rules.
- Service registration key.
These changes are discussed in detail in the following sections.
URL changes for Azure AD authentication
To ensure that the service uses Azure AD-based authentication, all users must include the new authentication URLs in their firewall rules.
If using StorSimple 8000 series, ensure that the following URL is included in the firewall rules:
||Azure Public||Azure AD authentication service|
||US Government||Azure AD authentication service|
For a complete list of URL patterns for StorSimple 8000 series devices, go to URL patterns for firewall rules.
If the authentication URL is not included in the firewall rules beyond the deprecation date, and the device is running Update 5, the users see a URL alert. The users need to include the new authentication URL. If the device is running a version prior to Update 5, the users see a heartbeat alert. In each case, the StorSimple device cannot authenticate with the service and the service is not able to communicate with the device.
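A preflight check for the firewall change described above, added here as an example and not part of Microsoft's tooling. Run from a host whose outbound traffic passes through the same firewall rules as the device (an assumption), it separates a blocked connection from a failed TLS 1.2 handshake, the protocol version the StorSimple Device Manager service enforces. `AUTH_HOST_PLACEHOLDER`, the function names and the status labels are illustrative; pass the authentication host for your cloud on the command line.

```python
import socket
import ssl
import sys

# Placeholder, not a real host: take the authentication URL's host name from the
# StorSimple "URL patterns for firewall rules" article for your cloud.
AUTH_HOST_PLACEHOLDER = "<azure-ad-authentication-host>"


def tls12_context() -> ssl.SSLContext:
    """Client context that verifies certificates and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_auth_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Classify outbound reachability of the authentication endpoint."""
    result = {"host": host, "port": port, "status": "", "detail": ""}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror as exc:
        result.update(status="dns_failure", detail=str(exc))
        return result
    except OSError as exc:
        # Refused, timed out or unreachable: the usual sign of a missing firewall rule.
        result.update(status="tcp_blocked", detail=str(exc))
        return result
    try:
        with sock, tls12_context().wrap_socket(sock, server_hostname=host) as tls:
            result.update(status="ok", detail=tls.version())
    except ssl.SSLCertVerificationError as exc:
        # Typical when a TLS-inspecting proxy re-signs the connection.
        result.update(status="cert_untrusted", detail=exc.verify_message)
    except (ssl.SSLError, OSError) as exc:
        # Handshake refused or cut off, e.g. a middlebox that cannot speak TLS 1.2.
        result.update(status="tls_failed", detail=str(exc))
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else AUTH_HOST_PLACEHOLDER
    outcome = check_auth_endpoint(target)
    print(f"{outcome['host']}:{outcome['port']} -> {outcome['status']} {outcome['detail']}")
    sys.exit(0 if outcome["status"] == "ok" else 1)
```

A `tcp_blocked` or `dns_failure` result points at the firewall or resolver; `cert_untrusted` or `tls_failed` points at a device in the path that intercepts or downgrades TLS.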
Device version and authentication changes
If using a StorSimple 8000 series device, use the following table to determine what action you need to take based on the device software version you are running.
|If your device is running||Take the following action|
|Update 5.0 or earlier and the device is offline.||Transport Layer Security (TLS) 1.2 is being enforced by the StorSimple Device Manager service. Install Update 5.1 (or higher):
|Update 5 or later and the device is offline. You see an alert that the URL is not approved.
|Update 4 or earlier and the device is offline.||
|Update 4 or earlier and the device is online.||Modify the firewall rules to include the authentication URL. Install Update 5 through the Azure portal.|
|Factory reset to a version before Update 5.||The portal shows an Azure AD-based registration key while the device is running older software. Follow the steps in the preceding scenario for when the device is running Update 4 or earlier.|
Azure AD-based registration keys
Beginning with Update 5 for StorSimple 8000 series devices, new Azure AD-based registration keys are used. You use the registration keys to register your StorSimple Device Manager service with the device.
You cannot use the new Azure AD service registration keys if you are using a StorSimple 8000 series device running Update 4 or earlier (including an older device being activated now). In this scenario, you need to regenerate the service registration key. Once you regenerate the key, the new key is used for registering all subsequent devices. The old key is no longer valid.
- The new Azure AD registration key expires after 3 days.
- The Azure AD registration keys work only with StorSimple 8000 series devices running Update 5 or later.
- The Azure AD registration keys are longer than the corresponding ACS registration keys.
Perform the following steps to generate an Azure AD service registration key.
To generate the Azure AD service registration key
1. In StorSimple Device Manager, go to Management > Keys. You can also use the search bar to search for Keys.
2. Click Generate key.
3. Copy the new key. The older key will no longer work.
If you are creating a StorSimple Cloud Appliance on the service registered to your StorSimple 8000 series device, do not generate a registration key while the creation is in progress. Wait for the creation to complete and then generate the registration key.
- Learn more about how to deploy a StorSimple 8000 series device.