Use Azure Active Directory (AD) authentication for your StorSimple

Caution

ACTION REQUIRED: StorSimple Data Manager, StorSimple Device Manager, StorSimple 1200, and StorSimple 8000 have reached their end of support. End of support details were published in 2019 on the Microsoft Lifecycle Policy and Azure Communications pages. Additional notifications were also sent via email and posted on the Azure portal and StorSimple documentation site. Contact Microsoft Support for additional details.

Overview

The StorSimple Device Manager service runs in Microsoft Azure and connects to multiple StorSimple devices. To date, the StorSimple Device Manager service has used an Access Control service (ACS) to authenticate the service to your StorSimple device. The ACS mechanism will be deprecated soon and replaced by Azure Active Directory (Azure AD) authentication. For more information, go to the following announcements for ACS deprecation and use of Azure AD authentication.

This article describes the details of the Azure AD authentication and the associated new service registration key and modifications to the firewall rules as applicable to the StorSimple devices. The information contained in this article is applicable to StorSimple 8000 series devices only.

Azure AD authentication is used on StorSimple 8000 series devices running Update 5 or later. Due to the introduction of Azure AD authentication, changes occur in:

  • URL patterns for firewall rules.
  • Service registration key.

These changes are discussed in detail in the following sections.

URL changes for Azure AD authentication

To ensure that the service uses Azure AD-based authentication, all the users must include the new authentication URLs in their firewall rules.

If using StorSimple 8000 series, ensure that the following URL is included in the firewall rules:

URL pattern | Cloud | Component/Functionality
https://login.windows.net | Azure Public | Azure AD authentication service
https://login.microsoftonline.us | US Government | Azure AD authentication service

For a complete list of URL patterns for StorSimple 8000 series devices, go to URL patterns for firewall rules.

If the authentication URL is not included in the firewall rules beyond the deprecation date, and the device is running Update 5, the users see a URL alert. The users need to include the new authentication URL. If the device is running a version prior to Update 5, the users see a heartbeat alert. In each case, the StorSimple device cannot authenticate with the service and the service is not able to communicate with the device.
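
One way to confirm the firewall change before re-registering the device, as an added example that is not part of the original article or Microsoft's tooling: the script probes the two authentication endpoints from the table above on TCP 443 and requires a TLS 1.2 handshake. It assumes a Windows host whose outbound traffic passes through the same firewall as the device; the function name Test-AadAuthEndpoint and its parameters are made up for this example, and only the endpoint for your cloud needs to succeed.

```powershell
# Added example: check that the Azure AD authentication endpoints are reachable
# through the firewall and accept TLS 1.2. Names here are illustrative only.
function Test-AadAuthEndpoint {
    param(
        [string[]]$HostName = @('login.windows.net', 'login.microsoftonline.us'),
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )
    foreach ($h in $HostName) {
        $result = [ordered]@{ Host = $h; TcpReachable = $false; Tls12 = $false; Detail = '' }
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            # Step 1: does the firewall let the outbound TCP connection through?
            if (-not $client.ConnectAsync($h, $Port).Wait($TimeoutMs)) {
                throw "TCP connect timed out after $TimeoutMs ms"
            }
            $result.TcpReachable = $true

            # Step 2: offer TLS 1.2 only. Default certificate validation stays on,
            # so a TLS-inspecting proxy presenting an untrusted certificate is
            # reported as a failure instead of a silent success.
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
            $ssl.AuthenticateAsClient($h, $null,
                [System.Security.Authentication.SslProtocols]::Tls12, $false)
            $result.Tls12  = ($ssl.SslProtocol -eq [System.Security.Authentication.SslProtocols]::Tls12)
            $result.Detail = "Negotiated $($ssl.SslProtocol); certificate subject: $($ssl.RemoteCertificate.Subject)"
            $ssl.Dispose()
        }
        catch {
            # Unwrap AggregateException from the async connect to show the real cause.
            $result.Detail = $_.Exception.GetBaseException().Message
        }
        finally {
            $client.Close()
        }
        [pscustomobject]$result
    }
}

Test-AadAuthEndpoint | Format-Table -AutoSize -Wrap
```

A row with TcpReachable set to False points at a missing firewall rule; TcpReachable True with Tls12 False points at something on the path that blocks or rewrites the TLS session.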

Device version and authentication changes

If using a StorSimple 8000 series device, use the following table to determine what action you need to take based on the device software version you are running.

If your device is running: Update 5.0 or earlier and the device is offline.
Take the following action: Transport Layer Security (TLS) 1.2 is being enforced by the StorSimple Device Manager service. Install Update 5.1 (or higher):
  1. Connect to Windows PowerShell on the StorSimple 8000 series device, or connect directly to the appliance via serial cable.
  2. Use Start-HcsUpdate to update the device. For steps, see Install regular updates via Windows PowerShell. This update is non-disruptive.
  3. If Start-HcsUpdate doesn't work because of firewall issues, install Update 5.1 (or higher) via the hotfix method.

If your device is running: Update 5 or later and the device is offline. You see an alert that the URL is not approved.
Take the following action:
  1. Modify the firewall rules to include the authentication URL. See authentication URLs.
  2. Get the Azure AD registration key from the service.
  3. Connect to the Windows PowerShell interface of the StorSimple 8000 series device.
  4. Use Redo-DeviceRegistration cmdlet to register the device through the Windows PowerShell. Supply the key you got in the previous step.

If your device is running: Update 4 or earlier and the device is offline.
Take the following action:
  1. Modify the firewall rules to include the authentication URL.
  2. Download Update 5 through catalog server.
  3. Apply Update 5 through the hotfix method.
  4. Get the Azure AD registration key from the service.
  5. Connect to the Windows PowerShell interface of the StorSimple 8000 series device.
  6. Use Redo-DeviceRegistration cmdlet to register the device through the Windows PowerShell. Supply the key you got in the previous step.

If your device is running: Update 4 or earlier and the device is online.
Take the following action: Modify the firewall rules to include the authentication URL. Install Update 5 through the Azure portal.

If your device is running: Factory reset to a version before Update 5. The portal shows an Azure AD-based registration key while the device is running older software.
Take the following action: Follow the steps in the preceding scenario for when the device is running Update 4 or earlier.

Azure AD-based registration keys

Beginning with Update 5 for StorSimple 8000 series devices, new Azure AD-based registration keys are used. You use the registration keys to register your StorSimple Device Manager service with the device.

You cannot use the new Azure AD service registration keys if you are using a StorSimple 8000 series device running Update 4 or earlier (includes an older device being activated now). In this scenario, you need to regenerate the service registration key. Once you regenerate the key, the new key is used for registering all the subsequent devices. The old key is no longer valid.

  • The new Azure AD registration key expires after 3 days.
  • The Azure AD registration keys work only with StorSimple 8000 series devices running Update 5 or later.
  • The Azure AD registration keys are longer than the corresponding ACS registration keys.

Perform the following steps to generate an Azure AD service registration key.

To generate the Azure AD service registration key

  1. In StorSimple Device Manager, go to Management > Keys. You can also use the search bar to search for Keys.

  2. Click Generate key.

  3. Copy the new key. The older key will no longer work.

    Note

    If you are creating a StorSimple Cloud Appliance on the service registered to your StorSimple 8000 series device, do not generate a registration key while the creation is in progress. Wait for the creation to complete and then generate the registration key.
