Does anyone have a blog/step-by-step guide for setting up VSPC with SSO Azure AD?
Of course, official documentation: https://helpcenter.veeam.com/docs/vac/provider_admin/sso.html?ver=60
Yeah, I already showed that to the customer, but he was wondering if there was a simpler guide, specifically documented with screenshots for Azure AD.
I guess if there is no such blog I can create the documentation for him too (but it’s a cheap customer…)
I don’t think there’s a simpler guide than that anywhere, idk.
But there’s a deep dive fresh video!
I found “Veeam Service Provider Console Easily Configure SSO with Azure AD”, but one of the steps has you download the SAML Signing Certificate, and the VSPC wants PKCS#12 format, which Azure AD doesn’t provide as an option. Just raw and cer formats. Has anyone got VSPC working with Azure AD as the IdP?
https://www.veeam.com/wp-veeam-service-provider-console-configure-sso-with-azure-ad.html?wpty
Have you found a solution to export a good certificate in Azure AD for import in VCSP?
Thank you
Nope, I ended up using our wildcard third-party cert from GoDaddy. I installed it in Azure and used the same cert for VCSP.
You can get Veeam’s official guide from https://www.veeam.com/wp-veeam-service-provider-console-configure-sso-with-azure-ad.html but there are a few things worth noting.
- If your server hostname does not match your FQDN, set the Portal Web Address (under Configuration > Company Info > Portal Branding) to match your externally accessible FQDN. Otherwise, the generated URLs for ‘SP Entity ID URL’ and ‘Assertion Consumer URL’ end up with the NetBIOS name, which is not publicly accessible.
- Under ‘security configuration’ you can use a self-signed certificate even though the PDF states to download the Azure AD Enterprise App cert. You can’t use the Azure AD Enterprise App cert as the wizard requires a PFX file, which needs a private key.
- Users who will SSO must have the ‘company’ attribute populated in Azure AD (or in AD if using AD Connect). The ‘company’ attribute must match your company name as configured in the Veeam Service Provider console.
- The PDF guides you through using various attributes (i.e. department) to configure permissions in the Provider Console. This is fine, but you can also do this using AD Groups and group claims.
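
One way to produce the self-signed PFX mentioned in the post above, as an added example that is not part of the original thread or Veeam's guide. The FQDN, output path and two-year lifetime are placeholder assumptions; the final check shows why a `.cer` download cannot stand in for the PFX.

```powershell
# Added example (not from the thread or from Veeam's guide).
# Assumptions: $fqdn, $pfxPath and the 2-year lifetime are placeholders to adjust.
$fqdn    = 'vspc.example.com'                        # placeholder portal FQDN
$pfxPath = Join-Path (Get-Location) 'vspc-saml.pfx'  # placeholder output file
$pfxPass = Read-Host -AsSecureString -Prompt 'Password to protect the PFX'

# Create an RSA key pair and a self-signed certificate in the current user's store.
# -KeyExportPolicy Exportable is what lets the private key be written into the PFX.
$cert = New-SelfSignedCertificate `
    -Subject "CN=$fqdn" `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(2)

# Export the certificate together with its private key as PKCS#12 (.pfx).
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPass | Out-Null

# Re-load the file and confirm it really carries a private key.
# A .cer file holds only the public certificate, so HasPrivateKey would be False.
$check = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxPath, $pfxPass)
if (-not $check.HasPrivateKey) {
    throw "PFX at $pfxPath does not contain a private key"
}

# Summary to record alongside the SSO configuration (expiry matters for renewal).
[pscustomobject]@{
    Subject       = $check.Subject
    Thumbprint    = $check.Thumbprint
    NotAfter      = $check.NotAfter
    HasPrivateKey = $check.HasPrivateKey
    Path          = $pfxPath
}
```

The PFX holds a private key, so store it and its password with the same care as any other signing credential and note the `NotAfter` date for renewal.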
I know this is a really old thread but I'm having difficulty using group claims. Other claims work fine. It seems that only the first group claim is evaluated. So when I have an authorization rule that uses a group id that is not the first in the list, it doesn't work...