Microsoft Entra ID External Authentication Methods
Microsoft Entra ID is a customer identity and access management (CIAM) solution for managing external identities. See the following documentation for more help:
- https://learn.microsoft.com/en-us/entra/external-id/
- https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-external-method-manage
- https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-external-method-provider
You can configure Microsoft Entra ID External Authentication Methods to use Identity as a Service for multi-factor authentication. To do this, you must add Microsoft Entra ID External Authentication Methods as an application in Identity as a Service. This integration guide describes how to integrate Microsoft Entra ID External Authentication Methods with Identity as a Service. To integrate Microsoft Entra ID Active Directory with Identity as a Service, see Integrate Microsoft Entra ID active directory with Identity as a Service.
You can configure one or more Microsoft Entra ID External Authentication Methods OIDC applications for your Microsoft Entra ID tenant that can be used across all applications within that tenant. For example, you can create multiple Microsoft Entra ID External Authentication Methods OIDC applications in Identity as a Service and set each application to require a different authenticator.
To integrate Microsoft Entra ID External Authentication Methods with Identity as a Service, complete the following steps:
Step 1: Complete the following prerequisites:
- Synchronize your Microsoft Entra ID users with Identity as a Service. See Synchronize Microsoft Entra ID External users with Identity as a Service and Sync an on-premises AD with Microsoft Entra ID External.
- If you have not done so already, Create a gateway.
- Obtain the Microsoft Entra ID Tenant ID:
  - Log in to the Microsoft Entra ID portal.
  - In the Navigation pane, click Microsoft Entra ID. The Directory Overview page appears.
  - In the Manage section, click Properties.
  - Copy the Directory ID. The Tenant ID and the Directory ID are the same.
Step 2: Add Microsoft Entra ID External Authentication Methods to Identity as a Service
- Log in to an Identity as a Service account with a role that allows you to configure applications.
- Click > Security > Applications. The Applications List page appears.
- Click Add. The Select an Application Template page appears.
- Do one of the following:
  - Select OpenID Connect and OAuth Cloud Integrations from the search drop-down list and scroll to find the application you want to add to IDaaS.
  - In the Search bar, enter a search option to filter for the application you want to add to IDaaS.
- Click Microsoft Entra ID External Authentication Methods (formerly Azure AD). The Add Microsoft Entra ID External Authentication Methods page appears.
- In the App Settings, modify the Application Name and Application Description, if required.
- In the OIDC Settings, do the following:
  - Optional. Set the Reauthentication Time to require users to reauthenticate after a predetermined amount of time.
  - Select the OIDC Signing Certificate.
    Note: The Login Redirect URI and the Supported Scopes are selected by default.
  - From the User ID Mapping Attribute drop-down list, select User Principal Name to map the Microsoft Entra ID incoming claim to the attribute used to find the user.
  - Select Require Consent if you want the user to be prompted for consent for each request.
  - Optional. Enter a Consent Message to include a message to users when consent is requested.
- In the Microsoft Entra ID External Authentication Methods Settings, do the following:
  - Select the Incoming Userid Claim from the drop-down list. The default is User Principal Name. This value is the incoming claim used by Microsoft Entra ID Directory to identify the user.
    Note: An Identity as a Service account that is synchronized with a corporate directory containing User Principal Name values auto-populates the User Principal Name in the user profile information when directory synchronization occurs. This value is stored in the user's User Principal Name system attribute. See Trigger on-demand synchronization to trigger an immediate directory synchronization.
    If the User Principal Name is not populated by directory synchronization, you must populate the user's User Principal Name system attribute manually for every user integrated with Microsoft Entra ID External Authentication Methods.
  - In the Customer Tenant/Directory ID text box, enter the Microsoft Entra ID tenant ID, for example, a5a69e76-58be-4303-9339-9fe8f582523d.
- Open a text editor such as Notepad and copy and save the following values from the JSON file under Microsoft Entra ID External Authentication Methods JSON Text:
  - appId
  - clientId
  - discoveryUrl
  You need this information for Step 4: Configure the Microsoft Entra ID Tenant.
- Click Show Advanced Settings to configure advanced settings.
- Select Enable Organizations to allow organization information to be returned in OIDC claim values when users log in. When enabled, if users are associated with more than one organization and an organization has not been requested, users can select their organizations after they authenticate to their application.
  Note: When organizations are enabled, the corresponding OIDC claims must also be configured.
- From the ID Token Signing Algorithm drop-down list, select the signing algorithm that is used to sign the ID tokens during authentication.
- Set the ID Token Timeout to the time (in minutes) that the ID token is valid before it expires.
- Click Save.
Step 3: Add a resource rule
Set Skip Password as the first-factor authentication type and then set the second-factor authenticators that you want to use with Microsoft Entra ID.
Step 4: Configure the Microsoft Entra ID Tenant
- Ensure that you have synchronized your Microsoft Entra ID users with Identity as a Service. See Synchronize Microsoft Entra ID External users with Identity as a Service and Sync an on-premises AD with Microsoft Entra ID External.
- Log in to the Customer Tenant as an administrator. The Home page appears.
- Go to Home > Protection > Authentication Policies > Add external method (Preview).
- Enter the Name for the external authentication method.
- In the Client ID field, enter the clientId you copied from the JSON file in Step 2: Add Microsoft Entra ID External Authentication Methods to Identity as a Service.
- In the Discovery Endpoint field, enter the discoveryUrl you copied from the JSON file in Step 2: Add Microsoft Entra ID External Authentication Methods to Identity as a Service.
- In the App ID field, enter the appId you copied from the JSON file in Step 2: Add Microsoft Entra ID External Authentication Methods to Identity as a Service.
- Click Request permission.
- You are prompted for Permission for the app to access Microsoft Entra ID.
- Click Accept.
- Toggle Enable and Target to Enable.
- Select the target resource from the Add Target drop-down list.
- Click Save.
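The three values exported in Step 2 (appId, clientId, discoveryUrl) and the ID Token Signing Algorithm chosen there are easy to mistype when re-entered in Step 4. The following pre-flight check is an added example, not part of this guide or of Identity as a Service: it parses a constructed copy of the JSON text, compares it against a constructed OIDC discovery document such as the one served at discoveryUrl, and reports mismatches before anything is saved in the tenant. It assumes appId is an Entra application ID in GUID format; clientId is only checked for presence.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample of the JSON text exported in Step 2 (not real tenant values).
EAM_JSON_TEXT = """{
  "appId": "11111111-2222-3333-4444-555555555555",
  "clientId": "66666666-7777-8888-9999-000000000000",
  "discoveryUrl": "https://idaas.example.com/tenant/.well-known/openid-configuration"
}"""

# Constructed OIDC discovery document, as the provider would publish it at discoveryUrl.
DISCOVERY_DOC = {
    "issuer": "https://idaas.example.com/tenant",
    "authorization_endpoint": "https://idaas.example.com/tenant/authorize",
    "jwks_uri": "https://idaas.example.com/tenant/jwks",
    "id_token_signing_alg_values_supported": ["RS256", "RS384"],
}

# Assumption: appId is an Entra application ID, which is GUID-formatted.
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def preflight(json_text, discovery_doc, signing_alg):
    """Return a list of problems; an empty list means the values are consistent."""
    cfg = json.loads(json_text)
    problems = []
    for key in ("appId", "clientId", "discoveryUrl"):
        if not cfg.get(key):
            problems.append(f"missing {key}")
    if not GUID_RE.match(cfg.get("appId", "")):
        problems.append("appId is not a GUID")
    url = urlparse(cfg.get("discoveryUrl", ""))
    if url.scheme != "https":
        problems.append("discoveryUrl must use https")
    if not url.path.endswith("/.well-known/openid-configuration"):
        problems.append("discoveryUrl is not an OIDC discovery endpoint")
    # The issuer in the discovery document must belong to the same host as discoveryUrl.
    if urlparse(discovery_doc.get("issuer", "")).netloc != url.netloc:
        problems.append("issuer host does not match discoveryUrl host")
    if not discovery_doc.get("jwks_uri", "").startswith("https://"):
        problems.append("jwks_uri missing or not https")
    # The algorithm selected under ID Token Signing Algorithm must be one the provider signs with,
    # and an unsigned ("none") option must never be advertised.
    algs = discovery_doc.get("id_token_signing_alg_values_supported", [])
    if "none" in algs:
        problems.append("provider advertises the 'none' algorithm")
    if signing_alg not in algs:
        problems.append(f"selected ID token algorithm {signing_alg} not supported by provider")
    return problems
```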
Step 5: Add conditional policies to Microsoft Entra ID
- Log in to the Customer Tenant as an administrator. The Home page appears.
- Go to Conditional Access > Policies > Add New policy. The Add New Policy page appears.
- To apply the policy to users or user groups, from the Users list, select the applicable users or user groups.
- To apply the policy to specific applications, from the Target resource list, select the specific applicable applications, or select All cloud apps to have the policy apply in every case.
- Under Grant, select the Grant access option and enable the Require multifactor authentication checkbox.
- Next to Enable policy, select On.
- Click Save.
Step 6: Test the Entra ID External Authentication Methods
- Go to the Microsoft Entra ID portal.
- Log into Microsoft Entra ID with a user that you selected as part of the policy definition for conditional access.
- Enter the password. You are redirected to Identity as a Service for second-factor authentication.
- Respond to the second-factor challenge.
- Confirm that the user has logged in to the Microsoft Entra ID portal successfully.