Microsoft Entra External ID is Microsoft's customer identity and access management (CIAM) solution for managing external identities. See the following documentation for more help:
https://learn.microsoft.com/en-us/entra/external-id/
You can configure Microsoft Entra ID External Authentication Methods to use Identity as a Service for multi-factor authentication. To do this, you must add Microsoft Entra ID External Authentication Methods as an application in Identity as a Service. This integration guide describes how to integrate Microsoft Entra ID External Authentication Methods with Identity as a Service. To integrate a Microsoft Entra ID directory with Identity as a Service, see Integrate Microsoft Entra ID active directory with Identity as a Service.
Note: You can configure one or more Microsoft Entra External ID Authentication Methods OIDC applications for your Microsoft Entra External ID customer tenant that can be used across all applications within that tenant. For example, you can create multiple Microsoft Entra External ID Authentication Methods OIDC applications in Identity as a Service and set each application to require a different authenticator.
To integrate Microsoft Entra External ID OIDC with Identity as a Service, complete the following steps:
Synchronize your Microsoft Entra ID users with Identity as a Service. See Synchronize Microsoft Entra ID users with Identity as a Service and Sync an on-premises AD with Microsoft Entra ID.
If you have not done so already, Create and configure a gateway.
Obtain the Microsoft Entra ID Tenant ID (also called Directory ID).
Obtain the Tenant ID
Log in to the Microsoft Entra ID portal.
In the Navigation pane, click Microsoft Entra ID. The Directory Overview page appears.
In the Manage section, click Properties.
Copy the Directory ID. The Tenant ID and the Directory ID are the same.
Log in to an Identity as a Service account with a role that allows you to configure applications.
Click the menu icon > Security > Applications. The Applications List page appears.
Click Add. The Select an Application template page appears.
Do one of the following:
Select OpenID Connect and OAuth Cloud Integrations from the search drop-down list and scroll to find the application you want to add to IDaaS.
- or -
In the Search bar, enter a search option to filter for the application you want to add to IDaaS.
Click Microsoft Entra ID External Authentication Methods (formerly Azure AD). The Add Microsoft Entra ID External Authentication Methods page appears.
Modify the Application Name and Application Description, if required.
Optional. Add a custom application logo, as follows:
Click the icon next to Application Logo. The Upload Logo dialog box appears.
Click the upload icon to select an image file to upload.
Browse to select your file and click Open. The Upload Logo dialog box reappears showing your selected image.
If required, resize your image.
Click OK.
Click Next. The General Settings and Authentication Settings page appears.
In the General Settings, do the following:
From the User ID Mapping Attribute drop-down list, select User Principal Name to map the Microsoft Entra External ID incoming claim to the attribute used to find the user.
Select the OIDC Signing Certificate used to connect to Microsoft Entra External ID Authentication Methods.
Note: The Login Redirect URI and the Supported Scopes are set by default.
In the Authentication Settings, accept the defaults or, optionally, do the following:
Optional. Select Require Consent to prompt the user for consent for each request.
Optional. Enter a Consent Message to include a message to users when consent is requested.
Optional. Set the Max Authentication Age (seconds) to the maximum amount of time that can elapse before a user must re-authenticate to log in. This feature is disabled if the field is left blank.
Optional. Select the ID Token Signing Algorithm that is used to sign the ID Token.
Optional. Set the ID Token Timeout.
In the Microsoft Entra External ID Authentication Methods Settings, do the following:
Select the Incoming Userid Claim from the drop-down list. The default is User Principal Name. This value is the incoming claim used by Microsoft Entra External ID Authentication Methods to identify the user.
Note: An Identity as a Service account that is synchronized with a corporate directory containing User Principal Name values, auto-populates the User Principal Name in the user profile information when directory synchronization occurs. This value is stored in the user’s User Principal Name system attribute. See Trigger on-demand synchronization to trigger an immediate directory synchronization.
If the User Principal Name is not populated by directory synchronization, you must populate the user's User Principal Name system attribute manually for every user who authenticates through an Authentication Methods OIDC application.
In the Customer Tenant/Directory ID text box, enter the Microsoft Entra External ID customer tenant ID that you copied in Step 1: Obtain the Microsoft Entra External ID customer Tenant ID (also called Directory ID).
Open a text editor such as Notepad, copy the following values from the JSON shown under Microsoft Entra ID External Authentication Methods JSON Text, and save them:
appID
clientId
discoveryUrl
You need this information for Step 4: Configure Microsoft Entra ID External Authentication Methods.
Click Submit. A success message appears.
Note: Microsoft Entra ID verifies the user's password before redirecting to Identity as a Service, so set Skip Password as the first-factor authentication type for this application, and then set the second-factor authenticators that you want to use with Microsoft Entra ID.
Manage OAuth authorization with a resource server.
Add an API/URL resource server
Click the menu icon > Security > Authorization. The Authorization page appears.
Select API/URL to add a protected resource. The APIs/URLs list page appears.
Click the add icon. The Add API/URL page appears.
Under Basic Definition, do the following:
Select Enabled to make this API/URL resource active in Identity as a Service. JWT access tokens will not be issued unless the authorization is active.
Enter a Name for the resource.
Enter a Description for the resource.
Add a Value for the resource. The value must be an absolute URI. It corresponds to the API (the audience value) that the resource server is protecting.
Note: The API/URL names and values must be unique across all resource servers.
Select the Supported OIDC/OAuth Applications from the drop-down list. These are the applications that have permission to access the resource server. If you want all OIDC and OAuth applications to access the resource server, leave this field blank.
Under Token Definition, do the following:
Select Require Consent to prompt users for consent when an OAuth token is requested.
Select Include Application Name to include the application name in OAuth access tokens.
Select Include Client ID to include the client ID in OAuth access tokens.
Select Include OIDC Scopes and Claims to include the claims derived from OIDC scopes and claim requests in OAuth access tokens.
Select Include Authentication Claims to include authentication claims in OAuth access tokens.
Select Include Transaction Claims to include the transaction details in OAuth access tokens (for applications using the JWT IDaaS grant type).
From the Access Token Signing Algorithm drop-down list, select the signing algorithm that is used to sign the access tokens during authentication.
Set the Access Token Timeout to the time that the access token is valid before it expires.
Select Refresh Token to allow refresh token requests for OAuth token access. If you select this option, complete the following:
Under Scope Configuration, add the scopes (the permissions) the OIDC and OAuth application can request on behalf of the user for the configured API/URL (for example, view:calendar, edit:calendar). To add scopes:
Select Allow All Scopes to be requested to allow client applications to use the specific scope all_scopes to request all scopes the user has access to for this API/URL. This is a short-hand mechanism to request all scopes instead of listing out all scopes in the request.
Select Role-Based Access Control (RBAC) to enable access to scopes based on their Access Management Role associations. If disabled, the user has access to all scopes associated with the API/URL regardless of their Access Management Role. When enabled, the user only has access to the scopes permitted by the Access Management Role associations. To create RBAC, see Configure Role-Based Access Control (RBAC).
Click Add. The Add Scope dialog box appears.
Add a Name for the scope.
Add a Value for the scope, for example, edit:calendar.
Click Add.
Note: Scope names and values must be unique across scopes defined across all APIs/URLs.
Click Save.
Configure authentication methods policies
Ensure that you have synchronized your Microsoft Entra ID users with Identity as a Service. See Synchronize Microsoft Entra ID users with Identity as a Service and Sync an on-premises AD with Microsoft Entra ID.
Log in to the Customer Tenant as an administrator. The Home page appears.
Go to Home > Protection > Authentication Policies > Add external method (Preview).
Enter the Name for the external authentication method.
In the Client ID field, enter the clientId you copied from the JSON file in Step 2: Add Microsoft Entra External ID Authentication Methods to Identity as a Service.
In the Discovery Endpoint field, enter the discoveryUrl you copied from the JSON file in Step 2: Add Microsoft Entra External ID Authentication Methods to Identity as a Service.
In the App ID field, enter the appId you copied from the JSON file in Step 2: Add Microsoft Entra External ID Authentication Methods to Identity as a Service.
Click Request permission.
You are prompted for Permission for the app to access Microsoft Entra External ID.
Click Accept.
Toggle Enable and Target to Enable.
Select the target resource from the Add Target drop-down list.
Click Save.
Log in to the Customer Tenant as an administrator. The Home page appears.
Go to Conditional Access > Policies > Add New policy. The Add New Policy page appears.
To apply the policy to users or user groups, from the Users list, select the applicable users or user groups.
To apply the policy to specific applications, from the Target resource list, select the specific applicable applications, or select All cloud apps to have the policy apply in every case.
Under Grant, select the Grant access option and enable the Require multifactor authentication checkbox.
Next to Enable policy, select On.
Click Save.
Go to the Microsoft Entra ID External portal.
Log into Microsoft Entra ID with a user that you selected as part of the policy definition for conditional access.
Enter the password. You are redirected to Identity as a Service for second-factor authentication.
Respond to the second-factor challenge.
Confirm that the user has logged in to the Microsoft Entra ID portal successfully.
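If the redirect to Identity as a Service or the return to Microsoft Entra ID fails, the usual causes are a discovery document (the discoveryUrl saved in Step 2) that does not advertise what Microsoft Entra ID needs, or an ID token that is not addressed to the clientId entered in the external method policy. The following script is an added example and is not code from this guide, from Identity as a Service, or from Microsoft. It assumes only standard OpenID Connect behaviour (not stated on the page): the discovery document must carry an issuer, an authorization endpoint and a JWKS URL, and the ID token posted back to Microsoft Entra ID must name the policy's Client ID as audience, echo the nonce from the request, keep the subject of the id_token_hint, and carry an amr or acr claim for the second factor. Signature verification against jwks_uri is deliberately out of scope and must be done separately. All URLs, client IDs and tokens in the script are constructed fixtures.

```python
"""Offline sanity checks for the discovery document and ID token used by an
external authentication method integration. Added example; all values below are
constructed and the protocol requirements are assumptions from plain OIDC."""
import base64
import json
import time
from urllib.parse import urlparse


def check_discovery(discovery_url: str, doc: dict) -> list:
    """Return problems found in a discovery document (empty list = looks usable)."""
    problems = []
    for key in ("issuer", "authorization_endpoint", "jwks_uri"):
        value = doc.get(key)
        if not value:
            problems.append(f"missing {key}")
        elif urlparse(value).scheme != "https":
            problems.append(f"{key} is not https: {value}")
    issuer = doc.get("issuer", "")
    # OIDC Discovery: the document lives at <issuer>/.well-known/openid-configuration
    if issuer and not discovery_url.startswith(issuer.rstrip("/") + "/"):
        problems.append("discovery URL is not under the advertised issuer")
    if "id_token" not in doc.get("response_types_supported", ["id_token"]):
        problems.append("provider does not advertise response_type=id_token")
    if "form_post" not in doc.get("response_modes_supported", ["form_post"]):
        problems.append("provider does not advertise response_mode=form_post")
    algs = doc.get("id_token_signing_alg_values_supported", ["RS256"])
    if not any(alg.upper() != "NONE" for alg in algs):
        problems.append("no signing algorithm other than none is advertised")
    return problems


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_unverified(token: str):
    """Split a compact JWS into (header, claims) WITHOUT checking the signature."""
    header_b64, claims_b64, _signature = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(claims_b64))


def check_id_token(token: str, *, issuer: str, client_id: str, nonce: str,
                   hint_sub: str, now: float = None) -> list:
    """Return claim-level problems with an ID token the provider returned.

    Signature validation against the provider's jwks_uri is NOT done here."""
    now = time.time() if now is None else now
    problems = []
    header, claims = decode_jwt_unverified(token)
    if header.get("alg", "none").lower() == "none":
        problems.append("token is unsigned (alg=none)")
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != discovery issuer {issuer!r}")
    aud = claims.get("aud", [])
    if client_id not in ([aud] if isinstance(aud, str) else aud):
        problems.append("aud does not contain the Client ID from the Entra policy")
    if claims.get("nonce") != nonce:
        problems.append("nonce does not match the request (replayed or forged response)")
    if claims.get("sub") != hint_sub:
        problems.append("sub differs from the id_token_hint subject")
    if float(claims.get("exp", 0)) <= now:
        problems.append("token has expired")
    if not (claims.get("amr") or claims.get("acr")):
        problems.append("no amr/acr claim, so the second factor used is not reported")
    return problems


# Constructed fixtures (not real tenant values).
SAMPLE_ISSUER = "https://idaas.example.com/api/oidc"
SAMPLE_DISCOVERY_URL = SAMPLE_ISSUER + "/.well-known/openid-configuration"
SAMPLE_DISCOVERY = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/authorize",
    "jwks_uri": SAMPLE_ISSUER + "/jwks",
    "response_types_supported": ["id_token"],
    "response_modes_supported": ["form_post"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
SAMPLE_CLIENT_ID = "example-clientid-from-idaas-json"


def build_test_token(claims: dict, alg: str = "RS256") -> str:
    """Build a compact JWT with a placeholder signature, for offline tests only."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.{_b64url_encode(b'not-a-real-signature')}"


if __name__ == "__main__":
    print(check_discovery(SAMPLE_DISCOVERY_URL, SAMPLE_DISCOVERY))
    token = build_test_token({"iss": SAMPLE_ISSUER, "aud": SAMPLE_CLIENT_ID,
                              "sub": "user-123", "nonce": "n1",
                              "exp": time.time() + 300, "amr": ["otp"]})
    print(check_id_token(token, issuer=SAMPLE_ISSUER, client_id=SAMPLE_CLIENT_ID,
                         nonce="n1", hint_sub="user-123"))
```

To use this against a live tenant, fetch the discoveryUrl from Step 2 with any HTTP client, pass the parsed JSON to check_discovery, and capture the form_post response body from a browser developer-tools session to feed check_id_token. An empty list from both functions means the values match what the external method policy expects; the nonce and audience checks are the ones that catch a response replayed from an earlier login or issued for a different OIDC application in Identity as a Service.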