Integrate Microsoft Azure AD Conditional Access

You can configure Microsoft Azure AD Conditional Access to use Identity as a Service for multi-factor authentication. To do this, you must add a Microsoft Azure AD Conditional Access application to Identity as a Service. This integration guide describes how to integrate Microsoft Azure AD Conditional Access with Identity as a Service. o integrate Microsoft Entra ID Active Directory with Identity as a Service, see Integrate Microsoft Entra ID active directory with Identity as a Service.

Notes: You can configure one or more Microsoft Azure AD Conditional Access OIDC applications for your Microsoft Entra ID custom tenant that can be used across all application within that tenant. For example, you can create multiple Identity as a Service Microsoft Azure AD Conditional Access OIDC applications and set each application to require a different authenticator.

Microsoft Azure AD Conditional Access is being replaced with Microsoft Entra ID. See Integrate Microsoft Entra ID External Authentication

To integrate Microsoft Azure AD Conditional Access OIDC with Identity as a Service, complete the following steps:

Step 1: Complete the following prerequisites:

Obtain the Tenant ID

1. Log in to the Microsoft Entra ID portal.

2. In the Microsoft Entra ID icon.

3. Copy the Tenant ID.

Step 2: Add Microsoft Azure AD Conditional Access OIDC to Identity as a Service

1. Log in to an Identity as a Service account with a role that allows you to configure applications.

2. Click > Security > Applications. The Applications List page appears.

3. Click Add. The Select an Application Template page appears.

4. Do one of the following:

● Select OpenID Connect and OAuth Cloud Integrations from the search drop-down list and scroll to find the application you want to add to IDaaS.

- or -

● In the Search bar, enter a search option to filter for the application you want to add to IDaaS.

5. Click Microsoft Azure AD Conditional Access. The Add Microsoft Azure AD Conditional Access page appears.

6. Modify the Application Name and Application Description, if required.

7. Optional. Add a custom application logo, as follows:

a. Click next to Application Logo. The Upload Logo dialog box appears.

b. Click to select an image file to upload.

c. Browse to select your file and click Open. The Upload Logo dialog box reappears showing your selected image.

d. If required, resize your image.

e. Click OK.

8. Select the Authentication Flow that appears to users during login.

9. Click Next. The General Settings and Authentication Settings page appears.

10. In the General Settings, do the following:

a. From the User ID Mapping Attribute drop-down list, select User ID to map the Azure AD incoming claim to the attribute used to find the user.

Note: The Login Redirect URI and the Supported Scope are selected by default.

11. Select the OIDC Signing Certificate used to connect to the Microsoft Azure AD.

12. Optional: Select Respond Immediately for Unsuccessful Responses to return to the application immediately after a login failure, rather than allow user to try again with a different userID.

13. Deselect Enable Go Back Button if you do not want users to be able to go back to the Microsoft Azure AD login page to log in.

14. In the Authentication Settings, accept the defaults or, optionally, do the following:

a. Select Require Consent if you want the user to be prompted for consent for each request.

b. Optional. Enter a Consent Message to include a message to users when consent is requested.

c. Set the Max Authentication Age (seconds) to the maximum amount of time that can elapse before a user must re-authenticate to log in. This feature is disabled if the field is left blank.

15. In the Azure AD Conditional Access Custom Control Settings, do the following:

a. Select the Incoming Userid Claim from the drop-down list. The default is User Principal Name. This value is the incoming claim used by Microsoft Entra ID Directory to identify the user.

Note: An Identity as a Service account that is synchronized with a corporate directory containing User Principal Name values, auto-populates the User Principal Name in the user profile information when directory synchronization occurs. This value is stored in the user’s User Principal Name system attribute. See Trigger on-demand synchronization to trigger an immediate directory synchronization.

If the User Principal Name is not populated by directory synchronization, you must populate the user’s User Principal Name system attribute manually for every user integrated with Microsoft Azure AD Conditional Access OIDC.

b. In the Customer Tenant/Directory ID text box, enter the Microsoft Azure AD Conditional Access customer tenant ID, for example, a5a69e76-58be-4303-9339-9fe8f582523d. See Step 1: Obtain the Microsoft Azure AD Conditional Access customer Tenant ID.

16. Copy and save the auto-generated Azure AD Access Custom Control JSON Text. You need this text to configure the Azure AD conditional access custom control at the Microsoft Entra ID Customer Tenant site.

17. Click Submit. A success message appears.

Step 3: Add a resource rule

Step 4: Configure the Microsoft Entra ID Tenant

You must configure the Microsoft Azure AD Conditional Access Tenant for each Customer Tenant application that requires a custom control for multi-factor authentication. You must first configure a custom control and then configure the policies to prevent access to specific (or all) applications.

The Microsoft Azure AD Conditional Access policy is similar to an Identity as a Service resource rule. The policy may apply to a specific user or the interface being used, for example. The policy can also enforce custom controls.

Step A: Configure custom controls

1. Ensure that you have synchronized your Azure AD users with Identity as a Service. See Synchronize Microsoft Entra ID External users with Identity as a Service and Sync an on-premises AD with Microsoft Entra ID External.

2. Go to the Microsoft Entra ID portal and log in to the Customer Tenant as an administrator.

3. In the Home page, select Microsoft Entra Conditional Access.

4. Under Manage, click Custom controls.

5. Click New custom control.

6. In the text box, enter the auto-generated Azure AD Access Custom Control JSON Text that you copied in Step 2: Add Microsoft Azure AD Conditional Access OIDC to Identity as a Service.

You can change the Id value, if required, for example if you plan to define multiple custom controls. For example, "Id": "Identity as a Service MFA",

7. Click Create.

Step B: Configure policies

1. In the Microsoft Entra ID Conditional Access page, select Policies.

2. Click New Policy. The New Policy dialog box appears.

3. Under Assignments, select Users and groups.

4. In the Include pane, select Select users and groups and select the specific set of users you want to associate with the policy.

5. Click Done.

Attention: Ensure that you do not select your initial admin user as a user of this policy as doing so can potentially lock you out of the Microsoft Entra ID portal.

6. Under Assignments, click Cloud apps.

7. Select to Include specific apps or ALL applications. The options are

● None

● All cloud apps

● Select apps

If you choose Select apps, click Select and then from the Applications list, select the specific apps you want to include.

8. Click Select.

9. Click Done.

10. Under Access controls, click Grant.

11. Under Select the controls to be enforced, select Grant access.

12. Select Identity as a Service MFA (or select the required Id value of the custom control if you created several custom controls).

13. Click Select.

14. Toggle Enable policy to On.

15. Click Create.

Integrate Microsoft Azure AD Conditional Access with Identity as a Service

Step 1: Complete the following prerequisites:

Step 2: Add Microsoft Azure AD Conditional Access OIDC to Identity as a Service

Step 3: Add a resource rule

Step 4: Configure the Microsoft Entra ID Tenant

Step 5: Test the Conditional Access Control in Conditional Access Control in Microsoft Entra ID