You can configure Microsoft Conditional Access Custom Controls to use Identity as a Service for multi-factor authentication. To do this, you must add a Microsoft Conditional Access Custom Controls application to Identity as a Service. This integration guide describes how to integrate Microsoft Conditional Access Custom Controls with Identity as a Service. To integrate Microsoft Entra ID Active Directory with Identity as a Service, see Integrate Microsoft Entra ID active directory with Identity as a Service.
Notes: You can configure one or more Microsoft Conditional Access Custom Controls applications for your Microsoft Entra ID custom tenant that can be used across all applications within that tenant. For example, you can create multiple Identity as a Service Microsoft Conditional Access Custom Controls applications and set each application to require a different authenticator.
Attention: Microsoft Azure AD Conditional Access is being replaced with Microsoft Entra ID. See Integrate Microsoft Entra ID External Authentication. Entrust recommends using External Authentication Methods instead of Custom Controls.
To integrate Microsoft Conditional Access Custom Controls with Identity as a Service, complete the following steps:
Synchronize your Microsoft Conditional Access Custom Controls users with Identity as a Service. See Synchronize Microsoft Entra ID External users with Identity as a Service and Sync an on-premises AD with Microsoft Entra ID External.
If you have not done so already, Create a gateway
Obtain the Microsoft Entra ID customer Tenant ID.
Obtain the Tenant ID
Log in to the Microsoft Entra ID portal.
Click the Microsoft Entra ID icon.
Copy the Tenant ID.
Log in to an Identity as a Service account with a role that allows you to configure applications.
Click the menu icon > Security > Applications. The Applications List page appears.
Click Add. The Select an Application Template page appears.
Do one of the following:
Select OpenID Connect and OAuth Cloud Integrations from the search drop-down list and scroll to find the application you want to add to IDaaS.
- or -
In the Search bar, enter a search option to filter for the application you want to add to IDaaS.
Click Microsoft Conditional Access Custom Controls. The Add Microsoft Conditional Access Custom Controls General page appears.
In the App Settings, Modify the Application Name and Application Description, if required.
In the OIDC Settings, do the following:
Optional. Set the Reauthentication Time to require users to reauthenticate after a predetermined amount of time.
Select the OIDC Signing Certificate.
From the User ID Mapping Attribute drop-down list, select User ID to map the Microsoft Custom Access Controls incoming claim to the attribute used to find the user.
Note: The Login Redirect URI and the Supported Scope are selected by default.
Select Require Consent if you want the user to be prompted for consent for each request.
Optional. Enter a Consent Message to include a message to users when consent is requested.
In the Microsoft Conditional Access Custom Controls Settings, do the following:
Select the Incoming Userid Claim from the drop-down list. The default is User Principal Name. This value is the incoming claim used by Microsoft Entra ID Directory to identify the user.
Note: An Identity as a Service account that is synchronized with a corporate directory containing User Principal Name values auto-populates the User Principal Name in the user profile information when directory synchronization occurs. This value is stored in the user's User Principal Name system attribute. See Trigger on-demand synchronization to trigger an immediate directory synchronization.
If the User Principal Name is not populated by directory synchronization, you must populate the user’s User Principal Name system attribute manually for every user integrated with Microsoft Conditional Access Custom Controls OIDC.
In the Customer Tenant/Directory ID text box, enter the Microsoft Conditional Access Custom Controls customer tenant ID, for example, a5a69e76-58be-4303-9339-9fe8f582523d. See Step 1: Obtain the Microsoft Conditional customer Tenant ID.
Copy and save the auto-generated Microsoft Conditional Access Custom Controls JSON Text. You need this text to configure the Microsoft Conditional Access Custom Controls at the Microsoft Entra ID Customer Tenant site.
Click Save.
Manage OAuth authorization with a resource server.
Add an API/URL resource server
Click the menu icon > Security > Authorization. The Authorization page appears.
Select API/URL to add a protected resource. The APIs/URLs list page appears.
Click the add icon. The Add API/URL page appears.
Under Basic Definition, do the following:
Select Enabled to make this API/URL resource active in Identity as a Service. JWT access tokens will not be issued unless the authorization is active.
Enter a Name for the resource.
Enter a Description for the resource.
Add a Value for the resource. The value should be an absolute URI value. The value corresponds to the API (aka audience value) that the resource server is protecting.
Note: The API/URL names and values must be unique across all resource servers.
Select the Supported OIDC/OAuth Applications from the drop-down list. These are the applications that have permission to access the resource server. If you want all OIDC and OAuth applications to access the resource server, leave this field blank.
Under Token Definition, do the following:
Select Require Consent to prompt users for consent when an OAuth token is requested.
Select Include Application Name to include the application name in OAuth access tokens.
Select Include Client ID to include the client ID in OAuth access tokens.
Select Include OIDC Scopes and Claims to include the claims derived from OIDC scopes and claim requests in OAuth access tokens.
Select Include Authentication Claims to include authentication claims in OAuth access tokens.
Select Include Transaction Claims to include the transaction details in OAuth access tokens (for applications using the JWT IDaaS grant type).
From the Access Token Signing Algorithm drop-down list, select the signing algorithm that is used to sign the access tokens during authentication.
Set the Access Token Timeout to the time that the access token is valid before it expires.
Select Refresh Token to allow refresh token requests for OAuth token access. If you select this option, complete the following:
Under Scope Configuration, add the scopes (the permissions) the OIDC and OAuth application can request on behalf of the user for the configured API/URL (for example, view:calendar, edit:calendar). To add scopes:
Select Allow All Scopes to be requested to allow client applications to use the specific scope all_scopes to request all scopes the user has access to for this API/URL. This is a short-hand mechanism to request all scopes instead of listing out all scopes in the request.
Select Role-Based Access Control (RBAC) to enable access to scopes based on their Access Management Role associations. If disabled, the user has access to all scopes associated with the API/URL regardless of their Access Management Role. When enabled, the user only has access to the scopes permitted by the Access Management Role associations. To create RBAC, see Configure Role-Based Access Control (RBAC).
Click Add. The Add Scope dialog box appears.
Add a Name for the scope.
Add a Value for the scope, for example, edit:calendar.
Click Add.
Note: Scope names and values must be unique across scopes defined across all APIs/URLs.
Click Save.
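The scope rules described under Scope Configuration above (the all_scopes shorthand and the effect of enabling RBAC), as an added Python illustration; this is a model of the behaviour the steps describe, not Identity as a Service code, and the API/URL value, scope values and role names are constructed. One assumption: requested scopes the user may not hold are dropped rather than rejected.

```python
from dataclasses import dataclass, field

ALL_SCOPES = "all_scopes"  # shorthand scope value named in Scope Configuration


@dataclass
class ApiResource:
    value: str                       # absolute URI; the audience the resource server protects
    scopes: set[str]                 # scope values defined for this API/URL
    allow_all_scopes: bool = False   # "Allow All Scopes to be requested"
    rbac_enabled: bool = False       # "Role-Based Access Control (RBAC)"
    # constructed Access Management Role -> scope associations (assumption: a role
    # association simply lists the scope values it permits)
    role_scopes: dict[str, set[str]] = field(default_factory=dict)

    def user_scopes(self, user_roles: set[str]) -> set[str]:
        """Scopes this user can obtain at all for the API/URL."""
        if not self.rbac_enabled:
            return set(self.scopes)   # RBAC off: every scope of the API/URL
        granted: set[str] = set()
        for role in user_roles:       # RBAC on: only scopes linked to the user's roles
            granted |= self.role_scopes.get(role, set())
        return granted & self.scopes

    def grant(self, requested: list[str], user_roles: set[str]) -> set[str]:
        """Scopes to place in the access token, or ValueError for a bad request."""
        accessible = self.user_scopes(user_roles)
        if ALL_SCOPES in requested:
            if not self.allow_all_scopes:
                raise ValueError("all_scopes is not allowed for this API/URL")
            return accessible         # expands to everything the user has access to
        unknown = set(requested) - self.scopes
        if unknown:
            raise ValueError(f"scopes not defined on {self.value}: {sorted(unknown)}")
        return set(requested) & accessible  # assumption: unheld scopes are dropped


def check_unique_scopes(resources: list[ApiResource]) -> bool:
    """Scope values must be unique across all APIs/URLs (see the note above)."""
    seen: set[str] = set()
    for res in resources:
        if seen & res.scopes:
            return False
        seen |= res.scopes
    return True


# constructed sample configuration for the calendar example used on the page
CALENDAR = ApiResource(
    value="https://api.example.test/calendar",
    scopes={"view:calendar", "edit:calendar"},
    allow_all_scopes=True,
    rbac_enabled=True,
    role_scopes={"Calendar Editors": {"view:calendar", "edit:calendar"},
                 "Calendar Viewers": {"view:calendar"}},
)
```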
You must configure the Microsoft Conditional Access Custom Controls tenant for each Customer Tenant application that requires a custom control for multi-factor authentication. You must first configure a custom control and then configure the policies to prevent access to specific (or all) applications.
The Microsoft Conditional Access Custom Controls policy is similar to an Identity as a Service resource rule. The policy may apply to a specific user or the interface being used, for example. The policy can also enforce custom controls.
Step A: Configure custom controls
Ensure that you have synchronized your Microsoft Conditional Access Custom Controls users with Identity as a Service. See Synchronize Microsoft Entra ID External users with Identity as a Service and Sync an on-premises AD with Microsoft Entra ID External.
Go to the Microsoft Entra ID portal and log in to the Customer Tenant as an administrator.
In the Home page, select Microsoft Entra Conditional Access.
Under Manage, click Custom controls.
Click New custom control.
In the text box, enter the auto-generated Microsoft Conditional Access Custom Controls JSON Text that you copied in Step 2: Add Microsoft Conditional Access Custom Controls to Identity as a Service.
You can change the Id value, if required, for example if you plan to define multiple custom controls. For example, "Id": "Identity as a Service MFA",
Click Create.
Step B: Configure policies
In the Microsoft Entra ID Conditional Access page, select Policies.
Click New Policy. The New Policy dialog box appears.
Under Assignments, select Users and groups.
In the Include pane, select Select users and groups and select the specific set of users you want to associate with the policy.
Click Done.
Attention: Ensure that you do not select your initial admin user as a user of this policy as doing so can potentially lock you out of the Microsoft Entra ID portal.
Under Assignments, click Cloud apps.
Select whether to include specific apps or all applications. The options are: None, All cloud apps, and Select apps.
If you choose Select apps, click Select and then from the Applications list, select the specific apps you want to include.
Click Select.
Click Done.
Under Access controls, click Grant.
Under Select the controls to be enforced, select Grant access.
Select Identity as a Service MFA (or select the required Id value of the custom control if you created several custom controls).
Click Select.
Toggle Enable policy to On.
Click Create.
Go to the Microsoft Entra ID portal.
Log in to Microsoft Entra ID with a user that you selected as part of the policy definition for conditional access.
Enter the password. You are redirected to Identity as a Service for second-factor authentication.
Respond to the second-factor challenge.
Confirm that the user has logged in to the Microsoft Conditional Access Custom Controls portal successfully.