Microsoft Entra ID
This page documents how to set up Keyless with Microsoft Entra ID (formerly Azure Active Directory).
Covered on this page:
App registration in Entra ID, including the OpenID Connect (OIDC) settings
External Authentication Method (EAM) set-up
Conditional Access policies, including how to assign a policy to a subset of users and which access controls to apply
App Registration Setup
A Microsoft Entra ID P1 or P2 license is required for this setup: external authentication methods and Conditional Access are premium features.
To complete the app registration:
Navigate to the Entra ID portal.
Go to "App registrations" and click "New registration."
Enter a name for the application (this registration represents Keyless as an external authentication provider).
Set the redirect URI to the OIDC authorize endpoint of Keyless, i.e.:
https://idp.keyless.io/realms/{KEYLESS_TENANT}/protocol/openid-connect/auth
Ensure that the app has the required API permissions:
Microsoft Graph delegated permissions for user authentication (openid and profile), with admin consent granted.
Take note of the Application (client) ID of the registration you've just created; it is the "App ID" required in the next section.
External Authentication Method
In order to set up External Authentication:
Go to "Protection" → "Authentication methods" → "Add external authentication method (Preview)"
Enter the following details:
Client ID: the client ID issued by Keyless for your tenant (this is the external provider's identifier, not the Entra app registration ID)
Well-known discovery URL: the Keyless OIDC discovery endpoint for your tenant
App ID: the Application (client) ID of the Entra app registration created previously
Enable the method and set the Include and Exclude targets (users or groups) accordingly. Start with a pilot group rather than all users, so the method can be validated before it is rolled out.
Conditional Access Policy
Finally, administrators can set up a Conditional Access policy that requires Keyless as MFA:
Go to "Protection" -> "Conditional access."
Click "New policy" to create a new policy.
Configure the policy with the following settings:
Assignments:
Users and groups: Select the group targeted by the external authentication method above.
Cloud apps or actions: Choose the required apps.
Conditions:
Configure any conditions as needed (e.g., locations, device platforms).
Access controls:
Grant or block access, or require additional authentication (e.g., MFA). Requiring multifactor authentication is what makes Entra invoke the external method.
Create the policy in report-only mode first and review the sign-in logs before enabling it, and exclude at least one break-glass account so administrators cannot be locked out if the external provider is unavailable.
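The three steps above, scripted end to end with Microsoft Graph PowerShell, as an added example that is not part of the Keyless documentation or product. It assumes a placeholder Keyless tenant name, a Keyless-issued client ID, and an existing pilot group named "Keyless-Pilot"; the beta Graph endpoint used for the external authentication method is the one that was current when this example was written. Before registering anything it fetches the Keyless discovery document and checks that its authorization_endpoint is the same URL that will be stored as the redirect URI, which catches a mistyped tenant name before users are affected.

```powershell
# Added example, not Keyless or Microsoft code. Requires: Install-Module Microsoft.Graph
$KeylessTenant   = "example-tenant"                   # assumption: your {KEYLESS_TENANT}
$KeylessClientId = "<client id issued by Keyless>"    # assumption: supplied by Keyless
$PilotGroupName  = "Keyless-Pilot"                    # assumption: an existing pilot group

$IssuerBase   = "https://idp.keyless.io/realms/$KeylessTenant"
$AuthorizeUrl = "$IssuerBase/protocol/openid-connect/auth"
$DiscoveryUrl = "$IssuerBase/.well-known/openid-configuration"

Connect-MgGraph -Scopes "Application.ReadWrite.All",
                        "Policy.ReadWrite.AuthenticationMethod",
                        "Policy.ReadWrite.ConditionalAccess",
                        "Group.Read.All"

# Pre-flight check: the discovery document must advertise the same authorize
# endpoint that is registered as the redirect URI, otherwise Entra would send
# users to an endpoint the provider never serves.
$disc = Invoke-RestMethod -Uri $DiscoveryUrl -Method Get
if ($disc.authorization_endpoint -ne $AuthorizeUrl) {
    throw "Discovery authorization_endpoint '$($disc.authorization_endpoint)' does not match '$AuthorizeUrl'"
}

# Step 1: app registration with the Keyless authorize endpoint as redirect URI and
# Microsoft Graph delegated openid + profile permissions.
# 00000003-... is Microsoft Graph; the two permission IDs are the well-known
# openid and profile delegated scopes.
$graphAccess = @{
    ResourceAppId  = "00000003-0000-0000-c000-000000000000"
    ResourceAccess = @(
        @{ Id = "37f7f235-527c-4136-accd-4a02d197296e"; Type = "Scope" }   # openid
        @{ Id = "14dad69e-099b-42c9-810b-d002981feec1"; Type = "Scope" }   # profile
    )
}
$app = New-MgApplication -DisplayName "Keyless EAM" `
    -SignInAudience "AzureADMyOrg" `
    -Web @{ RedirectUris = @($AuthorizeUrl) } `
    -RequiredResourceAccess @($graphAccess)
Write-Host "Entra App ID (use as 'App ID' in the EAM form): $($app.AppId)"
# Admin consent for openid/profile is still granted in the portal:
# App registration > API permissions > Grant admin consent.

# Step 2: external authentication method, scoped to the pilot group only.
$group = Get-MgGroup -Filter "displayName eq '$PilotGroupName'"
if (-not $group) { throw "Pilot group '$PilotGroupName' not found" }

$eam = @{
    "@odata.type"        = "#microsoft.graph.externalAuthenticationMethodConfiguration"
    displayName          = "Keyless"
    state                = "enabled"
    appId                = $app.AppId                       # Entra app registration
    openIdConnectSetting = @{
        clientId     = $KeylessClientId                     # provider-issued client ID
        discoveryUrl = $DiscoveryUrl
    }
    includeTargets       = @(
        @{ targetType = "group"; id = $group.Id; isRegistrationRequired = $false }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations" `
    -Body $eam

# Step 3: Conditional Access policy requiring MFA for the same group, created in
# report-only mode so sign-in logs can be reviewed before it is enforced.
$policy = @{
    displayName   = "Require MFA (Keyless) - pilot group"
    state         = "enabledForReportingButNotEnforced"      # switch to "enabled" after review
    conditions    = @{
        users        = @{ includeGroups = @($group.Id) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Add your break-glass account's object ID to conditions.users.excludeUsers before switching the policy state to "enabled"; with the external method and the policy both scoped to the pilot group, a failure at Keyless only affects that group while the rollout is being validated.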