Microsoft Entra ID

Covered on this page:

• App registration in Entra ID including OpenID Connect (OIDC) settings

• External Authentication Method set-up

• Conditional access policies including assigning it to a subset of users and access controls.

App Registration Setup

To complete the app registration:

• Navigate to the Entra ID portal.

• Go to "App registrations" and click "New registration."

• Enter a name for the application.

• Set the redirect URI to the OIDC authorize endpoint of Keyless. (i.e.: https://idp.keyless.io/realms/{KEYLESS_TENANT}/protocol/openid-connect/auth)

• Ensure that the app has the required API permissions:

  • Microsoft Graph API permissions for user authentication.

• Take note of the App ID you’ve just created.

External Authentication Method

In order to set up External Authentication:

1. Go to “Protection” → “Authentication methods” → “Add external authentication method (Preview)”

2. Enter the following details:

   • Client ID: (from the App registration)

   • Well-known discovery URL: (URL for OIDC discovery endpoint)

   • App ID: (unique identifier for the app created previously)

3. Enable the solution and Include or Exclude the target accordingly

Conditional Access Policy

Finally administrators can set-up Conditional Access if they:

1. Go to "Protection" -> "Conditional access."

2. Click "New policy" to create a new policy.

3. Configure the policy with the following settings:

   • Assignments:

     • Users and groups: Select the specific group created earlier.

     • Cloud apps or actions: Choose the required apps.

   • Conditions:

     • Configure any conditions as needed (e.g., locations, device platforms).

   • Access controls:

     • Grant or block access, or require additional authentication (e.g., MFA).