Microsoft Entra ID

This page documents how to set up Keyless with Microsoft Entra ID (formerly Azure Active Directory).

Covered on this page:

  • App registration in Entra ID including OpenID Connect (OIDC) settings

  • External Authentication Method set-up

  • Conditional Access policies, including assigning a policy to a subset of users and choosing its access controls.

App Registration Setup

An Entra ID P1 or P2 license is required to activate the app registration setup.

To complete the app registration:

  • Navigate to the Entra ID portal.

  • Go to "App registrations" and click "New registration."

  • Enter a name for the application.

  • Set the redirect URI to the Keyless OIDC authorize endpoint (e.g. https://idp.keyless.io/realms/{KEYLESS_TENANT}/protocol/openid-connect/auth).

  • Ensure that the app has the required API permissions:

    • Microsoft Graph API permissions for user authentication.

  • Take note of the App ID of the registration you have just created; it is needed in the next step.

External Authentication Method

To set up the External Authentication Method:

  1. Go to “Protection” → “Authentication methods” → “Add external authentication method (Preview)”

  2. Enter the following details:

    • Client ID: (from the App registration)

    • Well-known discovery URL: (URL for OIDC discovery endpoint)

    • App ID: (unique identifier for the app created previously)

  3. Enable the method and include or exclude the target users or groups accordingly.
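As an added pre-flight check that is not part of the Keyless or Microsoft documentation, the following Python validates the values entered above (Client ID, well-known discovery URL, App ID) against the provider's discovery document and the redirect URI from the app registration. It assumes the Keyless discovery URL follows the standard OIDC Discovery path (issuer plus /.well-known/openid-configuration); the sample discovery document and all identifiers are constructed.

```python
"""Pre-flight consistency check for an Entra ID External Authentication Method."""
import json
import re
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
# Entra App IDs are GUIDs.
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)

# Constructed sample: what a fetch of the Keyless well-known URL is assumed to return.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.keyless.io/realms/example-tenant",
    "authorization_endpoint": "https://idp.keyless.io/realms/example-tenant/protocol/openid-connect/auth",
    "jwks_uri": "https://idp.keyless.io/realms/example-tenant/protocol/openid-connect/certs",
    "id_token_signing_alg_values_supported": ["RS256"],
})


def check_eam_config(discovery_url, discovery_json, redirect_uri, client_id, app_id):
    """Return a list of problems; an empty list means the form values are consistent."""
    problems = []
    doc = json.loads(discovery_json)

    # 1. Per OIDC Discovery, the well-known URL is the issuer plus the fixed suffix,
    #    and the document's "issuer" must equal that base URL exactly.
    if not discovery_url.endswith(WELL_KNOWN):
        problems.append("discovery URL does not end with " + WELL_KNOWN)
    elif doc.get("issuer") != discovery_url[: -len(WELL_KNOWN)]:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} vs discovery URL")

    # 2. Endpoints Entra will contact must be HTTPS (jwks_uri publishes the signing keys).
    for key in ("authorization_endpoint", "jwks_uri"):
        url = doc.get(key, "")
        if urlsplit(url).scheme != "https":
            problems.append(f"{key} is missing or not https: {url!r}")

    # 3. The redirect URI registered in Entra must be the provider's authorize endpoint
    #    (see App Registration Setup above).
    if doc.get("authorization_endpoint") != redirect_uri:
        problems.append("redirect URI in the app registration does not match authorization_endpoint")

    # 4. Client ID must be present; the Entra App ID must be a GUID.
    if not client_id:
        problems.append("client ID is empty")
    if not GUID_RE.match(app_id or ""):
        problems.append(f"app ID is not a GUID: {app_id!r}")
    return problems


if __name__ == "__main__":
    print(check_eam_config(
        "https://idp.keyless.io/realms/example-tenant" + WELL_KNOWN, SAMPLE_DISCOVERY,
        "https://idp.keyless.io/realms/example-tenant/protocol/openid-connect/auth",
        "keyless-entra-client", "11111111-2222-3333-4444-555555555555"))  # -> []
```

For a live check, replace SAMPLE_DISCOVERY with the body fetched from your tenant's well-known URL.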

Conditional Access Policy

Finally, administrators can set up Conditional Access as follows:

  1. Go to "Protection" → "Conditional access".

  2. Click "New policy" to create a new policy.

  3. Configure the policy with the following settings:

    • Assignments:

      • Users and groups: Select the specific group created earlier.

      • Cloud apps or actions: Choose the required apps.

    • Conditions:

      • Configure any conditions as needed (e.g., locations, device platforms).

    • Access controls:

      • Grant or block access, or require additional authentication (e.g., MFA).

Last updated 2 months ago
