Microsoft Entra ID

This page documents how to set up Keyless with Microsoft Entra ID (formerly Azure Active Directory).

Covered on this page:

  • App registration in Entra ID including OpenID Connect (OIDC) settings

  • External Authentication Method set-up

  • Conditional access policies, including assigning them to a subset of users and choosing access controls.

App Registration Setup

An Entra P1 or P2 license is required to activate the app registration setup.

To complete the app registration:

  • Navigate to the Entra ID portal.

  • Go to "App registrations" and click "New registration."

  • Enter a name for the application.

  • Set the redirect URI to the OIDC authorize endpoint of Keyless, i.e. https://idp.keyless.io/realms/{KEYLESS_TENANT}/protocol/openid-connect/auth

  • Ensure that the app has the required API permissions:

    • Microsoft Graph API permissions for user authentication.

  • Take note of the App ID you’ve just created.

External Authentication Method

In order to set up External Authentication:

  1. Go to “Protection” → “Authentication methods” → “Add external authentication method (Preview)”.

  2. Enter the following details:

    • Client ID: (from the App registration)

    • Well-known discovery URL: (URL for OIDC discovery endpoint)

    • App ID: (unique identifier for the app created previously)

  3. Enable the solution and include or exclude the target users or groups accordingly.
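Before entering the redirect URI and the discovery URL above, it is worth confirming that the two agree, because Entra will send users to whatever authorization_endpoint the discovery document advertises. The script below is an added example, not part of the Keyless or Microsoft documentation; it assumes the Keyless realm publishes its discovery document at {issuer}/.well-known/openid-configuration (the usual Keycloak-style path, not stated on this page) and checks a constructed sample document inline.

```python
"""Consistency check for the OIDC values Entra ID asks for (added example)."""
import json
from urllib.parse import urlparse
from urllib.request import urlopen

KEYLESS_TENANT = "example-tenant"  # constructed placeholder realm name
ISSUER = f"https://idp.keyless.io/realms/{KEYLESS_TENANT}"
DISCOVERY_URL = f"{ISSUER}/.well-known/openid-configuration"  # assumed path
REDIRECT_URI = f"{ISSUER}/protocol/openid-connect/auth"      # from the page

# Constructed sample discovery document, shaped like a Keycloak realm's.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": REDIRECT_URI,
    "jwks_uri": f"{ISSUER}/protocol/openid-connect/certs",
    "id_token_signing_alg_values_supported": ["RS256"],
    "response_types_supported": ["code", "id_token"],
})


def fetch_discovery(url: str) -> str:
    """Download the live discovery document (not called here, so it runs offline)."""
    with urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_discovery(document: str, issuer: str, redirect_uri: str) -> list[str]:
    """Return a list of problems; an empty list means the values are consistent."""
    doc = json.loads(document)
    problems = []
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {issuer!r}")
    authz = doc.get("authorization_endpoint")
    if authz != redirect_uri:
        problems.append(f"authorization_endpoint {authz!r} != registered redirect URI")
    for key in ("authorization_endpoint", "jwks_uri"):
        if urlparse(doc.get(key, "")).scheme != "https":
            problems.append(f"{key} must be served over https")
    # Assumption: Entra's external method expects an id_token response type.
    if "id_token" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise the id_token response type")
    return problems


if __name__ == "__main__":
    # Swap SAMPLE_DISCOVERY for fetch_discovery(DISCOVERY_URL) against a real realm.
    for line in check_discovery(SAMPLE_DISCOVERY, ISSUER, REDIRECT_URI) or ["OK"]:
        print(line)
```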

Conditional Access Policy

Finally, administrators set up Conditional Access as follows:

  1. Go to "Protection" → "Conditional access".

  2. Click "New policy" to create a new policy.

  3. Configure the policy with the following settings:

    • Assignments:

      • Users and groups: Select the specific group created earlier.

      • Cloud apps or actions: Choose the required apps.

    • Conditions:

      • Configure any conditions as needed (e.g., locations, device platforms).

    • Access controls:

      • Grant or block access, or require additional authentication (e.g., MFA).
