reorg shared - Join an Entra ID Directory tenant | AD Bridge
DRAFT CONTENT: INTERNAL ONLY. DO NOT SHARE.
This page is for review only and content is not verified. Do not share externally; this is proprietary information.
Join an Entra ID Directory tenant
You can use AD Bridge to authenticate to either Active Directory or Entra ID. This page describes how to join an Entra ID Directory tenant using either:
- BeyondTrust Management Console (legacy)
- BeyondTrust Bridge console (new)
Both consoles are supported. Use the instructions for the console you are working in.
Determine your console
If you aren’t sure which console you have:
- The BeyondTrust Management Console is the older interface used in AD Bridge prior to the Bridge console release.
- The BeyondTrust Bridge console has a simplified dashboard with tiles such as AD Status and Entra ID Status.
Prerequisites
The prerequisites apply to both consoles.
Requirements
- Entra ID tenant
- Azure Application Service: To join a tenant, an application Client ID and secret are required. The application also defines the access permissions for the endpoint.
Application registration and IDs
- Create an app registration in Entra ID and gather the Client ID and Directory (tenant) ID.
- Go to Certificates & secrets > Client secrets.
- Generate a secret for the app registration. Copy the secret value after generation and save it in a file.
Note: After a period of time, the value is hidden.
- Set up the app registration rights so the app can access the endpoint’s required information.
- Go to Authentication > Advanced Settings and enable Allow public client flows.
Authentication requirements
- The Entra ID user must belong to an Entra ID group.
- The Entra ID user must have a valid tenant license.
- The user initiating the SSH session must be the same one who authenticates with the device code.
Common Linux commands
Some commands are the same for both consoles when working with Linux endpoints.
Join tenant from CLI
/opt/pbis/bin/tenantjoin-cli join --tenant-id <tenant id> --app-id <application id> --app-secret-file <file path>
Check join status
pbis status
Query tenant info
/opt/pbis/bin/tenantjoin-cli query
Apply tenant license
/opt/pbis/bin/setkey-cli --key XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
SSH with Entra ID user
ssh USER@TENANT@HOSTNAME
Query Entra ID users
/opt/pbis/bin/ad-cache --enum-users --tenant
Query Entra ID groups
/opt/pbis/bin/ad-cache --enum-groups --tenant
The authorization polling interval is every 5 seconds with 12 tries (60 seconds total).
For BeyondTrust Management Console users
Expand steps for BeyondTrust Management Console
- Create a local file with the app registration secret value.
  vi secret-file
- Use the Join tenant from CLI command shown in the prerequisites.
- Use the Check join status and Query tenant info commands to verify the connection.
- Apply the tenant license with the Apply tenant license command.
  (You can keep your sample output here if desired.)
- Log in to the endpoint with the Entra ID user, then follow the device code instructions as prompted.
- Use the Query Entra ID users or Query Entra ID groups commands to confirm provisioning.
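The steps above leave the app registration secret on disk in a plain file. As an added example (not AD Bridge's own code), the script below writes that file so only the joining user can read it, refuses to build the join command when the file is readable by others, and assembles the tenantjoin-cli join line from this page; the tenant and application IDs, and the secret value in the usage comment, are placeholders.

```shell
#!/bin/sh
# Added example, not AD Bridge's own code: store the app registration secret
# in a file only the caller can read, then assemble the join command from
# this page with that file. Tenant and app IDs are placeholders.
TENANTJOIN="${TENANTJOIN:-/opt/pbis/bin/tenantjoin-cli}"

# secret_file_is_private FILE: succeed only if FILE exists, is owned by the
# caller and is readable by nobody else (mode 0600 or 0400).
secret_file_is_private() {
    [ -f "$1" ] && [ -O "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# write_secret_file FILE: read the secret from stdin (not from argv, so it
# stays out of shell history and ps output) and write it with mode 0600.
write_secret_file() {
    old_umask=$(umask)
    umask 077                       # file is created owner-only from the start
    rm -f "$1"
    IFS= read -r secret || { umask "$old_umask"; return 1; }
    printf '%s\n' "$secret" > "$1"
    rc=$?
    unset secret
    umask "$old_umask"
    [ "$rc" -eq 0 ] && secret_file_is_private "$1"
}

# build_join_cmd TENANT_ID APP_ID SECRET_FILE [provisioned]: print the
# tenantjoin-cli join command line from this page; refuses a secret file
# that is not private. "provisioned" appends --provisioned (Linux agent
# OAuth provisioning, see the Installers section).
build_join_cmd() {
    secret_file_is_private "$3" || return 1
    cmd="$TENANTJOIN join --tenant-id $1 --app-id $2 --app-secret-file $3"
    [ "$4" = "provisioned" ] && cmd="$cmd --provisioned"
    printf '%s\n' "$cmd"
}

# Usage (constructed placeholders, run as the user doing the join):
#   printf '%s\n' "$APP_SECRET" | write_secret_file ./secret-file
#   $(build_join_cmd TENANT_ID APP_ID ./secret-file)
```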
For BeyondTrust Bridge console users
Expand steps for BeyondTrust Bridge console
- Log in using the profile icon in the top right corner.
- Click the Entra ID status tile.
- On the BeyondTrust Entra ID configuration page, click Create connector app.
- Under Provisioned mode, click Create.
  (Add screenshot here when available.)
- If you don’t already have an agent app, you can create one during this process.
- Once setup is complete, go to the user or group page to assign attributes.
This process creates two applications:
- Agent App – used to join the domain.
- Connector App – holds the schema used for provisioning.
Important information
Do not remove the Entra ID Connector from the Azure portal. Doing so will orphan the schema extension. If needed, delete it in the console.
Linux endpoints
If you previously used AD Bridge with Entra ID before the BeyondTrust Bridge console, leave the existing tenant, upgrade to the latest version, and rejoin.
You can reuse the same app registration and secret.
Configuration options
(Keep all your config command examples here — OAuthProvisionMode, OAuthCacheEntryExpiry, SchemaConnectorApplication, OAuthMinID, OAuthMaxID — exactly as in your original.)
Installers
Linux agents
As of AD Bridge 24.2.3, the Linux Agent supports OAuth provisioning (disabled by default).
- Enable before tenant join:
  /opt/pbis/bin/config OAuthProvisionMode true
- Enable during tenant join:
  /opt/pbis/bin/tenantjoin-cli join --tenant-id <tenant id> --app-id <application id> --app-secret-file <file path> --provisioned
Windows console
Download the AD Bridge MSI