Join an Entra ID tenant
You can set up AD Bridge to authenticate to Active Directory or Entra ID.
Requirements
These are the required components for Entra ID authentication:
- An Entra ID tenant.
- An Entra ID app registration: to join a tenant, the application (client) ID and a client secret are required. The API permissions granted to the app registration define what the endpoint is allowed to look up in the tenant.
Application registration and IDs
To set up the app registration and gather the IDs:
- Create an app registration and record its Application (client) ID and Directory (tenant) ID.
- Go to Certificates & secrets > Client secrets.
- Generate a client secret for the app registration. The secret value is shown only immediately after generation and is hidden afterwards, so copy it and save it in a file; tenantjoin-cli reads the secret from that file when joining the tenant. Treat the file as a credential: the secret grants whatever the app registration is permitted to read from the tenant.
- Grant the app registration the API permissions it needs. The endpoint uses the app's permissions to look up the user and group information required for logins.
- Go to Authentication > Advanced Settings and enable Allow public client flows. This is required for the device code login flow used by the endpoint.
Authentication requirements
Here are a few things to understand regarding authentication:
- For an Entra ID user login, the user must belong to an Entra ID group.
- For an Entra ID user login, the user must have a valid tenant license.
- The user that initiates the SSH session must be the same user that authenticates with the device code.
Endpoint setup
Note
An AD Bridge endpoint is joined to either Entra ID or Active Directory; it cannot be joined to both at the same time.
To join AD Bridge to Entra ID:
- Create a local file containing the app registration secret value. Restrict the file's permissions so that only root can read it, and remove it once the join has completed:
    vi secret-file
- Join the Azure tenant with tenantjoin-cli, passing the Directory (tenant) ID, the Application (client) ID and the secret file:
    /opt/pbis/bin/tenantjoin-cli join --tenant-id ########-####-####-####-############ --app-id ########-####-####-####-############ --app-secret-file secret-file
- pbis status displays the tenant and the authentication provider the agent is joined to:
    pbis status
- tenantjoin-cli query displays the tenant and application details and the lifetime of the access token the agent obtained with the app credentials:
    /opt/pbis/bin/tenantjoin-cli query
    Tenant Query Info:
      Display Name: ADBridge Tenant
      Primary Domain: ADB.Azure
      Tenant Id: ################################
      Application Name: ADBridge
      Application Id: ################################
      Access Token Issued At: Mon Apr 17 11:33:23 2023
      Access Token Not Before: Mon Apr 17 11:33:23 2023
      Access Token Expiration: Mon Apr 17 12:38:23 2023
    Tenant query was successful
- Before logging in as an Entra ID user, apply a tenant license with /opt/pbis/bin/setkey-cli --key XXXXX-XXXXX-XXXXX-XXXXX-XXXXX:
    [bc-admin@bc-hrm4 ~]$ /opt/pbis/bin/setkey-cli --key XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
    Key: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
    Type: Azure tenant license
      Server (allows unlimited concurrent user logons)
      Term (limited time restriction)
      Site (unlimited usage for domain)
    Entitlements:
      Smart Card
      Group Policy
      Audit/Reporting
      AD Management Tools
    Expires: 2023-06-24
    [bc-admin@bc-hrm4 ~]$
- Log in to the endpoint as the Entra ID user. The login prompt displays a device code and a URL:
    ssh USER@TENANT@HOSTNAME
- In a browser, navigate to the URL, enter the device code and follow the prompts. The user who initiated the SSH session must be the same user who authenticates with the device code.
The endpoint polls for authorization every 5 seconds, 12 times (60 seconds in total), so the browser step must be completed within that window.
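The join procedure above, wrapped in a script that keeps the client secret off the command line and off disk in a readable state. This is an added example, not code from the AD Bridge documentation or product; it assumes AD Bridge is installed under /opt/pbis (the path used on this page), that the tenantjoin-cli flags are exactly those shown above, and that the secret is supplied in the APP_SECRET environment variable (a name chosen here, not one the product reads).

```shell
#!/bin/sh
# Added example (not from the AD Bridge documentation): wrap the tenant join so
# the client secret is written with mode 0600, passed to tenantjoin-cli through a
# temporary file, and removed as soon as the join returns.
# Assumptions: /opt/pbis/bin install path; flags as shown on the page.
set -eu

PBIS_BIN="${PBIS_BIN:-/opt/pbis/bin}"

# Reject anything that is not shaped like a Directory (tenant) ID or an
# Application (client) ID before handing it to tenantjoin-cli.
is_guid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Write the secret into $1 with mode 0600. umask is changed in a subshell so the
# rest of the script keeps its own umask; any stale file is removed first.
write_secret_file() {
  rm -f "$1"
  ( umask 077; printf '%s\n' "$2" > "$1" )
  chmod 600 "$1"
}

# join_tenant TENANT_ID APP_ID APP_SECRET
# Returns 2 on malformed IDs, otherwise the exit status of tenantjoin-cli.
join_tenant() {
  tenant_id="$1"; app_id="$2"; app_secret="$3"
  is_guid "$tenant_id" || { echo "tenant id is not a GUID: $tenant_id" >&2; return 2; }
  is_guid "$app_id"    || { echo "app id is not a GUID: $app_id" >&2; return 2; }

  secret_file="$(mktemp)"
  write_secret_file "$secret_file" "$app_secret"
  if "$PBIS_BIN/tenantjoin-cli" join \
       --tenant-id "$tenant_id" --app-id "$app_id" --app-secret-file "$secret_file"; then
    rc=0
  else
    rc=$?
  fi
  rm -f "$secret_file"   # the secret is only needed at join time
  return "$rc"
}

# After a successful join, confirm the provider and that the app token is valid,
# exactly as the manual steps above do.
verify_join() {
  pbis status
  "$PBIS_BIN/tenantjoin-cli" query
}

# Usage (the secret comes from the environment, not an argument, so it does not
# appear in `ps` output or shell history):
#   APP_SECRET='...' sh join.sh <tenant-id> <app-id>
if [ "$#" -eq 2 ]; then
  join_tenant "$1" "$2" "${APP_SECRET:?set APP_SECRET to the client secret}" && verify_join
fi
```

The secret still has to be applied with setkey-cli and the device-code login completed afterwards; this script only covers the join and its verification.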
Query for Entra ID users or groups
On an endpoint joined to an Azure tenant, the ad-cache command queries the Entra ID users and groups the agent knows about. The --tenant flag limits the listing to users or groups that belong to the tenant. In the two examples below, the user's Primary GID and Primary Group ObjectId match the group's GID and object ID, which is how to confirm that the user meets the group-membership requirement for login.
Example: Users
    /opt/pbis/bin/ad-cache --enum-users --tenant
    Azure user object [1] (cdc32650-cbe0-43d9-8cc8-b0f2875a6441)
    ============
    Enabled: yes
    UID: 1193502009
    UPN: [email protected]
    Given name: <null>
    Surname: <null>
    Display Name: freshuzer
    Last Password Change: 2023-06-09T12:39:12Z
    Primary GID: 4244230445
    Primary Group ObjectId: 04ea9c38-4913-4d02-9265-174d589daeb1
    Shell: /bin/sh
    Home Dir: /home/local/adbridge.dev/freshuzer
    Total Azure users found: 1
    Total users found across all authentication providers: 1
Example: Groups
    /opt/pbis/bin/ad-cache --enum-groups --tenant
    Azure group object [1] (04ea9c38-4913-4d02-9265-174d589daeb1)
    ============
    GID: 4244230445
    Display Name: Pure Uzers Group
    Description: <null>
    Security Identifier: S-1-12-1-82484280-1291995411-1293378962-2981010776
    Total Azure groups found: 1
    Total groups found across all authentication providers: 1
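A parser for the record format that ad-cache --enum-users --tenant prints, as an added example (not code from the AD Bridge documentation or product): it lists the enabled Entra ID users with their UID and primary GID so the result can be cross-referenced against the group listing. The sample input is constructed in the page's output format; the user names, IDs and object IDs in it are made up, and the second record is a disabled account added to show the filter.

```shell
#!/bin/sh
# Added example (not from the AD Bridge documentation): parse the output format of
# `ad-cache --enum-users --tenant` and report enabled users with UID and primary GID.
set -eu

# Constructed sample in the format shown on the page; all values are fictional.
SAMPLE_USERS='Azure user object [1] (11111111-1111-4111-8111-111111111111)
============
Enabled: yes
UID: 1193502009
UPN: user1@example.com
Given name: <null>
Surname: <null>
Display Name: user1
Last Password Change: 2023-06-09T12:39:12Z
Primary GID: 4244230445
Primary Group ObjectId: 22222222-2222-4222-8222-222222222222
Shell: /bin/sh
Home Dir: /home/local/example.com/user1
Azure user object [2] (33333333-3333-4333-8333-333333333333)
============
Enabled: no
UID: 1193502010
UPN: user2@example.com
Given name: <null>
Surname: <null>
Display Name: user2
Last Password Change: 2023-06-10T09:00:00Z
Primary GID: 4244230445
Primary Group ObjectId: 22222222-2222-4222-8222-222222222222
Shell: /bin/sh
Home Dir: /home/local/example.com/user2
Total Azure users found: 2
Total users found across all authentication providers: 2'

# Read ad-cache user records on stdin; print "UPN UID GID" for every record whose
# Enabled field is "yes". An "Azure user object" header closes the previous
# record; END flushes the last one. Trailer lines match no pattern and are ignored.
enabled_users() {
  awk '
    function flush() {
      if (upn != "" && enabled == "yes") print upn, uid, gid
      upn = ""; uid = ""; gid = ""; enabled = ""
    }
    /^Azure user object/ { flush(); next }
    /^Enabled: /     { enabled = $2 }
    /^UID: /         { uid = $2 }
    /^UPN: /         { upn = $2 }
    /^Primary GID: / { gid = $3 }
    END { flush() }
  '
}

# Print the enabled users whose primary GID is $1, for cross-checking against
# the GID reported by `ad-cache --enum-groups --tenant`.
users_in_group() {
  enabled_users | awk -v gid="$1" '$3 == gid { print $1 }'
}

# Usage with the constructed sample:
#   printf '%s\n' "$SAMPLE_USERS" | enabled_users
# On a joined endpoint:
#   /opt/pbis/bin/ad-cache --enum-users --tenant | users_in_group 4244230445
```

Only the primary group is visible in this output, so the cross-check covers the primary-group relationship shown on the page, not every group a user is a member of.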