DocumentationRelease Notes
Documentation

Join an Entra ID Directory tenant

Suggest Edits

Join an Entra ID tenant

You can set up AD Bridge to authenticate to Active Directory or Entra ID.

Requirements

These are the required components to use for Entra ID authentication:

  • Entra ID
  • Azure Application Service: To join a tenant, an application client ID and secret are required. The application also defines the access permissions for the endpoint.

Application registration and IDs

To set up app registration and IDs:

  1. Create an app registration and gather the Client ID and Directory (tenant) ID from it.
  1. Go to Certificates & secrets > Client secrets.
  2. Generate a secret for the app registration. The value is available to copy after you generate it. Copy the secret value and save in a file. It is required to join a tenant. After a period of time, the value is hidden.
  1. Set up the app registration rights. The app requires the rights for the endpoint to look up the required information.
  1. Go to Authentication > Advanced Settings and enable Allow public client flows.

Authentication requirements

Here are a few things to understand regarding authentication:

  • For an Entra ID user login, the user must belong to an Entra ID group.
  • For an Entra ID user login, the user must have a valid tenant license.
  • The user that initiates the SSH session must be the same user that authenticates with the device code.

Endpoint setup

ℹ️

Note

AD Bridge only supports being joined to Entra ID or Active Directory.

To join AD Bridge to Entra ID:

  1. Create a local file with the app registration secret value.

    vi secret-file

  2. Join Azure tenant with tenantjoin-cli.

    /opt/pbis/bin/tenantjoin-cli join --tenant-id ########-####-####-####-############ --app-id ########-####-####-####-############ --app-secret-file secret-file

  3. pbis status displays the tenant, and the provider that the agent is joined to.

    pbis status

  4. tenantjoin-cli query displays the following information.

    /opt/pbis/bin/tenantjoin-cli query

    Tenant Query Info:
Display Name: ADBridge Tenant
Primary Domain: ADB.Azure
Tenant Id: ################################
Application Name: ADBridge
Application Id: ################################
Access Token Issued At: Mon Apr 17 11:33:23 2023
Access Token Not Before: Mon Apr 17 11:33:23 2023
Access Token Expiration: Mon Apr 17 12:38:23 2023
Tenant query was successful

  5. Before logging in as an Entra ID user, you must apply a tenant license through /opt/pbis/bin/setkey-cli –key XXXXX-XXXXX-XXXXX-XXXXX-XXXXX.

    [bc-admin@bc-hrm4 ~] 
/opt/pbis/bin/setkey-cli --key XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
         
Key: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

Type:
  Azure tenant license
  Server (allows unlimited concurrent user logons)
  Term (limited time restriction)
  Site (unlimited usage for domain)

Entitlements:
  Smart Card
  Group Policy
  Audit/Reporting
  AD Management Tools

Expires: 2023-06-24
[bc-admin@bc-hrm4 ~]$

  6. Log in to the endpoint with the Entra ID user. This displays a device code and a URL.

  7. In a browser, navigate to the URL and follow the prompts. You must enter the device code.

ssh USER@TENANT@HOSTNAME

The authorization polling interval is every 5 secs with 12 tries (60 seconds total).

Query for Entra ID users or groups

Users who are joined to an Azure tenant can use the ad-cache command to query for Entra ID users. You can use the --tenant flag to display users or groups that are included with the tenant.

Example: Users

/opt/pbis/bin/ad-cache --enum-users --tenant

Azure user object [1] \(cdc32650-cbe0-43d9-8cc8-b0f2875a6441)
============
Enabled: yes  
UID: 1193502009  
UPN: [[email protected]](mailto:[email protected])  
Given name: <null>  
Surname: <null>  
Display Name: freshuzer  
Last Password Change: 2023-06-09T12:39:12Z  
Primary GID: 4244230445  
Primary Group ObjectId: 04ea9c38-4913-4d02-9265-174d589daeb1  
Shell: /bin/sh  
Home Dir: >/home/local/adbridge.dev/freshuzer
Total Azure users found: 1  
Total users found across all >authentication providers: 1

Example: Users

/opt/pbis/bin/ad-cache --enum-groups --tenant

Azure group object [1] \(04ea9c38-4913-4d02-9265-174d589daeb1)
============
GID: 4244230445  
Display Name: Pure Uzers Group  
Description: <null>  
Security Identifier: S-1-12-1-82484280-1291995411-1293378962-2981010776
Total Azure groups found: 1  
Total groups found across all authentication providers: 1

Updated 29 days ago

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.