Entra ID (Azure Active Directory) IdP connection
Overview
Entra ID (Azure Active Directory) IdP Connection enables you to use managed domain services—such as Windows Domain Join, group policy, LDAP, and Kerberos authentication—without having to deploy, manage, or patch domain controllers.
Entitle populates the following resource types in the Entra ID Directory connection:
- Groups
- Users
- Managers (optional)
This page will provide you with instructions on how to integrate Entitle and Entra ID as an IdP.
General guidelines
Note: In case you have already integrated Entra ID with Entitle using this guide, you can use the same Entra application configuration and continue to the Entitle setup section.
To integrate your Entra ID with Entitle, you will need to:
- Create an application on Entra ID, and extract Client and tenant IDs.
- Create a secret, and extract its value.
- Provide Entitle with adequate permissions for the application.
Set up Entra ID to work with Entitle
Stage 1: Create an application
- Go to the Microsoft Azure portal.
- Click on Microsoft Entra ID.
- Click on the App registrations tab in the left-side menu.
- Then, click on New registration.
- Give your app a Name and leave the rest as is. Then, click on Register.

- Keep your Application (client) ID and Directory (tenant) ID for later. Then, click on Add a certificate or secret on the right side.

- Click on New client secret.

- In the pop-up window, choose a Description that you will remember and an expiration time of your choice. Keep in mind that you will have to create a new secret and hence a new integration when it expires. Once done, click Add.

- Click on the copy icon to copy your new Client Secret Value and keep it for later.

Stage 2: Assign permissions to Graph API
- Go to API permissions.

- Remove the existing permissions by clicking on the "..." on the right, selecting Remove all permissions, and finally clicking the Yes, remove button.

- Now, click on Add a Permission.

- Then pick Microsoft Graph.

- Choose Application permissions.

- Using the search bar, search for the following permission to allow Entitle to connect with your Entra ID tenant:
Directory.Read.All
Note
If you plan to set up Entra ID as an integration in Entitle, replace the above permission with the following:
Directory.ReadWrite.All, Group.ReadWrite.All, TeamMember.ReadWrite.All, User.ReadWrite.All
- Then, click the Add permissions button at the bottom of the screen.

- Your screen should now look the same as the following image. Then, click on Grant admin consent for Default Directory, and then click Yes.
You will now see that you have granted Admin consent for the requested permissions:
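As an added pre-flight check (not part of the Entitle guide or product) before you connect in Entitle: the script below assumes only the tenant ID, client ID and client secret from Stage 1, requests a client-credentials token for Microsoft Graph, and confirms that the Stage 2 permission appears in the token's roles claim, which only happens once admin consent has been granted. The sample tokens inside it are constructed for offline testing, not real Entra ID tokens.

```python
import base64
import json
import sys
import urllib.parse
import urllib.request

# Standard Entra ID v2.0 token endpoint and the Graph ".default" scope (client-credentials flow).
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
IDP_PERMISSIONS = {"Directory.Read.All"}  # Stage 2 permission for the IdP connection


def decode_jwt_payload(token: str) -> dict:
    """Decode a JWT payload without checking the signature. Acceptable only because we
    inspect a token the tenant just issued to our own app; never authorize on unverified claims."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding stripped by JWT encoding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_app_roles(token: str, required: set) -> set:
    """Application permissions that were added AND admin-consented appear in the 'roles'
    claim of a client-credentials token; return the required ones that are absent."""
    granted = set(decode_jwt_payload(token).get("roles", []))
    return required - granted


def get_client_credentials_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Exchange the Stage 1 tenant ID, client ID and client secret for a Graph access token."""
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret,
                                   "scope": GRAPH_SCOPE, "grant_type": "client_credentials"}).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant_id), data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def _unsigned_jwt(payload: dict) -> str:
    """Build a constructed, unsigned JWT so the claim checks can be exercised offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}."


# Constructed sample tokens (not real Entra ID tokens): one with the IdP permission consented,
# one whose 'roles' claim is missing, which is what you get before "Grant admin consent".
SAMPLE_TOKEN_CONSENTED = _unsigned_jwt({"aud": "https://graph.microsoft.com", "roles": ["Directory.Read.All"]})
SAMPLE_TOKEN_NO_CONSENT = _unsigned_jwt({"aud": "https://graph.microsoft.com"})

if __name__ == "__main__":
    tenant_id, client_id, client_secret = sys.argv[1:4]
    missing = missing_app_roles(get_client_credentials_token(tenant_id, client_id, client_secret), IDP_PERMISSIONS)
    print("OK: ready to connect in Entitle" if not missing else f"Not granted/consented: {sorted(missing)}")
    sys.exit(1 if missing else 0)
```

Run it as `python preflight.py <tenant-id> <client-id> <client-secret>`; an empty roles claim on a successful token request is the usual sign that Grant admin consent was skipped.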

Connecting your IdP in Entitle
All that is left to do is connect your IdP to the Entitle application.
- Log into Entitle and navigate to the Org Settings page.
- Under the Connect To section, navigate to the Microsoft Entra ID - Azure AD option, and click Connect.

- In the pop-up window Configure Entra ID, fill in the required details:
- Tenant - your directory ID
- Client ID
- Secret - your Client Secret
- In case you wish to add managers' approval as part of the approval process for Access Requests, or to select managers as the User Access Review reviewers:
- Check the Use as direct manager source checkbox. The direct manager information will be taken from the Entra ID default field. If you want to use a custom field for direct manager information instead, please contact Entitle. In this case the manager's identity has to be in email format, and at the moment the deployment model has to be Entitle cloud. A common use case is Entra ID synchronization with an Active Directory extension attribute.

Test your IdP connection
- After being redirected to the Org Settings page, you should be able to see that the Microsoft Entra ID - Azure AD directory is now Connected.
- Within a few minutes, refresh your browser page and go to the Workflows tab. Then, click on New Workflow. You should now be able to see that all the groups have been fetched, and you are done!
Set up an Entitle SSO tile
- Log in to your Microsoft Entra Admin Center.
- Select Applications under the Identity tab, found on the left-side navigation menu.
- Expand Applications to choose Enterprise applications.
- Click New application.
- Click Create your own application.
- Choose a name for the application, and select the Integrate any other application you don't find in the gallery (non-gallery) option. Then, click Create.
You will now be redirected to your new application's Overview page.
- Select Assign users and groups to set an owner for the application and grant access permissions to specific users.
- Return to your application's Overview page, and select Set up single sign on.
- Select Linked from the four available sign on options.
- Copy the following URL and paste it in the Sign on URL section. Click Save.
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=40653a07-6423-4c6b-9e40-7ce34c8656d6&scope=User.Read&redirect_uri=https://app.entitle.io/api/v1/signIn/microsoft&response_type=code
- Your Entitle SSO application should now be presented as a new tile in your Microsoft My Apps portal.