Entra ID (Azure Active Directory) IdP | Entitle

Overview

The Entra ID (Azure Active Directory) IdP connection lets Entitle use your Entra ID tenant as the source of truth for users, groups, and (optionally) manager relationships, reading them through the Microsoft Graph application permissions you grant below.

Entitle populates the following resource types in the Entra ID Directory connection:

  • Groups
  • Users
  • Managers (optional)

This page will provide you with instructions on how to integrate Entitle and Entra ID as an IdP, both for populating the above resource types as well as for creating IdP-initiated login flows to the Entitle web app.

General guidelines

You can set up Entra ID as an Identity Provider (IdP), the source of truth for Entitle users, groups, and organizational structure, using the instructions below.

ℹ️

In case you have already integrated Entra ID with Entitle using the Azure AD guide, you can use the same Entra application configuration and continue to the Entitle setup section.

To integrate your Entra ID with Entitle, you will need to:

  • Create an application on Entra ID, and extract Client and tenant IDs.
  • Create a secret, and extract its value.
  • Provide Entitle with adequate permissions for the application.

  1. In the app registration, open API permissions, click Add a permission, and choose Microsoft Graph > Application permissions. Using the search bar that appears, find and select the following permissions to allow Entitle to connect with your Entra ID tenant:
    • Directory.Read.All
      ℹ️

      If you plan to set up Entra ID as an integration in Entitle (not only as an IdP), replace Directory.Read.All with the following:

      • GroupMember.ReadWrite.All
      • User.Read.All
    • Application.ReadWrite.OwnedBy (federated credentials only)
    • Application.Read.All (federated credentials only)
      ℹ️

      Application.ReadWrite.OwnedBy applies only to federated credential scenarios. It allows Entitle to delete the temporary onboarding secret as soon as setup is complete, so the secret never outlives the onboarding itself.

      If this permission is not granted, the onboarding secret remains valid until its configured expiration; delete it yourself from the Certificates & secrets page once setup is complete.

      Application.Read.All is required to validate configuration details during setup.

  2. When you are done selecting the permissions, click Add permissions at the bottom of the screen.
  3. The added permissions now appear in the table under Configured permissions.
  4. Click Grant admin consent for <your tenant> (for example, Default Directory) > Yes.
  5. If you are using a client secret, continue with Connect your IdP in Entitle. If you are using federated credentials with the Application.ReadWrite.OwnedBy permission, continue with the federated credentials steps below.
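The permission list above is a least-privilege boundary: a registration that also carries Directory.ReadWrite.All, or a federated setup whose temporary onboarding secret is still valid, is over-provisioned. The script below is an added example (not Entitle's or Microsoft's code) that audits an app registration against exactly the sets listed in the steps above. It assumes you have exported the app's granted application permissions (resolved to permission names) and its password credentials, as shown in the Entra admin center or returned by Microsoft Graph; the export embedded here is constructed for illustration.

```python
"""Audit an Entra ID app registration created for Entitle.

Added example (not Entitle's or Microsoft's code). It checks that the granted
application permissions match the chosen setup (IdP only vs. integration,
client secret vs. federated credentials) with nothing extra, and that the
temporary onboarding secret of a federated setup is no longer valid.
"""
import json
from datetime import datetime, timezone

# Permission sets exactly as listed in the procedure above.
IDP_ONLY = {"Directory.Read.All"}
INTEGRATION = {"GroupMember.ReadWrite.All", "User.Read.All"}
FEDERATED_REQUIRED = {"Application.Read.All"}
FEDERATED_OPTIONAL = {"Application.ReadWrite.OwnedBy"}


def expected_permissions(as_integration, federated):
    """Return (required, optional) permission names for the chosen setup."""
    required = set(INTEGRATION if as_integration else IDP_ONLY)
    optional = set()
    if federated:
        required |= FEDERATED_REQUIRED
        optional |= FEDERATED_OPTIONAL
    return required, optional


def audit_permissions(granted, as_integration, federated):
    """Compare granted permission names with the expected set.

    'extra' is the least-privilege finding: anything granted that this setup
    does not need (for example Directory.ReadWrite.All) should be removed.
    """
    required, optional = expected_permissions(as_integration, federated)
    granted = set(granted)
    return {
        "missing": sorted(required - granted),
        "optional_missing": sorted(optional - granted),
        "extra": sorted(granted - required - optional),
    }


def parse_graph_time(value):
    """Graph timestamps are ISO 8601 with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def lingering_onboarding_secrets(password_credentials, now, marker="onboarding"):
    """Secrets still valid at `now` whose displayName marks them as the temporary
    onboarding secret (the naming convention is an assumption of this example).
    After a federated setup that granted Application.ReadWrite.OwnedBy this list
    should be empty; otherwise the secret stays valid until it expires."""
    return sorted(
        c["displayName"]
        for c in password_credentials
        if marker in c["displayName"].lower()
        and parse_graph_time(c["endDateTime"]) > now
    )


# Constructed export of an app registration (not real data).
SAMPLE_EXPORT = json.loads("""{
  "grantedPermissions": ["GroupMember.ReadWrite.All", "User.Read.All",
                         "Application.Read.All", "Directory.ReadWrite.All"],
  "passwordCredentials": [
    {"displayName": "entitle-onboarding", "endDateTime": "2026-12-31T00:00:00Z"},
    {"displayName": "entitle-onboarding-old", "endDateTime": "2024-01-01T00:00:00Z"}
  ]
}""")


def run_audit(export=SAMPLE_EXPORT, as_integration=True, federated=True, now=None):
    """Full report; `now` may be a Graph-style timestamp string or None for the current time."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_graph_time(now)
    report = audit_permissions(export["grantedPermissions"], as_integration, federated)
    report["lingering_onboarding_secrets"] = (
        lingering_onboarding_secrets(export["passwordCredentials"], now) if federated else []
    )
    return report


if __name__ == "__main__":
    print(json.dumps(run_audit(now="2025-06-01T00:00:00Z"), indent=2))
```

On the constructed export the report flags Directory.ReadWrite.All as extra, notes that Application.ReadWrite.OwnedBy was not granted, and lists the still-valid entitle-onboarding secret, which is precisely the case the note above describes: without that permission the secret has to be removed by hand.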

Connect your IdP in Entitle

  1. Log in to Entitle and go to the Org Settings page.

  2. Under the System integrations section, click the + Add button and select Azure AD from the list of IdPs.

Follow the steps for your chosen authentication method: client secret or federated credentials.

Client secret
  1. In the pop-up window Configure Microsoft Entra ID - Azure AD, fill in the required details:

    • Display Name: Enter a name to identify this integration.

    • Tenant: Your Directory (tenant) ID, found on the Overview page.

    • Client ID: Your Application (client) ID, found on the Overview page.

    • Authentication mode: Select Secret.

    • Secret: Your Client secret, found on the Certificates & secrets page.

    • User identity source: Choose what will serve as the identifier for your users in Entra ID:

      • UPN (User Principal Name) – default
      • Email
    • Use as direct manager source: Select this option if you want managers to participate in Access Request approvals or serve as User Access Review reviewers.

      ℹ️

      When this option is selected, Entitle pulls direct manager information from the default Entra ID field. If you prefer to use a custom field, contact Entitle Support.

      A common example of when you might use this is when you want the direct manager field in Entra ID to synchronize with the Active Directory extension attribute.

      This option is currently available only for Entitle Cloud deployments and requires the manager’s value to be in email format.

    • Save on: Choose whether you would like this integration to be saved on your own hosted agent or in Entitle’s cloud.

  2. Click Save.

Federated credentials
  1. In the pop-up window Configure Microsoft Entra ID - Azure AD, fill in the required details:

    • Display Name: Enter a name to identify this integration.

    • Tenant: Your Directory (tenant) ID, found on the Overview page.

    • Authentication mode: Select Federated credentials.

    • Client ID: Your Application (client) ID, found on the Overview page.

    • Nonce ID: Your Secret ID, found on the Certificates & Secrets page. Refresh your browser to see the secret ID.

    • Nonce value: Your Nonce value, found in your Cloud Shell instance.

    • User identity source: Choose what will serve as the identifier for your users in Entra ID:

      • UPN (User Principal Name) – default
      • Email
    • Use as direct manager source: Select this option if you want managers to participate in Access Request approvals or serve as User Access Review reviewers.

      ℹ️

      When this option is selected, Entitle pulls direct manager information from the default Entra ID field. If you prefer to use a custom field, contact Entitle Support.

      A common example of when you might use this is when you want the direct manager field in Entra ID to synchronize with the Active Directory extension attribute.

      This option is currently available only for Entitle Cloud deployments and requires the manager’s value to be in email format.

    • Save on: Choose whether you would like this integration to be saved on your own hosted agent or in Entitle’s cloud.

      🚧

      Important information

Federated credentials work only for integrations that are saved on Entitle's Cloud or on an on-premises agent hosted in Amazon Elastic Kubernetes Service (EKS).

  2. Click Save.

IdP groups sync

Filtering users by IdP groups lets admins control which Entra ID users are imported into Entitle by selecting specific groups during directory synchronization. Instead of syncing all users by default, this lets you exclude users who do not need Entitle, such as contractors or test accounts. Members of the selected groups, including members of nested sub-groups, are synced; the member counts shown in the group table cover direct members only. The selection can be adjusted later as needs evolve, keeping the user base focused and easier to manage.

ℹ️

To enable IdP group filtering, a feature flag must be enabled for your organization. Contact your BeyondTrust representative for details.

On the IdP groups sync page, select one of two options:

  1. Sync all users from all groups: Synchronize all of your Entra ID users with Entitle.
  2. Select specific groups to sync users from: Choose which groups to synchronize with Entitle.
Sync all users from all groups
  1. Click Sync all users from all groups.
  2. Click Sync groups.
  3. Synchronization begins. This process might take several minutes to complete.
  4. Once synchronization has finished, the Entra ID IdP connection appears as Connected on the Integrations tab of the Org settings page.
Select specific groups to sync users from
  1. Click Select specific groups to sync users from.

  2. A table of groups loads in two stages: first the group name and email, and second, the count of users in each group. There are several methods to help you find the groups you want to sync.

    • Search groups: Find groups by name and email.
    • Sort: When creating a new connection, sort by:
      • Name
      • Email
      • Members count
  3. Select the groups you would like to sync with Entitle.
    ℹ️

    • At least one group must be selected to proceed.
    • For each selected group, both direct members and members of any nested sub-groups are synced with Entitle.
    • The Direct users in group field counts only direct members.
    • Users who are not part of these groups cannot authenticate through Entra ID to access Entitle via Slack, Teams, or the web interface.
  4. Click Sync groups.
  5. Synchronization begins. This process might take several minutes to complete.
  6. Once synchronization has finished, the Entra ID IdP connection appears as Connected on the Integrations tab of the Org settings page.
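The two rules in the note above (nested members are synced, the displayed count is direct members only) decide who ends up able to sign in to Entitle, so it is worth computing the result before clicking Sync groups. The script below is an added example, not Entitle's code; it walks a constructed group directory (a real run would read group members from Microsoft Graph) and reports the synced set, the direct count per group, and the users who would be left out and therefore cannot authenticate to Entitle through Entra ID. Two of the constructed groups reference each other so the walk has to tolerate a membership cycle.

```python
"""Work out which users an Entitle group filter would sync from Entra ID.

Added example, not Entitle's own code. It applies the rule stated above: for
each selected group, direct members and members of nested sub-groups are
synced, while the "Direct users in group" count covers direct members only.
The directory below is constructed; a real run would read group members from
Microsoft Graph.
"""

# Constructed directory: group id -> direct members as (kind, id) pairs.
# g-engineering and g-oncall reference each other so the walk must tolerate
# a cycle rather than recurse forever.
DIRECTORY = {
    "g-engineering": [("user", "alice@example.com"), ("group", "g-platform")],
    "g-platform": [("user", "bob@example.com"), ("group", "g-oncall")],
    "g-oncall": [("user", "carol@example.com"), ("group", "g-engineering")],
    "g-contractors": [("user", "dan@example.com")],
}
# Every user in the (constructed) tenant; eve belongs to no group at all.
ALL_USERS = {"alice@example.com", "bob@example.com", "carol@example.com",
             "dan@example.com", "eve@example.com"}


def direct_user_count(group, directory):
    """What the 'Direct users in group' column shows: direct user members only."""
    return sum(1 for kind, _ in directory[group] if kind == "user")


def transitive_users(group, directory):
    """All users reachable from `group` through any depth of nested groups."""
    users, seen, stack = set(), set(), [group]
    while stack:
        g = stack.pop()
        if g in seen:
            continue  # already expanded; this also breaks membership cycles
        seen.add(g)
        for kind, member in directory.get(g, []):
            if kind == "user":
                users.add(member)
            else:
                stack.append(member)
    return users


def synced_users(selected, directory):
    """Users Entitle would import for the selected groups."""
    if not selected:
        raise ValueError("at least one group must be selected")
    unknown = [g for g in selected if g not in directory]
    if unknown:
        raise ValueError(f"unknown group(s): {unknown}")
    users = set()
    for g in selected:
        users |= transitive_users(g, directory)
    return users


def excluded_users(selected, directory, all_users):
    """Users who will not be synced and therefore cannot authenticate to Entitle."""
    return set(all_users) - synced_users(selected, directory)


if __name__ == "__main__":
    chosen = ["g-engineering"]
    for g in DIRECTORY:
        print(f"{g}: direct={direct_user_count(g, DIRECTORY)} "
              f"transitive={len(transitive_users(g, DIRECTORY))}")
    print("synced:", sorted(synced_users(chosen, DIRECTORY)))
    print("excluded:", sorted(excluded_users(chosen, DIRECTORY, ALL_USERS)))
```

Selecting only g-engineering shows the gap between the two numbers: the table would display one direct user, but three users are synced through the nested groups, and dan and eve are excluded.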
Modify group filtering
  1. To modify which groups are synchronized or to filter an existing connection, right-click the connected IdP and select Edit synced groups.

  2. The Select groups page shows any previously selected groups.
    ℹ️

    Groups currently in use by policies or approval workflows cannot be removed. To stop syncing a group, you must first remove it from any associated policies or approval workflows, or delete those policies or workflows.

  3. There are several methods to help you find the groups you want to sync.

    • Search groups: Find groups by name and email.
    • Sort: When editing an existing connection, sort by:
      • Name
      • Email
      • Members count
      • In use
      • Is selected (only if the connection is not currently fully synced)
  4. Select the groups you would like to sync with Entitle.

    ℹ️

    • At least one group must be selected to proceed.
    • For each selected group, both direct members and members of any nested sub-groups are synced with Entitle.
    • The Direct users in group field counts only direct members.
    • Users who are not part of these groups cannot authenticate through Entra ID to access Entitle via Slack, Teams, or the web interface.
  5. Click Sync groups.

  6. Synchronization begins. This process might take several minutes to complete.

Test your IdP connection

  1. After being redirected to the Org Settings page, you should see that the Entra ID directory is now Connected.
  2. Your data synchronizes within a few minutes. Go to Approval workflows and click New approval workflow at the top right. You should now see that all groups have been fetched. If not, wait a few more minutes and refresh the page.

Set up an Entitle SSO tile in Entra ID

Optionally, you can set up Entitle as an Entra ID SSO tile for IdP-initiated login flow using the instructions below.

ℹ️

This use case is not applicable when Entitle operates as part of Pathfinder, as all authentication is handled through Pathfinder. See Entitle on Pathfinder for more details.

  1. Log in to your Microsoft Entra Admin Center.

  2. Select Applications under the Identity section.

  3. Expand Applications to choose Enterprise applications.

  4. Click New application.

  5. Click Create your own application.

  6. Choose a name for the application, and select Integrate any other application you don’t find in the gallery (non-gallery). Then click Create.

    You are now redirected to your new application’s Overview page.

  7. Select Assign users and groups to grant access to the specific users and groups who should see the Entitle tile. (Application owners are managed separately on the application's Owners page.)

  8. Set the application logo in the application properties.

  9. Return to your application’s Overview page, and select Set up single sign on.

  10. Select Linked from the available sign-on options.

  11. Copy the following URL and paste it in the Sign on URL field.

    https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=40653a07-6423-4c6b-9e40-7ce34c8656d6&scope=User.Read&redirect_uri=https://app.entitle.io/api/v1/signIn/microsoft&response_type=code
  12. Click Save.

  13. Your Entitle SSO application now appears as a new tile in your Microsoft My Apps portal.
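A Linked tile does nothing more than open the Sign on URL, so a mangled paste (stray whitespace, a truncated client ID, an altered redirect_uri or response_type) produces a tile that fails or sends users somewhere other than Entitle. The check below is an added example, not Entitle's or Microsoft's code; it parses the URL and compares every component with the values in step 11 above, which are the only values it relies on.

```python
"""Validate the Sign on URL pasted into the Entitle Linked SSO tile.

Added example, not Entitle's or Microsoft's code. The expected values are
copied from step 11 above; anything else is reported as a problem.
"""
from urllib.parse import urlsplit, parse_qs

# The Sign on URL from step 11, copied verbatim.
SIGN_ON_URL = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
               "?client_id=40653a07-6423-4c6b-9e40-7ce34c8656d6&scope=User.Read"
               "&redirect_uri=https://app.entitle.io/api/v1/signIn/microsoft"
               "&response_type=code")

EXPECTED = {
    "netloc": "login.microsoftonline.com",
    "path": "/common/oauth2/v2.0/authorize",
    "client_id": "40653a07-6423-4c6b-9e40-7ce34c8656d6",
    "scope": "User.Read",
    "redirect_uri": "https://app.entitle.io/api/v1/signIn/microsoft",
    "response_type": "code",
}
REQUIRED_PARAMS = ("client_id", "scope", "redirect_uri", "response_type")


def check_sign_on_url(url, expected=EXPECTED):
    """Return a list of problems; an empty list means the URL is as documented."""
    problems = []
    if url != url.strip():
        problems.append("leading or trailing whitespace")
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme!r}, expected 'https'")
    if parts.netloc != expected["netloc"]:
        problems.append(f"host is {parts.netloc!r}, expected {expected['netloc']!r}")
    if parts.path != expected["path"]:
        problems.append(f"path is {parts.path!r}, expected {expected['path']!r}")
    # keep_blank_values so an empty "scope=" is reported as wrong, not missing
    params = parse_qs(parts.query, keep_blank_values=True)
    for key in REQUIRED_PARAMS:
        values = params.get(key, [])
        if len(values) != 1:
            problems.append(f"{key} appears {len(values)} times, expected once")
        elif values[0] != expected[key]:
            problems.append(f"{key} is {values[0]!r}, expected {expected[key]!r}")
    unexpected = sorted(set(params) - set(REQUIRED_PARAMS))
    if unexpected:
        problems.append(f"unexpected parameters: {unexpected}")
    return problems


if __name__ == "__main__":
    print(check_sign_on_url(SIGN_ON_URL) or "OK")
    # A redirect_uri downgraded to http is the kind of paste error this catches.
    print(check_sign_on_url(SIGN_ON_URL.replace("https://app.", "http://app.")))
```

Run it on the exact string you intend to paste; the redirect_uri and response_type are compared for exact equality because the authorization server rejects or misroutes anything that does not match what Entitle registered.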

Test your SSO tile

  1. Locate the Entitle application in your Microsoft My Apps portal.
  2. Open the application. You should now be logged in to the Entitle app.

©2003-2026 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.