Microsoft Entra ID and EPM config guide | EPM-WM

There are two use cases for configuring Entra ID with EPM for Windows and Mac: the Entra ID connector only, or identity authentication (which also requires the connector).

Before you begin

The setup requirements differ depending on which use case you are configuring.

Entra ID connector only:

  • Set up one application registered in Entra ID.
  • Configure connector settings at Configuration > Active Directory Settings > Microsoft Entra ID.

Identity authentication (includes connector):

  • Set up two applications registered in Entra ID:
    • One for the connector.
    • One for end-user identity verification.
  • Add connector application details at Configuration > Active Directory Settings > Microsoft Entra ID.
  • Add identity verification application details in the Policy Editor at Utilities > Identity Provider (IdP) Settings > Identity Authentication.

Set up the Entra ID connector

Register an Azure tenant

For EPM to query Entra ID groups, a communication channel between EPM-WM and Entra ID must exist.

The key steps to create a channel:

  • Create an app registration in Azure and grant the appropriate permissions.
  • Set up an authentication method.
  • Configure EPM-WM with the app registration.

Requirements

  • Microsoft Azure Commercial only.

Microsoft 365 Government Community Cloud (GCC) High is not supported.

ℹ️ For more information about the differences, see National cloud deployments.

Register a tenant

  1. Go to https://portal.azure.com.
  2. Create a new registration.
  3. Select the directory that contains the Entra ID you want to register with EPM-WM.
  4. Search for the App registrations service and select it.
  5. Click New registration.
  6. Give the registration a name. For example, EPM Registration.
  7. Select the Supported account types you require for your business needs.
  8. Ignore the Redirect URI setting.
  9. Select Register an application.
  10. Go to Manage > API Permissions and select Add a permission.
  11. Select Microsoft Graph, and then Application permissions.
  12. Add the following permissions. Search by name, then select the permission when it displays.
    • Domain.Read.All
    • GroupMember.Read.All
    • User.Read.All
  13. After the three permissions are selected, select Add permissions.
  14. Grant the permissions. Select Grant admin consent for (Directory Name).

Note the Application (client) ID and the Directory (tenant) ID. These are used when configuring EPM.
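A quick way to confirm that the registration above ended up with exactly the three application permissions, and nothing broader, is to inspect an app-only token issued to it. The script below is an added example, not BeyondTrust's or Microsoft's code; it assumes you have already obtained an access token for the registration yourself (for example with the certificate uploaded under Certificates & secrets) and pasted it in place of the constructed sample. It decodes the token payload without verifying the signature, which is fine for checking your own configuration but never for making a trust decision, and reports which required permissions are missing (group sync will fail) and which extra ones are present (more than least privilege). The tenant and client IDs in the sample are placeholders.

```python
import base64
import json

# Application permissions the connector registration is granted in the guide.
REQUIRED_ROLES = {"Domain.Read.All", "GroupMember.Read.All", "User.Read.All"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the payload claims of a JWS compact token.

    The signature is NOT verified: this is a configuration check run on a token
    you obtained yourself, not a trust decision on a token someone presented.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_connector_token(token: str, tenant_id: str, client_id: str) -> dict:
    """Compare an app-only token's claims with what the connector registration needs.

    `tid` must equal the Directory (tenant) ID and `appid` (v1.0 tokens) or
    `azp` (v2.0 tokens) the Application (client) ID noted after registration;
    `roles` lists the application permissions that received admin consent.
    """
    claims = decode_jwt_payload(token)
    granted = set(claims.get("roles", []))
    app_id = claims.get("appid") or claims.get("azp")
    return {
        "tenant_ok": claims.get("tid") == tenant_id,
        "client_ok": app_id == client_id,
        "missing": sorted(REQUIRED_ROLES - granted),  # sync will fail without these
        "excess": sorted(granted - REQUIRED_ROLES),   # broader than least privilege
    }


def _make_token(claims: dict) -> str:
    """Build an unsigned, constructed sample token so the check runs offline."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


# Constructed placeholder IDs; substitute the values noted in the Azure portal.
SAMPLE_TENANT_ID = "00000000-0000-0000-0000-00000000aaaa"
SAMPLE_CLIENT_ID = "00000000-0000-0000-0000-00000000bbbb"

# Constructed token: one required permission is missing and one broad one is present.
SAMPLE_TOKEN = _make_token({
    "aud": "https://graph.microsoft.com",
    "tid": SAMPLE_TENANT_ID,
    "appid": SAMPLE_CLIENT_ID,
    "roles": ["Domain.Read.All", "User.Read.All", "Directory.ReadWrite.All"],
})

if __name__ == "__main__":
    result = check_connector_token(SAMPLE_TOKEN, SAMPLE_TENANT_ID, SAMPLE_CLIENT_ID)
    print(json.dumps(result, indent=2))
```

With the constructed sample the report shows `GroupMember.Read.All` missing and `Directory.ReadWrite.All` in excess; a correctly scoped registration returns two empty lists with both ID checks true.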

Configure authentication

Select an authentication method to create a trust relationship between EPM-WM and Azure.

  1. Sign in to app.beyondtrust.io. The BeyondTrust Home page displays.
     From the top left of the page, click the Menu icon > Endpoint Privilege Management for Windows and Mac Configuration. The Configuration page displays.
  2. Select Active Directory Settings.
  3. Click the Microsoft Entra ID tab.
  4. Select User Certificate Authentication, and select Download Certificate.
  5. Go to the Azure app registrations portal, and then select Certificates & secrets.
  6. Click Upload certificate.

Add the Entra ID connector in EPM

You must create an app registration in Azure before you can configure the Microsoft Entra ID connector here. There can only be one Microsoft Entra ID connector per EPM-WM instance.

  1. Select Configuration > Active Directory Settings.
  2. Select the Microsoft Entra ID tab, and then select Enable Microsoft Entra ID Integration.
  3. Add the tenant ID and client ID.
  4. Select an authentication method. This depends on the app registration details you configured.

ℹ️ For more information, see Microsoft's documentation Quickstart: Register an application with the Microsoft identity platform.

Monitor Entra ID group sync

On the Microsoft Entra ID tab, EPM synchronizes and stores group information under Integration Status.

  • Groups: Entra ID group information that allows you to look up groups while editing a policy. Click Re-Sync to update with the latest information from Entra ID.
  • Group membership: Group memberships for groups referenced in a policy.
    • The number shown represents how many Entra ID groups are being tracked.
    • EPM polls for active policies and synchronizes every Entra ID group referenced in those policies with your Entra ID instance.
    • If you are using a transitive group membership structure, those transitive groups are synchronized too.

You can also confirm whether the integration is working correctly from this tab. Monitoring and health indicators help you respond to issues as they occur.

When do groups update?

Endpoints update group membership only when the user logs on. If you change a policy or add a user to a group, the update does not take effect immediately — the user must log off and log on again.

ℹ️ There can be a delay of 10 to 15 minutes between when you add a user to a group and when the change is available in the cache.

Set up identity authentication

Identity authentication allows endpoint users to verify their identity through Entra ID. This enables policies to enforce access based on Entra ID group membership.

After setup, users can select the Verify Identity link on the endpoint and confirm their identity through Entra ID. A prompt appears in EPM dialog boxes to guide users who have not yet verified their identity when a policy requires it.

ℹ️ The Entra ID connector is required to filter workstyles from Entra ID after a user's identity is verified. Complete the connector setup before configuring identity authentication.

Register a tenant for identity authentication

Identity authentication requires a separate app registration in Entra ID from the one used for the connector.

  1. Follow steps 1–9 in Register a tenant to create a new app registration. Give it a distinct name, for example EPM Identity Authentication.
  2. In the Redirect URI section, select Public client/native (mobile and desktop) and enter:
    • macOS: com.beyondtrust.pmfm://idp
    • Windows: http://127.0.0.1:port_number, where port_number is an open port on your network. Include the port number only if your identity provider requires it.
  3. Go to Manage > API Permissions and select Add a permission.
  4. Select Microsoft Graph, then Delegated permissions.
  5. Add the following permissions:
    • User.Read
    • profile
    • openid
    • GroupMember.Read.All
  6. Select Add permissions, then grant admin consent.
  7. Add a group claim. Select Groups assigned to the application and set the value to Group ID.
  8. Configure groups in Entra ID. Go to your EPM app in Enterprise Apps and navigate to Users and groups. Add your EPM user groups used in the policy. Groups are sent to EPM when users verify their identities.

Configure identity authentication in the Policy Editor

  1. In the Policy Editor, expand Utilities.
  2. Click Identity Authentication.
  3. Add the Application (client) ID. This value is from the app registration you created for identity authentication.
  4. Add the Authority URL. For Entra ID, use one of the following:
    • https://login.microsoftonline.com/organizations/v2.0/
    • https://login.microsoftonline.com/<Directory (tenant) ID>/v2.0/
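When identity verification does not unlock the expected policy, the usual causes are an Authority URL that does not match the token issuer, a client ID that does not match the token audience, or policy groups that were never assigned to the application in step 8 (so they are absent from the group claim). The script below is an added example, not BeyondTrust's or Microsoft's code; it assumes you have captured an ID token returned to the identity-authentication registration and pasted it in place of the constructed sample, and it decodes the payload without verifying the signature, so it is a configuration check only. It validates the Authority URL form shown above, checks issuer and audience, flags the group-overage case (Entra ID replaces `groups` with `_claim_names` when a user belongs to too many groups), and lists which of your policy's Group IDs are present in the claim. All IDs are constructed placeholders.

```python
import base64
import json

LOGIN_HOST = "https://login.microsoftonline.com"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the payload claims of a JWS compact token (signature NOT verified)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def authority_tenant(authority_url: str) -> str:
    """Return the tenant segment of an Entra ID v2.0 authority URL.

    Accepts the two forms given in the guide and returns either 'organizations'
    or the Directory (tenant) ID; anything else is rejected.
    """
    parts = authority_url.rstrip("/").split("/")
    if len(parts) != 5 or parts[0] != "https:" or parts[2] != "login.microsoftonline.com" or parts[4] != "v2.0":
        raise ValueError("authority must be https://login.microsoftonline.com/<tenant>/v2.0/")
    return parts[3]


def check_identity_token(token: str, client_id: str, authority_url: str, policy_group_ids: list) -> dict:
    """Check an ID token against the Policy Editor settings and the policy's groups."""
    claims = decode_jwt_payload(token)
    tenant = authority_tenant(authority_url)
    tid = claims.get("tid")
    # v2.0 tokens are issued by https://login.microsoftonline.com/<tid>/v2.0
    issuer_ok = claims.get("iss") == f"{LOGIN_HOST}/{tid}/v2.0" and tenant in ("organizations", tid)
    groups = set(claims.get("groups", []))
    wanted = set(policy_group_ids)
    return {
        "audience_ok": claims.get("aud") == client_id,
        "issuer_ok": issuer_ok,
        "groups_in_overage": "_claim_names" in claims,
        "policy_groups_present": sorted(groups & wanted),
        # Absent groups usually mean they were not assigned to the app (step 8).
        "policy_groups_absent": sorted(wanted - groups),
    }


def _make_token(claims: dict) -> str:
    """Build an unsigned, constructed sample token so the check runs offline."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


# Constructed placeholders; substitute your own tenant, client and group IDs.
SAMPLE_TENANT_ID = "00000000-0000-0000-0000-00000000aaaa"
SAMPLE_CLIENT_ID = "00000000-0000-0000-0000-00000000cccc"
GROUP_ASSIGNED = "11111111-1111-1111-1111-111111111101"      # assigned to the app
GROUP_NOT_ASSIGNED = "11111111-1111-1111-1111-111111111102"  # referenced in policy only
GROUP_OTHER = "11111111-1111-1111-1111-111111111103"         # assigned, not in policy
POLICY_GROUP_IDS = [GROUP_ASSIGNED, GROUP_NOT_ASSIGNED]

SAMPLE_ID_TOKEN = _make_token({
    "aud": SAMPLE_CLIENT_ID,
    "iss": f"{LOGIN_HOST}/{SAMPLE_TENANT_ID}/v2.0",
    "tid": SAMPLE_TENANT_ID,
    "groups": [GROUP_ASSIGNED, GROUP_OTHER],
})

if __name__ == "__main__":
    authority = f"{LOGIN_HOST}/organizations/v2.0/"
    print(json.dumps(check_identity_token(SAMPLE_ID_TOKEN, SAMPLE_CLIENT_ID, authority, POLICY_GROUP_IDS), indent=2))
```

With the constructed sample, audience and issuer check out and one policy group is reported absent, which points at the Users and groups assignment rather than at the Policy Editor settings. Running the same token against a tenant-specific Authority URL for a different tenant makes `issuer_ok` false, which is the symptom of a mistyped Directory (tenant) ID.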

©2003-2026 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.