Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

SAS PCE as an External Authentication Method (EAM) in Microsoft Entra ID

Microsoft Entra ID Setup

search

Please Note:

Microsoft Entra ID Setup

Configuring Entra ID requires:

  1. Registering an Application and Setting up its Permissions

  2. Configuring an External Authentication Method (EAM)

  3. Creating a Conditional Access Policy

Registering an Application and Setting up its Permissions

Perform the following steps:

  1. Log into the Microsoft Entra ID Admin Centre as a Cloud Application Administrator.

  2. If you have access to multiple tenants, switch to the correct tenant by performing the following steps:

    1. On the Microsoft Entra admin center, click on the Settings icon , and on the All Directories tab, select the directory you want to switch to.

    2. In the left pane, click Identity > Applications > App registrations, and in the right pane, click New registration.

    3. In the right pane, under Register an application, perform the following steps:

      • Enter a display name for your application (for example, SASPCE as EntraID EAM).

      • Under Supported account types, select the Accounts in this organizational directory only ( only - Single tenant) option.

      • Under Redirect URI (optional), from the drop-down list, select Web and in the field, paste the authorization endpoint that you obtained in Step 4 of the Configuring the SafeNet Access Exchange Realm section.

      • Click Register.

  3. Under the Overview section of the newly added application, copy the Application (client) ID and paste it in a text editor. You will need the application ID while configuring Entra ID.

  4. In the left pane, under Manage, click API permissions.

  5. In the right pane, perform the following steps:

    1. Under Configured permissions, click Add a permission.

    2. On the Request API permissions window, on the Microsoft APIs tab, select the Microsoft Graph tile.

    3. Under Microsoft Graph, select the Delegate permissions tile.

    4. Under Select permissions, search and select the following permissions, and click Add permissions.

      • User.Read

      • openid

      • profile

      Click here for more information on permissions.

    5. Click Grant admin consent for <tenant_name>.

    6. Under Grant admin consent confirmation, click Yes. The permissions' Status will be changed to Granted.

    7. Under Token Configuration > Optional claims, click Add optional claim.

    8. In the right pane, under Add optional claim > Token type, select the ID token option, and perform the following steps:

      • Select the acrs, login_hint, and upn claims.

      • Click Add to add the claims.

    9. Under Token type, select the Access token option, and perform the following steps:

      • Select the acrs, aud, and upn claims.

      • Click Add to add the claims.

      The claims for both the Access and ID tokens are added as shown in the screenshot below:

Configuring an External Authentication Method (EAM)

Perform the following steps to configure an external authentication method:

  1. On the Microsoft Entra ID Admin Centre, in the left pane, click Protection > Authentication methods, and in the right pane, under Policies, click Add external method (Preview).

  2. Under Method Properties, perform the following steps:

    1. In the Name field, enter a name (for example, SASPCE as EAM) for the external method.

    2. In the Client ID field, enter the Client ID that you obtained in step 4 (c) of the Configuring an Entra ID Client section.

    3. In the Discovery Endpoint field, enter the OIDC Discovery Endpoint URL that you obtained in step 4 of the Configuring the SafeNet Access Exchange Realm section.

    4. In the App ID field, enter the application identifier that you obtained in step 3 of the Registering an Application and Setting up its Permissions section.

    5. Enable the policy.

    6. Use the Include or Exclude tabs to manage which users or groups are to be included in or excluded from the External Authentication Method.

      Note

      It is recommended to exclude the global administrator account or group if not needed.

    7. Click Save.

Creating a Conditional Access Policy

  1. On the Microsoft Entra ID Admin Centre, in the left pane, click Protection > Conditional Access > Policies, and select New policy.

  2. Under New, enter a Name for the policy.

  3. Under Assignments, perform the following steps:

    1. Under Users, select users and groups selected.

    2. On the Include tab, select the Select user and groups option, and then select the User and groups checkbox.

    3. Search and select the user type and group name, and then click Select.

    Note

    It is recommended to exclude global administrator groups.

  4. Under Target resources, perform the following steps:

    1. Select No target resources selected.

    2. On the Include tab, select the Select resources option.

    3. Under Edit filter, select None.

    4. In the right pane, under Select, search and select the resource application (for example, Office 365) to be protected using EAM, and then click Select.

  5. Under Access controls, perform the following steps:

    1. Select 0 controls selected as Grant.

    2. In the right pane, under Grant, select the Grant access option, and then select the Require multifactor authentication checkbox.

  6. On the Grant window, scroll down, select Require one of the selected controls option, and click Select.

  7. At the bottom, select On to Enable policy, and then click Create.

On this page