Microsoft Entra ID
InsightCloudSec supports using Microsoft Entra ID authentication as a valid authentication server. Because the authentication flow for Microsoft Entra ID is so different from typical LDAP and Active Directory implementations, changes must be made within the Azure Portal to configure Microsoft Entra ID for use with external applications. Check out Active Directory for details on Microsoft Active Directory.
Azure Active Directory transition
As of March 2024, Microsoft has renamed Azure Active Directory to Microsoft Entra ID. You may observe that some components within InsightCloudSec still refer to Azure Active Directory. This doesn't affect the configuration or functionality, and we will notify you as we fix these instances.
Prerequisites
Before getting started you will need to have the following:
- A functioning InsightCloudSec platform
- Appropriate InsightCloudSec permissions (Domain Admin or Org Admin)
- Administrative credentials to your Azure Portal
For questions or issues reach out to us through the Customer Support Portal.
Microsoft Entra ID & Just In-Time Provisioning
For instructions specific to setting up an Authentication Server for Microsoft Entra ID and enabling Just In-Time Provisioning refer to our Microsoft Entra ID - Just In-Time Provisioning page.
InsightCloudSec - Microsoft Entra ID Authentication Server Setup (Start)
Before you configure Microsoft Entra ID to work with InsightCloudSec, you'll first need to complete some initial setup within InsightCloudSec, including generating a redirect URL.
- Login to your InsightCloudSec instance and navigate to Administration > User Management. Click Authentication Servers at the top of the page.
- Click Add Server to open the Create Authentication Server form.
- Complete the top of the Create Authentication Server form as follows:
- Nickname: Enter a nickname
- Select Server Type: Select Azure Active Directory
- Global Scope Checkbox: Select the Global Scope checkbox if you want to use this server across all of your Organizations.
- Learn more about Organizations.
- Authentication Type: Select API Key/Secret or Client Certification, based on your preference.
Redirect URL
Copy the provided redirect URL value and keep it on-hand for later.
- Leave InsightCloudSec open in a browser window and open a new tab.
Azure - New App Registration
This section assumes you want to create a new app registration within the Azure console.
If you have an existing App Registration, and it is of the Web app/API type that you’d like to use, you can skip to Existing App Registration.
- Select New. This should bring you to the Register an application screen.
- Complete the App Registration Form as follows:
- Name: Enter something simple and descriptive for the name.
- Supported account types: Select the default Accounts in this organizational directory only ((Default Directory) only Single tenant).
- Redirect URI: Input the URL you copied from InsightCloudSec in the previous section.
- Click Register to complete the App registration.
This should create a new App and open an overview screen of the application.
- Copy the Application (client) ID on this page and keep it in a safe place. You will need it for configuration later in this process.
- On the left panel navigation under Manage select Authentication.
- Scroll down on the Authentication page and locate the Implicit grant and hybrid flows section.
Here you need to ensure you check/enable the ID tokens (used for implicit and hybrid flows) checkbox.
- From the left side navigation under Manage, select Certificates & secrets.
- Under Client Secrets click on the New client secret button. Provide a description, select an expiration interval, and click Add to complete.
- Copy the value that you created for the secret. Store this information in a safe location. Note: You will not be able to return to this view.
- Navigate to API Permissions, select Add Permissions.
- Click on Microsoft Graph and then select Application permissions.
- Scroll to GroupMember and click the checkbox next to GroupMember.Read.All, then click Add Permission.
- Repeat the previous two steps to add one additional permission:
- Click on Add a permission, select Microsoft Graph and then select Application permissions.
- Scroll to User and click the checkbox next to User.Read.All, then click Add Permission.
At this point, Microsoft Entra ID should be configured for use within InsightCloudSec. You may now return to the browser window containing InsightCloudSec and finish the setup. Continue to this section for details.
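Those two entries are Application permissions, meaning the app registration itself (not a signed-in user) calls Microsoft Graph, for example for the periodic user provisioning option mentioned later. The following Python script is an added example, not InsightCloudSec code or anything from this page: it builds the OAuth 2.0 client credentials token request that such an app-only call starts with, and checks that a token minted for the registration carries both Graph application permissions in its roles claim, which is where a granted Application permission shows up. The tenant, client ID, secret and tokens are constructed placeholders; only the token endpoint shape, the `.default` scope and the `roles` claim are real Entra ID behaviour.

```python
"""Added example: what the GroupMember.Read.All / User.Read.All application permissions are for."""
import base64
import json
from urllib.parse import urlencode

DEFAULT_AUTHORITY = "https://login.microsoftonline.com"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
# The two Microsoft Graph application permissions the setup steps grant.
REQUIRED_APP_ROLES = {"GroupMember.Read.All", "User.Read.All"}


def build_token_request(tenant, client_id, client_secret, authority=DEFAULT_AUTHORITY):
    """Return (url, form_body) for the client credentials grant on the v2.0 token endpoint."""
    url = f"{authority.rstrip('/')}/{tenant}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,  # ".default" = every application permission granted to the app
    })
    return url, body


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only; this does not verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(_b64url_decode(parts[1]))


def missing_app_roles(token: str) -> list:
    """List the required Graph application permissions absent from the token's roles claim."""
    granted = set(jwt_claims(token).get("roles", []))
    return sorted(REQUIRED_APP_ROLES - granted)


def make_placeholder_token(claims: dict) -> str:
    """Constructed, unsigned JWT so the checks run offline; a real token is signed by Entra ID."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()), _b64url(json.dumps(claims).encode()), ""])


# Constructed sample tokens: one with both roles granted, one where User.Read.All was not granted.
GOOD_TOKEN = make_placeholder_token(
    {"aud": "https://graph.microsoft.com", "roles": ["GroupMember.Read.All", "User.Read.All"]})
PARTIAL_TOKEN = make_placeholder_token(
    {"aud": "https://graph.microsoft.com", "roles": ["GroupMember.Read.All"]})

if __name__ == "__main__":
    # Placeholder tenant, client ID and secret; nothing is sent anywhere.
    url, body = build_token_request(
        "contoso.onmicrosoft.com", "00000000-0000-4000-8000-000000000001", "<client-secret>")
    print("POST", url)
    print(body)
    print("missing from partial token:", missing_app_roles(PARTIAL_TOKEN))
```

If a provisioning call fails with an authorization error, decoding the app-only token this way and diffing its roles against the two required permissions is the quickest way to tell a missing permission apart from a wrong secret or tenant.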
Azure - Existing App Registration
This section assumes you have an existing app of the Web app/API type that you’d like to use with InsightCloudSec.
To modify an existing app registration the steps are as follows:
- In the Azure Portal, locate the App registrations page and select the application you want to modify. Click to open the overview page.
- The Redirect URI section should already contain the URL you supplied when you created the App Registration. Click Add URI to create a new field, and add the redirect URL you copied from InsightCloudSec in the first section.
- Click Save in the top-left corner of the page.
Existing Keys
You can use an existing key if you already have created one and know its secret, but creating a new secret for InsightCloudSec is recommended.
- From the left side navigation under Manage, select Certificates & secrets.
- Under Client Secrets click on the New client secret button. Provide a description, select an expiration interval, and click Add to complete.
- Copy the value that you created for the secret. Store this information in a safe location. Note: You will not be able to return to this view.
At this point, Microsoft Entra ID should be configured for use within InsightCloudSec. You may now return to the browser window containing InsightCloudSec and finish the setup. Continue to the next section.
InsightCloudSec - Microsoft Entra ID Authentication Server Setup (Finish)
This section assumes that you have set up your Microsoft Entra ID to function with InsightCloudSec. If you have not done so, or need assistance, refer to one of the sections above (creating a new App, or updating an existing App) or reach out to us through the Customer Support Portal.
To finish setting up a Microsoft Entra ID Authentication Server:
Finish the Create Authentication Server form.
- Tenant: Provide the domain name associated with the Microsoft Entra ID instance you are authenticating against.
- Authority Server Hostname/IP: Unless you have a private Azure instance from Microsoft, you probably want to leave the Authority Host URL set to https://login.microsoftonline.com.
- If you are using a private Azure instance, the Authority Host URL should be the authoritative login URL for that private instance.
- Application ID: Provide the Application ID you saved from your Azure App Registration.
If you selected API Key/Secret for your Authentication Type provide the API Key. Use the secret key value that we created in the earlier steps. If that key is not available, create a new one as per the instructions.
If you selected Client Certificate for your Authentication Type provide:
- the PEM Certificate
- the Certificate thumbprint
The options that appear after the authentication fields (e.g. Enable periodic user provisioning using graph API) are specific to configuring an Azure AD Authentication Server with Just In-Time (JIT) provisioning; the steps are identical up to this point, but JIT includes different capabilities.
- For more information on these capabilities check out the overview documentation on Just In-Time User Provisioning (Authentication Server Support)
- For specific step-by-step instructions check out the page for Microsoft Entra ID - Just In-Time Provisioning
Click Submit to finalize your authentication server and enable the system to verify that the values you entered are correct. If an error message appears, check that the values you entered are correct for the Active Directory instance for which you are trying to configure authentication.
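Most submit-time errors come from a value that is internally inconsistent rather than a genuine Entra ID problem: a tenant entered as a URL instead of a domain, an Authority Host without https, an Application ID that is not the GUID from the App Registration, or (for the Client Certificate option) a thumbprint that does not belong to the PEM that was pasted. The following Python script is an added example, not part of InsightCloudSec or this page, that checks those values before you click Submit; it derives the thumbprint the way the Azure portal displays it (SHA-1 of the certificate's DER encoding, upper-case hex). The field names in the config dictionary, the sample tenant and GUID are assumptions, and the "certificate" is a constructed placeholder whose DER bytes are the SHA-1 test vector "abc", not a real X.509 certificate.

```python
"""Added example: pre-submit consistency checks for the Finish form values."""
import base64
import hashlib
import re
import uuid

DEFAULT_AUTHORITY = "https://login.microsoftonline.com"  # default Authority Host from the page


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    match = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(match.group(1).split()))


def thumbprint(pem: str) -> str:
    """Thumbprint as the Azure portal shows it: SHA-1 over the DER encoding, upper-case hex."""
    return hashlib.sha1(pem_to_der(pem)).hexdigest().upper()


def normalize_thumbprint(value: str) -> str:
    """Drop the colons/whitespace some tools print and upper-case, so copies compare equal."""
    return re.sub(r"[\s:]", "", value).upper()


def check_server_config(cfg: dict) -> list:
    """Return human-readable problems; an empty list means the values are consistent."""
    problems = []

    tenant = cfg.get("tenant", "").strip()
    if not tenant or "://" in tenant or "." not in tenant:
        problems.append("tenant must be the bare domain name of the Entra ID instance")

    authority = cfg.get("authority", DEFAULT_AUTHORITY).rstrip("/")
    if not authority.startswith("https://"):
        problems.append("authority host must be an https:// URL")

    try:
        uuid.UUID(cfg.get("application_id", ""))
    except ValueError:
        problems.append("application_id must be the Application (client) ID GUID from the App Registration")

    auth_type = cfg.get("auth_type")
    if auth_type == "secret":
        if not cfg.get("client_secret"):
            problems.append("auth_type 'secret' requires the client secret value copied when it was created")
    elif auth_type == "certificate":
        pem, given = cfg.get("pem", ""), cfg.get("thumbprint", "")
        try:
            expected = thumbprint(pem)
        except ValueError as exc:
            problems.append(f"PEM certificate: {exc}")
        else:
            if normalize_thumbprint(given) != expected:
                problems.append(f"thumbprint {given!r} does not match the PEM certificate (expected {expected})")
    else:
        problems.append("auth_type must be 'secret' or 'certificate'")
    return problems


# Constructed placeholder: DER bytes are the SHA-1 test vector "abc", not a real certificate,
# so the thumbprint is the well-known digest A9993E364706816ABA3E25717850C26C9CD0D89D.
_PLACEHOLDER_DER = b"abc"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(_PLACEHOLDER_DER).decode() + "\n"
              + "-----END CERTIFICATE-----\n")

SAMPLE_CONFIG = {
    "tenant": "contoso.onmicrosoft.com",                         # constructed
    "authority": DEFAULT_AUTHORITY,
    "application_id": "00000000-0000-4000-8000-000000000001",    # constructed placeholder GUID
    "auth_type": "certificate",
    "pem": SAMPLE_PEM,
    "thumbprint": "a9:99:3e:36:47:06:81:6a:ba:3e:25:71:78:50:c2:6c:9c:d0:d8:9d",  # colon form
}

if __name__ == "__main__":
    print("computed thumbprint:", thumbprint(SAMPLE_PEM))
    for problem in check_server_config(SAMPLE_CONFIG) or ["no problems found"]:
        print("-", problem)
```

Run it against the real values you are about to paste (the PEM from your own certificate file) and fix anything it reports before submitting; the thumbprint comparison is case- and separator-insensitive because different tools print it differently.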
Because Microsoft Entra ID uses an OAuth mechanism for authentication, you won’t be able to assign usernames to users authenticating against the system. Instead, you must use the email address for that user as it is in Microsoft Entra ID for both the name and email values when creating users for this Authentication Server.