Microsoft Entra ID - Just In-Time Provisioning
Overview
InsightCloudSec supports using Microsoft Entra ID authentication as a valid authentication server. Because the authentication flow for Microsoft Entra ID is so different from typical LDAP and Active Directory implementations, changes must be made within the Azure Portal to configure Microsoft Entra ID for use with external applications. Check out Active Directory for details on Microsoft Active Directory.
Azure Active Directory transition
As of March 2024, Microsoft has renamed Azure Active Directory to Microsoft Entra ID. You may observe that some components within InsightCloudSec still refer to Azure Active Directory. This doesn't affect the configuration or functionality, and we will notify you as we fix these instances.
Prerequisites
Before getting started you will need to have the following
- A functioning InsightCloudSec platform
- Appropriate InsightCloudSec permissions (Domain Admin or Org Admin)
- Administrative credentials to your Azure Portal
For questions or issues, reach out to us through the Customer Support Portal.
InsightCloudSec - Microsoft Entra ID Authentication Server Setup (Start)
Before you configure Microsoft Entra ID to work with InsightCloudSec, you'll first need to complete some initial setup within InsightCloudSec, including generating a redirect URL.
- Login to your InsightCloudSec instance and navigate to Administration > User Management. Click Authentication Servers at the top of the page.
- Click Add Server to open the Create Authentication Server form.
- Complete the top of the Create the Authentication Server from as follows:
- Nickname: Enter a nickname
- Select Server Type: Select Azure Active Directory
- Global Scope Checkbox: Select the Global Scope checkbox if you want to use this server across all of your Organizations.
- Learn more about Organizations.
- Authentication Type: Select API Key/Secret or Client Certification, based on your preference.
Redirect URL
Copy the provided redirect URL value and keep it on-hand for later.
- Leave InsightCloudSec open in a browser window and open a new tab.
Azure - New App Registration
This section assumes you want to create a new app registration within the Azure console.
If you have an existing App Registration, and it is of the Web app/API type that you’d like to use, you can skip to Existing App Registration.
- From within the Azure portal, search for App registration.
- Select New. This should bring you to the Register an application screen.
- Complete the App Registration Form as follows:
- Name: Enter something simple and descriptive for the name.
- Supported account types: Select the default Accounts in this organizational directory only ((Default Directory) only Single tenant).
- Redirect URI: Input the URL you copied from InsightCloudSec in the previous section.
- Click Register to complete the App registration. This should create a new App and open an overview screen of the application.
- Copy the Application ID on this page and keep the information in a safe place. You will need the Application (client) ID for configuration later during this process.
- On the left panel navigation under Manage select Authentication.
- Scroll down on the Authentication page and locate the Implicit grant and hybrid flows section. Here you need to ensure you check/enable the ID tokens (used for implicit and hybrid flows) checkbox.
- From the left side navigation under Managed, select Certificates & secrets.
- Under Client Secrets click on the New client secret button. Provide a description, select an expiration interval, and click Add to complete.
- Copy the value that you created for the secret. Store this information in a safe location. Note: You will not be able to return to this view.
- Navigate to API Permissions, select Add Permissions.
- Click on Microsoft Graph and then select Application permissions. Scroll to GroupMember and click the checkbox next to
GroupMember.Read.All
, click Add Permission. - Repeat steps 13 & 14 to add one additional permission.
- Click on Add a permission, select Microsoft Graph and then select Application permissions
- Scroll to User and click the checkbox next to
User.Read.All
, click Add Permission
At this point, Microsoft Entra ID should be configured for use within InsightCloudSec. You may now return to the browser window containing InsightCloudSec and finish the setup. Continue to this section for details.
Azure - Existing App Registration
This section assumes you have an existing app of the Web app / API type that you’d like to use with InsightCloudSec.
To modify an existing app registration the steps are as follows:
- In the Azure Portal, locate the App registrations page and select the application you want to modify. Click to open the overview page.
- This section should already contain one Redirect URI with the URL you supplied when you created the App Registration. You will need to click Add URI to create new a new field, and add the the redirect URL you copied from InsightCloudSec in the first section.
- Click Save in the top-left corner of the page.
Existing Keys
You can use an existing key if you already have created one and know its secret, but creating a new secret for InsightCloudSec is recommended.
- From the left side navigation under Manage, select Certificates & secrets.
- Under Client Secrets click on the New client secret button. Provide a description, select an expiration interval, and click Add to complete.
- Copy the value that you created for the secret. Store this information in a safe location. Note: You will not be able to return to this view.
At this point, Microsoft Entra ID should be configured for use within InsightCloudSec. You may now return to the browser window containing InsightCloudSec and finish the setup. Continue to the next section.
InsightCloudSec - Microsoft Entra ID Authentication Server Setup (Finish)
This section assumes that you have set up your Microsoft Entra ID to function with InsightCloudSec. If you have not done so, or need assistance, refer to one of the sections above (creating a new App, or updating an existing App) or reach out to us through the Customer Support Portal.
To finish setting up an Microsoft Entra ID Authentication Server:
- Finish the Create Authentication Server form.
- Tenant: Provide the domain name associated with the Microsoft Entra ID instance you are authenticating against.
- Authority Server Hostname/IP: Unless you have a private Azure instance from Microsoft, you probably want to leave the Authority Host URL set to
https://login.microsoftonline.com
.- If you are using a private Azure instance, the Authority Host URL should be the authoritative login URL for that private instance.
- Application ID: Provide the Application ID you saved from your Azure App Registration.
- If you selected API Key/Secret for your Authentication Type provide the API Key. Use the secret key value that we created in the earlier steps. If that key is not available, create a new one as per the instructions.
- If you selected Client Certificate for your Authentication Type provide:
- The PEM Certificate
- The Certificate thumbprint
Enabling JIT for Microsoft Entra ID
These steps are a continuation of the steps above. They assume you are interested in enabling the Just In-Time Provisioning (periodic user provisioning) feature. If you are not familiar with this feature check out the Just In-Time User Provisioning (Authentication Server Support) summary details.
- To enable JIT, select the following checkboxes:
- Enabled periodic user provisioning using graph API: enables the synchronization between InsightCloudSec and your Microsoft Entra ID. We will now be able to synchronize your users in Active Directory once an hour or on-demand (by clicking on the synchronize users option next to the server name in the actions menu)
- Update profile (email & display name) on periodic user provisioning: every time we sync (every hour, or every manual sync) we will update the username and email within InsightCloudSec to match what is supplied from Microsoft Entra ID.
- Complete the following to finalize your JIT setup for Microsoft Entra ID. These fields are used to populate user details during synchronization of provisioning data:
- displayName: (Default is displayName). This field defines the Display Name provided for the user profile during provisioning.
- userPrincipalName: (Default is userPrincipalName) This field defines the Principal Name provided for the user profile during provisioning.
- displayName: (Default is displayName) This field defines the Display Name provided for the user profile during provisioning.
- user profile: (Optional) This field can be used define a last name included in the display name
- mail: (Default is mail). This field defines the email provided for the user profile during provisioning.
If your setup contains these properties in another location, input those details here.
If you enable JIT and do not provide these details we will not have the information required to populate these details.
If it's a new setup these fields will likely already be populated, if you are modifying an existing Microsoft Entra ID server setup you will need to provide these values.
Managing Entitlements!
Before you proceed with Group Mappings for external authentication you must have all of your desired entitlements configured.
If you create a group and enable group mapping BEFORE you establish entitlements, the users within your groups will have nothing configured and will not be able to access anything.
Refer to our documentation on Permissions Entitlements for details.
- Click Submit to finalize your authentication server and enable the system to verify that the values you entered are correct. If an error message appears, check that the values you entered are correct for the Active Directory instance for which you are trying to configure authentication.
Because Microsoft Entra ID uses an oAuth mechanism for authentication, you won’t be able to assign usernames to users authenticating against the system. Instead, you must use the email address for that user as it is in Microsoft Entra ID for both the name and email values when creating users for this Authentication Server.