
Entra ID Configuration

Use this guide to create a new Entra ID integration with Azure for user and group search functionality in SAML connections.

Note

This native connection can only be used with direct Entra ID logins that do not have MFA enabled. If MFA is enabled in your Azure tenant, you must also complete the Azure SAML configuration for user authentication.

Requirements

  • Administrator access to the Azure tenant to create a new App Registration to support this configuration.
  • A working SAML configuration against this Azure tenant for user authentication.

Creating a new Entra ID Integration

Create your Azure App Registration

The first step is to create the Azure App Registration that this integration will use.

  1. Log in to your Azure tenant and open the App registrations page. From here, click the New registration button to create a new registration, or select an existing one that you wish to extend for this integration.
  2. On the Register an application page, enter a Name, select the Supported account types that you wish to support, and leave the Redirect URI parameter empty. Click the Register button to continue.
  3. On the Overview page of your application, click Add a certificate or secret next to the Client credentials parameter. Enter a Description and select an Expires option. Click Add to continue.
  4. After the secret is created, copy the full string from the Value column (not the Secret ID). Store this Value string in a safe location; it is only visible on this screen, and once you close the page it cannot be viewed again.

    Azure App Registration Value String

  5. Next, we will add API Permissions to this app. Navigate to Manage > API Permissions and click the Add a permission button.

  6. From the Request API permissions page, select Microsoft Graph and then Application Permissions. For the selected permissions, include each of the following:

    • Application.Read.All
    • Directory.Read.All
    • Group.Read.All
    • GroupMember.Read.All
    • User.Read.All
  7. From the Request API permissions page, select Microsoft Graph and then Delegated Permissions. For the selected permissions, include the following:

    • User.Read
  8. When all have been selected, click the Add Permissions button to complete this operation.

  9. Finally, click the Grant admin consent button to finalize the API Permissions for this App.

Azure App Registration API Permissions

Do not exit your App Registration yet, as we will return during the next section to copy additional parameters.
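Before entering the tenant, client and secret values into Horizon, it is worth confirming from a shell that the registration really issues app-only tokens carrying the Microsoft Graph permissions listed above: a permission that was added but never received admin consent does not appear in the token's roles claim, which is the most common reason a later Test Connection or user search fails. The script below is an added example and is not part of the 12Port documentation or product; the HORIZON_PRECHECK_LIVE and ENTRA_* environment variable names are assumptions, and the offline run uses a constructed, unsigned sample token rather than a real one.

```python
"""Pre-flight check for the Entra ID app registration created above.

Hypothetical helper (not part of Horizon or Azure): it builds the OAuth2
client-credentials request, decodes the roles claim of the resulting
access token, and reports which Microsoft Graph application permissions
from the guide are missing (not added, or admin consent not granted).
It also builds the user-search query a type-ahead lookup relies on.
Everything runs offline on a constructed sample token; set the assumed
environment variable HORIZON_PRECHECK_LIVE=1 to perform the real calls.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

# Microsoft Graph application permissions the guide asks for.
REQUIRED_APP_ROLES = {
    "Application.Read.All",
    "Directory.Read.All",
    "Group.Read.All",
    "GroupMember.Read.All",
    "User.Read.All",
}
GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the client-credentials grant against the tenant."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,          # Application (Client) ID
        "client_secret": client_secret,  # the Value string copied earlier
        "scope": GRAPH_SCOPE,
    })
    return url, body


def fetch_token(tenant_id, client_id, client_secret):
    """POST the token request and return the raw access token (network call)."""
    url, body = token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def token_roles(access_token):
    """App roles in the token payload. The signature is NOT verified: this only
    inspects what the tenant issued to us, it does not authenticate anything."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT (header.payload.signature)")
    payload = json.loads(_b64url_decode(parts[1]))
    return set(payload.get("roles", []))


def missing_roles(access_token):
    """Required permissions absent from the token; an empty set means consent is complete."""
    return REQUIRED_APP_ROLES - token_roles(access_token)


def user_search_url(typed_prefix, top=10):
    """Graph query for a type-ahead user search on displayName. Single quotes are
    doubled as OData requires, so the typed text cannot alter the filter."""
    escaped = typed_prefix.replace("'", "''")
    filt = urllib.parse.quote(f"startswith(displayName,'{escaped}')", safe="(),'")
    return ("https://graph.microsoft.com/v1.0/users?$filter=" + filt
            + "&$select=id,displayName,userPrincipalName&$top=" + str(int(top)))


def make_sample_token(roles):
    """Constructed, unsigned token shaped like an app-only Graph token (offline use only)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({
        "aud": "https://graph.microsoft.com", "roles": sorted(roles)}).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    if os.environ.get("HORIZON_PRECHECK_LIVE") == "1":
        tok = fetch_token(os.environ["ENTRA_TENANT_ID"], os.environ["ENTRA_CLIENT_ID"],
                          os.environ["ENTRA_CLIENT_SECRET"])
    else:
        # Offline run: a constructed token missing two of the required roles.
        tok = make_sample_token(REQUIRED_APP_ROLES - {"Group.Read.All", "GroupMember.Read.All"})
    gap = missing_roles(tok)
    print("all required Graph permissions granted" if not gap
          else "missing (add or grant admin consent): " + ", ".join(sorted(gap)))
    print(user_search_url("O'Brien"))
```

Run it without arguments for the offline self-check, or export the three ENTRA_* variables and HORIZON_PRECHECK_LIVE=1 to exercise the real tenant; a token request that is rejected outright (wrong tenant ID, expired secret) raises an HTTPError before any roles are inspected, which is itself a useful signal. Treat the client secret like any other credential: pass it through the environment, never on the command line or in a script checked into source control.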


Integrate your Azure App Registration

The second step is to integrate your App Registration with 12Port Horizon.

  1. Log in to this Horizon tenant with a System Administrator or Configuration Manager role.
  2. Navigate to Configuration > Entra ID and click the Add button to create a new Entra ID integration.
  3. Configure the parameters as follows (each parameter name in the product also links to its own description):

    • Name: Enter a unique, but recognizable name for this Entra ID connection.
    • Tenant ID: From your App Registration page in Azure, copy the value from the Directory (Tenant) ID and paste that into this parameter.
    • Client ID: From your App Registration page in Azure, copy the value from the Application (Client) ID and paste that into this parameter.
    • Client Secret: Paste the Value string from the Certificates & Secrets page that we created in the previous section, into this parameter.
    • Direct Login: Enable this option to allow native, direct (non-MFA) Entra ID logins to this tenant.
    • Enabled: Enable this integration.

Click the Save button to complete this integration.


Verify your Entra ID Integration

Once saved, use the Actions menu for this integration and select the Test Connection button to verify a successful integration.

Note

If you experience any error messages during this authentication flow, please review your Azure configuration for resolution methods.


Assigning Objects to Entra ID Accounts

To assign objects like permissions, roles or workflows to an Entra ID account, please perform the following procedure:

  1. From the User or Group assignment field, open the drop-down menu and select the Entra ID integration name.

    Grant Permission Directory Selector

  2. In the provided field, begin typing an Entra ID account name. The type-ahead feature should search and display this name in its drop-down as you proceed. Select this name from the drop-down menu when it becomes visible.

    Grant Permission User Entry

  3. If assigning Group(s), click the Group icon and then begin typing an Entra ID group name until it is visible in the drop-down, then select this Group by name.

    Grant Permission Group Selector

Entra ID Usage

The software uses Entra ID configuration in several different components:

  • Authentication - When the Login button is pressed on the software's authentication screen, it tries to authenticate the user with the supplied account name and password against each enabled Entra ID configuration marked with the "Direct Login" flag. The configurations are tried one after another, in alphabetical order.
    Users can target a particular Entra ID tenant for authentication by placing the Entra ID configuration name before the account in the user field, separated by a backslash, for example: entraid-name\account.

  • Authorization - The software utilizes account and group membership data obtained from the configured Entra ID tenant to verify permissions set for objects and roles.

  • Permissions - System owners can search for user accounts and groups in the configured Entra ID tenants to use in object and role permissions.

  • Metadata - The software might use account metadata obtained from the configured Entra ID tenant to improve the visual presentation for different system functionalities. Examples of Entra ID metadata include Thumbnail, Display Name or Creation Date.