Configure Microsoft Entra ID for a Tenant

We recommend all organisations that uses Microsoft Entra ID (former Azure AD) to use it for their users. The process of using Microsoft Entra ID is very simple:

  1. Register the tenant id for your Microsoft Entra ID. This is displayed on the Overview page of Microsoft Entra ID administration. If you don’t have administrativ priviliges in Entra ID, please ask you administrator.
  2. Approve our pre-configured Microsoft Entra application in your Entra ID instance. The configuration page for Microsoft authentication method has a link to consent the application for your convenience.

After thoose simple steps all your users can use their existing business accounts to sign-in. To synchronize permissions from your Microsoft Entra ID to the applications that uses Authway you follow theses steps:

  1. Navigate to Groups in Authway admin.
  2. Choose an existing group or create a new group.
  3. Set the group to be external and set the external name to be the Object ID of the Microsoft Entra ID group. Object ID is displayed both in the listning of all groups and on the Overview page of the specific group.

Use your own Microsoft Entra application

Some organisations wants to provide their own Microsoft Entra application to use for their users. One reason for doing this could be to filter the groups exposed. To create an application to use in Authway do this (some of the steps are equal to Configure OpenId Connect for a Tenant):

  1. Navigate to the organisation in Authway admin portal.
  2. Choose “Settings” and then “Add” -> “OpenId Connect”.
  3. Edit the settings for the newly created OpenId Connect authentication method, typically named the same as you organisation name.
  4. Set “Authority” to https://login.microsoftonline.com/[Your Microsoft Entra Tenant Id]/v2.0/.
  5. Copy the redirect URL.
  6. Open Microsoft Entra ID administration portal
  7. Choose “App registrations” in the left pane and click “New registration”.
  8. Give your application a suitable name and let the default “Accounts in this organizational directory only” be selected for “Supported account types”.
  9. Under “Redirect URI”, choose “Web” as platform and paste the copied redirect URL (from above in the Authway admin portal).
  10. Copy the application id (client id) from Microsoft Entra portal and paste it as Client Id in Authway.
  11. Create a client secret in Microsoft Entra portal and copy the secret value so you can paste it as Client Secret in Authway.
  12. Enable and save the tenant specific authentication in Authway. It can take up to five minutes before it becomes available as a sign-in alternative.
  13. To get an Entra application that handles everything the pre-configured application does, you also need to add some optional claims under “Token configuration”. Click “Add optional claim”, choose “ID” as Token type and select family_name plus given_name. Click “Add” and accept that the “Microsoft graph profile permission” is required. This configuration ensures that Authway will get and can synhronize its first and last name properties. Finally, to flow permssions, you also need to “Add groups claim”. Mark “Security groups” and optionally do additional configuration, but the pre-configured client uses Group ID (which will be the Object ID of the group). sAMAccoountName can be used when Entra is synhronized with an on-prem AD and will in that case emit the name of the group instead of Object ID, which is more readable as the external group name in Authway.

Filter the Groups Exposed to Authway

A common reason to creat a custom Entra application is to filter the groups exposed to Authway. One way to do this is during “Add group claim” above, but if you for example want to expose all groups that has a group name that starts with “authwayTest” you can do this:

  1. On the App configuration, click on “Manifest” in Microsoft Entra portal and set "acceptMappedClaims" to true. Save the application.
  2. Make sure to consent the application configured above.
  3. Click on “Enterprise applications” in Microsoft Entra ID admin portal and search for your newly created application.
  4. On the deatils for the application, select “Single sign-on”.
  5. Click “Edit” in the “Attribute & Claims” section.
  6. Click on the groups claim (under “Additional claims”). In the window that opens, it is possible to choose “Filter groups”. Do that, choose “Display name” as attribute, “Prefix” for “Match with” and finally enter the prefix, for example “authwayTest”.

Entra-group-filter.png Entra-group-filter.png