Entra Integration
This section covers integration with Microsoft Entra ID (formerly Azure Active Directory) for enterprise directory services.
Overview
Entra integration enables seamless user authentication, authorization, and directory synchronization with your organization's Microsoft Entra tenant, providing enterprise-grade identity management capabilities.
Prerequisites
Before setting up Entra integration, ensure you have:
- An active Azure subscription
- A Microsoft Entra tenant and its tenant ID
- Application Administrator or Global Administrator role in Entra
- AuthSec Enterprise license
Setup Steps
1. Register Application in Microsoft Entra
- Navigate to the Azure Portal
- Go to Microsoft Entra ID > App registrations
- Click New registration
- Enter application details:
- Name: AuthSec Integration
- Supported account types: Accounts in this organizational directory only
- Click Register
2. Configure API Permissions
- In your registered application, go to API permissions
- Click Add a permission
- Select Microsoft Graph
- Add the following delegated permissions:
- User.Read - Read user profiles
- User.Read.All - Read all users' full profiles
- Group.Read.All - Read all groups
- Directory.Read.All - Read directory data
- Add application permissions:
- User.Read.All - Read all users' full profiles
- Group.Read.All - Read all groups
- Directory.Read.All - Read directory data
- Click Grant admin consent for your organization
3. Create Client Secret
- Go to Certificates & secrets
- Click New client secret
- Enter a description and select expiration
- Copy the Value (the client secret) and store it securely; the portal does not display it again after you leave the page
4. Configure in AuthSec
- Log in to your AuthSec Admin Dashboard
- Navigate to Enterprise Features > Directory Integration
- Click Add Integration > Microsoft Entra
- Enter the following details:
- Tenant ID: Your Entra tenant ID
- Client ID: Application (client) ID from step 1
- Client Secret: The secret value from step 3
- Click Test Connection to verify the setup
- Configure synchronization settings:
- User Sync: Enable/disable user synchronization
- Group Sync: Enable/disable group synchronization
- Sync Frequency: Set automatic sync interval (15 minutes to 24 hours)
- Attribute Mapping: Map Entra attributes to AuthSec user fields
Features
User Synchronization
- Automatic Sync: Real-time or scheduled user data synchronization
- Attribute Mapping: Custom mapping of Entra user attributes
- Profile Updates: Automatic profile updates on user changes
- Account Lifecycle: Handle user creation, updates, and deactivation
Group and Role Management
- Group Sync: Synchronize security groups and distribution lists
- Role Assignment: Automatic role assignment based on group membership
- Nested Groups: Support for nested group hierarchies
- Dynamic Groups: Integration with Entra dynamic groups
Single Sign-On (SSO)
- OAuth 2.0 / OpenID Connect: Standard protocol support
- SAML Integration: SAML 2.0 compatibility for legacy applications
- Conditional Access: Integration with Entra Conditional Access policies
- Multi-factor Authentication: MFA enforcement through Entra
Security Features
- Audit Logging: Comprehensive activity tracking and reporting
- Compliance: SOC 2, HIPAA, and GDPR compliance support
- Risk Detection: Integration with Entra Identity Protection
- Access Reviews: Automated access certification workflows
Advanced Configuration
Custom Attribute Mapping
{
  "userAttributes": {
    "employeeId": "extension_employeeId",
    "department": "department",
    "manager": "manager.displayName"
  },
  "groupAttributes": {
    "groupType": "securityEnabled"
  }
}
Synchronization Filters
Configure filters to control which users and groups are synchronized:
- User Filters: Based on department, location, or custom attributes
- Group Filters: Based on group type or naming conventions
- Exclusion Rules: Exclude specific users or groups from sync
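As an added example (not AuthSec's own code or API), the following Python applies the attribute mapping from the "Custom Attribute Mapping" section and the exclusion and group-type filters described above to constructed sample Microsoft Graph user and group objects. The dotted "manager.displayName" path assumes the manager relationship was expanded in the Graph query; the field names externalId and username on the output side are assumptions.

```python
from typing import Any, Iterable

# Mapping config exactly as shown in the Custom Attribute Mapping section.
ATTRIBUTE_MAPPING = {
    "userAttributes": {
        "employeeId": "extension_employeeId",
        "department": "department",
        "manager": "manager.displayName",
    },
    "groupAttributes": {"groupType": "securityEnabled"},
}

# Constructed sample Graph objects (not real tenant data). The second user has
# no manager, which a sync must tolerate rather than abort on.
SAMPLE_USERS = [
    {"id": "u1", "userPrincipalName": "alice@example.com", "department": "Engineering",
     "extension_employeeId": "E100", "manager": {"displayName": "Bob"}},
    {"id": "u2", "userPrincipalName": "carol@example.com", "department": "Contractors",
     "extension_employeeId": "E200"},
]
SAMPLE_GROUPS = [
    {"id": "g1", "displayName": "sec-admins", "securityEnabled": True},
    {"id": "g2", "displayName": "all-hands-dl", "securityEnabled": False},
]


def resolve(obj: Any, path: str) -> Any:
    """Follow a dotted path such as 'manager.displayName'; None if any hop is missing."""
    cur = obj
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def map_user(user: dict, mapping: dict = ATTRIBUTE_MAPPING) -> dict:
    """Translate one Graph user into the (assumed) AuthSec user record."""
    mapped = {"externalId": user["id"], "username": user["userPrincipalName"]}
    for target, source in mapping["userAttributes"].items():
        mapped[target] = resolve(user, source)
    return mapped


def sync_users(users: Iterable[dict], excluded_departments: Iterable[str] = ()) -> list:
    """Exclusion rule by department, then attribute mapping for the rest."""
    return [map_user(u) for u in users if u.get("department") not in set(excluded_departments)]


def sync_groups(groups: Iterable[dict], security_only: bool = True) -> list:
    """Group filter by type: keep only security groups unless distribution lists are wanted."""
    src = ATTRIBUTE_MAPPING["groupAttributes"]["groupType"]
    kept = [g for g in groups if g.get(src) or not security_only]
    return [{"externalId": g["id"], "name": g["displayName"], "groupType": g.get(src)} for g in kept]
```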
Monitoring and Alerts
Set up monitoring for:
- Sync status and health
- Failed authentication attempts
- User provisioning events
- Security policy violations
Troubleshooting
Common Issues
Connection Test Failed
- Verify tenant ID, client ID, and client secret
- Ensure API permissions are granted
- Check network connectivity to Microsoft Graph API
User Sync Not Working
- Confirm the user has the necessary permissions
- Check attribute mapping configuration
- Review sync logs for error details
SSO Login Issues
- Validate redirect URIs in application registration
- Ensure OpenID Connect configuration is correct
- Check conditional access policies
Logs and Diagnostics
Access integration logs through:
- AuthSec Admin Dashboard > Logs > Directory Integration
- Azure Portal > Microsoft Entra > Audit logs
- Application Insights (if configured)
Support
For detailed API documentation and assistance, contact enterprise support at enterprise@authsec.com.