Configuring Customer Central for Device Management
Register Customer Central as an Application in Microsoft Entra ID
Prerequisites:
- A Microsoft Entra tenant (Azure directory) with a valid Microsoft Entra ID license.
- A Microsoft Entra ID administrator account with the roles the steps below need. Cloud Application Administrator (or Application Administrator) is enough to create the app registration and its client secret, but granting tenant-wide admin consent for Microsoft Graph application permissions requires Privileged Role Administrator or Global Administrator.
Customer Central must be registered as an application with Microsoft Entra ID to be able to connect to Entra ID services.
For details on this procedure, refer to Register an application with the Microsoft identity platform | Microsoft Learn.
When registering your application with Microsoft Entra ID, make sure you set up the following configuration:
- Log on to the Microsoft Entra admin center (https://entra.microsoft.com/#home) and, if necessary, switch to the required directory.
- Under Entra ID in the left menu, navigate to App registrations and click New registration.
- Create the application as follows:
  - Enter a Name for the application.
  - Under Supported account types, select Accounts in this organizational directory only (<your directory> only - Single tenant). Single tenant means accounts from other directories can never obtain a token for this application.
  - Click Register.
- After the initial registration is complete, make a note of the Application (client) ID and the Directory (tenant) ID.
  Note: These IDs are required when configuring the connection to Entra ID in Customer Central.
- In the overview page for your application, click the link under Client credentials. Alternatively, under Manage, select Certificates & secrets.
- Click New client secret.
- Add a client secret credential for your application with an identifiable Description and Expires set to 180 days, as recommended. Record the expiry date: Customer Central cannot renew the secret itself, so you must generate a new one and enter it through Edit a Configuration before the old one lapses, or the connection stops working.
- Click Add.
- Under Manage, click Certificates & secrets.
- Select the Client secrets tab.
- Make a note of the Value for the application's secret.
  Important: The Value displayed for the client secret credential corresponds to the Secret required when configuring the connection to Entra ID in Customer Central. This Value is only displayed when the secret is generated, so you must make sure to keep a copy of it. Store it in a secrets vault rather than a ticket or e-mail: together with the Application (client) ID it is sufficient to call Microsoft Graph with every permission granted below.
- Under Manage, select API Permissions.
  Note: Leave the delegated User.Read permission as is.
- Click Add a permission.
- Select Microsoft Graph.
- Select Application Permissions.
- Add the following permissions:
  - Group.Read.All
  - User.Read.All
  - UserAuthenticationMethod.ReadWrite.All
  These are application permissions: they act without a signed-in user, and UserAuthenticationMethod.ReadWrite.All lets the holder add or remove authentication methods (including passkeys) for every user in the directory. This is why the client secret above must be treated as a highly privileged credential.
- When complete, the Configured permissions list should show the delegated User.Read permission and the three Microsoft Graph application permissions above.
- Once these permissions are set, click Grant admin consent for <your directory> and then Yes.
- Make sure the status for the permissions is "Granted for <your directory>" with a green checkmark next to each. Application permissions without admin consent are not included in the tokens issued to the application, so the Customer Central connection fails until this step is complete.
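The following is an added example, not HID or Microsoft code, showing how to confirm that the registration above is complete from Microsoft Graph's point of view. It builds the client-credentials token request Customer Central sends with the three values you noted (the token endpoint, form fields and scope are the standard Microsoft identity platform ones) and then inspects the access token's claims: application permissions appear in the roles claim only after admin consent has been granted, so a token that lacks one of the three roles explains a failed connection test. The tenant ID, client ID and the two tokens in the script are constructed so it runs offline; a real token would come back from posting the request.

```python
# Added example (not HID or Microsoft code): verify that the app registration and
# admin consent are complete by inspecting the access token Microsoft Entra ID issues
# to the application. The tenant ID, client ID and the tokens below are constructed
# for offline use; the endpoint, form fields and claim names are the standard ones.
import base64
import json

REQUIRED_ROLES = {
    "Group.Read.All",
    "User.Read.All",
    "UserAuthenticationMethod.ReadWrite.All",
}
GRAPH_AUDIENCE = "https://graph.microsoft.com"


def token_request(tenant_id, client_id, client_secret):
    """Build the OAuth 2.0 client-credentials request Customer Central (or a test
    script) sends with the three values noted during registration. Returns
    (url, form_fields); POST form_fields as application/x-www-form-urlencoded."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # /.default requests every application permission that admin consent covers
        "scope": f"{GRAPH_AUDIENCE}/.default",
    }
    return url, form


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(jwt):
    """Return the payload claims of a JWT without checking the signature. Graph
    validates the signature; here we only inspect what Entra put in the token."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))


def check_app_token(jwt, tenant_id, client_id):
    """Return a list of problems; an empty list means the registration and admin
    consent are complete from Microsoft Graph's point of view."""
    claims = decode_claims(jwt)
    problems = []
    # Tokens for Graph use the v1.0 claim set: 'aud' is the Graph URL and the
    # calling application is in 'appid' (v2.0-format tokens use 'azp' instead).
    if claims.get("aud") != GRAPH_AUDIENCE:
        problems.append(f"audience is {claims.get('aud')!r}, expected {GRAPH_AUDIENCE}")
    if claims.get("tid") != tenant_id:
        problems.append("tid does not match the Directory (tenant) ID")
    if claims.get("appid", claims.get("azp")) != client_id:
        problems.append("appid does not match the Application (client) ID")
    # Delegated permissions appear in 'scp'; application permissions appear in
    # 'roles', and only once admin consent has been granted for them.
    missing = REQUIRED_ROLES - set(claims.get("roles", []))
    if missing:
        problems.append("missing application permissions: " + ", ".join(sorted(missing)))
    return problems


# --- constructed sample data so the check runs offline ------------------------
TENANT_ID = "11111111-2222-3333-4444-555555555555"   # constructed
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # constructed


def make_unsigned_token(claims):
    """Assemble header.payload. with an empty signature (for test data only)."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


GOOD_TOKEN = make_unsigned_token({
    "aud": GRAPH_AUDIENCE, "tid": TENANT_ID, "appid": CLIENT_ID,
    "roles": sorted(REQUIRED_ROLES),
})
# Consent granted for only two of the three permissions (or the third never added)
INCOMPLETE_TOKEN = make_unsigned_token({
    "aud": GRAPH_AUDIENCE, "tid": TENANT_ID, "appid": CLIENT_ID,
    "roles": ["Group.Read.All", "User.Read.All"],
})

if __name__ == "__main__":
    url, form = token_request(TENANT_ID, CLIENT_ID, "<secret value>")
    print("POST", url, "with fields", sorted(form))
    print("good token:", check_app_token(GOOD_TOKEN, TENANT_ID, CLIENT_ID))
    print("incomplete token:", check_app_token(INCOMPLETE_TOKEN, TENANT_ID, CLIENT_ID))
```

To run it against a real registration, post the request returned by token_request and pass the access_token from the JSON response to check_app_token; because the script only decodes claims, it never needs the Graph signing keys, and it never logs the secret.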
Enable FIDO Provisioning
Before users in your organization can register and sign in to their Microsoft Entra account using FIDO2 passkeys, you must enable the Passkey (FIDO2) authentication method in the tenant's authentication method policy and decide which key models (by AAGUID) are permitted.
For details on this procedure, refer to Enable passkeys (FIDO2) for your organization | Microsoft Learn.
- Return to the Microsoft Entra admin center home page and select Authentication Methods in the left menu.
- Under Manage, select Policies.
- In the Authentication method policies section, select the Passkey (FIDO2) built-in authentication method.
- In the Enable and Target tab, toggle the policy to Enable.
- In the Include tab, select All users or Select groups to define the users allowed to authenticate with this method.
- Select the Configure tab and set the following parameters:
  GENERAL
  - Allow self-service set up: set to Yes.
  - Enforce attestation: set to Yes if your organization wants to ensure that a FIDO2 security key model or passkey provider is genuine.
  KEY RESTRICTION POLICY
  - Enforce key restrictions: set to Yes only if your organization wants to allow or block specific security key models or passkey providers (identified by their AAGUID).
  - Restrict specific keys: set to Allow to permit only the listed AAGUIDs, or Block to permit every model except the listed AAGUIDs.
  Important: If you change key restrictions and remove a previously allowed AAGUID, users who have registered a device with that AAGUID will no longer be able to use it to sign in. Check which registered passkeys carry that AAGUID before removing it.
- Click Add AAGUID and add the AAGUID of your devices (for example, 2a55aee6-27cb-42c0-bc6e-04efe999e88a for the HID Crescendo 4000 device).
  For the complete list of identifiers for the HID Crescendo FIDO devices, see AAGUID for Crescendo Devices.
- Click Save.
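The Important note above is the one that bites in practice: tightening the AAGUID list silently locks out anyone whose only passkey is a model that is no longer listed. The following added example, not HID or Microsoft code, simulates a proposed key restriction policy against the passkeys users have already registered. It assumes those registrations were pulled with Microsoft Graph (GET /users/{id}/authentication/fido2Methods, whose items carry an aaGuid and a model); the registrations and the second AAGUID in the script are constructed so it runs offline, and the HID Crescendo 4000 AAGUID is the one quoted above. It also accepts AAGUIDs in any case and with or without hyphens, which is how they tend to arrive from vendor documentation.

```python
# Added example (not HID or Microsoft code): work out who a change to the AAGUID
# list would lock out before saving it. Assumes the registered passkeys came from
# Microsoft Graph (GET /users/{id}/authentication/fido2Methods, items carrying
# 'aaGuid' and 'model'); the registrations below are constructed so the script
# runs offline. The HID Crescendo 4000 AAGUID is the one quoted on the page.
import uuid

CRESCENDO_4000 = "2a55aee6-27cb-42c0-bc6e-04efe999e88a"
OTHER_KEY = "00000000-0000-0000-0000-000000000001"   # constructed AAGUID, another model


def normalize_aaguid(value):
    """An AAGUID is a UUID: accept any case, with or without hyphens; reject garbage."""
    try:
        return str(uuid.UUID(str(value)))
    except ValueError as exc:
        raise ValueError(f"invalid AAGUID {value!r}") from exc


def lockout_report(registrations, listed_aaguids, restrict_mode="Allow"):
    """Simulate 'Enforce key restrictions = Yes' with the given AAGUID list.

    registrations: {user: [fido2Method, ...]} as returned by Graph.
    listed_aaguids: the AAGUIDs the policy will contain after the change.
    restrict_mode: 'Allow' (only listed AAGUIDs work) or 'Block' (listed ones stop).
    Returns {user: [models that stop working]} for users left with no usable passkey.
    """
    if restrict_mode not in ("Allow", "Block"):
        raise ValueError("restrict_mode must be 'Allow' or 'Block'")
    listed = {normalize_aaguid(a) for a in listed_aaguids}
    report = {}
    for user, methods in registrations.items():
        blocked, usable = [], 0
        for method in methods:
            aaguid = normalize_aaguid(method["aaGuid"])
            if restrict_mode == "Allow":
                permitted = aaguid in listed
            else:
                permitted = aaguid not in listed
            if permitted:
                usable += 1
            else:
                blocked.append(method.get("model") or aaguid)
        # Only users with nothing left to sign in with are a lockout
        if blocked and not usable:
            report[user] = blocked
    return report


# constructed sample, shaped like Graph fido2AuthenticationMethod objects
REGISTRATIONS = {
    "alice@contoso.example": [
        {"aaGuid": CRESCENDO_4000, "model": "HID Crescendo 4000"},
    ],
    "bob@contoso.example": [
        {"aaGuid": OTHER_KEY, "model": "Other vendor key"},
    ],
    "carol@contoso.example": [
        # vendor docs often quote AAGUIDs in upper case without hyphens
        {"aaGuid": CRESCENDO_4000.upper().replace("-", ""), "model": "HID Crescendo 4000"},
        {"aaGuid": OTHER_KEY, "model": "Other vendor key"},
    ],
}

if __name__ == "__main__":
    # Proposed policy: Restrict specific keys = Allow, with only the Crescendo 4000 listed
    print(lockout_report(REGISTRATIONS, [CRESCENDO_4000]))
```

Run the Allow simulation with the list you are about to save; an empty report means nobody loses their last working passkey. Users who appear in the report need a permitted device enrolled before the policy change goes live.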
Assign Users or Groups
Once you have completed the application and passkey configuration, you can now define the user population accessible for device management in Customer Central.
For details on this procedure, refer to Manage users and groups assignment to an application | Microsoft Learn.
- Return to the Microsoft Entra admin center home page, expand Entra ID in the left menu and select Enterprise apps and then your application.
- In the overview page, under Getting Started, click Assign users and groups. Alternatively, under Manage, select Users and groups.
- Click Add user/group.
- Click None Selected.
- Select the required users or groups you want to assign to the Device Management application and click Select.
- When complete, click Assign.
Configure the Connection to Microsoft Entra ID
Before you can provision and enroll FIDO devices for your users, you must configure the connection between your Microsoft Entra ID application and Customer Central.
Prerequisites:
- You have a valid license for the FIDO Provisioning service. To purchase new licenses or renew existing ones, contact your HID Account Manager.
- You have created the application in Microsoft Entra ID and enabled passkey authentication for the service.
- You have assigned the users or groups to the service.
- You have the following information that was obtained when you created the application in Microsoft Entra ID:
  - The Directory (tenant) ID - the unique identifier that represents your organization's Microsoft Entra ID instance. This ID is used to identify which directory your Device Management application should communicate with and authenticate against.
  - The Application (client) ID - the unique identifier that Microsoft Entra ID assigned to your Device Management application when you registered it. This ID is used to identify your application when it authenticates with Microsoft Entra ID.
  - Secret - the Value of the client secret credential used by your Device Management application to identify itself when requesting a token.
    Note: This Value is only displayed when the secret is generated and cannot be displayed again. If you do not know the secret's value, you must generate a new secret.
- Select Device Management in the left menu.
- Select Configurations under FIDO Device Management.
- Click CONFIGURE.
- Enter a Configuration Name for the configuration.
- Enter the following information obtained in Register Customer Central as an Application in Microsoft Entra ID:
  - Directory (tenant) ID - the unique identifier that represents your organization's Microsoft Entra ID instance
  - Application (client) ID - the unique identifier that Microsoft Entra ID assigned to your Device Management application when you registered it
  - Secret - the Value of the client secret credential used by your Device Management application to identify itself when requesting a token
- Click ADD.
Customer Central verifies that the configuration is correct and displays a success message when complete.
Customer Central is now connected to your Microsoft Entra ID application and your users are available for provisioning.
Test a Connection
- Select Device Management in the left menu.
- Select Configurations under FIDO Management.
- Click the menu icon for the configuration and select Test Connection.
- The result is reported as one of:
  - Success
  - Failure - verify your configuration and try again. Check the Directory (tenant) ID and Application (client) ID, that the secret is current (it expires after the period chosen at registration), and that admin consent was granted for the three Microsoft Graph application permissions.
Edit a Configuration
- Select Device Management in the left menu.
- Select Configurations under FIDO Management.
- Click the menu icon for the configuration and select Edit.
  Note: The UPDATE button is unavailable until you have entered the required information. You can update the:
  - Configuration Name
  - Application (client) ID - the unique identifier that Microsoft Entra ID assigned to your Device Management application when you registered it
  - Secret - the Value of the client secret credential used by your Device Management application to identify itself when requesting a token
    Note: This Value is only displayed when the secret is generated and cannot be displayed again. If you do not know the secret's value, you must generate a new secret.
  The Directory (tenant) ID is not among the editable fields; to point Customer Central at a different directory, create a new configuration.
- Edit the configuration as required and click UPDATE. This is also the procedure for routine secret rotation: generate the new client secret in Microsoft Entra ID, enter its Value here, test the connection, and only then delete the old secret from the app registration.
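The secret recommended earlier expires after 180 days, and nothing in Customer Central warns you beforehand; the connection simply starts failing. The following added example, not HID or Microsoft code, reads the registration's secrets as Microsoft Graph returns them (GET /applications/{object-id}, whose passwordCredentials items carry displayName, keyId and endDateTime) and reports which ones are expired or about to expire, so the rotation above can be scheduled. The application object and the clock in the script are constructed so it runs offline. The secret value itself is never retrievable from Entra, which is why the Description (displayName) noted at creation is the only way to tell which secret Customer Central holds.

```python
# Added example (not HID or Microsoft code): find out whether the client secret that
# Customer Central holds is about to expire, so a new one can be generated and entered
# through Edit a Configuration in time. Assumes the application object returned by
# Microsoft Graph (GET /applications/{object-id}), whose 'passwordCredentials' items
# carry 'displayName', 'keyId' and 'endDateTime'; the object and the clock below are
# constructed so the script runs offline.
from datetime import datetime, timedelta, timezone


def parse_graph_time(value):
    """Graph emits ISO 8601 UTC with a trailing Z and up to seven fractional digits."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        value = f"{head}.{frac[:6]}"          # datetime accepts at most microseconds
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def secret_status(app, now, warn_days=30):
    """Classify every client secret on the registration as expired, expiring or ok."""
    rows = []
    for cred in app.get("passwordCredentials", []):
        end = parse_graph_time(cred["endDateTime"])
        if end <= now:
            state = "expired"
        elif end - now <= timedelta(days=warn_days):
            state = "expiring"
        else:
            state = "ok"
        rows.append({
            "displayName": cred.get("displayName"),   # the Description chosen at creation
            "keyId": cred["keyId"],
            "daysLeft": (end - now).days,
            "state": state,
        })
    return rows


def rotation_needed(app, now, warn_days=30):
    """True unless at least one secret stays valid beyond the warning window. When
    True, generate a replacement in Entra, enter it via Edit a Configuration, test
    the connection, then delete the old secret from the registration."""
    return not any(row["state"] == "ok" for row in secret_status(app, now, warn_days))


# constructed sample: the current 180-day secret plus an old one never cleaned up
NOW = datetime(2025, 5, 20, 9, 0, tzinfo=timezone.utc)
APP = {
    "appId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",     # constructed
    "passwordCredentials": [
        {"displayName": "Customer Central (old)", "keyId": "k1",
         "endDateTime": "2024-12-01T00:00:00Z"},
        {"displayName": "Customer Central", "keyId": "k2",
         "endDateTime": "2025-06-05T12:30:00.1234567Z"},
    ],
}

if __name__ == "__main__":
    for row in secret_status(APP, NOW):
        print(row)
    print("rotation needed:", rotation_needed(APP, NOW))
```

Reading the application object needs a delegated or application permission that can read app registrations (for example Application.Read.All); run it from an admin workstation or a monitoring identity, not from the Customer Central registration, whose permissions should stay limited to the three listed earlier. An expired entry that is still present, like "Customer Central (old)" above, is also worth removing: it is dead weight in the registration and confuses the next rotation.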
Delete a Configuration
Complete or delete any outstanding requests before deleting the configuration.
- Select Device Management in the left menu.
- Select Configurations under FIDO Management.
- Click the menu icon for the configuration and select Delete.
- Enter permanently delete in the field and click CONFIRM.
Deleting the configuration removes it from Customer Central only. The app registration, its client secret and the granted Microsoft Graph application permissions remain in Microsoft Entra ID; if the integration is being retired, delete the secret (or the whole registration) there as well so the credential cannot be reused.