Configure Microsoft Azure for Authentication

Note: As of July 2023, Microsoft renamed Azure AD to Microsoft Entra® ID. These integration instructions and illustrations refer to Azure AD but also apply to Entra ID.

To enable authentication for the federated users, configure a valid public client in your Microsoft Azure Directory:

  1. Log on to the Microsoft Azure AD portal (https://aad.portal.azure.com/) and go to the App Registrations page.


  2. Click New registration to add a new public client or, in the list of Owned applications, select an existing public client.


  3. In the Authentication page, under Advanced settings, select Yes to Allow public client flows.


  4. In the API permissions page, under Configured permissions, select Grant admin consent for <your directory>.

  5. Configure your Microsoft Azure directory as a SCIM federated datasource using POST /User/Repository/ScimFed.

    Make sure the "userAuthenticationEndpoint" section contains the authentication endpoint of your Microsoft Azure directory:

    "userAuthenticationEndpoint": {
        "issuerUri": "<URL of your Microsoft Azure/Entra ID Oauth2 provider>/v2.0",
        "clientId": "4fafef0d-79fc-470b-9e5e-7a1ed4fd549f"
    }

    Where:

    • issuerUri is the <Authority URL> of the application's endpoint, in the format https://login.microsoftonline.com/<client ID>/v2.0.

      You can get the <Authority URL> value from your application's list of endpoints.

    • clientId is the ID of the client used to connect to the directory host.

    You can verify the configuration using GET /User/Repository/ScimFed.

    Sample response:

    {
       "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
       "totalResults": 1,
       "resources": [
          {
             "schemas": ["urn:hid:scim:api:idp:2.0:User:Repository"],
             "id": "DS_c",
             "meta": {
                "resourceType": "UserRepository",
                "location": "https://[base-server-url]/scim/{tenant}/v2/User/Repository/ScimFed/DS_c",
                "version": "1"
             },
             "name": "scim fed AAD",
             "type": "SCIM_FED_AD",
             "adminGroupAssignment": {
                "type": "Group",
                "value": "UG_ROOT",
                "$ref": "https://[base-server-url]/scim/{tenant}/v2/Groups/UG_ROOT"
             },
             "roleAssignments": [
                {
                   "roleId": "RL_CUSTOMROLE2",
                   "mappingCriteria": {"groupMembership": "475f23fa-ad47-4ca9-b535-9792c9494daa"}
                },
                {
                   "roleId": "RL_CUSTOMROLE1",
                   "mappingCriteria": {"groupMembership": "b94f8737-0885-4193-b91e-6249974d9df3"}
                }
             ],
             "provisioningAgentCredential": {
                "type": "User",
                "value": "123",
                "$ref": "https://[base-server-url]/scim/{tenant}/v2/Users/123"
             },
             "userAuthenticationEndpoint": {
                "issuerUri": "<URL of your Microsoft Azure/Entra ID Oauth2 provider>/v2.0",
                "clientId": "4fafef0d-79fc-470b-9e5e-7a1ed4fd549f"
             }
          }
       ]
    }

  6. Test the connection to the SCIM federated directory using POST /User/Repository/ScimFed/{uid}.
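The "userAuthenticationEndpoint" block above is what the service later trusts when it accepts tokens from your directory, so it is worth checking before you POST it and understanding what it enforces. The following is an added example, not part of this documentation or of the HID product: it validates the block's shape (v2.0 issuer on login.microsoftonline.com, GUID client ID) and then checks a decoded ID token's iss, aud and exp claims against that block. The tenant GUID, the token claims and the assumption that the token's signature has already been verified are all constructed for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample of the userAuthenticationEndpoint block from step 5.
# The GUID in the authority URL is a placeholder; the clientId is the one
# shown in the page's sample configuration.
ENDPOINT = {
    "issuerUri": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0",
    "clientId": "4fafef0d-79fc-470b-9e5e-7a1ed4fd549f",
}

GUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"
# Exact form expected: https, the Microsoft login host, one GUID, /v2.0, no trailing slash.
ISSUER_RE = re.compile(rf"^https://login\.microsoftonline\.com/({GUID})/v2\.0$")


def validate_endpoint(ep):
    """Return a list of problems with a userAuthenticationEndpoint block (empty list = OK)."""
    problems = []
    if not ISSUER_RE.match(ep.get("issuerUri", "")):
        problems.append("issuerUri must be https://login.microsoftonline.com/<GUID>/v2.0")
    if not re.fullmatch(GUID, ep.get("clientId", "")):
        problems.append("clientId must be the application (client) ID GUID from App registrations")
    return problems


def check_token_claims(claims, ep, now=None):
    """Check already signature-verified ID-token claims against the configured endpoint.

    A token is acceptable only if it was issued by exactly the configured v2.0
    issuer (iss), is intended for exactly the configured client (aud), and has
    not expired (exp). Each failed check adds one message to the returned list."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if claims.get("iss") != ep["issuerUri"]:
        problems.append("iss does not match issuerUri")
    if claims.get("aud") != ep["clientId"]:
        problems.append("aud does not match clientId")
    exp = claims.get("exp")
    if exp is None or datetime.fromtimestamp(exp, timezone.utc) <= now:
        problems.append("token expired or missing exp")
    return problems


# Constructed claims: a valid token for this endpoint (exp is 2100-01-01 UTC)...
GOOD_CLAIMS = {"iss": ENDPOINT["issuerUri"], "aud": ENDPOINT["clientId"], "exp": 4102444800}
# ...and the same token shape issued by a different directory, which must be rejected.
WRONG_TENANT_CLAIMS = dict(
    GOOD_CLAIMS, iss="https://login.microsoftonline.com/99999999-0000-0000-0000-000000000000/v2.0"
)
```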

Once the Microsoft Azure/Entra ID users are provisioned into HID Authentication Service by the sync service, the users can then authenticate with their LDAP password.