OAuth 2.0 Authentication

The Microsoft Entra ID connector supports OAuth 2.0 authentication with the following grant types:

  • Client Credentials

  • SAML Bearer Assertion

  • Refresh Token/Auth Code

  • JWT Certificate Credentials

Client Credentials

The default grant type is client credentials-based authentication. This grant type requires the following:

  • Obtain your Client ID and Client Secret from Microsoft Entra ID by registering the application.

  • Assign the required Microsoft Graph API permission to the application. For more information, refer to Microsoft Graph API.

  • The permissions listed below do not allow the connector to manage users that hold administrative roles. To manage such users, the application registered in Azure must have the User Administrator or Global Administrator role and the Privileged Authentication Administrator role, assigned using the Windows Azure Active Directory Module for Windows PowerShell.

  • Assign the required permissions to the application:

    Permission                 Type           Purpose
    Directory.ReadWrite.All    Application    Read, Update, Delete Group, and Add Membership;
                                              Read, Update, Change Password, and Delete User
    User.Invite.All            Application    Invite B2B Users
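As an added example (not part of this documentation or of the connector's own code), the Python below builds the client-credentials token request for the Microsoft identity platform v2.0 token endpoint and then checks whether an access token actually carries the application permissions listed in the table above. The endpoint path, the `grant_type` value and the `https://graph.microsoft.com/.default` scope are the standard Microsoft identity platform values; the client ID, secret and tokens used in the test are constructed placeholders. The permission check is useful when the connector reports authorization errors: a token whose `roles` claim lacks `Directory.ReadWrite.All` or `User.Invite.All` means admin consent was not granted for that application permission.

```python
import base64
import json

# Default scope for app-only (client credentials) calls to Microsoft Graph.
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"

# Application permissions from the table above; the connector needs all of them.
REQUIRED_APP_PERMISSIONS = ["Directory.ReadWrite.All", "User.Invite.All"]


def client_credentials_request(client_id: str, client_secret: str,
                               scope: str = GRAPH_DEFAULT_SCOPE) -> dict:
    """Form fields POSTed to https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token.
    The secret travels in the request body over TLS; it must never be put in a query string."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(access_token: str) -> dict:
    """Read the payload of a JWT access token. This is inspection only: the
    signature is not verified here, so use it for diagnostics, not for trust decisions."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def missing_permissions(access_token: str, required, delegated: bool = False) -> list:
    """Return the required permissions that are absent from the token.

    App-only tokens (client credentials, JWT certificate credentials) list
    application permissions in the 'roles' claim as a JSON array. Delegated
    tokens (SAML bearer, refresh token) list scopes in the 'scp' claim as a
    space-separated string.
    """
    claims = token_claims(access_token)
    if delegated:
        granted = set(claims.get("scp", "").split())
    else:
        granted = set(claims.get("roles", []))
    return sorted(set(required) - granted)


def constructed_token(claims: dict) -> str:
    """Build an unsigned JWT with the given claims. Constructed test input only:
    a real Entra ID access token carries an RS256 signature in the third segment."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


if __name__ == "__main__":
    # Constructed token that only has the first of the two required app permissions.
    sample = constructed_token({"aud": "https://graph.microsoft.com",
                                "roles": ["Directory.ReadWrite.All"]})
    print("request body:", client_credentials_request("<client-id>", "<client-secret>"))
    print("missing app permissions:", missing_permissions(sample, REQUIRED_APP_PERMISSIONS))
```

Run the module directly to see the request body and the missing-permission report for the constructed token; in practice you would pass the `access_token` value returned by the token endpoint instead.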

SAML Bearer Assertion

The SAML Bearer Assertion grant type authenticates the user with a password against an ADFS environment. The SAML assertion that ADFS issues after authentication is then exchanged for an access token from Microsoft Entra ID.

The SAML Bearer Assertion authentication requires the following additional configurations to be performed:

  • Microsoft Entra Connect configured with Microsoft Entra ID along with ADFS.

  • Obtain your Client ID and Client Secret from Microsoft Entra ID by registering the application.

  • Assign required permissions to the application:

    Permission                   Type        Purpose
    Directory.ReadWrite.All      Delegated   Read, Update, Delete Group, and Add Membership;
                                             Read User and Update User
    User.Invite.All              Delegated   Invite B2B Users
    Directory.AccessAsUser.All   Delegated   Change Password and Delete User

    Note
    Assign granular application permissions for each operation if you do not want to assign full directory-level permission. For more information, refer to Required Permissions.

  • The authentication user must be synchronized in Microsoft Entra ID.

  • To manage users with administrative roles, an application created on Azure must have the User Administrator or Global Administrator role and the Privileged Authentication Administrator role assigned using Windows Azure Active Directory Module for Windows PowerShell.

    Note
    To manage users with administrative roles, assign the Global Administrator role to the authentication user.

  • The ADFS endpoint required to authenticate the user must be enabled.

  • The ADFS service communication certificate must be installed on the Identity Security Cloud machine.

  • The ADFS machine time zone must be in sync with Azure time zone, that is, UTC.

Refresh Token/Auth Code or JWT Certificate Credentials

  • Refresh Token/Auth Code: The Refresh Token/Auth Code grant type is a client credentials-based authentication protocol. In addition to the client credentials, it uses a refresh token to perform authentication.

  • JWT Certificate Credentials: The JWT Certificate Credentials grant type authenticates with a JWT assertion built from a certificate and its private key.

The Refresh Token/Auth Code and JWT Certificate Credentials grant types require the following configurations:

  • Obtain your Client ID and Client Secret from Microsoft Entra ID by registering the application.

  • Assign the required Microsoft Graph API permission to the application. For more information, refer to Microsoft Graph API.

  • The permissions listed below do not allow the connector to manage users that hold administrative roles. To manage such users, the application registered in Azure must have the User Administrator or Global Administrator role and the Privileged Authentication Administrator role, assigned using the Windows Azure Active Directory Module for Windows PowerShell.

    Permission                   Type        Purpose
    Directory.ReadWrite.All      Delegated   Read, Update, Delete Group, and Add Membership;
                                             Read User and Update User
    User.Invite.All              Delegated   Invite B2B Users
    Directory.AccessAsUser.All   Delegated   Change Password and Delete User

    Note
    Assign granular application permissions for each operation if you do not want to assign full directory-level permission.

  • (For Refresh Token/Auth Code only) Generate a Refresh Token. For more information, refer to Generating a Refresh Token.

  • (For JWT Certificate Credentials only) The certificate (self-signed or CA-signed) must be uploaded. It must be an X.509 certificate, and the private key must be encrypted with RSA and registered in the Microsoft Entra ID portal. Perform the following steps to register the certificate with the Microsoft identity platform:

    1. Log in to Microsoft Entra Portal.

    2. In the Entra app registrations for client application, select the client application.

    3. Select Certificates & secrets.

    4. Select Upload certificate and select the certificate file to upload.

    5. Select Add.

    6. Obtain values for the following configurations:

      • Private Key: Obtain the private key text file.

      • Private Key Password

      • Certificate: Obtain the text file of the same certificate which was uploaded on the Microsoft Entra portal.