OAuth 2.0 Authentication
The Microsoft Entra SaaS connector supports OAuth 2.0 authentication with the following grant types:
- Client Credentials
- Refresh Token/Auth Code
- JWT Certificate Credentials
Client Credentials
The default grant type is client credentials-based authentication. This grant type requires the following:
- Obtain your Client ID and Client Secret from Microsoft Entra by registering the application.
- Assign the required Microsoft Graph API permission to the application. For more information, refer to Microsoft Graph API.
- The following permissions do not allow the connector to manage users with administrative roles. To manage users with administrative roles, the application created on Microsoft Entra must have the User Administrator or Global Administrator role and the Privileged Authentication Administrator role assigned using Windows Azure Active Directory Module for Windows PowerShell.
- Assign the required permissions to the application:

Permission | Type | Purpose
Directory.ReadWrite.All | Application | Read, Update, Delete Group, and Add Membership; Read, Update, Change Password, and Delete User
User.Invite.All | Application | Invite B2B Users
Refresh Token/Auth Code or JWT Certificate Credentials
- Refresh Token/Auth Code: The Refresh Token/Auth Code grant type is a client credentials-based authentication protocol. In addition to the client credentials, it uses a Refresh Token to perform authentication.
- JWT Certificate Credentials: JWT Certificate Credentials supports authentication based on a JWT assertion prepared from a certificate and its private key.
For the Refresh Token/Auth Code or JWT Certificate Credentials grant type (client credentials-based authentication), the following configurations are required:
- Obtain your Client ID and Client Secret from Microsoft Entra by registering the application.
- Assign the required Microsoft Graph API permission to the application. For more information, refer to Microsoft Graph API.
- The following permissions do not allow the connector to manage users with administrative roles. To manage users with administrative roles, the application created on Azure must have the User Administrator or Global Administrator role and the Privileged Authentication Administrator role assigned using Windows Azure Active Directory Module for Windows PowerShell.

Permission | Type | Purpose
Directory.ReadWrite.All | Delegated | Read, Update, Delete Group, and Add Membership; Read User and Update User
User.Invite.All | Delegated | Invite B2B Users
Directory.AccessAsUser.All | Delegated | Change Password, and Delete User

Note: Assign granular, per-operation application permissions if you do not want to assign the full directory-level permission.
- (For Refresh Token/Auth Code only) Generate a Refresh Token. For more information, refer to Generating Refresh Token.
- (For JWT Certificate Credentials only) Upload the certificate (self-signed or CA signed). It must be an X.509 certificate, its private key must be encrypted with RSA, and it must be registered at the Microsoft Entra portal. Perform the following steps to register the certificate with the Microsoft identity platform:
  - Log in to the Microsoft Entra portal.
  - In the Entra app registrations for the client application, select the client application.
  - Select Certificates & secrets.
  - Select Upload certificate and select the certificate file to be uploaded.
  - Select Add.
  - Obtain values for the following configurations:
    - Private Key: Obtain the private key text file.
    - Private Key Password
    - Certificate: Obtain the text file of the same certificate that was uploaded on the Microsoft Entra portal.
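As an added example (not the connector's or Microsoft's own code), the Python below shows how the three values collected above are turned into the JWT client assertion that certificate-credentials authentication sends to the token endpoint: the private key file is unlocked with its password, the certificate's SHA-1 thumbprint goes into the x5t header, the tenant's token endpoint is the audience, and the result is checked locally the way Entra will check it against the uploaded certificate. It assumes the `cryptography` package; the sample key and certificate are generated in code as stand-ins for the operator's files, and the tenant, client ID and password used are constructed placeholders.

```python
import base64, datetime, json, uuid
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"  # also the JWT audience

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def x5t(cert_pem: bytes) -> str:
    # base64url(SHA-1 of the DER certificate): Entra uses it to select the uploaded certificate
    return b64url(x509.load_pem_x509_certificate(cert_pem).fingerprint(hashes.SHA1()))

def build_client_assertion(key_pem, key_password, cert_pem, tenant, client_id, now):
    # JWT signed (RS256) with the private key matching the uploaded certificate; now = Unix seconds
    key = serialization.load_pem_private_key(key_pem, password=key_password)
    header = {"alg": "RS256", "typ": "JWT", "x5t": x5t(cert_pem)}
    claims = {"aud": TOKEN_URL.format(tenant=tenant), "iss": client_id, "sub": client_id,
              "jti": str(uuid.uuid4()), "nbf": now, "exp": now + 300}  # short-lived, single use
    dump = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{dump(header)}.{dump(claims)}"
    sig = key.sign(signing_input.encode(), padding.PKCS1v15(), hashes.SHA256())
    return f"{signing_input}.{b64url(sig)}"

def verify_assertion(assertion: str, cert_pem: bytes) -> bool:
    # Local pre-flight of what Entra checks: signature verifies under the certificate, x5t matches it
    head, claims, sig = assertion.split(".")
    cert = x509.load_pem_x509_certificate(cert_pem)
    try:
        cert.public_key().verify(b64url_decode(sig), f"{head}.{claims}".encode(),
                                 padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        return False
    return json.loads(b64url_decode(head)).get("x5t") == x5t(cert_pem)

def make_sample_material(password: bytes):
    # Constructed stand-in for the operator's files: password-encrypted RSA key + self-signed X.509 cert
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "entra-connector-sample")])
    start = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number()).not_valid_before(start)
            .not_valid_after(start + datetime.timedelta(days=365)).sign(key, hashes.SHA256()))
    key_pem = key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                                serialization.BestAvailableEncryption(password))
    return key_pem, cert.public_bytes(serialization.Encoding.PEM)
```

The assertion string is sent to the token endpoint as client_assertion with client_assertion_type urn:ietf:params:oauth:client-assertion-type:jwt-bearer in place of a client secret; a thumbprint or signature mismatch in verify_assertion means the private key file does not belong to the certificate uploaded in the portal.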