ContextQMD
Back to Authentik

Configure Entra ID

website/docs/add-secure-apps/providers/entra/configure-entra.md

latest2.9 KB
Original Source

For more information about using an Entra ID provider, see the Entra ID Overview documentation.

Your Entra ID tenant must be configured before you create a Entra ID provider.

This involves creating an app registration, generating a secret, and configuring the required API permissions.

:::warning Email domains When the default authentik default Microsoft Entra Mapping: User property mapping is used, authentik checks whether each user's email domain is verified in your Entra ID tenant.

In which case, you must configure each user's email domain as a verified custom domain in Entra ID; otherwise, provisioning fails. The tenant's default onmicrosoft.com domain (e.g., @<tenant name>.onmicrosoft.com), is considered a verified domain.

Alternatively, if you need to provision users with email domains that you don't control, refer to Email handling for more information. :::

Configuring you Entra ID tenant

  1. Log in to the Entra ID admin center.
  2. Navigate to App registrations, click New registration, and set the following configurations:
    • Provide a Name for the app registration (e.g. authentik Entra Provider)
    • Under Supported account types, select Accounts in this organizational directory only
    • Leave Redirect URI empty
  3. Click Register.
  4. On the app detail page, take note of the Application (client) ID and Directory (tenant) ID. These values will be required when you create the Entra ID provider in authentik.
  5. Next, in the near-left navigation pane, click on Certificates and Secrets.
  6. On the Client secrets tab, click New client secret and set the following configuration:
    • Provide a Description for the client secret
    • Set an expiry period for the secret. Please note that you will need to rotate the secret value in Entra ID and authentik upon expiry.
  7. Click Add.
  8. The Value of the client secret is shown only once. Take note of the value as it will be required when you create the Entra ID provider in authentik.
  9. Next, in the near-left navigation pane, click on API permissions.
  10. Click Add a permission and select Microsoft Graph as the API.
  11. Select Application permissions as the permission type and assign the following permissions:
    • Group.Create
    • Group.ReadWrite.All
    • GroupMember.ReadWrite.All
    • User.ReadWrite.All
  12. Click Add permissions.
  13. Under Configured permissions, click Grant admin consent for default directory.

Now that you have configured your Entra ID tenant, you are ready to create an Entra ID provider.