Entra ID

The Microsoft (Entra ID) identity service allows Specops Authentication to integrate with Microsoft Authentication Libraries. This means that Microsoft Authenticator can be used to authenticate with Specops Authentication without using a password. More information on passwordless sign-in can be found here. Please note that although this identity service leverages Entra ID (formerly known as Azure AD), it is referred to in the GUI as Microsoft.

Configuring Microsoft (Entra ID)

Before you can configure Specops Authentication to work with Microsoft (Entra ID), you need to register a client application in Microsoft Entra ID. Detailed and up-to-date instructions on how to register a new application can be found in Microsoft's documentation. Below is a shortened version of the set-up procedure.

Note that once you've registered your application, the following information is required for configuring Specops Authentication:

Creating an appregistration in Azure Portal (Azure Portal)

  1. Go to Microsoft Entra ID > App registrations > New registration.
  2. Provide a name, for example "Microsoft MFA for Specops uReset".
  3. In the Supported account types section, select an option (default is "Account in this organizational directory only (Default Directory only - Single tenant)).
  4. In the Redirect URI section, select Web from drop down list and enter URL from Specops Authentication Microsoft Identity Services settings: https://login.specopssoft.com/Authentication/MicrosoftEntraId/Authentication/Callback.
  5. Click Register.
  6. In the app registration Overview section, copy the following:
    • Directory (tenant) ID
    • Application (client) ID

Configure the app registration

  1. Go to Microsoft Entra ID > App registrations > All applications tab > Microsoft MFA for Specops uReset (or another app registration name if that was chosen) > Authentication.
  2. In the Implicit grant and hybrid flows section, enable ID tokens (used for implicit and hybrid flows).
  3. Go to Microsoft Entra ID > App registrations > All applications > Microsoft MFA for Specops uReset (or another app registration name if that was chosen) > Certificates & secrets > Client secrets tab.
  4. Click New client secret.
  5. Provide a description, for example Microsoft MFA for Specops uReset Client Secret.
  6. In the Expires dropdown list, select the time that the client secret will expire, for example 730 days (24 months).
  7. Click Add.
  8. Copy the client secret value.

Review Microsoft Authenticator settings

  1. Go to Microsoft Entra authentication methods .
  2. Go to Policies section in left pane, then select Microsoft Authenticator .
  3. In the Enable and Target tab, Target "All users" Authentication mode must not be set to Push in drop down list (if set to Push, it would disable passwordless authentication).
NOTE
On first use, an Azure admin may need to approve the app registration before it can actually be used: see https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/review-admin-consent-requests.

Configure Specops Authentication Web

    Specops Authentication WebIdentity Services

  1. Go to Identity Services, and click on Microsoft.
  2. In the Azure Instance field, select the Entra ID instance you want to use: Global, US Government, or China, depending on your requirements.
  3. Enter your Entra ID Tenant ID
  4. Enter your Application Client ID
  5. Enter your Application Client Secret
  6. Enter the Redirect URI in your Entra ID application. (in the application, go to Authentication, then click Add a Platform, select Web , and enter the URI in the Custom redirect URIs field. More information can be found here.
  7. If the Entra ID ImmutableId (also referred to as source anchor) value is stored in a custom attribute, enter that attribute in the User attribute field.
    NOTE
    The default attribute is objectGUID.
  8. Click Test connection to check whether everything is configured correctly.
  9. Click Save

Setting up passwordless authentication

To enable the passwordless phone sign-in authentication method, configuration is required by both administrators and individual users.

Configuration for administrators

NOTE
For the most up-to-date information on configuring passwordless authentication, please visit the Microsoft support pages here.
  1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.
  2. Browse to Protection > Authentication methods > Policies.
  3. Under Microsoft Authenticator, choose the following options:
    • Enable: Yes or No
    • Target: All users or Select users
  4. Each added group or user is enabled by default to use Microsoft Authenticator in both passwordless and push notification modes ("Any" mode). To change the mode, for each row for Authentication mode - choose Any, or Passwordless. Choosing Push prevents the use of the passwordless phone sign-in credential.
  5. To apply the new policy, click Save.

Configuration for users

NOTE
For the most up-to-date information on configuring passwordless authentication, please visit the Microsoft support pages here.

To register the Microsoft Authenticator app, follow these steps:

  1. Browse to https://aka.ms/mysecurityinfo.
  2. Sign in, then select Add method > Authenticator app > Add to add Microsoft Authenticator.
  3. Follow the instructions to install and configure the Microsoft Authenticator app on your device.
  4. Select Done to complete Microsoft Authenticator configuration.
Enabling phone sign-in

After users registered themselves for the Microsoft Authenticator app, they need to enable phone sign-in:

  1. In Microsoft Authenticator, select the account registered.
  2. Select Enable phone sign-in.
  3. Follow the instructions in the app to finish registering the account for passwordless phone sign-in.
NOTE
For Secure Service Desk verification, because users must answer Yes or No to the Stay Signed in prompt after signing in via Microsoft 365 for the verification process to be fully completed, administrators may want to consider disabling the Stay signed in prompt in Azure.