Microsoft Entra ID
There are two ways to manage users in Specops Authentication; your organization's environment determines which one fits:
- Specops Authentication Gatekeeper (on-premises component): for Active Directory environments.
- Microsoft Entra ID (cloud-based): for non-Active Directory environments.
This section explains how to integrate Specops Authentication with Microsoft Entra ID.
Note
Entra ID also functions as an identity service, enabling the product to integrate with Microsoft Authentication Libraries. Through this service, Microsoft Authenticator can be used for passwordless authentication. For more details, see Entra ID identity service.
Integrating Specops Authentication with Entra ID
By integrating Specops Authentication with Entra ID, you can securely authenticate and manage users in Cloud environments where no traditional Active Directory (AD) is available.
With this integration, Entra ID users can:
- Enroll for uReset and securely reset their passwords.
- Enroll for Secure Service Desk and have their passwords securely reset by service desk agents.
To enable Specops Authentication integration with Entra ID you need to configure the connection. You can either connect using the Specops supplied applications (see Default) or configure your own (see Custom). There is also an Authentication only option, where Entra ID is used only for authenticating synced users, without enabling the full uReset functionality. This option is described in Entra ID.
Note
You need to verify your Entra ID domain in Specops Authentication before you can complete the configuration; refer to Domain Verification.
See Roles and Scopes for details on configuring access for Entra ID user groups.
Default
The recommended way to configure the Entra ID connection is to use the default application to connect to your Tenant. This alternative is only available if "Entra ID users" is enabled.
- Navigate to Microsoft Entra ID in Specops Authentication and click Connection.
- In the Microsoft Entra ID connection details drop-down list, select Default.
- Enter your Tenant ID in the field; you can find it in your Entra ID portal.
- (Optional) If you have synced users, enter the custom AD attribute in the User attribute field.
- Click on Grant consent. This will redirect you to the Microsoft sign in prompt.
- A Microsoft consent dialog is displayed. Sign in with your Entra ID tenant admin account to accept the requested permissions. These permissions will allow the app to:
- access directory as the signed in user
- sign in and read user profile
- read directory data
- read and write all users' full profiles
Note
By accepting the permissions, you give the app access to the specified resources for all users in your organization.
To accept the permissions, click Accept. If you click Cancel you will be redirected to the Specops Authentication Admin Portal.
- Click Test Connection to ensure that Specops Authentication can access the Entra ID tenant. If the connection test fails, wait a while and try again.
- Click Save configuration.
The application will be signed by Microsoft under the parent company Outpost24.
Next, you need to configure Application permissions.
Custom
Use this option for more detailed control over the integration. To set up a custom integration, a new app needs to be registered in the organization's tenant.
Create an app registration in the Azure Portal
- Go to Microsoft Entra ID > App registrations > New registration.
- Provide a name, for example [Specops App].
- In the Supported account types section, select an option (default is Account in this organizational directory only (Default Directory only - Single tenant)).
- In the Redirect URI section, select Web from the drop-down list and enter the Redirect URL copied from the configuration page. It should look like this: https://login.specopssoft.com/Authentication/MicrosoftEntraId/Authentication/Callback
- Click Register.
Configure the app registration
- Go to Microsoft Entra ID > App registrations > All applications tab > [Specops App] > Authentication.
- In the Implicit grant and hybrid flows section:
- Enable Access tokens (used for implicit flows).
- Enable ID tokens (used for implicit and hybrid flows).
- Go to Microsoft Entra ID > App registrations > All applications > [Specops App] > Certificates & secrets > Client secrets tab.
- Click New client secret.
- Provide a description, for example Specops App Client Secret.
- In the Expires dropdown list, select the time that the client secret will expire, for example 730 days (24 months).
- Click Add.
- Copy the client secret value.
Configure API permissions
- Go to Microsoft Entra ID > App registrations > All applications > [Specops App] > API permissions.
- Add the following delegated permissions for Microsoft Graph:
- Directory.AccessAsUser.All
- User.Read
- Add the following application permissions for Microsoft Graph:
- Directory.Read.All
- User.ReadWrite.All
- Application.ReadWrite.All
The permission Application.ReadWrite.All is used to create an extension property that Specops Authentication will use, and it can be removed after the initial configuration has been finished, see Setup connection in Specops Authentication.
- After adding the permissions, click Grant admin consent for [Company Name].
Configure in Specops Authentication Web
- Navigate to Microsoft Entra ID in Specops Authentication and click Connection.
- In the Microsoft Entra ID connection details drop-down list, select Custom.
- Enter the required values for the custom application.
- Click Test connection to verify that everything is configured correctly.
- Click Save.
The Application.ReadWrite.All permission can now be removed.
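A way to confirm that the custom app registration is left with only the application permissions listed above (and that Application.ReadWrite.All really was removed), plus a check on client secret expiry, as an added example that is not Specops or Microsoft code. It runs on constructed JSON in the shape of Microsoft Graph appRole, appRoleAssignment and passwordCredential objects; the GUIDs are made up.

```python
from datetime import datetime, timedelta, timezone

# Application permissions the Custom integration needs after initial setup.
EXPECTED_AFTER_SETUP = {"Directory.Read.All", "User.ReadWrite.All"}
# Only needed to create the extension property; should be gone afterwards.
SETUP_ONLY = {"Application.ReadWrite.All"}

# Constructed sample: appRoles exposed by the Microsoft Graph service
# principal (ids are made up, not the real Graph permission ids).
GRAPH_APP_ROLES = [
    {"id": "11111111-0000-0000-0000-000000000001", "value": "Directory.Read.All"},
    {"id": "11111111-0000-0000-0000-000000000002", "value": "User.ReadWrite.All"},
    {"id": "11111111-0000-0000-0000-000000000003", "value": "Application.ReadWrite.All"},
]
# Constructed sample: appRoleAssignments granted to the Specops App service
# principal. Application.ReadWrite.All was never removed here.
ASSIGNMENTS = [
    {"appRoleId": "11111111-0000-0000-0000-000000000001"},
    {"appRoleId": "11111111-0000-0000-0000-000000000002"},
    {"appRoleId": "11111111-0000-0000-0000-000000000003"},
]
# Constructed sample: passwordCredentials on the app registration.
SECRETS = [
    {"displayName": "Specops App Client Secret", "endDateTime": "2025-01-10T00:00:00Z"},
]

def granted_app_roles(assignments, resource_app_roles):
    """Resolve appRoleId GUIDs to permission names via the resource's appRoles."""
    names = {r["id"]: r["value"] for r in resource_app_roles}
    return {names.get(a["appRoleId"], a["appRoleId"]) for a in assignments}

def audit_permissions(granted):
    """Setup-only roles still present, roles outside the expected set, and roles missing."""
    return {
        "remove": sorted(granted & SETUP_ONLY),
        "unexpected": sorted(granted - EXPECTED_AFTER_SETUP - SETUP_ONLY),
        "missing": sorted(EXPECTED_AFTER_SETUP - granted),
    }

def expiring_secrets(secrets, now_iso=None, warn_days=30):
    """Names of secrets already expired or expiring within warn_days of now_iso."""
    now = (datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
           if now_iso else datetime.now(timezone.utc))
    limit = now + timedelta(days=warn_days)
    return [s["displayName"] for s in secrets
            if datetime.fromisoformat(s["endDateTime"].replace("Z", "+00:00")) <= limit]

if __name__ == "__main__":
    roles = granted_app_roles(ASSIGNMENTS, GRAPH_APP_ROLES)
    print(audit_permissions(roles))          # flags Application.ReadWrite.All for removal
    print(expiring_secrets(SECRETS, "2024-12-20T00:00:00Z"))
```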
Roles
Here you can configure which Entra ID groups map to the corresponding Specops Authentication roles. Search for a group in each tab and select at least one group for each category.
- Admin - Has full access to the admin pages
- User Admin - Has full access to Secure Service Desk**
- User Verifier - Can verify users in Secure Service Desk**
- Reporting Reader - Can access the admin pages reporting function
** Only available for customers with an active Secure Service Desk subscription.
Scopes
Here you can configure which groups of users will be able to use Specops Authentication.
- Select the scope in Entra ID; leaving it default/blank sets the scope to all users in the tenant.
- (Optional) If you have administrators outside of the selected scope, also enable the Allow admins and managers to be outside of the selected scopes option.
Configure application permissions
In order to enable Reset/Change password capabilities, you need to assign the application the Helpdesk Administrator or User Administrator role.
- Helpdesk Administrator - Can reset passwords for non-administrators.
- User Administrator - Can reset passwords for all users, including limited admins.
Go to Roles and Administrators in the Microsoft Entra Portal.
- Select one of the roles above.
- Click Add assignment.
- Search for the application name [Specops App] or your custom application. Note that the search window will only show users until the search term starts to match an application name.
- Add the appropriate role to the application.