1. Home
  2. Configuration
  3. Add Directory Service
  4. Add Microsoft Entra ID as a Directory Source
  1. Home
  2. Configuration
  3. Microsoft Entra ID
  4. Add Microsoft Entra ID as a Directory Source

Add Microsoft Entra ID as a Directory Source

Overview

If you are using Microsoft Entra ID (formerly Azure Active Directory) to store and manage your user information, you can configure Practice Protect Identity to recognize it as a directory service and see the users as managed domain users. You can then add your Entra ID users to roles and grant permissions to access applications. Your users can then log in to Practice Protect Identity with their Entra ID accounts and launch assigned applications.

Considerations

In this deployment method, the core attributes of the user accounts are controlled in Entra ID/Microsoft 365 including passwords. As EntraID is the point of truth, we are also unable to implement Email Integration (Federation) in this deployment as it would cause an authentication loop. That’s why it is recommended that this deployment method is only done in an instance where your Microsoft Entra ID is managed by an IT professional. You have either Microsoft Entra ID Security Defaults Enabled or Microsoft Entra ID Conditional Access Configured with GEO Blocking.

Migration

If you have a current deployment of Practice Protect and would like to switch over to Microsoft Entra ID as the Source Identity, please reach out to the support team to plan a migration. As each source directory creates its user source and existing user accounts cannot be linked to new directories, incorrect migration can lead to duplicate accounts. 

You may reach out to our support team at [email protected]



Instructions

Register an application in Entra

  1.  Login to Microsoft Entra Admin Center with an Administrator Account.  (Note this is the same Administrator Account as Microsoft 365)
  2.  On the left menu, go to Applications and click App Registrations. 
  3. Click New Registration.


  4.  Set the Name to Practice Protect leave all other settings default and click Register.


  5. Go to API permissions, then click Add a permission.

  6. Click Microsoft Graph
  7. Click Application permissions.

  8. Select the following permissions below. The Type should be Application then click Add permissions.

  • Domain.Read.All
  • Group.Read.All
  • User.Read.All
                                                                                                                           
  1. Click Grant admin consent for <your company>.

  2. Click Yes on the confirmation prompt.
  3. Return to the overview of the created app (i.e. PracticeProtect). Next to ObjectID click copy.

  4. Open PowerShell. Run the following commands to connect to AzureAD and Set the Date Variables.

    Connect-AzureAD

    $StartDate = Get-Date
    $EndDate = $startDate.AddYears(100)


    Then run the following command to generate a secret.
    Note – change the ObjectID value to the Object ID you copied from Step 3

    New-AzureADApplicationPasswordCredential -ObjectId 359489f0-ee65-448d-8fd2-4f02a969583b -StartDate $startDate -EndDate $endDate


    Important! Copy the Value Output to your clipboard/notepad. This is needed in the next steps as if you missed it, you will have to generate it again. 

  5. Return to the Microsoft Entra Admin Center then go to the Overview page of the app you registered (E.g. PracticeProtect) and copy the following values:

    • Application (client) ID
    • Directory (tenant) ID


Add the Microsoft Entra ID Directory in the Admin Portal

  1. Open a new browser tab and log in to the Practice Protect Admin Portal
  2. Go to Settings > Users > Directory Services, then click Add Microsoft Entra ID.

  3. On the Microsoft Entra Domain Sevices form, enter a Name for your Directory. (e.g. YourCompany Entra ID).
  4. Paste the Directory ID and Client ID you copied from Step 5 on the Register an Application in Entra section in the required fields.
  5. Also, paste the Client Secret you copied from Step 4 on the Register an Application in Entra section. 
  6. Set National Cloud Type to Global Service
  7. Click Authorize.


    Your available domains appear in the table below the authorize button. Domains not indicated as Federated are considered Managed domains.

    If you add additional custom domains in Microsoft Entra ID, you have to re-authorize it in the Admin Portal before you can query the users and groups. 

  8. Below the list of domains, click Copy URI to copy the authenticated redirect URI.
  9. Go back to the Microsoft Entra ID page >  Overview of your registered app (e.g. PracticeProtect) and click Add a Redirect URI.

  10. Click Add a platform, then click Web.

  11. Paste the Redirect URI you copied from Step 8 into the Redirect URIs field.
  12. Select ID tokens (used for Implicit and hybrid flows), then click Configure.

  13. click Save. PracticeProtect app with the redirect URI is now set up. 
  14.  The Microsoft Entra ID users can now log in to Practice Protect via their Microsoft 365/Entra ID credentials.

    You can also utilize the Microsoft Security group and add them to Practice Protect roles to grant user application permissions, and security policies or enforce authentication profiles. 

  15. On the login page of Practice Protect, enter your Microsoft 365/Entra ID username and click Next. 

  16. Users will be redirected to Microsoft 365 login for login authentication. Note: If your Microsoft 365 Tenant has a Conditional Access Policy applied like MFA enforcement, this will prompt users to authenticate their sign-in. 

  17. Once authenticated, Users now have access to the User Portal of Practice Protect.




 

Updated on September 16, 2024

Related Articles

Need Support?
Can't find the answer you're looking for?
Contact Support