Entra ID
The Microsoft Entra ID identity service allows Specops Authentication to integrate with the Microsoft Authentication Libraries (MSAL). This means that Microsoft Authenticator can be used to authenticate to Specops Authentication without a password. More information on passwordless sign-in can be found in Microsoft's documentation.
To enable Specops Authentication integration with Entra ID you need to configure the connection. The Authentication only (passwordless authentication) section below outlines the steps for configuring passwordless authentication, where Entra ID is used exclusively to authenticate synchronized users. Another option, offering more detailed control over the integration, is described in Custom.
Authentication only (passwordless authentication)
To enable the passwordless phone sign-in authentication method, configuration is required by both administrators and individual users.
Configuration for administrators
Note
For the most up-to-date information on configuring passwordless authentication, please see Microsoft's support pages.
- Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.
- Browse to Protection > Authentication methods > Policies.
- Under Microsoft Authenticator, choose the following options:
- Enable: Yes or No
- Target: All users or Select users
- Each added group or user is enabled by default to use Microsoft Authenticator in both passwordless and push notification modes ("Any" mode). To change the mode, set Authentication mode for each row to Any or Passwordless. Choosing Push prevents the use of the passwordless phone sign-in credential.
- To apply the new policy, click Save.
Configuration for users
Note
For the most up-to-date information on configuring passwordless authentication, please see Microsoft's support pages.
To register the Microsoft Authenticator app, follow these steps:
- Browse to https://aka.ms/mysecurityinfo.
- Sign in, then select Add method > Authenticator app > Add to add Microsoft Authenticator.
- Follow the instructions to install and configure the Microsoft Authenticator app on your device.
- Select Done to complete Microsoft Authenticator configuration.
Enabling phone sign-in
After users have registered the Microsoft Authenticator app, they need to enable phone sign-in:
- In Microsoft Authenticator, select the account registered.
- Select Enable phone sign-in.
- Follow the instructions in the app to finish registering the account for passwordless phone sign-in.
Note
For Secure Service Desk verification, users must answer Yes or No to the "Stay signed in?" prompt after signing in via Microsoft 365 before the verification is fully completed. Administrators may therefore want to consider disabling the "Stay signed in?" prompt in Entra ID.
Review Microsoft Authenticator settings
- Browse to Microsoft Entra admin center.
- In Microsoft Entra authentication methods, go to Policies in the left pane, then select Microsoft Authenticator.
- On the Enable and Target tab, confirm that the Authentication mode for the All users target (or whichever target covers your users) is not set to Push in the drop-down list; Push disables passwordless authentication.
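The same review can be scripted against the Microsoft Graph authentication methods policy, which is useful when the Authenticator method targets several groups. The following is an added example and not part of the Specops documentation or product; it assumes the Microsoft.Graph PowerShell module and a session with the Policy.Read.All scope, and the sample policy object at the end is constructed to show the "Push" misconfiguration the steps above warn about.

```powershell
# Added example (not from the Specops documentation): read the Microsoft Authenticator
# authentication method policy via Microsoft Graph and flag any include target whose
# authenticationMode is "push", which disables passwordless phone sign-in for that target.
# Assumes Microsoft.Graph PowerShell and Connect-MgGraph -Scopes 'Policy.Read.All'.

function Test-AuthenticatorPasswordlessPolicy {
    param(
        # The Microsoft Authenticator configuration as returned by
        # GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator
        [Parameter(Mandatory)] [hashtable] $Policy
    )

    $problems = @()

    if ($Policy.state -ne 'enabled') {
        $problems += "Microsoft Authenticator method is '$($Policy.state)', expected 'enabled'."
    }

    foreach ($t in $Policy.includeTargets) {
        # Graph values: any, deviceBasedPush (portal: Passwordless), push.
        # "push" is the one that blocks the passwordless phone sign-in credential.
        if ($t.authenticationMode -eq 'push') {
            $problems += "Target $($t.targetType) '$($t.id)' uses mode 'push': passwordless phone sign-in is disabled."
        }
    }

    if (-not ($Policy.includeTargets | Where-Object { $_.id -eq 'all_users' })) {
        $problems += "No 'all_users' include target: only the listed groups can use Microsoft Authenticator."
    }

    return $problems
}

# Live check against the tenant (Invoke-MgGraphRequest returns a hashtable by default):
# Connect-MgGraph -Scopes 'Policy.Read.All'
# $policy = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator'
# Test-AuthenticatorPasswordlessPolicy -Policy $policy

# Constructed sample (not from a real tenant) reproducing the misconfiguration described above
$sample = @{
    state          = 'enabled'
    includeTargets = @(
        @{ targetType = 'group'; id = 'all_users'; authenticationMode = 'push' }
    )
}
Test-AuthenticatorPasswordlessPolicy -Policy $sample
```

An empty result means the policy allows passwordless phone sign-in for everyone; any returned line names the target that needs its Authentication mode changed to Any or Passwordless in the admin center.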
Configure in Specops Authentication Web
- Navigate to Microsoft Entra ID in Specops Authentication and click Connection.
- In the Microsoft Entra ID connection details drop-down list, select Authentication only.
- Enter your Entra ID Tenant ID.
- If the Entra ID ImmutableId (also referred to as the source anchor) value is stored in a custom attribute, enter that attribute in the User attribute field.
Note
The default attribute is objectGUID.
- Click Test connection to check that everything is configured correctly.
- Click Grant consent. This redirects you to the Microsoft sign-in prompt.
- A Microsoft consent dialog is displayed. Sign in with your Entra ID tenant admin account to give the application access to sign in and read user profile.
Note
By accepting the permissions, you give the app access to the specified resources for all users in your organization.
To accept the permissions, click Accept. If you click Cancel you will be redirected to the Specops Authentication Admin Portal.
- Click Save.
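Because Specops Authentication matches synchronized users on the source anchor, a mismatch between the on-premises attribute entered in User attribute and the onPremisesImmutableId stored in Entra ID is the usual reason Test connection succeeds but a user cannot be found. The following is an added example, not part of the Specops documentation, for checking one account; it assumes the ActiveDirectory and Microsoft.Graph.Users PowerShell modules, a Graph session with User.Read.All, and that Entra Connect stores the source anchor as the Base64 encoding of the attribute's raw bytes (its default for objectGUID and mS-DS-ConsistencyGuid). The account name and attribute name in the usage lines are hypothetical.

```powershell
# Added example (not from the Specops documentation): confirm that the attribute Specops
# Authentication reads as the source anchor matches the synchronized user's
# onPremisesImmutableId in Entra ID. Assumes ActiveDirectory + Microsoft.Graph.Users modules
# and Connect-MgGraph -Scopes 'User.Read.All'.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)] [byte[]] $AnchorBytes)
    # Entra Connect writes the source anchor as Base64 of the attribute's raw bytes
    [Convert]::ToBase64String($AnchorBytes)
}

function Test-SourceAnchor {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # objectGUID is the default named in the docs; pass the custom attribute
        # (for example 'mS-DS-ConsistencyGuid') if the tenant uses one
        [string] $Attribute = 'objectGUID'
    )

    $adUser = Get-ADUser -Identity $SamAccountName -Properties $Attribute, userPrincipalName
    $raw = $adUser.$Attribute

    # objectGUID is returned as [guid]; a custom binary attribute is returned as [byte[]]
    $bytes = if ($raw -is [guid]) { $raw.ToByteArray() } else { [byte[]]$raw }
    $expected = ConvertTo-ImmutableId -AnchorBytes $bytes

    $cloudUser = Get-MgUser -UserId $adUser.UserPrincipalName -Property onPremisesImmutableId

    [pscustomobject]@{
        User     = $adUser.UserPrincipalName
        Expected = $expected
        Actual   = $cloudUser.OnPremisesImmutableId
        Match    = ($expected -eq $cloudUser.OnPremisesImmutableId)
    }
}

# Offline sanity check with a constructed GUID (no directory access needed):
ConvertTo-ImmutableId -AnchorBytes ([guid]'12345678-1234-1234-1234-123456789abc').ToByteArray()

# Live checks (hypothetical account and attribute names):
# Test-SourceAnchor -SamAccountName 'jdoe'
# Test-SourceAnchor -SamAccountName 'jdoe' -Attribute 'mS-DS-ConsistencyGuid'
```

If Match is false for the default attribute but true for mS-DS-ConsistencyGuid (or another attribute), that attribute is the value to enter in the User attribute field.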
Custom
Use this option for more detailed control over the integration. To set up a custom integration, you need to register a client application in the organization's tenant.
Detailed and up-to-date instructions on how to register a new application can be found in Microsoft's documentation. Below is a shortened version of the set-up procedure.
Once you've registered your application, the following information is required for configuring Specops Authentication:
- Tenant ID (more information on where to find your Tenant ID)
- Application Client ID (more information on where to find your Application Client ID)
- Application Client Secret (more information on registering your Application Client Secret)
Create an app registration in the Azure Portal
- Go to Microsoft Entra ID > App registrations > New registration.
- Provide a name, for example "Microsoft MFA for Specops uReset".
- In the Supported account types section, select an option (the default is "Accounts in this organizational directory only (Default Directory only - Single tenant)").
- In the Redirect URI section, select Web from the drop-down list and enter the URL from the Specops Authentication Microsoft Identity Services settings: https://login.specopssoft.com/Authentication/MicrosoftEntraId/Authentication/Callback
- Click Register.
- In the app registration Overview section, copy the following:
- Directory (tenant) ID
- Application (client) ID
Configure the app registration
- Go to Microsoft Entra ID > App registrations > All applications tab > Microsoft MFA for Specops uReset (or another app registration name if that was chosen) > Authentication.
- In the Implicit grant and hybrid flows section, enable ID tokens (used for implicit and hybrid flows).
- Go to Microsoft Entra ID > App registrations > All applications > Microsoft MFA for Specops uReset (or another app registration name if that was chosen) > Certificates & secrets > Client secrets tab.
- Click New client secret.
- Provide a description, for example Microsoft MFA for Specops uReset Client Secret.
- In the Expires dropdown list, select the time that the client secret will expire, for example 730 days (24 months).
- Click Add.
- Copy the client secret value. It is shown only once, and the integration stops working when the secret expires, so record the expiry date and rotate the secret before then.
Note
On first use, an Entra ID administrator may need to grant admin consent for the app registration before it can actually be used: see https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/review-admin-consent-requests.
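The registration steps above can also be performed with Microsoft Graph PowerShell, which is handy for repeatable or multi-tenant deployments and makes the redirect URI and ID token setting explicit. The following is an added example, not Specops' or Microsoft's own code; it assumes the Microsoft.Graph.Applications module and the Application.ReadWrite.All scope, uses the display name and redirect URI given in the steps above, and picks a 12-month secret lifetime as an assumption (the docs use 24 months as their example).

```powershell
# Added example (not from the Specops documentation): create the Custom-integration app
# registration, enable ID token issuance and add a client secret via Microsoft Graph.
# Assumes Microsoft.Graph.Applications and a session with Application.ReadWrite.All.

Connect-MgGraph -Scopes 'Application.ReadWrite.All'

$redirectUri = 'https://login.specopssoft.com/Authentication/MicrosoftEntraId/Authentication/Callback'

# Single-tenant registration (AzureADMyOrg = "Accounts in this organizational directory only")
# with a Web platform, the Specops redirect URI, and the "ID tokens (used for implicit and
# hybrid flows)" checkbox enabled. Access token issuance is left off; it is not needed here.
$app = New-MgApplication -DisplayName 'Microsoft MFA for Specops uReset' `
    -SignInAudience 'AzureADMyOrg' `
    -Web @{
        RedirectUris          = @($redirectUri)
        ImplicitGrantSettings = @{
            EnableIdTokenIssuance     = $true
            EnableAccessTokenIssuance = $false
        }
    }

# Client secret. Graph returns the secret text only in this response, so capture it now.
# 12 months is an assumption; shorter lifetimes mean more frequent rotation but less exposure.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'Microsoft MFA for Specops uReset Client Secret'
    EndDateTime = (Get-Date).AddMonths(12)
}

# The three values the Custom connection in Specops Authentication asks for
[pscustomobject]@{
    TenantId      = (Get-MgContext).TenantId
    ClientId      = $app.AppId
    ClientSecret  = $secret.SecretText
    SecretExpires = $secret.EndDateTime
}
```

Store ClientSecret in a secrets manager rather than leaving it in the console history, and put SecretExpires in a calendar: a new secret can be added with Add-MgApplicationPassword and entered in Specops Authentication before the old one is removed, so rotation needs no downtime.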
Configure in Specops Authentication Web
- Navigate to Microsoft Entra ID in Specops Authentication and click Connection.
- In the Microsoft Entra ID connection details drop-down list, select Custom.
- Enter the required values for Tenant ID, Application Client ID and Application Client Secret.
- In the Azure Instance field, select the Entra ID instance you want to use: Global, US Government, or China, depending on your requirements.
- Copy the Redirect Uri value. In the Entra ID tenant application, go to Authentication, then click Add a platform, select Web, and enter the URI in the Custom redirect URIs field. More information can be found in Microsoft's documentation: Register an application in Microsoft Entra ID.
- Click Test connection to check that everything is configured correctly.
- Click Save.