Microsoft Entra as an IAM provider Integration

Before you begin

  • Make sure you can access your company's Microsoft Entra instance
  • You must have the User Administrator, Groups Administrator, Application Administrator and App Developer roles to perform the app registration, group and user setup
  • You must have the Global Administrator role to grant the required app permissions (admin consent)
  • You must add the mandatory data to each employee profile (see the next section)

❗️ If your Microsoft Entra tenant has federated access through another IAM provider, such as Okta, follow the steps in the Okta integration guides instead.

User profile configuration requirements

Incode Workforce reads data from the Microsoft Entra user profile. To perform identity verification, the following fields are mandatory in the Entra user profile:

  • First Name: User's first name (or Given name)

  • Last Name: User's last name (or Surname)

    Fill out First and Last name for all users in your employee directory

  • Email: User's work email. This is the address to which the user will receive registration information.

    Fill out Email field in user Contact information

Make sure that every user in the group that represents the employees you want to allow self-served password/MFA resets and on-request identity verification has these fields set up correctly.
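A practical way to audit this before the first sync is to pull the group's members through Microsoft Graph and flag anyone missing a required field. The following is an added example written for this guide, not Incode's or Microsoft's code. It assumes the JSON shape returned by the Graph endpoint GET /groups/{id}/members with $select=id,displayName,givenName,surname,mail,accountEnabled (givenName, surname and mail are the Graph properties behind First Name, Last Name and Email); the members page below is constructed, and real responses are paginated through @odata.nextLink, which the function does not follow.

```python
"""Flag group members whose Entra profile lacks the fields Workforce needs.

Added example, not Incode's or Microsoft's code. Works on a single page of
the Graph group-members response; the sample payload is constructed.
"""
import json

# Graph user property -> label used in this guide
REQUIRED_FIELDS = {
    "givenName": "First Name",
    "surname": "Last Name",
    "mail": "Email",
}

# Constructed sample page, shaped like GET /groups/{id}/members?$select=...
SAMPLE_MEMBERS_PAGE = json.dumps({
    "value": [
        {"@odata.type": "#microsoft.graph.user", "id": "u1", "displayName": "Ana Lopez",
         "givenName": "Ana", "surname": "Lopez", "mail": "ana.lopez@example.com",
         "accountEnabled": True},
        {"@odata.type": "#microsoft.graph.user", "id": "u2", "displayName": "B. Singh",
         "givenName": "", "surname": "Singh", "mail": "b.singh@example.com",
         "accountEnabled": True},
        {"@odata.type": "#microsoft.graph.user", "id": "u3", "displayName": "Chen Wei",
         "givenName": "Wei", "surname": "Chen", "mail": None, "accountEnabled": False},
        # Nested group: not a person, so it is not subject to the profile check
        {"@odata.type": "#microsoft.graph.group", "id": "g9", "displayName": "Nested group"},
    ]
})


def find_incomplete_profiles(members_page_json: str) -> dict[str, list[str]]:
    """Return {user id: [missing field labels]} for users lacking required fields.

    Non-user members (nested groups, service principals) are skipped because
    Workforce verifies people. Disabled accounts are still reported so the
    profile can be fixed before the account is enabled again.
    """
    page = json.loads(members_page_json)
    problems: dict[str, list[str]] = {}
    for member in page.get("value", []):
        if member.get("@odata.type") != "#microsoft.graph.user":
            continue
        # Treat None and whitespace-only values as missing
        missing = [label for prop, label in REQUIRED_FIELDS.items()
                   if not (member.get(prop) or "").strip()]
        if missing:
            problems[member["id"]] = missing
    return problems


if __name__ == "__main__":
    for uid, missing in find_incomplete_profiles(SAMPLE_MEMBERS_PAGE).items():
        print(f"{uid}: missing {', '.join(missing)}")
```

Run it against each page of the real response and fix the reported users in Entra before saving the Workforce IAM settings; otherwise those employees will sync but fail verification.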

Workforce IAM Settings for API Access to employees directory

The Workforce product syncs with your employee directory to ensure that only active employees can complete verifications, and to enable password/MFA resets at the user's request. This is achieved through an app integration that holds only the minimum necessary data scopes.

Microsoft Entra App registration

  1. Register App (MS Entra Admin Dashboard): In your Microsoft Entra admin center, go to Applications -> App registrations and register a new app.

    Go to Applications-> App registrations

  2. Configure App (MS Entra Admin Dashboard): Give your application a name. Incode currently supports only single-tenant applications. Click Register.

    Give your app a name and choose Single tenant app

  3. Copy App ID (MS Entra Admin Dashboard): Copy the Application (client) ID and save it. You will add it to your Incode Workforce configuration in the next section.

    Copy Application (Client) ID

  4. Generate Secret (MS Entra Admin Dashboard): Once the app is registered, go to the Certificates & secrets section and generate a new client secret. Copy and save the secret Value now, since you will add it to your Workforce configuration and Microsoft Entra does not let you view the secret later. Note that once the secret expires you must generate a new one and update your Incode Workforce configuration.

    Generate a new client secret for your app

  5. Assign Permissions (MS Entra Admin Dashboard): Go to your app's API permissions section and select Microsoft Graph. Choose Application permissions and add the permissions listed below. After you have added all of them, grant admin consent for this app (this requires the Global Administrator role).

    • GroupMember.Read.All (Needed for employee sync)

    • User-PasswordProfile.ReadWrite.All (Needed for password resets)

    • User.Read.All (Needed for employee sync, MFA reset and password reset)

    • User.RevokeSessions.All (Needed for MFA reset and password reset)

    • UserAuthenticationMethod.ReadWrite.All (Needed for MFA reset and password reset)

      Grant required API permissions to your app

Workforce configuration

Provide the following details in the Workforce Dashboard under Settings -> IAM Settings. All of this information can be found in your Microsoft Entra portal.

  1. Tenant ID is the unique Microsoft Entra identifier for your organization. See Microsoft's instructions on how to find your tenant ID.

    Copy Tenant ID

  2. Client ID is the ID of the app you have just registered in Entra.

    Copy Application (client) ID

  3. Client secret is the secret generated by Entra for your app. Paste the secret value you previously copied from Microsoft Entra.

  4. User group ID is the Object ID of the user group you want to assign to Workforce. Usually this is an all-employees group. To find it, go to your Microsoft Entra portal -> Groups -> All groups and copy the Object ID of the group you want to use.

Find user group id in your Microsoft Entra portal
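Before saving, it is worth confirming that the tenant ID, client ID and secret actually produce a token and that admin consent covered exactly the five Graph permissions from the app registration step, nothing missing and nothing extra. The following is an added example for this guide, not Incode's or Microsoft's code. It assumes the standard Microsoft Entra OAuth 2.0 client-credentials flow (POST to https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token with scope https://graph.microsoft.com/.default) and that granted application permissions appear in the access token's roles claim. The sample token below is constructed and unsigned so the example runs offline; the check only reads claims and performs no signature validation.

```python
"""Build the client-credentials token request and audit the roles claim
against the permissions this guide requires.

Added example, not Incode's or Microsoft's code. SAMPLE_TOKEN is a
constructed, unsigned JWT-shaped string; a real token would come from the
token endpoint returned by token_request().
"""
import base64
import json
import urllib.parse

# The application permissions listed in the app registration step
REQUIRED_PERMISSIONS = {
    "GroupMember.Read.All",
    "User-PasswordProfile.ReadWrite.All",
    "User.Read.All",
    "User.RevokeSessions.All",
    "UserAuthenticationMethod.ReadWrite.All",
}


def token_request(tenant_id: str, client_id: str, client_secret: str) -> tuple[str, bytes]:
    """Return (token endpoint URL, form-encoded body) for the client-credentials flow."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    return url, body


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def granted_roles(access_token: str) -> set[str]:
    """Read the roles claim from the JWT payload (claims only, no signature check)."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return set(payload.get("roles", []))


def permission_report(access_token: str) -> dict[str, set[str]]:
    """Compare granted roles with the guide's list.

    'missing' means consent was not granted, so sync or resets will fail;
    'extra' means the app holds more than it needs and should be trimmed.
    """
    roles = granted_roles(access_token)
    return {"missing": REQUIRED_PERMISSIONS - roles,
            "extra": roles - REQUIRED_PERMISSIONS}


def _constructed_token(roles: list[str]) -> str:
    """Build an unsigned JWT-shaped string purely for this example."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": "none", "typ": "JWT"})
    payload = enc({"aud": "https://graph.microsoft.com", "roles": roles})
    return ".".join([header, payload, ""])  # empty signature segment


# Constructed sample: one required permission was never consented, and an
# unrelated broad permission was added by mistake.
SAMPLE_TOKEN = _constructed_token([
    "GroupMember.Read.All", "User.Read.All", "User.RevokeSessions.All",
    "UserAuthenticationMethod.ReadWrite.All", "Directory.ReadWrite.All",
])

if __name__ == "__main__":
    url, body = token_request("<tenant-id>", "<client-id>", "<client-secret>")
    print("POST", url)
    print(permission_report(SAMPLE_TOKEN))
```

To use it for real, POST the returned body to the returned URL, take access_token from the JSON response and pass it to permission_report(); an empty 'missing' set with an empty 'extra' set means the registration matches this guide. Keep the client secret out of shell history and source control, and rotate it before the expiry you chose in the Certificates & secrets step.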

Save the settings. An employee directory sync will be triggered. Depending on the size of your employee directory, it may take some time to import all employees into Workforce. You are then ready to test on-request identity verifications or password/MFA resets.

Test. Trigger Directory Sync to make sure everything is connected. Go to Helpdesk Verification and choose the employee to whom you want to send a verification request; a list of all employees from the group configured in the IAM settings will be displayed. To test a password or MFA reset, go to the Self-serve portal. Once a user's identity is verified, they can reset their password or MFA. The next time the user logs in to Microsoft Entra, they will be asked to set a new password or configure their authentication factors.