Microsoft

Last updated 2 months ago

  1. Go to https://portal.azure.com/

  2. Navigate to Microsoft Entra ID.

  3. In Microsoft Entra ID, click Manage and select App registrations from the menu on the left.

  4. Click "Make new registration".

  5. Fill out the form, like in the example:

Make sure the Redirect URL you insert here is correct. Replace defguard.example.com with the domain you use for your Defguard dashboard. If you'd like to use OpenID enrollment through the proxy, make sure to enter an additional URI here in the form of <DEFGUARD_ENROLLMENT_URL>/openid/callback.

  6. You should now be on the registered application's management screen. Copy the client ID and the tenant ID from here, as you need to provide them on the Defguard settings page.

  7. Go to Defguard settings, click the OpenID tab and paste the copied client ID. Insert the tenant ID in place of the <TENANT_ID> placeholder in the base URL field.

  8. Back in Microsoft Entra ID, still in your newly created application, go to Certificates & Secrets.

  9. Click Client secrets and create a new client secret. Copy its value and paste it into your Defguard OpenID settings.

  10. Go to Token configuration (in the menu on the left) and add a new optional token claim.

  11. Make sure to select the ID token type and the following claims:

  12. Accept the popup or configure the API permissions manually.

  13. Now you should be good to go. A new login button should appear on the login screen.

Directory synchronization

This feature is available only in Defguard 1.2.1 and above

This feature is currently technically limited to 10000 members or groups. High user or group counts may still trigger your provider API limits even below this threshold. If you have many users (200+), we recommend you test this feature first before you decide to turn on automatic user deletion.

Defguard can synchronize the state of users and groups with your Microsoft directory.

Setup

  1. Go back to your app registrations in Microsoft Entra ID and select the app you registered during the provider setup.

  2. Navigate to API permissions.

  3. Click "Add a permission", then select "Microsoft Graph".

  4. Select "Application permissions", as Defguard will perform the synchronization in the background.

  5. Assign the following permissions:

    • GroupMember.Read.All

    • Group.Read.All

    • User.Read.All

  6. Grant admin consent for the permissions using the "Grant admin consent for" button.

  7. You should be good to go now. Navigate to the directory sync settings in Defguard and test your setup using the test connection button.
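As an added illustration (not Defguard's own code) of what a background directory sync has to handle: paging through the Graph user listing, honouring the 10000-entry limit mentioned above, and producing a dry-run plan that refuses to disable accounts when the directory read comes back empty, which in practice usually means the app-only permissions above were not consented rather than an empty tenant. The Graph page contents and the `$skiptoken` URL below are constructed inline so the code runs offline; in a real run they would come from GET requests authorised with an application token.

```python
# Added illustrative example, not Defguard's implementation: paginate a Microsoft
# Graph user listing, enforce the 10000-entry sync limit, and compute a dry-run
# diff against the users Defguard already knows. Graph responses are constructed.
from typing import Iterable

MAX_SYNC_ENTRIES = 10000  # limit stated in the Defguard docs for this feature


def fetch_all(pages: dict, first_url: str, limit: int = MAX_SYNC_ENTRIES) -> list:
    """Follow @odata.nextLink through a dict of pre-fetched pages (a stand-in
    for HTTP GET with a bearer token). Raises once more than `limit` entries
    have been collected, since the sync is not supported beyond that."""
    out, url = [], first_url
    while url:
        page = pages[url]
        out.extend(page["value"])
        if len(out) > limit:
            raise RuntimeError(f"directory exceeds {limit} entries; sync unsupported")
        url = page.get("@odata.nextLink")
    return out


def plan_sync(directory_users: Iterable[dict], defguard_users: set, delete_missing: bool) -> dict:
    """Return which usernames to create and which to disable. Disabled directory
    accounts are treated as absent. Never disables anyone when the directory
    came back empty: that is the failure mode of missing admin consent."""
    names = {u["userPrincipalName"].lower() for u in directory_users if u.get("accountEnabled", True)}
    to_create = sorted(names - defguard_users)
    to_disable = sorted(defguard_users - names) if delete_missing and names else []
    return {"create": to_create, "disable": to_disable,
            "skipped_disable": bool(delete_missing and not names)}


# Constructed sample: two Graph pages for GET /users?$select=userPrincipalName,accountEnabled
PAGES = {
    "https://graph.microsoft.com/v1.0/users?$select=userPrincipalName,accountEnabled": {
        "value": [{"userPrincipalName": "alice@example.com", "accountEnabled": True},
                  {"userPrincipalName": "bob@example.com", "accountEnabled": False}],
        "@odata.nextLink": "https://graph.microsoft.com/v1.0/users?$skiptoken=page2",  # constructed
    },
    "https://graph.microsoft.com/v1.0/users?$skiptoken=page2": {
        "value": [{"userPrincipalName": "carol@example.com", "accountEnabled": True}],
    },
}


def demo() -> dict:
    """Dry run: Defguard knows alice and dave; directory has alice, carol (bob disabled)."""
    users = fetch_all(PAGES, next(iter(PAGES)))
    return plan_sync(users, {"alice@example.com", "dave@example.com"}, delete_missing=True)


if __name__ == "__main__":
    print(demo())
```

Running the dry run first, as the note above recommends for larger directories, shows exactly which accounts automatic deletion would touch before you enable it.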

Make sure to check the general guide to directory synchronization to learn more about the available configuration options.