Microsoft
Navigate to Microsoft Entra ID
In Microsoft Entra ID, click Manage and select App registrations from the menu on the left.
Click "Make new registration"
Fill out the form, like in the example:
Make sure the Redirect URL you insert here is correct. Replace defguard.example.com with the domain you use for your Defguard dashboard. If you'd like to use OpenID enrollment through the proxy, make sure to enter an additional URI here in the form of <DEFGUARD_ENROLLMENT_URL>/openid/callback.
You should now be on the registered application's management screen. Copy the client ID and the tenant ID from here, as you need to provide both on the Defguard settings page.
Go to Defguard settings, click the OpenID tab and paste the copied client ID. The tenant ID should be inserted instead of the <TENANT_ID> placeholder in the base URL field.
Now, back in Microsoft Entra ID and still in your newly created application, go to Certificates & Secrets.
Click Client secrets and create a new client secret. Copy its value and paste it in your Defguard OpenID settings.
Go to Token configuration (in the menu on the left) and add a new optional token claim.
Make sure to select the ID token type and the following claims:
Accept the popup or configure the API permissions manually.
Now you should be good to go. A new login button should appear on the login screen.
This feature is available only in Defguard 1.2.1 and above
This feature is currently limited to 999 Microsoft Entra ID members or groups. It may not work correctly if you have more members than that. If this limit is an issue, report it on our GitHub.
Defguard supports synchronizing group and user state based on your Microsoft directory.
Make sure to check the general guide to directory synchronization to learn more about the available configuration options.
Go back to your app registrations in Microsoft Entra ID and select the app you registered during the provider setup.
Navigate to API permissions
Click "Add a permission", then select "Microsoft Graph"
Select "Application permissions", as Defguard will perform the synchronization in the background.
Assign the following permissions:
GroupMember.Read.All
Group.Read.All
User.Read.All
Now grant admin consent for the permissions using the "Grant admin consent for" button.
You should be good to go now. Navigate to the directory sync settings in Defguard and try to test your setup using the test connection button.
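A pre-flight check for the values entered in the two procedures above (redirect URIs including the enrollment callback, the tenant ID substituted into the base URL, the three Graph application permissions, and the 999-object limit), as an added example that is not part of the Defguard documentation or code. The `EntraSetup` structure, its field names and the sample dashboard callback path are assumptions made for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Graph application permissions the directory sync steps above assign.
REQUIRED_GRAPH_APP_PERMISSIONS = {"GroupMember.Read.All", "Group.Read.All", "User.Read.All"}
MEMBER_LIMIT = 999  # documented limit of the current Defguard Entra directory sync
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


@dataclass
class EntraSetup:  # hypothetical container for the settings entered during setup
    dashboard_domain: str              # domain of the Defguard dashboard
    enrollment_url: Optional[str]      # Defguard enrollment proxy URL, or None if unused
    redirect_uris: list[str]           # redirect URIs registered on the Entra app
    tenant_id: str                     # tenant ID copied from the app overview
    base_url: str                      # Defguard "base URL" field after substitution
    client_id: str
    client_secret: str
    granted_app_permissions: set[str]  # Graph application permissions with admin consent
    directory_object_count: int        # members and groups the sync has to read


def check_setup(s: EntraSetup) -> list[str]:
    """Return the configuration problems found; an empty list means all checks passed."""
    problems: list[str] = []
    if not GUID.match(s.tenant_id):
        problems.append("tenant ID is not a GUID; copy it from the app overview page")
    if "<TENANT_ID>" in s.base_url:
        problems.append("base URL still contains the <TENANT_ID> placeholder")
    elif s.tenant_id not in s.base_url:
        problems.append("base URL does not contain the tenant ID")
    if not s.client_id or not s.client_secret:
        problems.append("client ID or client secret is empty")
    for uri in s.redirect_uris:
        if not uri.startswith("https://"):
            problems.append(f"redirect URI is not HTTPS: {uri}")
    if not any(s.dashboard_domain in uri for uri in s.redirect_uris):
        problems.append(f"no redirect URI points at {s.dashboard_domain}")
    if s.enrollment_url:
        want = s.enrollment_url.rstrip("/") + "/openid/callback"
        if want not in s.redirect_uris:
            problems.append(f"enrollment callback not registered: {want}")
    missing = REQUIRED_GRAPH_APP_PERMISSIONS - s.granted_app_permissions
    if missing:
        problems.append("missing Graph application permissions: " + ", ".join(sorted(missing)))
    if s.directory_object_count > MEMBER_LIMIT:
        problems.append(f"{s.directory_object_count} directory objects exceeds the {MEMBER_LIMIT} limit")
    return problems
```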