Microsoft
First, we need to obtain the following credentials:
Tenant ID
Client ID
Client secret
If you already have them, skip to Configuring Microsoft as external OIDC in Defguard.
Obtaining basic credentials
Navigate to Microsoft Entra ID
In the Microsoft Entra ID, click Manage and select App registrations from the menu on the left.

Click "Make new registration"
Fill out the form, like in the example:

Make sure the Redirect URL you insert here is correct. The full list of redirect URLs that should be configured in order to use all features is available here.
You should now be on the registered application's management screen. Copy the client ID and the tenant ID from here, as you will need to provide them on the Defguard settings page.

Now back in Microsoft Entra ID, still in your newly created application, go to Certificates & Secrets

Go to Certificates & secrets and create a new client secret. Copy its value.

Go to Token configuration (in the menu on the left) and add a new optional token claim.
Make sure to select the ID token type and the following claims:

Accept the popup or configure the API permissions manually.

Now you should be good to go.
Obtaining Directory Synchronization credentials
This feature is available only in Defguard 1.2.1 and above
This feature is currently technically limited to 10000 members or groups. High user or group counts may still trigger your provider's API limits even below this threshold. If you have many users (200+), we recommend testing this feature first before you decide to turn on automatic user deletion.
Defguard supports synchronizing groups' and users' states based on your Microsoft directory.
Make sure to check the general guide to directory synchronization to learn more about the available configuration options.
Setup
Go back to your app registrations in Microsoft Entra ID and select the app you registered during the provider setup.
Navigate to API permissions

Click "Add a permission", then select "Microsoft Graph"

Select "Application permissions", as Defguard will perform the synchronization in the background.

Assign the following permissions:
GroupMember.Read.All
Group.Read.All
User.Read.All
Now grant admin consent for the permissions using the "Grant admin consent for" button.

You should be good to go now. Navigate to the directory sync settings in Defguard and try to test your setup using the test connection button.
Configuring Microsoft as external OIDC in Defguard
Go to Settings → External identity providers.

Click "Connect" in the row with Microsoft.

Fill in the Tenant ID, Client ID and Client secret (see Obtaining basic credentials).

Click "Continue"
If you decide to use Directory Synchronization, enable it. (If you don't need Directory Synchronization, go to step 6).

In order for Entra users to be created in Defguard, they must have the following attributes set:
email (or otherMails)
first name
last name
By default, directory sync only guarantees that the state and group membership of Defguard users who are also present in the directory stay up to date. It does not create Defguard users until they log in using an external OpenID provider.
To create Defguard users during directory sync, enable the Prefetch users option:
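As an added example (not part of the Defguard documentation or code), the following Python pre-check can be run over a Microsoft Graph user export before enabling Prefetch users: it reports which accounts would not be created because they lack an email (mail or otherMails), a first name or a last name, and whether the export exceeds the documented 10000-member limit. The Graph property names mail, otherMails, givenName and surname are assumed from the Graph user resource, and the sample users are constructed.

```python
"""Pre-check a directory export against Defguard's prefetch requirements."""
from typing import Iterable

# Constructed sample modelled on the Microsoft Graph /users response shape.
# The values are made up; the property names mail, otherMails, givenName and
# surname are assumed to match the Microsoft Graph user resource.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.com", "mail": "alice@example.com",
     "otherMails": [], "givenName": "Alice", "surname": "Example"},
    {"userPrincipalName": "bob@example.com", "mail": None,
     "otherMails": ["bob@example.net"], "givenName": "Bob", "surname": "Builder"},
    {"userPrincipalName": "svc-backup@example.com", "mail": None,
     "otherMails": [], "givenName": None, "surname": None},
    {"userPrincipalName": "carol@example.com", "mail": "carol@example.com",
     "otherMails": [], "givenName": "Carol", "surname": ""},
]

SYNC_MEMBER_LIMIT = 10000  # documented technical limit of directory sync


def missing_attributes(user: dict) -> list[str]:
    """Return the required attributes this user lacks (empty list means OK)."""
    missing = []
    # The email requirement is satisfied by 'mail' or a non-empty 'otherMails'.
    if not (user.get("mail") or user.get("otherMails")):
        missing.append("email")
    if not user.get("givenName"):
        missing.append("first name")
    if not user.get("surname"):
        missing.append("last name")
    return missing


def audit_users(users: Iterable[dict]) -> dict:
    """Summarise which users prefetch would skip and whether the limit is hit."""
    users = list(users)
    incomplete = {}
    for user in users:
        missing = missing_attributes(user)
        if missing:
            incomplete[user["userPrincipalName"]] = missing
    return {
        "total": len(users),
        "over_limit": len(users) > SYNC_MEMBER_LIMIT,
        "incomplete": incomplete,
    }


if __name__ == "__main__":
    for upn, missing in audit_users(SAMPLE_USERS)["incomplete"].items():
        print(f"{upn}: will not be created, missing {', '.join(missing)}")
```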

Click "Continue"

If no errors occurred during configuration, you will see a message indicating that your OIDC provider has been successfully added.
Click "Finish"