Microsoft Entra ID Setup
Configuring Entra ID requires the following, described in the sections below:
- Registering an Application and Setting up its Permissions
- Configuring SAS PCE as an External MFA
- Creating a Conditional Access Policy

Registering an Application and Setting up its Permissions
Entra ID requires application registration because the Microsoft identity platform handles identity and access management (IAM) only for registered applications. Registering the application establishes a trust relationship between your application and the identity provider, the Microsoft identity platform.
Perform the following steps:
1. Log in to the Microsoft Entra admin center as a Cloud Application Administrator.
2. In the left pane, click Entra ID > App registrations, and in the right pane, click New registration.
3. In the right pane, under Register an application, perform the following steps:
   a. In the Name field, enter a display name for the application (for example, SafeNet).
   b. Under Supported account types, select one of the following account types to grant application access to its users:
      - Accounts in this organizational directory only (Integration only - Single tenant)
      - Accounts in any organizational directory (Any Entra ID tenant - Multitenant)
   c. Under Redirect URI, from the drop-down list, select Web, and in the field, paste the authorization endpoint URL obtained in step 4 of the Configuring the SafeNet Access Exchange Realm section.
   d. Click Register.
4. Under the Overview section of the newly added application, copy the Application (client) ID and paste it in a text editor. You will need this value when configuring SAS PCE as an external MFA.
5. In the left pane, under Manage, click API permissions.
6. In the right pane, perform the following steps:
   a. Under Configured permissions, click Add a permission.
   b. On the Request API permissions window, on the Microsoft APIs tab, select the Microsoft Graph tile.
   c. Under Microsoft Graph, select the Delegated permissions tile.
   d. Under Select permissions, search for and select the following permissions, and then click Add permissions:
      - User.Read
      - openid
      - profile
   e. Click Grant admin consent for <tenant_name>.
   f. Under Grant admin consent confirmation, click Yes. The Status of the permissions changes to Granted.
7. In the left pane, under Manage, click Token configuration, and then click Add optional claim.
8. In the right pane, under Add optional claim, select the ID token type and perform the following steps:
   a. Select the acrs, login_hint, and upn claims.
   b. Click Add to add the claims.
9. Under Token type, select the Access token option and perform the following steps:
   a. Select the acrs, aud, and upn claims.
   b. Click Add to add the claims.

The claims for both the Access and ID tokens are added as shown in the screenshot below.

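As an added example (not from the original page or from Thales), a small Python check that a token issued by this app registration actually carries the optional claims configured above (acrs, login_hint and upn on the ID token; acrs, aud and upn on the access token) and that the ID token's aud matches the Application (client) ID. The client ID and the sample token are constructed placeholders; the check assumes the token's signature has already been validated elsewhere.

```python
import base64
import json
# Optional claims added on the Token configuration page of this app registration.
REQUIRED_CLAIMS = {
    "id_token": {"acrs", "login_hint", "upn"},
    "access_token": {"acrs", "aud", "upn"},
}
# Placeholder, not a real Application (client) ID: use the value copied in step 4.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT. No signature check is done here: the
    token is assumed to have been validated against the tenant's signing keys."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(padded))


def check_claims(payload: dict, token_type: str, client_id: str) -> list:
    """Return a list of problems; an empty list means the token matches the setup.
    For the ID token, aud must equal this registration's Application (client) ID;
    the access token's aud names the resource, so it is only checked for presence."""
    problems = []
    for claim in sorted(REQUIRED_CLAIMS[token_type] - set(payload)):
        problems.append(f"missing optional claim '{claim}' in {token_type}")
    if token_type == "id_token":
        aud = payload.get("aud")
        if client_id not in (aud if isinstance(aud, list) else [aud]):
            problems.append(f"aud {aud!r} does not match Application (client) ID")
    return problems


def build_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned JWT for offline testing only."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(payload)}."


# Constructed sample: an ID token issued before the acrs claim was configured.
SAMPLE_ID_TOKEN = build_unsigned_token(
    {"aud": CLIENT_ID, "upn": "user@example.com", "login_hint": "O.constructed"}
)
if __name__ == "__main__":
    for problem in check_claims(decode_jwt_payload(SAMPLE_ID_TOKEN), "id_token", CLIENT_ID):
        print(problem)
```

Run it against a real token only after the token has been signature-checked; the sample reports the missing acrs claim, which is the symptom of a token issued before step 8 was completed.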
Configuring SAS PCE as an External MFA
Perform the following steps to configure SAS PCE as an external MFA:
1. In the Microsoft Entra admin center, in the left pane, select Entra ID > Authentication methods > Policies, and then select Add External MFA.
2. Under Properties, enter a method name in the Name field, and then complete the following fields:
   - Name: Enter a display name for the external MFA method.
   - Client ID: Enter the CLIENT ID value obtained in step 4 (c) of the Configuring an Entra ID Client section.
   - Discovery Endpoint: Enter the OIDC Discovery Endpoint URL obtained in step 4 of the Configuring the SafeNet Access Exchange Realm section.
   - App ID: Enter the Application (client) ID obtained in step 4 of the Registering an Application and Setting up its Permissions section.
3. Under Enable and target, turn on the Enable toggle, and then use the Include and Exclude tabs to include or exclude users or groups.
   Note
   As a best practice, exclude global administrator accounts or groups unless they are required.
4. Click Save to save the external MFA configuration.
5. Under Authentication methods > Policies, verify that the external MFA you configured is listed and its status is set to Enabled.

Creating a Conditional Access Policy
1. In the Microsoft Entra admin center, in the left pane, select Entra ID > Conditional Access > Policies, and then click New policy.
2. In the Name field, enter a policy name.
   Note
   As a best practice, exclude global administrator groups.
3. Under Assignments, select Users or agents (Preview), and then perform the following steps:
   a. On the Include tab, select the Select users and groups option, and then select the Users and groups check box.
   b. Under Select users and groups, search for and select the users and groups to which you want to apply the policy, and then click Select.
4. Select Target resources, select the Select resources option, and then under Resources, select the application to protect with SAS PCE as the external MFA (for example, Office 365), and click Select.
5. Under Access controls, select Grant, and then perform the following steps:
   a. Select the Grant access option, select the Require multifactor authentication check box, and then click Select.
   b. Under For multiple controls, select the Require one of the selected controls option, and then click Select.
6. Under Enable policy, set the toggle to On, and then select Create to create the conditional access policy.
   Note
   You can initially set Enable policy to Report-only to monitor the policy behavior without enforcing it. After verifying that the policy works as expected, switch it to On to enforce the MFA requirement.

Optimize the New User Authentication Journey
Note
According to Microsoft documentation, if no other authentication methods are enabled, a user can select external MFA and is redirected to the external authentication provider to complete authentication.
To ensure users are redirected directly to SAS PCE without being prompted to choose from multiple authentication methods, apply the following configuration in Entra ID:
1. In the Microsoft Entra admin center, in the left pane, select Entra ID > Authentication methods > Policies.
2. For each of the following built-in authentication methods, exclude the target user group and ensure that only the external MFA (SAS PCE) method is enabled and targeted to your group:
   - Microsoft Authenticator
   - SMS
   - Voice call
   - Hardware OATH tokens
   - Software OATH tokens
   - Email OTP
3. In the left pane, select Entra ID > Authentication methods > Registration campaign. Under Settings, exclude your target group from the Microsoft Authenticator registration campaign. This prevents users from being prompted to register Microsoft Authenticator as a sign-in method.

With this configuration, users in the target group are automatically redirected to SAS PCE to complete the external MFA authentication, without being prompted to select from multiple methods.