Thales Authenticator Lifecycle Manager with Microsoft Entra ID
This section provides the steps to integrate Thales Authenticator Lifecycle Manager with Microsoft Entra ID. The integration requires:
Enable the Passkey (FIDO2) Authentication Method
Prerequisites
- Users for whom FIDO2 authentication will be enabled must already exist in Microsoft Entra ID.
- A Microsoft Entra ID administrator account with the Authentication Policy Administrator role is required.
Perform the following steps to enable the Passkey (FIDO2) authentication method:
1. Go to the Microsoft Entra admin center (https://entra.microsoft.com) and sign in as an administrator.
2. In the left pane, select Entra ID > Authentication Methods. In the right pane, select Policies, and under Method, select Passkey (FIDO2).
3. Under Passkey (FIDO2) settings, on the Enable and Target tab, perform the following steps to enable the Passkey (FIDO2) method:
   1. Turn on the Enable toggle.
   2. On the Include tab, click Add target to select one of the following options:
      - All users: To select and apply the method for all users.
      - Select targets: To select and apply the method for specific groups.
   Note
   Only security groups are supported for this operation.
4. Go to the Configure tab and perform the following steps to configure the Passkey (FIDO2) authentication method:
   1. Select the Allow self-service set up checkbox to allow users to register their own FIDO2 keys.
   2. Select Save to save the configuration.
For more information on enabling and configuring the Passkey (FIDO2) authentication method, refer to the Microsoft Entra ID documentation.
Register an Application in Microsoft Entra ID
Perform the following steps to register an application in Microsoft Entra ID and grant the required API permissions:
Note
If your application is already registered, ensure that it has been granted the required API permissions. Refer to step 2 in this section.
1. If you have access to multiple tenants, select the Settings icon in the top menu to switch to the tenant in which you want to register the application, or create a new tenant if you need one. Then perform the following steps:
   1. On the Microsoft Entra admin center, in the left pane, select Entra ID > App registrations. In the right pane, select New registration.
   2. Under Register an application, in the Name field, enter a meaningful name for your application (for example, talm-identity-client-app).
   3. Under Supported account types, select the user account types that can use the application. Selecting the Single tenant only option is recommended for most applications.
   4. Select Register to complete the application registration.
2. Perform the following steps to grant API permissions to the application:
   1. On the application window (for example, talm-identity-client-app), under Manage, select API permissions.
   2. Under Configured permissions, select Add a permission, and then select Microsoft Graph.
   3. Select Application permissions, then search for and add the following permissions:
      - User.Read.All: To test the IDP connection and search users.
      - UserAuthMethod-Passkey.ReadWrite.All: To perform enrollment and revocation operations.
      - Group.Read.All: To read all groups in the tenant. Enables group search in Assign Devices to Multiple Users.
      - Policy.Read.All: To read authentication and authorization policies configured in Microsoft Entra ID for the device control feature.
      - Policy.ReadWrite.AuthenticationMethod: To read and modify authentication method policies for the device control feature.
   Note
   Updating Graph API permissions during IdP creation and modification in Thales Authenticator Lifecycle Manager may take up to 60 minutes to take effect due to token caching.
   4. Select Grant admin consent for <tenant name>, then select Yes.
   5. Select Refresh and verify that Granted for <tenant name> appears under Status for each of the permissions.
Obtain Parameters' Values
To configure Microsoft Entra ID in Thales Authenticator Lifecycle Manager, you need to obtain the values of the following parameters:
- Application/Client ID
- Authentication URL
- Client Secret
On the application window (for example, talm-identity-client-app), perform the following steps to obtain these values:
1. For Application/Client ID, copy the Application (client) ID field value and paste it into a text editor.
2. For Authentication URL, copy the Directory (tenant) ID field value and paste it into the text editor.
3. For Client Secret, select the value of the Client credentials field and perform the following steps:
   1. Under Client secrets, select New client secret.
   2. Enter a description for the secret, select an expiry, and select Add.
   Note
   Once this secret expires, Thales Authenticator Lifecycle Manager cannot communicate with the Microsoft Entra ID application. A new secret must be generated and updated in the IDP Configuration section of Thales Authenticator Lifecycle Manager.
   3. After the client secret is created, copy its value and store it in a secure location.
   Caution
   Ensure that you store the client secret in a secure location, as it will not be visible again.
After obtaining the required values, enter them in the Thales Authenticator Lifecycle Manager console while adding Microsoft Entra ID as an IDP. Once the values are entered, select Test Connection to confirm that the connection is successful. For detailed instructions, refer to the Configure Microsoft Entra ID section.
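The following is an added example, not Thales or Microsoft code, that ties together the Passkey (FIDO2) policy settings and the application registration described on this page. It shows what the three collected values are used for (the OAuth 2.0 client credentials request that Test Connection effectively performs), how to confirm from an app-only access token that all five Microsoft Graph application permissions have actually been consented (the roles claim is where Entra ID lists them), and how to check the Fido2 authentication method configuration returned by Graph against the settings made in the admin center. The token payload and policy document are constructed inline for illustration; no network calls are made, and the placeholder tenant, client and secret values are assumptions.

```python
"""Offline checks for a Thales Authenticator Lifecycle Manager <-> Entra ID setup.

Added example, not Thales or Microsoft code. The sample JWT and policy object
below are constructed for illustration and contain no real tenant data.
"""
import base64
import json
from urllib.parse import urlencode

# The Graph application permissions granted in the "Register an Application" steps.
REQUIRED_APP_ROLES = {
    "User.Read.All",
    "UserAuthMethod-Passkey.ReadWrite.All",
    "Group.Read.All",
    "Policy.Read.All",
    "Policy.ReadWrite.AuthenticationMethod",
}

# Graph resource that holds the Passkey (FIDO2) method configuration.
FIDO2_POLICY_URL = ("https://graph.microsoft.com/v1.0/policies/"
                    "authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2")


def build_token_request(tenant_id: str, client_id: str, client_secret: str) -> tuple:
    """Return (url, form_body) for the client credentials grant.

    The Authentication URL is derived from the Directory (tenant) ID copied in
    the steps above; the body is POSTed as application/x-www-form-urlencoded.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",  # every consented app permission
        "grant_type": "client_credentials",
    })
    return url, body


def jwt_payload(token: str) -> dict:
    """Decode the payload segment of a JWT without verifying its signature.

    This is for local inspection of claims only; Graph validates the signature
    when the token is presented, so this must never stand in for validation.
    """
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def missing_app_roles(token: str) -> set:
    """Return the required Graph application permissions absent from the 'roles' claim.

    An empty set means admin consent has propagated into tokens. A non-empty set
    usually means consent was not granted, or the cached token predates it (the
    page notes this can take up to 60 minutes to clear).
    """
    return REQUIRED_APP_ROLES - set(jwt_payload(token).get("roles", []))


def fido2_policy_problems(config: dict) -> list:
    """Compare a Fido2 authenticationMethodConfiguration object with the page's settings."""
    problems = []
    if config.get("state") != "enabled":
        problems.append("Passkey (FIDO2) method is not enabled")
    if not config.get("isSelfServiceRegistrationEnabled"):
        problems.append("self-service set up is not allowed")
    targets = config.get("includeTargets", [])
    if not targets:
        problems.append("no include targets: method is enabled for nobody")
    for target in targets:
        # The admin center only supports security groups (or all_users) as targets.
        if target.get("targetType") != "group":
            problems.append(f"unsupported target type {target.get('targetType')!r} "
                            f"for {target.get('id')}")
    return problems


def make_unsigned_jwt(payload: dict) -> str:
    """Build a constructed, unsigned JWT (alg none) for the sample below; not for real use."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# --- constructed sample input: two permissions deliberately left out of the token ---
SAMPLE_TOKEN = make_unsigned_jwt({
    "aud": "https://graph.microsoft.com",
    "appid": "00000000-0000-0000-0000-000000000000",  # placeholder, not a real client ID
    "roles": ["User.Read.All", "Group.Read.All", "Policy.Read.All"],
})
SAMPLE_FIDO2_POLICY = {
    "id": "Fido2",
    "state": "enabled",
    "isSelfServiceRegistrationEnabled": False,  # "Allow self-service set up" left unchecked
    "includeTargets": [{"targetType": "group", "id": "all_users", "isRegistrationRequired": False}],
}

if __name__ == "__main__":
    url, body = build_token_request("<tenant-id>", "<client-id>", "<client-secret>")
    print("POST", url)
    print(body)
    print("missing roles:", sorted(missing_app_roles(SAMPLE_TOKEN)))
    print("policy problems:", fido2_policy_problems(SAMPLE_FIDO2_POLICY))
```

In a real check, the token would come from POSTing the body to the URL returned by build_token_request, and the policy object from a GET on FIDO2_POLICY_URL with that token as a bearer token (Policy.Read.All covers the read). Keep the client secret out of scripts and logs; it is the same credential whose expiry, per the note above, breaks the IDP connection.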