Thales Authenticator Lifecycle Manager with Microsoft Entra ID
This section provides the steps to integrate Thales Authenticator Lifecycle Manager with Microsoft Entra ID. The integration requires three tasks: enabling the Passkey (FIDO2) authentication method, registering an application in Microsoft Entra ID, and obtaining the parameter values that Thales Authenticator Lifecycle Manager needs. Each task is described below.
Enable the Passkey (FIDO2) Authentication Method
Prerequisites
- Users for whom FIDO2 authentication will be enabled must already exist in Microsoft Entra ID.
- A Microsoft Entra ID administrator account with the Authentication Policy Administrator role is required.
Perform the following steps to enable the Passkey (FIDO2) authentication method:

1. Go to the Microsoft Entra admin center (https://entra.microsoft.com) and sign in as an administrator.
2. In the left pane, select Entra ID > Authentication Methods. In the right pane, select Policies, and under Method, select Passkey (FIDO2).
3. Under Passkey (FIDO2) settings, on the Enable and Target tab, perform the following steps to enable the Passkey (FIDO2) method:
   1. Turn on the Enable toggle.
   2. On the Include tab, under Target, select All users to enable the method for every user, or select Select groups and then Add groups to enable it only for specific groups.
      Note
      Only security groups are supported for this operation.
4. Go to the Configure tab and perform the following steps to configure the Passkey (FIDO2) authentication method:
   1. Set Allow self-service set up to Yes to allow users to register their own FIDO2 keys.
   2. Set Enforce attestation to No to allow users to register any type of passkey.
   3. Under KEY RESTRICTION POLICY, set Enforce key restrictions to No.
   4. Select Save to save the configuration.

For more information on enabling and configuring the Passkey (FIDO2) authentication method, refer to the Microsoft Entra ID documentation.
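The settings applied in the admin center above are also visible through Microsoft Graph as the Fido2 authentication method configuration, which makes it possible to audit a tenant after the change. The following script is an added example (not code from Thales or Microsoft): it takes a JSON object shaped like the Graph resource `GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2` and reports every setting that differs from the procedure (method enabled, self-service registration on, attestation not enforced, key restrictions not enforced, at least one target). The sample policy document is constructed for illustration; reading the real one requires the Policy.Read.All Graph permission, which the application registered later in this page does not have.

```python
"""Audit a Passkey (FIDO2) authentication method configuration.

Added example (not Thales or Microsoft code). It checks a JSON object
shaped like the Microsoft Graph resource
  GET https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2
against the settings the procedure above applies in the admin center.
The SAMPLE_POLICY document is constructed for illustration.
"""
import json

# Settings the procedure configures, keyed by their Graph property names.
EXPECTED = {
    "state": "enabled",                        # Enable toggle turned on
    "isSelfServiceRegistrationEnabled": True,  # Allow self-service set up = Yes
    "isAttestationEnforced": False,            # Enforce attestation = No
}


def audit_fido2_policy(cfg: dict) -> list[str]:
    """Return findings as strings; an empty list means the policy matches the procedure."""
    findings = []
    for key, want in EXPECTED.items():
        got = cfg.get(key)
        if got != want:
            findings.append(f"{key}: expected {want!r}, found {got!r}")

    # Enforce key restrictions = No maps to keyRestrictions.isEnforced == false.
    restrictions = cfg.get("keyRestrictions") or {}
    enforced = restrictions.get("isEnforced")
    if enforced is not False:
        findings.append(f"keyRestrictions.isEnforced: expected False, found {enforced!r}")

    # The method must target someone. Graph represents the "All users" selection
    # as a group target with id "all_users"; specific selections are group targets.
    targets = cfg.get("includeTargets") or []
    if not targets:
        findings.append("includeTargets: no users or groups are targeted")
    for target in targets:
        if target.get("targetType") != "group":
            findings.append(f"includeTargets: non-group target {target!r} (only security groups are supported)")
    return findings


# Constructed sample: everything matches except attestation is still enforced.
SAMPLE_POLICY = json.loads("""
{
  "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
  "id": "Fido2",
  "state": "enabled",
  "isSelfServiceRegistrationEnabled": true,
  "isAttestationEnforced": true,
  "keyRestrictions": {"isEnforced": false, "enforcementType": "block", "aaGuids": []},
  "includeTargets": [{"targetType": "group", "id": "all_users", "isRegistrationRequired": false}]
}
""")

if __name__ == "__main__":
    for finding in audit_fido2_policy(SAMPLE_POLICY) or ["policy matches the procedure"]:
        print(finding)
```

Running the block against the constructed sample reports the single mismatch (attestation still enforced); against a document that matches the procedure it reports nothing. Because Enforce attestation is set to No, any passkey model is accepted at registration, so the audit deliberately does not inspect the `aaGuids` allow list.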
Register an Application in Microsoft Entra ID
Perform the following steps to register an application in Microsoft Entra ID and grant the required API permissions:

Note
If your application is already registered, make sure it has been granted the required API permissions. Refer to step 2 in this section.

1. If you have access to multiple tenants, select the Settings icon in the top menu to switch to the tenant in which you want to register the application (create a new tenant first if you need one). Then perform the following steps:
   1. In the left pane, select Entra ID > App registrations. In the right pane, select New registration.
   2. Under Register an application, in the Name field, enter a meaningful name for your application (for example, talm-identity-client-app).
   3. Under Supported account types, select the user account types that can use the application. Accounts in this organizational directory only is the recommended option for most applications.
   4. Select Register to complete the application registration.
2. Perform the following steps to grant API permissions to the application:
   1. On the application window (for example, talm-identity-client-app), under Manage, select API permissions.
   2. Under Configured permissions, select Add a permission, and select Microsoft Graph.
   3. Select Application permissions, then search for and add the following permissions:
      - User.Read.All
      - UserAuthenticationMethod.ReadWrite.All
   4. Select Grant admin consent for <tenant name>, then select Yes.
   5. Select Refresh and verify that Granted for <tenant name> appears under Status for both permissions.
Obtain Parameters' Values
To configure Microsoft Entra ID in Thales Authenticator Lifecycle Manager, you need the values of the following parameters:

- Application/Client ID
- Authentication URL
- Client Secret

On the application window (for example, talm-identity-client-app), perform the following steps to obtain these values:

1. For Application/Client ID, copy the Application (client) ID field value and paste it into a text editor.
2. For Authentication URL, copy the Directory (tenant) ID field value and paste it into the text editor.
3. For Client Secret, select the value of the Client credentials field and perform the following steps:
   1. Under Client secrets, select New client secret.
   2. Enter a description for the secret, select an expiry, and select Add.
      Note
      Once this secret expires, Thales Authenticator Lifecycle Manager cannot communicate with the Microsoft Entra ID application. A new secret must be generated and updated in the IDP Configuration section of Thales Authenticator Lifecycle Manager.
   3. After the client secret is created, copy its value and store it in a secure location.
      Caution
      Store the client secret in a secure location immediately, because its value will not be shown again.

After obtaining the required values, enter them in the Thales Authenticator Lifecycle Manager console while adding Microsoft Entra ID as an IDP. Once the values are entered, select Test Connection to confirm that the connection is successful. For detailed instructions, refer to the Configure Microsoft Entra ID section.
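Test Connection exercises the three values above through the OAuth 2.0 client credentials grant: the tenant ID selects the token endpoint, and the client ID and secret authenticate the application, after which the application permissions consented to in the previous section appear in the `roles` claim of the access token. The following script is an added example (not Thales code) of checking those values independently before entering them in the console. It builds the token request, extracts the `roles` claim from an access token, lists any of the two required Graph permissions that are missing, and classifies a client secret's expiry date against today's date, which is the condition the Note in step 3 warns about. The tenant ID, client ID and secret are placeholders, the access token is a constructed unsigned sample, and decoding the claim locally is only a sanity check: it does not verify the token signature (Graph does that on every call).

```python
"""Check the Application/Client ID, tenant ID and client secret obtained above.

Added example (not Thales code). It mirrors what Test Connection does:
request a token with the client credentials grant and confirm that the
application permissions consented to earlier show up in the token.
Placeholders: TENANT_ID_PLACEHOLDER, CLIENT_ID_PLACEHOLDER, the secret,
and the constructed unsigned sample token.
"""
import base64
import json
import urllib.parse
from datetime import date

# The two Graph application permissions the procedure grants with admin consent.
REQUIRED_ROLES = {"User.Read.All", "UserAuthenticationMethod.ReadWrite.All"}


def build_token_request(tenant_id: str, client_id: str, client_secret: str) -> tuple[str, str]:
    """Return (url, form_body) for the OAuth 2.0 client credentials grant against Entra ID."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # .default requests every application permission consented to for Graph.
        "scope": "https://graph.microsoft.com/.default",
    })
    return url, body


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def roles_from_access_token(token: str) -> set[str]:
    """Application permissions appear in the 'roles' claim of an app-only token.

    The signature is not verified here; this is a local sanity check only.
    """
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return set(payload.get("roles", []))


def missing_permissions(token: str) -> set[str]:
    """Required permissions that admin consent has not (yet) put into the token."""
    return REQUIRED_ROLES - roles_from_access_token(token)


def secret_expiry_status(expires_on: date, today: date, warn_days: int = 30) -> str:
    """Classify a client secret's expiry: 'expired', 'expiring' (within warn_days) or 'ok'."""
    remaining = (expires_on - today).days
    if remaining < 0:
        return "expired"
    if remaining <= warn_days:
        return "expiring"
    return "ok"


def _constructed_token(roles: list[str]) -> str:
    """Build an unsigned JWT with the given roles for offline demonstration."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": "https://graph.microsoft.com", "roles": roles}
    return f"{enc(header)}.{enc(payload)}."


# Constructed sample: admin consent was granted for only one of the two permissions.
SAMPLE_TOKEN = _constructed_token(["User.Read.All"])

if __name__ == "__main__":
    url, body = build_token_request("TENANT_ID_PLACEHOLDER", "CLIENT_ID_PLACEHOLDER", "secret-placeholder")
    print("POST", url)
    print("body:", body)
    print("missing permissions in sample token:", missing_permissions(SAMPLE_TOKEN) or "none")
    print("secret expiry:", secret_expiry_status(date(2025, 12, 31), date(2025, 12, 15)))
```

With real values, POST the returned body to the returned URL with `Content-Type: application/x-www-form-urlencoded` and pass the `access_token` from the JSON response to `missing_permissions`; an empty set means both permissions were consented to and refreshed as described in step 2 of the registration section. The expiry check is worth scheduling, because once the secret expires the IDP connection fails until a new secret is generated and entered in the IDP Configuration section.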