6.1 Configuring Microsoft Entra
You can use Microsoft Entra as an external identity provider for MyID.
6.1.1 Configuring Microsoft Entra as an external identity provider
When you configure Microsoft Entra, you can register a new application to use as the external identity provider in MyID.
You are recommended to register the application as single tenant ("Accounts in this organizational directory only"), so that only members of your own organization can authenticate to MyID; if you register it as multitenant, anyone with a Microsoft Entra account in any tenant can reach your system's sign-in flow.
You must configure the following in Microsoft Entra:
- Redirect URIs
  Add the redirect URI for your web.oauth2 server. This is in the format:
    https://<server>/web.oauth2/signin-microsoft
  Where <server> is the address of your MyID web server. For example:
    https://myid.mydomain.com/web.oauth2/signin-microsoft
- Client secrets
  Create a client secret in Microsoft Entra. You must take a note of this client secret when you create it, as for security reasons it is not available once you navigate away from the screen on which it is first displayed.
  Note: By default, client secrets created in Microsoft Entra expire after 180 days. You must make sure you set up procedures to remind you to create a new client secret before the current client secret expires, and to update your MyID web.oauth2 configuration with the new client secret.
- Application (client) ID
  Take a note of the client ID. You need this when configuring the web.oauth2 server.
- Directory (tenant) ID
  Take a note of the tenant ID. You need this to specify the Entra authorization and token endpoints when configuring the web.oauth2 server.
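The registration above can also be scripted. The following is an added example, not part of the MyID documentation or Intercede's tooling: it uses the Microsoft Graph PowerShell SDK to create the application as single tenant, add the redirect URI, create a client secret with the 180-day lifetime noted above, and print the client ID, tenant ID, secret and endpoints that the later web.oauth2 configuration needs. The MyID server name and display name are placeholders, and it assumes you have the Microsoft.Graph module installed and can consent to the Application.ReadWrite.All scope.

```powershell
# Added example (not from the MyID documentation): register a single-tenant
# Microsoft Entra application for MyID with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; you can consent to
# Application.ReadWrite.All; host name and display name below are placeholders.
param(
    [string]$MyIdServer = 'myid.mydomain.com',   # placeholder MyID web server
    [string]$DisplayName = 'MyID web.oauth2',    # placeholder app registration name
    [int]$SecretLifetimeDays = 180               # the Entra default lifetime noted above
)

Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes 'Application.ReadWrite.All'

$tenantId    = (Get-MgContext).TenantId          # Directory (tenant) ID
$redirectUri = "https://$MyIdServer/web.oauth2/signin-microsoft"

# SignInAudience 'AzureADMyOrg' is the single-tenant setting: only accounts in
# this directory can authenticate. 'AzureADMultipleOrgs' would expose the
# sign-in flow to every Entra tenant, which the documentation advises against.
$app = New-MgApplication -DisplayName $DisplayName `
    -SignInAudience 'AzureADMyOrg' `
    -Web @{ RedirectUris = @($redirectUri) }

# SecretText is returned by this call only; it cannot be read back later.
$cred = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'MyID web.oauth2'
    EndDateTime = (Get-Date).AddDays($SecretLifetimeDays).ToUniversalTime()
}

# Everything web.oauth2 needs. Pass ClientSecret to DPAPIEncrypt.ps1 (section
# 6.1.2) and then discard this plaintext copy.
[pscustomobject]@{
    ClientId              = $app.AppId             # Application (client) ID
    TenantId              = $tenantId
    ClientSecret          = $cred.SecretText
    SecretExpires         = $cred.EndDateTime      # diarise renewal before this date
    AuthorizationEndpoint = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/authorize"
    TokenEndpoint         = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
}
```

Run it once from an administrative workstation, not on the MyID server, and treat the printed ClientSecret as you would any credential: it should exist in plaintext only long enough to be encrypted with DPAPIEncrypt.ps1.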
6.1.2 Encrypting the client secret
Because you are going to store the client secret in a configuration text file on the server, you must encrypt it for security purposes. MyID supports DPAPI for encrypting the client secret; this uses the logged-on Windows user (in this case, the MyID web service user) to encrypt the secret, and only the same Windows user can decrypt it. A consequence of this is that if you later change the identity of the web.oauth2 application pool, you must encrypt the client secret again as the new account and update the configuration.
To encrypt the client secret:
- On the MyID web server, log on as the user under which the web.oauth2 service runs.
  By default, this is the MyID Web Service user; you can confirm this by checking which user is configured for the myid.web.oauth2.pool application pool in IIS.
  Note: It is important that you use this account to encrypt the secret, as no other accounts can decrypt the secret to use it.
- Open a Windows PowerShell command prompt, and navigate to the web.oauth2 folder. By default, this is:
    C:\Program Files\Intercede\MyID\web.oauth2\
- Run the following PowerShell script:
    .\DPAPIEncrypt.ps1 <secret>
  For example:
    .\DPAPIEncrypt.ps1 b5989015-bb9e-4533-874b-2b4a6a8280ed
  The script outputs an encrypted copy of the secret; for example:
    PS C:\Program Files\Intercede\MyID\web.oauth2> .\DPAPIEncrypt.ps1 b5989015-bb9e-4533-874b-2b4a6a8280ed
    AQAAANCMnd8BFdERjHoAwE/C [...] JwWwaKXWoS3i+ulxtmjVQyudpQ==
  (Encrypted output string truncated for documentation purposes.)
- Copy the encrypted secret.
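The same-user property described above is easy to get wrong in practice (for example by running the script from an elevated prompt under your own account). The following is an added example, not part of the MyID documentation or of DPAPIEncrypt.ps1: it reads the identity configured on the application pool, compares it with the account you are logged on as, and tests whether a DPAPI blob can be decrypted by the current account. It assumes the pool is named myid.web.oauth2.pool as in the text, that the IIS WebAdministration module is present, and that DPAPIEncrypt.ps1 protects the secret with user scope and no additional entropy; because the page does not show how that script encodes the plaintext, the check only reports whether decryption succeeds and never prints the secret.

```powershell
# Added example (not from the MyID documentation): confirm you are the pool
# identity, and that a DPAPI blob is decryptable by the current account.
# Assumptions: pool name myid.web.oauth2.pool; WebAdministration module present;
# blob protected with DataProtectionScope.CurrentUser and no extra entropy.
Add-Type -AssemblyName System.Security

function Get-OAuth2PoolIdentity {
    # Returns the account configured on the pool, or the built-in identity type
    # (for example ApplicationPoolIdentity) when no specific account is set.
    param([string]$PoolName = 'myid.web.oauth2.pool')
    Import-Module WebAdministration
    $model = (Get-Item -Path "IIS:\AppPools\$PoolName").processModel
    if ($model.userName) { return $model.userName }
    return $model.identityType
}

function Test-DpapiBlobReadable {
    # $true if the current Windows user can unprotect the blob, $false if DPAPI
    # rejects it (protected by another user, or corrupt). Plaintext is discarded.
    param([Parameter(Mandatory)][string]$Base64Blob)
    try {
        $bytes = [Convert]::FromBase64String($Base64Blob)
    } catch [System.FormatException] {
        throw "Not a valid base64 string: did you copy the whole output of DPAPIEncrypt.ps1?"
    }
    try {
        [void][System.Security.Cryptography.ProtectedData]::Unprotect(
            $bytes, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        return $true
    } catch [System.Security.Cryptography.CryptographicException] {
        return $false
    }
}

$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$pool = Get-OAuth2PoolIdentity
Write-Host "Logged on as : $me"
Write-Host "Pool identity: $pool"
# IIS may store the account as DOMAIN\user or user@domain; adjust the comparison if so.
if ($me -ine $pool) {
    Write-Warning 'Not running as the application pool identity: a secret encrypted now cannot be decrypted by web.oauth2.'
}

# Demonstrate the same-user property with a constructed, throwaway value.
$demo = [System.Security.Cryptography.ProtectedData]::Protect(
    [Text.Encoding]::UTF8.GetBytes('not-a-real-secret'), $null,
    [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
Write-Host "Round trip as current user: $(Test-DpapiBlobReadable ([Convert]::ToBase64String($demo)))"

# To check a real blob, paste the full output of DPAPIEncrypt.ps1 here:
# Test-DpapiBlobReadable 'AQAAANCMnd8BFdERjHoAwE/C...'
```

Run the script twice to see the property in action: once as the pool identity, where the check on the real blob returns True, and once as a different account, where the same blob returns False. The base64 prefix AQAAANCMnd8BFdERjHoAwE/C in the documentation's sample output is the encoded DPAPI blob header, which is why a value that does not start with it was not produced by DPAPI.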
6.1.3 Configuring the web.oauth2 server for Microsoft Entra
- In a text editor, open the appsettings.Production.json file for the web service. By default, this is:
    C:\Program Files\Intercede\MyID\web.oauth2\appsettings.Production.json
  This file is the override configuration file for the appsettings.json file for the web service.
- Add an entry to the ExternalProviders array.
  If the ExternalProviders array does not exist, add it at the top level of the file. For reference, the appsettings.json file contains an empty ExternalProviders array that allows you to confirm its location.
    "ExternalProviders": [
      {
        "Name": "<name>",
        "LogonMechanismId": 101,
        "Action": "<action>",
        "MicrosoftAccountOptions": {
          "ClientId": "<client ID>",
          "ClientSecret": "<client secret>",
          "AuthorizationEndpoint": "https://login.microsoftonline.com/<tenant ID>/oauth2/v2.0/authorize",
          "TokenEndpoint": "https://login.microsoftonline.com/<tenant ID>/oauth2/v2.0/token"
        },
        "ClientSecretEncrypted": "<encrypted client secret>",
        "Mappings": [
          {}
        ]
      }
    ]
  where:
  - <name> – the label used for the authentication method in the MyID Authentication dialog.
  - <action> – one of the following actions:
    - Find – (default) the user must already exist in the MyID database; the claims from the external identity provider must identify a user already in the MyID database.
    - Create – if the user does not already exist in MyID, they are created. If the user does exist, that same user is used.
    - Update – the user must already exist in MyID. Mapped fields marked with Update:true are updated in MyID based on the value supplied by the external identity provider.
      See section 6.4, Mapping attributes for details of setting the update options for mapped fields.
    - CreateAndUpdate – if the user does not already exist in MyID, they are created. If the user does exist, that same user is used and any fields marked with Update:true are updated.
    Because Create and CreateAndUpdate create a MyID user for any account that Microsoft Entra authenticates, using them makes it all the more important that the application registration is single tenant (see section 6.1.1).
  - <client ID> – the client ID from your Microsoft Entra configuration.
  - <client secret> – the client secret you created in Microsoft Entra.
    Important: For production systems, you are recommended not to include the client secret in the appsettings.Production.json file, but to encrypt the client secret and use the ClientSecretEncrypted option instead, leaving ClientSecret as an empty string.
  - <tenant ID> – the tenant ID from your Microsoft Entra configuration. You must include the same tenant ID in both the AuthorizationEndpoint and TokenEndpoint options.
    Note: If you are using a multitenant system, you do not need to include the AuthorizationEndpoint and TokenEndpoint options.
  - <encrypted client secret> – the encrypted client secret. See section 6.1.2, Encrypting the client secret.
  Note: The LogonMechanismId is set to 101, which is fixed for Microsoft Entra.
For example:
    "ExternalProviders": [
      {
        "Name": "Microsoft Entra ID",
        "LogonMechanismId": 101,
        "Action": "CreateAndUpdate",
        "MicrosoftAccountOptions": {
          "ClientId": "bb61c9f6-9a71-42ba-a156-05db9a7a6407",
          "ClientSecret": "",
          "AuthorizationEndpoint": "https://login.microsoftonline.com/2fad39ef-cead-489d-a755-c3b45c762c4a/oauth2/v2.0/authorize",
          "TokenEndpoint": "https://login.microsoftonline.com/2fad39ef-cead-489d-a755-c3b45c762c4a/oauth2/v2.0/token"
        },
        "ClientSecretEncrypted": "AQAAANCMnd8BFdERjHoAwE/C [...] JwWwaKXWoS3i+ulxtmjVQyudpQ==",
        "Mappings": [
          {}
        ]
      }
    ]
For further information about the settings available in the MicrosoftAccountOptions section, see the Microsoft documentation for the ASP.NET Core MicrosoftAccountOptions class.
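A mistake in this entry (a plaintext secret left in ClientSecret, mismatched tenant IDs in the two endpoints, a typo in the Action value) is only discovered when a logon fails. The following is an added example, not part of the MyID documentation: a PowerShell check that loads appsettings.Production.json and validates the Microsoft Entra entry against the rules stated above. It assumes the default file path, the field names shown on this page, and that the file is plain JSON (ConvertFrom-Json in Windows PowerShell 5.1 rejects the comments that ASP.NET Core itself tolerates). The DPAPI header prefix it looks for is the base64 encoding of the DPAPI blob header, visible in the documentation's sample output.

```powershell
# Added example (not from the MyID documentation): validate the Microsoft Entra
# entry in appsettings.Production.json before restarting web.oauth2.
# Assumptions: default path; field names as on this page; plain JSON without comments.
param(
    [string]$Path = 'C:\Program Files\Intercede\MyID\web.oauth2\appsettings.Production.json'
)

$guid     = '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
$problems = New-Object System.Collections.Generic.List[string]

$config = Get-Content -Path $Path -Raw | ConvertFrom-Json
# LogonMechanismId 101 is fixed for Microsoft Entra, so select the entry by it.
$entra = @($config.ExternalProviders | Where-Object { $_.LogonMechanismId -eq 101 })
if ($entra.Count -ne 1) {
    $problems.Add("Expected one ExternalProviders entry with LogonMechanismId 101, found $($entra.Count).")
}

foreach ($p in $entra) {
    $o = $p.MicrosoftAccountOptions

    if ($p.Action -notin 'Find','Create','Update','CreateAndUpdate') {
        $problems.Add("Action '$($p.Action)' is not one of Find, Create, Update, CreateAndUpdate.")
    }
    if ($o.ClientId -notmatch $guid) {
        $problems.Add("ClientId '$($o.ClientId)' is not a GUID.")
    }

    # Secret handling: production should carry only the DPAPI-encrypted form.
    if ([string]::IsNullOrEmpty($p.ClientSecretEncrypted)) {
        $problems.Add('ClientSecretEncrypted is missing; store the client secret encrypted (section 6.1.2).')
    } elseif (-not $p.ClientSecretEncrypted.StartsWith('AQAAANCMnd8BFdERjHoAwE/C')) {
        # Base64 of the DPAPI blob header; anything else was not produced by DPAPIEncrypt.ps1.
        $problems.Add('ClientSecretEncrypted does not look like a DPAPI blob.')
    }
    if (-not [string]::IsNullOrEmpty($o.ClientSecret)) {
        $problems.Add('ClientSecret holds a plaintext secret; clear it and rely on ClientSecretEncrypted.')
    }

    # Endpoints: each must be the v2.0 URL for one tenant, and both must name the same tenant.
    $tenants = @()
    foreach ($name in 'AuthorizationEndpoint','TokenEndpoint') {
        $url = $o.$name
        if (-not $url) { continue }   # omitting both is valid only for a multitenant registration
        $suffix = if ($name -eq 'AuthorizationEndpoint') { 'authorize' } else { 'token' }
        if ($url -match "^https://login\.microsoftonline\.com/([0-9a-f-]{36})/oauth2/v2\.0/$suffix$") {
            $tenants += $Matches[1].ToLower()
        } else {
            $problems.Add("$name '$url' is not https://login.microsoftonline.com/<tenant ID>/oauth2/v2.0/$suffix")
        }
    }
    $distinct = @($tenants | Sort-Object -Unique)
    if ($distinct.Count -gt 1) {
        $problems.Add("AuthorizationEndpoint and TokenEndpoint name different tenants: $($distinct -join ', ')")
    }
    if ($distinct.Count -eq 0) {
        Write-Warning 'No tenant-specific endpoints: valid only for a multitenant registration, which lets users from any Entra tenant sign in.'
    }
}

if ($problems.Count -eq 0) {
    Write-Host 'Microsoft Entra entry in appsettings.Production.json is consistent.'
} else {
    $problems | ForEach-Object { Write-Host "PROBLEM: $_" }
    exit 1
}
```

A non-zero exit code makes the script usable as a gate in whatever deployment process writes the file, so that a plaintext ClientSecret or an inconsistent tenant ID is caught before the service is restarted rather than by the first user who cannot log on.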
6.1.4 Configuring MyID to use Microsoft Entra
Once you have set up Microsoft Entra, and configured the web.oauth2 server, you can configure MyID to make Microsoft Entra available as a logon mechanism.
To enable the Microsoft Entra logon mechanism:
- In the MyID Operator Client, from the More category, select Configuration Settings > Security Settings.
  Alternatively, in MyID Desktop, from the Configuration category, select the Security Settings workflow.
- Click the Logon Mechanisms tab.
- Set the following option:
  - Microsoft Entra ID – set to Yes to allow logon using Microsoft Entra.
- Click Save changes.
To make the Microsoft Entra logon mechanism available to users:
- In the MyID Operator Client, from the More category, select Configuration Settings > Edit Roles.
  Alternatively, in MyID Desktop, from the Configuration category, select the Edit Roles workflow.
- Click Logon Methods.
- In the Logon Mechanisms dialog, select the Microsoft Entra ID logon mechanism for each role you want to be able to log on using Microsoft Entra.
- Click OK, then click Save Changes.
6.1.5 Next steps
You can now map the attributes from the external identity provider to MyID attributes. See section 6.4, Mapping attributes.
See also section 6.5, Example Microsoft Entra settings for a sample set of mappings for Microsoft Entra.