3.5 Configuring Microsoft Entra
You must configure your Microsoft Entra system to allow MyID to use it to issue passkeys.
If you are using the Self-Service Request Portal, you must also configure Microsoft Entra as an external identity provider for the SSRP.
3.5.1 Configuring Entra to allow access from MyID CMS
You must configure Entra to allow access from the MyID server:
-
In your Entra tenant, use the Create your own application option to create an enterprise application; you can configure this to permit access from the MyID server to Entra.
-
Set up an associated app registration for the enterprise application.
-
You must create a client secret in Entra for server authentication from MyID.
You must specify this client secret in MyID when you set up the external system; see section 3.7.3, Setting up the external system.
You must also specify the client secret when you configure the SSRP to use Microsoft Entra as an external identity provider.
-
Make sure the Passkey (FIDO2) authentication method is enabled on your Entra system.
See the External identity providers section in the Derived Credentials Self-Service Request Portal guide on configuring Microsoft Entra as an external identity provider for the Self-Service Request Portal. In particular, you must:
-
Configure the redirect URI to allow responses to be returned to SSRP.
Note: You must configure the redirect URI as a web page, not a single-page application.
3.5.2 Configuring Entra to allow MyID to access the passkey registration APIs
MyID currently uses the following API methods:
-
GET /users/<UserID>/authentication/fido2methods/creationOptions
Retrieves the available options for creating a passkey.
-
POST /users/<UserID>/authentication/fido2methods
Registers a passkey.
-
DELETE /users/<UserID>/authentication/fido2Methods/<DeviceID>
Cancels a passkey.
You must grant the following Graph API permission to the app registration used by MyID:
|
API / Permissions Name |
Type |
Description |
|---|---|---|
|
UserAuthenticationMethod.ReadWrite.All |
Application |
Read and write all users’ authentication methods |
3.5.3 Configuring Entra for enterprise attestation
When issuing a passkey through Entra, MyID CMS passes the enterprise attestation information to Entra; however, if you are using enterprise attestation for your passkey issuance that uses a custom attestation root certificate that is not publicly available in the FIDO repository, Entra is unable to carry out the attestation check. In this case, you must disable the attestation check on Entra.
MyID CMS carries out the enterprise attestation check on behalf of Entra; see section 2.3.1, Setting up a local metadata repository for details of setting up a metadata repository that contains your custom attestation root certificate.
3.5.4 Restricting the number of credentials issued to a person
Entra uses a setting called ExcludeCredentials that prevents a person from collecting a second FIDO credential to the same FIDO device.
MyID CMS ignores this restriction and by default allows people to collect multiple FIDO credentials to the same FIDO device.
If you want to restrict the credentials issued through MyID CMS, you can set the Active credential profiles per person option in the credential profile; see the Additional credential profile options section in the Administration Guide.