Passport
      Back to home
      1. Kandji Support
      2. Library
      3. Passport

      Passport Configuration with Microsoft Azure

      Learn how to create an OpenID Connect (OIDC) application in Microsoft Azure (Azure AD) to be used when configuring Kandji Passport.

      Create the App registration

      1. Login to portal.azure.com
      2. From the hamburger menu, click Azure Active Directory
      3. On the left, select App registrations
      4. Click New registration


      5. Enter a name for the new application (such as Kandji Passport)
      6. In the Supported Account Types section, select Accounts in this organizational directory only (Default Directory only - Single tenant)
      7. Click Register

      8. On the Overview page, copy the Application (client) ID to a temporary text document

      9. While still on the Overview page, click Endpoints
      10. Copy OpenID Connect metadata document (identity provider URL) to a temporary text document

      11. On the left, select Authentication
      12. Set Enable the following mobile and desktop flows to Yes
      13. Click Save

      14. On the left, select Token configuration
      15. Click Add optional claims
      16. For the Token type, select ID
      17. For the Claim, select preferred_username
      18. Click Add


      19. While still on the Token configuration page, click Add groups claim
      20. Select All Groups...
      21. Click Add



        Once you complete the token configurations, you will see both optional claims


      22. On the left, select API permissions
      23. Click Add a permission
      24. Click Microsoft Graph

      25. Select Delegated permissions
      26. Expand OpenId permissions
      27. Select email
      28. Select profile



      29. In the Search permissions field, enter User.Read 
      30. Under Users, select User.Read
      31. Click Add permissions

      32. While still on the API permissions page, select Grant admin consent for <your_tenant_name>
      33. Select Yes
        1. You should see a notification similar to the one below and you should see a "Granted for <your_tenant_name> ..." message in the Status column next to each permission.

      34. Continue to the next section

      Assign users and groups

      1. From the hamburger menu, click Azure Active Directory

      2. Click Enterprise applications

      3. Find and select the Kandji Passport app that was created earlier

      4. Click Users and groups
      5. Click Add user/group

      6. Select the users or groups that should be assigned to the Kandji Passport app

        If you see the message below, this means that the entry-level Azure AD license tier is being used, and you will only be able to add users to the Passport app.
      7. Click Select, then click Assign

      8. You should then be back on the Users and groups page
      9. Continue to the next section

      Multi-factor Authentication (MFA) Considerations

      To use Azure with Passport you will need to turn off Azure MFA using  Security Defaults (Azure AD free tier), for all users (Microsoft 365 Business, E3, or E5), or with Azure AD Conditional Access (Azure AD Premium P1+).

      If Azure MFA was turned on using the legacy per-user method, it will need to turned off at that level as well so that the user can authenticate successfully using Passport.

      Turn off legacy per-user MFA

      If per-user MFA was turned on previously, it must be turned off for each user.

      1. Login to your O365 admin center
      2. In the left-hand navigation click Users > Active users
      3. Click Multi-factor authentication
      4. Find each user that needs Multi-factor authentication turned off and set the status to Disabled

      Turn off MFA using Security Defaults 

      If your organization is using the free tier of Azure Active Directory licensing, you will need to turn off Security Defaults to allow users to authenticate with Passport. This will turn off MFA for the entire organization. 

      1. From the Azure Active Directory module, select Properties
      2. Select Manage Security Defaults
      3. Change Enable Security Defaults to No

      Exclude Kandji Passport from MFA using Azure AD Conditional Access

      Azure AD Conditional Access is included with Azure Active Directory Premium or better.

      Be sure to turn off both per-user MFA and Security defaults before you turn on Azure AD Conditional Access policies.

      If Conditional Access is configured in Azure AD, Kandji Passport Enterprise app will need to be excluded from each Conditional Access policy where MFA is a requirement. Part of this process involves adding a redirect URI to the Kandji Passport Application Registration.
      1. To configure the redirect URI, select Azure Active Directory
      2. Click App Registrations
      3. Select the Kandji Passport application created earlier

      4. In the left navigation menu, click Authentication
      5. Click Add a Platform
      6. Click Web in the Configure Platforms blade



      7. In the Redirect URIs text field, enter http://localhost
      8. Click Configure


      9. From the main menu, click Azure AD Conditional Access

        1. If Azure AD Conditional Access is not visible in the menu click More services

        2. Filter for conditional so that Azure AD Conditional Access appears
        3. Using the cursor, hover over Azure AD Conditional Access 
        4. Click the star(⭐️) in the popup that appears. This will put Azure AD Conditional Access in the main menu bar

      10. In the Policies section, select each policy that has MFA as a requirement. You can see which policies have MFA as a requirement within the Grant section of each policy.

      11. Click the link under Cloud apps or actions
      12. Click Exclude
      13. Click the link under Select excluded cloud apps
      14. Search for the Passport app that needs to be excluded
      15. Check the box next to the app
      16. Click Select and then click Save in the bottom-left corner.



      17. Repeat the same process for all Conditional Access policies that have MFA as a requirement.

      With the Azure configuration complete, go to the Kandji web app to configure the Passport library item.

      User account provisioning via Passport

      If you are using the Specify per identity provider group option in the Passport Library item, use the Azure group ObjectID in the Identity provider group field.

      Common Azure errors

      AADSTS50076

      • Azure Message: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '{resource}' - User needs to perform multi-factor authentication. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, requested by client, among others.
      • Remediation: Make sure to review the Multi-factor Authentication (MFA) Considerations section in this support article to ensure that Multi-factor Authentication is turned off for the Passport enterprise app in your Azure environment.

      AADSTS7000218

      • Azure Message: The request body must contain the following parameter: 'client_assertion' or 'client_secret' - Developer error - the app is attempting to sign in without the necessary or correct authentication parameters.
      • Remediation: Make sure to have the setting Enable the following mobile and desktop flows set to Yes in Authentication section of the Passport Enterprise App in Azure.

      To look up additional Azure error codes you can use this link.

       

      Top