Passport Configuration with Microsoft Azure

By Nick Bickhart

Learn how to create an OpenID Connect (OIDC) application in Microsoft Azure (Azure AD) to be used when configuring Kandji Passport.

Article Contents

Create the App registration

  1. Login to
  2. From the hamburger menu, click Azure Active Directory

  3. On the left, select App registrations
  4. Click New registration

  5. Enter a name for the new application (such as Kandji Passport)
  6. In the Supported Account Types section, select Accounts in this organizational directory only (Default Directory only - Single tenant)
  7. Click Register

  8. On the Overview page, copy the application (client) ID to a temporary text document

  9. While still on the Overview page, click Endpoints
  10. Copy OpenID Connect metadata document (identity provider URL) to a temporary text document

  11. On the left, select Authentication
  12. Set Enable the following mobile and desktop flows to Yes
  13. Click Save

  14. On the leftselect Token configuration
  15. Click Add optional claims
  16. For the Token type, select ID
  17. For the Claim, select preferred_username
  18. Click Add

  19. While still on the Token configuration page, click Add groups claim
  20. Select All Groups...
  21. Click Add

    Once you complete the token configurations, you will see both optional claims

  22. On the left, select API permissions
  23. Click Add a permission
  24. Click Microsoft Graph

  25. Select Delegated permissions
  26. Expand OpenId permissions
  27. Select email
  28. Select profile

  29. In the Search permissions field, enter User.Read 
  30. Under Users, select User.Read
  31. Click Add permissions

  32. While still on the API permissions page, select Grant admin consent for <your_tenant_name>
  33. Select Yes
    1. You should see a notification similar to the one below and you should see a "Granted for <your_tenant_name> ..." message in the Status column next to each permission.

  34. Continue to the next section

Assign users and groups

  1. From the hamburger menu, click Azure Active Directory

  2. Click Enterprise applications

  3. Find and select the Kandji Passport app that was created earlier

  4. Click Users and groups
  5. Click Add user/group

  6. Select the users or groups that should be assigned to the Kandji Passport app

    If you see the message below, this means that the entry-level Azure AD license tier is being used, and you will only be able to add users to the Passport app.

  7. Click Select, then click Assign

  8. You should then be back on the Users and groups page
  9. Continue to the next section

Multi-factor Authentication (MFA) Considerations

To use Azure with Passport you will need to turn off Azure MFA using Security Defaults (Azure AD free tier), for all users (Microsoft 365 Business, E3, or E5), or with Azure AD Conditional Access (Azure AD Premium P1+). 

If Azure MFA was turned on using the legacy per-user method, it will need to turned off at that level as well so that the user can authenticate successfully using Passport.

Turn off legacy per-user MFA

If per-user MFA was turned on previously, it must be turned off for each user.

  1. Login to your O365 admin center
  2. In the left-hand navigation, click Users > Active users
  3. Click Multi-factor authentication
  4. Find each user that needs Multi-factor authentication turned off and set the status to Disabled

Turn off MFA using Security Defaults 

If your organization is using the free tier of Azure Active Directory licensing, you will need to turn off Security Defaults to allow users to authenticate with Passport. This will turn off MFA for the entire organization.
  1. From the Azure Active Directory module, select Properties
  2. Select Manage Security Defaults
  3. Change Enable Security Defaults to No

Exclude Kandji Passport from MFA using Azure AD Conditional Access

Azure AD Conditional Access is included with Azure Active Directory Premium or better. Be sure to turn off both per-user MFA and Security defaults before you turn on Azure AD Conditional Access policies. 

If Conditional Access is configured in Azure AD, Kandji Passport Enterprise app will need to be excluded from each Conditional Access policy where MFA is a requirement. Part of this process involves adding a redirect URI to the Kandji Passport Application Registration.

  1. To configure the redirect URI, select Azure Active Directory

  2. Click App Registrations
  3. Select the Kandji Passport application created earlier

  4. In the left navigation menu, click Authentication
  5. Click Add a Platform
  6. Click Web in the Configure Platforms blade

  7. In the Redirect URIs text field, enter
  8. Click Configure

  9. From the main menu, click Azure AD Conditional Access

    1. If Azure AD Conditional Access is not visible in the menu click More services

    2. Filter for conditional so that Azure AD Conditional Access appears
    3. Using the cursor, hover over Azure AD Conditional Access 
    4. Click the star(⭐️) in the popup that appears. This will put Azure AD Conditional Access in the main menu bar

  10. In the Policies section, select each policy that has MFA as a requirement. You can see which policies have MFA as a requirement within the Grant section of each policy.

  11. Click the link under Cloud apps or actions
  12. Click Exclude
  13. Click the link under Select excluded cloud apps
  14. Search for the Passport app that needs to be excluded
  15. Check the box next to the app
  16. Click Select and then click Save in the bottom-left corner.

  17. Repeat the same process for all Conditional Access policies that have MFA as a requirement.
With the Azure configuration complete, go to the Kandji web app to configure the Passport library item.

User account provisioning via Passport

If you are using the Specify per identity provider group option in the Passport Library item, use the Azure group ObjectID in the Identity provider group field.

Common Azure errors


  • Azure Message: Due to a configuration change made by your administrator or because you moved to a new location, you must use multi-factor authentication to access '{resource}' - User needs to perform multi-factor authentication. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, and requested by client, among others.
  • Remediation: Make sure to review the Multi-factor Authentication (MFA) Considerations section in this support article to ensure that Multi-factor Authentication is turned off for the Passport enterprise app in your Azure environment.


  • Azure Message: InvalidUserNameOrPassword - Error validating credentials due to invalid username or password. The user didn't enter the right credentials.  It's expected to see some number of these errors in your logs due to users making mistakes.
  • Remediation: This is a very generic Azure error message. In the context of Passport there have been a few scenarios where this error has been seen.
    • It is possible that the username or password is, in fact, incorrect.
    • It is possible that Azure is federated with AD FS or another Identity Provider. This will cause the authentication flow to result in an error being sent to Passport. See the Authentication Flow in a Federated Environment section of this article for more information.


  • Azure Message: The request body must contain the following parameter: 'client_assertion' or 'client_secret' - Developer error - the app is attempting to sign in without the necessary or correct authentication parameters.
  • Remediation: Make sure to have the setting Enable the following mobile and desktop flows set to Yes in Authentication section of the Passport Enterprise App in Azure.

To look up additional Azure error codes, you can use this link.