Passport Configuration with Microsoft Azure

By Nick Bickhart

Learn how to create an OpenID Connect (OIDC) application in Microsoft Azure (Azure AD) to be used when configuring Kandji Passport.

Before you begin

You will need access to an Azure admin user account to grant the proper permissions to the Passport app in Azure.

Create the App registration

  1. Log in to portal.azure.com with an Azure admin user account
  2. From the hamburger menu, click Azure Active Directory


  3. On the left, select App registrations
  4. Click New registration



  5. Enter a name for the new application (such as Kandji Passport)
  6. In the Supported Account Types section, select Accounts in this organizational directory only (Default Directory only - Single tenant)


  7. For now, leave the Redirect URI (optional) section at its default. To avoid multiple situational branches in these instructions, MFA support is covered in a separate section of this document, "Enable Microsoft Multi-factor Authentication (MFA)". Whether or not you want to enable MFA support for Passport, continue with the next steps in this section.
  8. Click Register

  9. Open a secure text document where the values for this OIDC app can be temporarily stored. You will need these details when you configure the Passport Library Item.
  10. On the Overview page, copy the Application (client) ID to a temporary text document


  11. While still on the Overview page, click Endpoints
  12. Copy OpenID Connect metadata document (identity provider URL) to a temporary text document


  13. On the left, select Authentication
  14. Set Enable the following mobile and desktop flows to Yes
  15. Click Save

  16. On the left, select Token configuration
  17. Click Add optional claims
  18. For the Token type, select ID
  19. For the Claim, select preferred_username
  20. Click Add


  21. While still on the Token configuration page, click Add groups claim
  22. Select All Groups...
  23. Click Add


    Once you complete the token configurations, you will see both optional claims



  24. On the left, select API permissions
  25. Click Add a permission
  26. Click Microsoft Graph


  27. Select Delegated permissions
  28. Expand OpenId permissions
  29. Select email
  30. Select profile


  31. In the Search permissions field, enter User.Read
  32. Under Users, select User.Read
  33. Click Add permissions


  34. While still on the API permissions page, select Grant admin consent for <your_tenant_name>
  35. Select Yes
    1. You should see a notification similar to the one below and you should see a "Granted for <your_tenant_name> ..." message in the Status column next to each permission.



  36. Continue to the next section

Assign users and groups

By default, when you create a new App registration, the "Assignment required?" attribute is set to "No". However, if your Passport Enterprise app is set to require assignment, you will need to follow these steps to assign users in order to be able to use your Passport app.
  1. From the hamburger menu, click Azure Active Directory



  2. Click Enterprise applications



  3. Find and select the Kandji Passport app that was created earlier



  4. Click Properties
  5. Confirm that the Visible to users? setting is set to "No", otherwise users will see it in their portal. The Passport app is only useful as a replacement for the macOS login window.
  6. Inspect the Assignment required? setting. If it is set to "No", then you can skip the rest of this section. All users in Azure Active Directory will be able to use the Passport app.



  7. If the Assignment required? setting is set to "Yes", then click Users and groups
  8. Click Add user/group


  9. Select the users or groups that should be assigned to the Kandji Passport app

    If you see the message below, this means that the entry-level Azure AD license tier is being used, and you will only be able to add users (not groups) to the Passport app.


  10. Click None Selected
  11. In the right Users panel, select each user to assign. If the right panel is labeled Users and groups you can select users and groups, not just users.
  12. Confirm that all your intended users (and groups if your Azure tier allows it) are in the Selected items section.
  13. Click Select, then click Assign


  14. You should then be back on the Users and groups page
  15. With this portion of the Azure configuration complete, review the remaining sections of this document for your Microsoft Azure environment, such as for multi-factor authentication (MFA), then go to the Kandji web app to configure the Passport Library Item.

Enable Microsoft Multi-factor Authentication (MFA) (optional)

The first iteration of Passport did not support multi-factor authentication. If your organization turned off support for MFA for Microsoft Azure, you should use Microsoft’s documentation to re-enable MFA for Microsoft Azure Active Directory.


To use Passport with Microsoft Azure MFA, the requirements vary depending on your Azure subscription.

Please review the following subscription details corresponding to your license level:

Turn on MFA using Security Defaults 

If your organization uses the free tier of Azure Active Directory, you will need to turn on Security defaults (according to Microsoft, “If your tenant was created on or after October 22, 2019, security defaults may be enabled in your tenant"). Turning on security defaults turns on MFA for your entire organization.

Although Security defaults will require all users to register for Azure AD MFA, users will not be challenged for MFA when authenticating to Passport. This is because per-app MFA is not supported in the free tier of Azure; per-app MFA is a feature of Azure Conditional Access. If you want MFA to be enforced when authenticating to Passport, legacy per-user MFA must be enabled. Note that Microsoft recommends against using legacy per-user MFA in favor of Conditional Access. Please review those recommendations before moving forward with per-user MFA.
  1. From the Azure Active Directory module, select Properties
  2. In the Access management for Azure resources section, click Manage Security Defaults
  3. Below Enable security defaults, click Yes

    [Screenshot: Azure - Properties - Manage security defaults]
  4. Click Save

Add a Redirect URI to support multi-factor authentication (MFA)

  1. If you’re not signed in to Azure already, sign in to portal.azure.com
  2. Navigate to App Registrations
  3. Select your Kandji Passport app
  4. In the left navigation menu, select Authentication
  5. If the portal doesn’t display Web in the Platform configurations section, then skip to the next step. If the portal does display Web, we recommend that you use Mobile and desktop applications instead. Use the following steps to remove the Web redirect and Web client secret:
    1. In the upper-right corner of the Web section, click the trash icon to delete
    2. Near the bottom of the screen, click Save
    3. Confirm that the Platform configurations section doesn’t display a Web section
    4. In the left navigation pane, click Certificates & secrets
    5. If there is a Client secret, then to the right of the secret, click the trash icon to delete it
    6. In the confirmation pane, click Yes
    7. Confirm that there are no client secrets displayed
    8. In the left navigation menu, select Authentication
  6. In the Platform configurations section, click Add a platform

  7. Select Mobile and desktop applications
  8. Select the first checkbox: https://login.microsoftonline.com/common/oauth2/nativeclient
  9. Hover your pointer to the right of the value of the field from the previous step, then click the copy icon under the Copy to clipboard callout
  10. Paste the text into your secure document (in your Passport library item, in the Web Login authentication section, you’ll use this value in the “Redirect URI” field)
  11. Click Configure



  12. Confirm that the Platform configurations section contains the section Mobile and desktop applications, with the checkbox selected for https://login.microsoftonline.com/common/oauth2/nativeclient

  13. In the left navigation menu, select Token configuration
  14. Click Add optional claim
  15. For the Token type, select ID

  16. For the Claim, select preferred_username
  17. Click Add


  18. While still on the Token configuration page, click Add groups claim, then select All groups (includes distribution lists but not groups assigned to the application)
  19. Click Add

    Once you complete the token configurations, Azure displays both optional claims.

    [Screenshot: Azure - Token configuration - both optional claims displayed]

  20. In the left navigation menu, select API permissions
  21. Confirm that the Configured permissions section already displays a Microsoft Graph entry for User.Read
  22. Click Add a permission
  23. Click Microsoft Graph

  24. Select Delegated permissions
  25. If OpenId permissions isn't already expanded, click the arrow to expand OpenId permissions

  26. Select the checkbox for email
  27. Select the checkbox for profile
  28. Click Add permissions
  29. Select Grant admin consent for <your_tenant_name>
  30. In the Grant admin consent confirmation, click Yes
  31. Confirm that Azure displays a notification similar to the one below:



  32. Confirm that in the Status column next to each permission, Azure displays "Granted for <your_tenant_name>":
  33. With this portion of the Azure configuration complete, review the remaining sections of this document for your Microsoft Azure environment, such as for Azure conditional access, then go to the Kandji web app to configure the Passport library item.
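The two registration sections above (and the AADSTS700025 / AADSTS7000215 entries under Common Azure errors) together define one target state for the app registration. The following added example, which is not Kandji's or Microsoft's code, audits an app registration object against that state; it assumes the property names of the Microsoft Graph `application` resource (`signInAudience`, `isFallbackPublicClient`, `publicClient`, `web`, `passwordCredentials`, `optionalClaims`, `groupMembershipClaims`), which you should verify against an export from your own tenant, and the sample object is constructed.

```python
"""Audit an Azure AD app registration for the Passport requirements.

Input is a dict shaped like the Microsoft Graph `application` resource
(what `GET /v1.0/applications/{id}` returns); the property names are an
assumption to verify against your tenant's export.
"""
from typing import Dict, List

NATIVE_CLIENT_URI = "https://login.microsoftonline.com/common/oauth2/nativeclient"


def audit_passport_app(app: Dict) -> List[str]:
    """Return findings; an empty list means the registration matches the guide."""
    findings: List[str] = []
    # Single tenant: "Accounts in this organizational directory only"
    if app.get("signInAudience") != "AzureADMyOrg":
        findings.append("signInAudience is not AzureADMyOrg (single tenant)")
    # "Enable the following mobile and desktop flows" (public client flows)
    if app.get("isFallbackPublicClient") is not True:
        findings.append("mobile and desktop (public client) flows are not enabled")
    # Mobile and desktop platform must carry the nativeclient redirect URI
    public_uris = (app.get("publicClient") or {}).get("redirectUris") or []
    if NATIVE_CLIENT_URI not in public_uris:
        findings.append("nativeclient redirect URI missing from Mobile and desktop applications")
    # The Web platform is removed in the MFA section
    if (app.get("web") or {}).get("redirectUris"):
        findings.append("Web platform still has redirect URIs; remove it")
    # A client secret on a public client produces AADSTS700025 / AADSTS7000215
    if app.get("passwordCredentials"):
        findings.append("client secret present; delete it and leave the Passport field empty")
    # Optional ID token claim preferred_username
    id_claims = {c.get("name") for c in (app.get("optionalClaims") or {}).get("idToken") or []}
    if "preferred_username" not in id_claims:
        findings.append("optional ID token claim preferred_username not configured")
    # Groups claim set to "All groups"
    if app.get("groupMembershipClaims") != "All":
        findings.append("groups claim is not set to All groups")
    return findings


# Constructed sample: the Web platform and a client secret were never removed.
SAMPLE_APP = {
    "displayName": "Kandji Passport",
    "signInAudience": "AzureADMyOrg",
    "isFallbackPublicClient": True,
    "publicClient": {"redirectUris": [NATIVE_CLIENT_URI]},
    "web": {"redirectUris": ["https://example.invalid/callback"]},
    "passwordCredentials": [{"displayName": "old secret"}],
    "optionalClaims": {"idToken": [{"name": "preferred_username"}]},
    "groupMembershipClaims": "All",
}

if __name__ == "__main__":
    for finding in audit_passport_app(SAMPLE_APP):
        print("FINDING:", finding)
```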

Azure Conditional Access Considerations

Azure AD Conditional Access is included with Azure Active Directory Premium or better. Be sure to turn off both per-user MFA and Security defaults before you turn on Azure AD Conditional Access policies.

If Azure is configured with an Azure AD Conditional Access policy that specifies MFA as a requirement and specifies all or specific cloud apps, you'll need to exclude the Enterprise application that you use for Passport from that policy. Another way to describe such a policy is that the policy uses both of these criteria:

  • Assignments: Cloud apps or actions: Cloud apps: All cloud apps or Select apps
  • Access controls: Grant: Grant access: Require multifactor authentication

Here's an example of a policy that you don't need to modify, because it doesn't use both of the criteria above (specifically, although it has the grant of Require multifactor authentication, it doesn't have the assignment for Cloud apps or actions of All cloud apps or Select apps):

[Screenshot: Conditional Access - Policy - Default MFA - Grant]


And here's an example of a policy that you do need to modify to exclude the Enterprise application for Kandji Passport, because the policy uses both criteria:

[Screenshot: Conditional Access - Policy - two criteria met]


It might seem counterintuitive that you need to exclude the Enterprise application from the MFA requirement, especially since you want Kandji Passport to allow MFA during the Web Login authentication mode. The reason is that the web view of the Web Login authentication mode does not use the Enterprise application, while the password verification screen (the "Please enter your Microsoft Azure password" screen) does use it; that screen relies on the resource owner password grant (ROPG) flow, which does not support MFA. So if you have any policies that require cloud apps to use MFA, add the Kandji Passport Enterprise application to the exclusion list.

In order for you to exclude the Enterprise application, it needs to have a Redirect URI value.

Add the cloud app exclusion

For each applicable policy, exclude the Enterprise app you use for Kandji Passport.

  1. In the upper-left corner, click the hamburger menu, and then click Azure AD Conditional Access
    1. If Azure AD Conditional Access is not visible in the menu, click More services



    2. In the Filter services field, enter conditional so that Azure AD Conditional Access appears
    3. Hover over Azure AD Conditional Access without clicking it
    4. Click the star (⭐️) in the popup that appears. This adds Azure AD Conditional Access to your main menu bar
    5. Before you dismiss the popup that appeared, click View. Otherwise, click Conditional Access from your main menu bar



  2. Confirm that the portal displays each policy with a Policy Name and a State (among other information)

    [Screenshot: Conditional Access - Policies]

  3. Select a policy that has the State of On
  4. If the Cloud apps or actions section displays No cloud apps, actions, or authentication contexts selected, then go back to the previous step and select the next policy

    [Screenshot: No cloud apps, actions, or authentication contexts selected]


    Otherwise, click the link under Cloud apps or actions

  5. Click Exclude

    [Screenshot: Conditional Access - Cloud apps or actions]
  6. Review the list of excluded cloud apps (there may be no cloud apps excluded). If the Enterprise app for Kandji Passport is already excluded, you can return to step 3 and move on to the next policy
  7. Click the text link under Select excluded cloud apps


    [Screenshot: Cloud apps - Exclusion list]
  8. In the Search field, enter the name of the Enterprise app you use for Kandji Passport. Note that the search doesn't just search for any part of the name; you need to enter at least the start of the name
  9. From the search results, select the checkbox for your Enterprise app for Kandji Passport
  10. At the bottom of the Select excluded cloud apps blade, click Select


    [Screenshot: Conditional Access - Exclude Kandji Passport]

  11. Confirm that the Enterprise app was added to the list of excluded apps


    [Screenshot: Confirm Kandji Passport is excluded]

  12. In the lower-left corner of the page, click Save
  13. Go back to step 3 and repeat for the next policy until you have examined or updated every Conditional Access policy
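Walking every policy by hand, as the steps above describe, scales poorly in a tenant with many policies. The following added example (not Kandji's or Microsoft's code) applies the two criteria from the Considerations section to a list of policies and names the ones that still need the exclusion; it assumes the property names of the Microsoft Graph `conditionalAccessPolicy` resource (`state`, `conditions.applications.includeApplications` / `excludeApplications`, `grantControls.builtInControls`), and the sample policies and the Passport app ID are constructed placeholders.

```python
"""Flag Conditional Access policies that would block Passport's password step.

Policies are dicts shaped like the Microsoft Graph `conditionalAccessPolicy`
resource; the property names are an assumption from that schema, and the
sample policies and IDs are constructed.
"""
from typing import Dict, List

# Object ID of the Enterprise application used for Passport (placeholder).
PASSPORT_APP_ID = "00000000-0000-0000-0000-00000000c0de"


def requires_mfa_for_app(policy: Dict, app_id: str) -> bool:
    """True when the policy meets both criteria from the guide and does not exclude app_id."""
    if policy.get("state") != "enabled":
        return False  # disabled or report-only policies enforce nothing
    grant = policy.get("grantControls") or {}
    if "mfa" not in (grant.get("builtInControls") or []):
        return False  # no "Require multifactor authentication" grant
    apps = (policy.get("conditions") or {}).get("applications") or {}
    included = apps.get("includeApplications") or []
    if "All" not in included and app_id not in included:
        return False  # neither "All cloud apps" nor this app under "Select apps"
    return app_id not in (apps.get("excludeApplications") or [])


def policies_needing_exclusion(policies: List[Dict], app_id: str) -> List[str]:
    """Names of the policies you still have to add the exclusion to."""
    return [p["displayName"] for p in policies if requires_mfa_for_app(p, app_id)]


SAMPLE_POLICIES = [
    {   # both criteria met and Passport not excluded: needs the exclusion
        "displayName": "Require MFA for all cloud apps",
        "state": "enabled",
        "conditions": {"applications": {"includeApplications": ["All"], "excludeApplications": []}},
        "grantControls": {"builtInControls": ["mfa"]},
    },
    {   # exclusion already present: nothing to do
        "displayName": "MFA for selected apps",
        "state": "enabled",
        "conditions": {"applications": {"includeApplications": ["All"],
                                        "excludeApplications": [PASSPORT_APP_ID]}},
        "grantControls": {"builtInControls": ["mfa"]},
    },
    {   # MFA grant but no cloud app assignment (a user action instead): not affected
        "displayName": "MFA for registering security info",
        "state": "enabled",
        "conditions": {"applications": {"includeUserActions": ["urn:user:registersecurityinfo"]}},
        "grantControls": {"builtInControls": ["mfa"]},
    },
]

if __name__ == "__main__":
    print(policies_needing_exclusion(SAMPLE_POLICIES, PASSPORT_APP_ID))
```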

User account provisioning via Passport

If you use the Specify per identity provider group option in the Passport Library Item, use the Azure group ObjectID in the Identity provider group field.


  1. In Microsoft Azure, navigate to the group you want to use
  2. Copy the Object Id for that group



  3. In the Kandji Passport Library Item, in the User Provisioning section, paste the value from the previous step into the Identity provider group field



  4. Repeat the previous steps for each additional Azure group you want to use
  5. In the Passport Library Item, click Save
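Both the token configuration steps earlier in this document (the preferred_username and groups optional claims) and the group ObjectID used for provisioning here end up as claims in the ID token Azure issues. The following added example (not Kandji's or Microsoft's code) decodes a constructed ID token and checks for exactly those claims, including the group-overage case in which Azure replaces the `groups` list with a `_claim_names` indicator; it decodes the payload only and assumes signature validation has already been done against the tenant's OIDC metadata.

```python
"""Check the claims Passport relies on in an Azure AD ID token.
Decodes the payload only: validate the signature against the tenant's OIDC
metadata/JWKS before trusting any claim. Token and IDs are constructed.
"""
import base64
import json
from typing import Dict, List

# Azure group ObjectID configured in the Passport Library Item (placeholder).
PROVISIONING_GROUP = "11111111-2222-3333-4444-555555555555"


def _b64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(id_token: str) -> Dict:
    """Return the JWT payload as a dict (claims are not authenticated here)."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url(payload))


def check_passport_claims(claims: Dict, group_id: str) -> List[str]:
    """Findings for the preferred_username and groups claims the guide configures."""
    findings: List[str] = []
    if not claims.get("preferred_username"):
        findings.append("preferred_username missing: add the optional ID token claim")
    if "groups" in claims:
        if group_id not in claims["groups"]:
            findings.append("user is not in the provisioning group")
    elif "groups" in (claims.get("_claim_names") or {}):
        # Group overage: Azure omits the list and points at Microsoft Graph instead
        findings.append("groups claim replaced by overage indicator; read membership from Graph")
    else:
        findings.append("groups claim missing: add the groups claim (All groups)")
    return findings


def make_sample_token(claims: Dict) -> str:
    """Build an unsigned (alg none) token so the example runs offline."""
    def enc(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


SAMPLE_CLAIMS = {
    "aud": "00000000-0000-0000-0000-0000000000aa",  # placeholder Application (client) ID
    "tid": "00000000-0000-0000-0000-0000000000bb",  # placeholder tenant ID
    "preferred_username": "jdoe@example.com",
    "groups": [PROVISIONING_GROUP, "99999999-8888-7777-6666-555555555555"],
}

if __name__ == "__main__":
    print(check_passport_claims(decode_payload(make_sample_token(SAMPLE_CLAIMS)), PROVISIONING_GROUP))
```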

Common Azure errors

AADSTS50076

  • Azure Message: Due to a configuration change made by your administrator or because you moved to a new location, you must use multi-factor authentication to access '{resource}' - User needs to perform multi-factor authentication. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, and requested by client, among others.
  • Remediation: Review the Azure Conditional Access Considerations section in this support article to ensure that the Passport Enterprise app is excluded from any policy that requires multi-factor authentication in your Azure environment.


AADSTS50020

  • Azure Message: User account <user principal name> from identity provider <your Azure Active Directory Tenant ID> does not exist in tenant <your tenant name> and cannot access the application <your Passport Application (client) ID> in that tenant. The account needs to be added as an external user in the tenant first.
  • Remediation: In Azure Active Directory > Users confirm that the user exists.


AADSTS50034

  • Azure Message: The user account <user principal name without the @sign and domain> does not exist in <your tenant name> directory.
  • Remediation: In order to use Passport with MFA support, a user in Microsoft Azure Active Directory must have an Email attribute. If the user does not have an Email attribute, although the user will be able to authenticate with MFA in the web view for Microsoft Azure, the user will not be able to successfully authenticate at the "Enter your Microsoft Azure password" verification screen. In Azure Active Directory > Users, select the user, click Edit properties, then in the Email field, enter the user’s email address, and click Save. You must add a value, even if this is not an address that accepts email. It’s common to just use the same value as the user’s User principal name.


AADSTS50126

  • Azure Message: InvalidUserNameOrPassword - Error validating credentials due to invalid username or password. The user didn't enter the right credentials. It's expected to see some number of these errors in your logs due to users making mistakes.
  • Remediation: This is a very generic Azure error message. In the context of Passport, there have been a few scenarios where this error has been seen.
    • It is possible that the username or password is, in fact, incorrect.
    • It is possible that Azure is federated with AD FS or another Identity Provider. This will cause the authentication flow to result in an error being sent to Passport. See the Authentication Flow in a Federated Environment section of this article for more information.

AADSTS700025

  • Azure Message: Client is public so neither ‘client_assertion’ nor ‘client_secret’ should be presented.
  • Remediation: In Azure > App registrations > [your Passport app] > Authentication > Platform configurations > Mobile and desktop applications, ensure that the Redirect URIs section has the checkbox selected for https://login.microsoftonline.com/common/oauth2/nativeclient. Navigate to Certificates & secrets and remove the Client secret. In Kandji, confirm that in your Passport library item, the Client secret (optional) field is empty.


AADSTS7000215

  • Azure Message: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value.
  • Remediation: In Azure > App registrations > [your Passport app] > Authentication > Platform configurations > Mobile and desktop applications, ensure that the Redirect URIs section has the checkbox selected for https://login.microsoftonline.com/common/oauth2/nativeclient. Navigate to Certificates & secrets and remove the Client secret. In Kandji, confirm that in your Passport library item, the Client secret (optional) field is empty.


To look up additional Azure error codes, you can use this link.
