Passport Configuration with Microsoft Entra ID (formerly Azure AD)

By Nick Bickhart

Learn how to create an OpenID Connect (OIDC) application in Microsoft Entra ID to be used when configuring Kandji Passport

Note: Microsoft Entra ID is the new name for Azure AD (Azure Active Directory)
If you experience any issues with Passport & Azure, read through our Passport Troubleshooting with Azure article for more information.

Before you begin

You will need access to a Microsoft Entra ID admin user account to grant the proper permissions to the Passport app in Azure.

Create the App registration

  1. Login to with an Azure admin user account
  2. From the hamburger menu, click Microsoft Entra ID

  3. On the left, select App registrations
  4. Click New registration

  5. Enter a name for the new application (such as Kandji Passport)
  6. In the Supported Account Types section, select Accounts in this organizational directory only (Default Directory only - Single tenant)

  7. For now, leave the Redirect URI (optional) section at its default. In order to avoid multiple situational branches in these instructions, there is a separate "Enable multi-factor authentication (MFA) support" of this document. No matter whether you want to enable MFA support or not for Passport, please continue with the next steps in this section.
  8. Click Register
  9. Open a secure text document where the values for this OIDC app can be temporarily stored. You will need these details when you configure the Passport Library Item.
  10. On the Overview page, copy the Application (client) ID to a temporary text document

  11. While still on the Overview page, click Endpoints
  12. Copy OpenID Connect metadata document (identity provider URL) to a temporary text document

  13. On the left, select Authentication
  14. Set Enable the following mobile and desktop flows to Yes
  15. Click Save

  16. On the leftselect Token configuration
  17. Click Add optional claim
  18. For the Token type, select ID
  19. For the Claim, select preferred_username
  20. Click Add

  21. While still on the Token configuration page, click Add groups claim
  22. Select All Groups...
  23. Click Add

    Once you complete the token configurations, you will see both optional claims

  24. On the left, select API permissions
  25. Click Add a permission
  26. Click Microsoft Graph

  27. Select Delegated permissions
  28. Confirm that the OpenId permissions section is expanded. If the OpenID permissions section isn't expanded, click the icon next to the OpenId permissions section to expand it.
  29. Select email
  30. Select profile

  31. In the Search permissions field, enter User.Read 
  32. In the User section, confirm that User.Read is already selected. If User.Read isn't selected, select it.
  33. Click Add permissions

  34. While still on the API permissions page, select Grant admin consent for <your_tenant_name>
  35. Select Yes

    1. You should see a notification similar to the one below and you should see a "Granted for <your_tenant_name> ..." message in the Status column next to each permission.

  36. Continue to the next section

Assign users and groups

By default, when you create a new App registration, the "Assignment required?" attribute is set to "No". However, if your Passport Enterprise app is set to require assignment, you will need to follow these steps to assign users in order to be able to use your Passport app.
  1. From the hamburger menu, click Microsoft Entra ID

  2. Click Enterprise applications

  3. Find and select the Kandji Passport app that was created earlier

  4. Click Properties
  5. Confirm that the Visible to users? setting is set to "No", otherwise users will see it in their portal. The Passport app is only useful as a replacement for the macOS login window.
  6. Inspect the Assignment required? setting. If it is set to "No", then you can skip the rest of this section. All users in Entra ID will be able to use the Passport app.

  7. If the Assignment required? setting is set to "Yes", then click Users and groups
  8. Click Add user/group

  9. Select the users or groups that should be assigned to the Kandji Passport app

    If you see the message below, this means that the entry-level Entra ID license tier is being used, and you will only be able to add users (not groups) to the Passport app.

  10. Click None Selected
  11. In the right Users panel, select each user to assign. If the right panel is labeled Users and groups you can select users and groups, not just users.
  12. Confirm that all your intended users (and groups if your Azure tier allows it) are in the Selected items section.
  13. Click Select, then click Assign

  14. You should then be back on the Users and groups page

With this portion of the Entra ID configuration complete, review the remaining sections of this document for your Microsoft Entra ID environment, such as for multi-factor authentication (MFA), then go to the Kandji web app to configure the Passport Library Item.

Enable Microsoft Multi-factor Authentication (MFA) (optional)

The first iteration of Passport did not support multi-factor authentication. If your organization turned off support for MFA for Microsoft Entra ID, you should use Microsoft’s documentation to re-enable MFA for Microsoft Entra ID Directory.

To use Passport with Microsoft Entra ID MFA, the requirements vary depending on your Entra ID subscription.

Please review the following subscription details corresponding to your license level:

Turn on MFA using Security Defaults 

If your organization uses the free tier of Microsoft Entra ID, you will need to turn on Security defaults (according to Microsoft, “If your tenant was created on or after October 22, 2019, security defaults may be enabled in your tenant"). Turning on security defaults turns on MFA for your entire organization.

Although Security defaults will require all users to register for Microsoft Entra ID MFA, users will not be challenged to provide MFA when authenticating to Passport. This is because per-app MFA is not supported in the free-tier of Entra ID. Per-app MFA is a feature of Azure Conditional Access. If it is desirable that MFA is used when authenticating to Passport, legacy per-user MFA must be enabled. Please, note that Microsoft recommends to not use Legacy per-user MFA in favor of Conditional Access. Please review these recommenations before moving forward with per-user MFA.
  1. From the Microsoft Entra ID module, select Properties
  2. In the Access management for Azure resources section, click Manage Security Defaults
  3. In the Security defaults drop-down, choose Enabled (recommended)

  4. Click Save

Add a Redirect URI to support multi-factor authentication (MFA)

  1. If you’re not signed in to Azure already, sign in to
  2. Navigate to App Registrations
  3. Select your Kandji Passport app
  4. In the left navigation menu, select Authentication
  5. If the portal doesn’t display Web in the Platform configurations section, then skip to the next step. If the portal does display Web, we recommend that you use Mobile and desktop applications instead. Use the following steps to remove the Web redirect and Web client secret:
    1. In the upper-right corner of the Web section, click the trash icon to delete
    2. Near the bottom of the screen, click Save
    3. Confirm that the Platform configurations section doesn’t display a Web section
    4. In the left navigation pane, click Certificates & secrets
    5. If there is a Client secret, then to the right of the secret, click the trash icon to delete it
    6. In the confirmation pane, click Yes
    7. Confirm that there are no client secrets displayed
    8. In the left navigation menu, select Authentication
  6. In the Platform configurations section, click Add a platform

  7. Select Mobile and desktop applications
  8. Select the first checkbox:
  9. Hover your pointer to the right of the value of the field from the previous step, then click the copy icon under the Copy to clipboard callout.
  10. Paste the text into your secure document (in your Passport library item, in the Web Login authentication section, you’ll use this value in the “Redirect URI” field)

  11. Click Configure

  12. Confirm that the Platform configurations section contains the section Mobile and desktop applications, with the checkbox selected for

    You may have already completed steps 13-32 earlier in this guide.  Please verify that steps 13-32 have been completed.

  13. In the left navigation menu, select Token configuration
  14. Click Add optional claim
  15. For the Token type, select ID

  16. For the Claim, select preferred_username
  17. Click Add

    While still on the Token configuration page, click Add groups claim
  18. Select All groups (includes distribution lists but not groups assigned to the application)
  19. Click Add

    Once you complete the token configurations, Azure displays both optional claims.

    Azure - Token configuration - displayed@2x

  20. In the left navigation menu, select API permissions
  21. Confirm that the Configured permissions section already displays an entry for Microsoft Graph which is User.Read
  22. Click Add a permission
  23. Click Microsoft Graph

  24. Select Delegated permissions
  25. If OpenId permissions isn't already expanded, click the arrow to expand OpenId permissions

  26. Select the checkbox for email
  27. Select the checkbox for profile
  28. Click Add permissions
  29. Select Grant admin consent for <your_tenant_name>
  30. In the Grant admin consent confirmation, click Yes
  31. Confirm that Entra ID displays a notification similar to the one below:

  32. Confirm that in the Status column next to each permission, Entra ID displays "Granted for <your_tenant_name>":

  33. With this portion of the Entra ID configuration complete, review the remaining sections of this document for your Microsoft Entra ID environment, such as for Entra ID Conditional Access, then go to the Kandji web app to configure the Passport library item.

Microsoft Entra ID Conditional Access Considerations

Microsoft Entra ID Conditional Access is included with Microsoft Entra ID Premium or better. Be sure to turn off both per-user MFA and Security defaults before you turn on Microsoft Entra ID Conditional Access policies.

If Entra ID is configured with a Microsoft Entra ID Conditional Access policy that specifies MFA as a requirement and specifies all or specific cloud apps, you'll need to exclude the Enterprise application that you use for Passport from that policy. Another way to describe such a policy is that the policy uses both of these criteria:

  • Assignments: Cloud apps or actions: Cloud apps: All cloud apps or Select apps
  • Access controls: Grant: Grant access: Require multifactor authentication

Here's an example of a policy that you don't need to modify, because it doesn't use both of the criteria above (specifically, although it has the grant of Require multifactor authentication, it doesn't have the assignment for Cloud apps or actions of All cloud apps or Select apps):

Conditional Access - Policy - Default MFA - Grant@2x

And here's an example of a policy that you do need to modify to exclude the Enterprise application for Kandji Passport because the policy uses both criteria:

Conditional Access - Policy - two criteria met@2x

Although it might seem counterintuitive that you need to exclude the Enterprise application from being required to use MFA, especially since you want Kandji Passport to allow MFA during the Web Login authentication mode. This is because the web view of the Web Login authentication mode does not use the Enterprise application, but the web view (the "Please enter your Microsoft Azure password" screen) does use the Enterprise application–and requires the resource owner password grant (ROPG) flow, and doesn't support MFA. So if you have any policies that require cloud apps to use MFA, simply add the Kandji Passport Enterprise application to the exclusion list.

In order for you to exclude the Enterprise application, it needs to have a Redirect URI value.

Add the cloud app exclusion

For each applicable policy, exclude the Enterprise app you use for Kandji Passport.

  1. In the upper-left corner, click the hamburger menu, and then click Microsoft Entra Conditional Access
    1. If Microsoft Entra Conditional Access is not visible in the menu, click More services

    2. In the Filter services field, enter conditional so that Microsoft Entra Conditional Access appears
    3. Using the pointer, don't yet click instead, hover over Microsoft Entra Conditional Access
    4. Click the star(⭐️) in the popup that appears. This adds Microsoft Entra Conditional Access to your main menu bar

    5. Before you dismiss the popup that appeared, click View. Otherwise, click Conditional Access from your main menu bar

  2. Confirm that the portal displays each policy with a Policy Name and a State (among other information)

  3. Select a policy that has the State of On
  4. If the Cloud apps or actions section displays No cloud apps, actions, or authentication contexts selected, then go back to the previous step and select the next policy

    No cloud apps@2x
    Otherwise, click the link under Cloud apps or actions

  5. Click Exclude

    Conditional Access - Cloud apps or actions@2x
  6. Review the list of excluded cloud apps (there may be no cloud apps excluded). If the Enterprise app for Kandji Passport is already excluded, you can return to step 3 and move on to the next policy
  7. Click the text link under Select excluded cloud apps

    Cloud apps - Exclusion list@2x
  8. In the Search field, enter the name of the Enterprise app you use for Kandji Passport. Note that the search doesn't just search for any part of the name; you need to enter at least the start of the name
  9. From the search results, select the checkbox for your Enterprise app for Kandji Passport
  10. At the bottom of the Select excluded cloud apps blade, click Select

    Conditional Access - Exclude Kandji Passport@2x

  11. Confirm that the Enterprise app was added to the list of excluded apps

    Confirm Kandji Passport is excluded@2x

  12. In the lower-left corner of the page, click Save
  13. Go back to step 3 and repeat for the next policy until you have examined or updated every Conditional Access policy

User account provisioning via Passport

If you use Specify per identity provider group option in the Passport Library Item, use the Entra ID group ObjectID in the Identity provider group field.

  1. In Microsoft Entra ID, navigate to the group you want to use
  2. Copy the Object Id for that group

  3. In the Kandji Passport Library Item, in the User Provisioning section, paste the value from the previous section into the Identity provider group field

  4. Repeat the previous steps for each additional Entra ID group you want to use
  5. In the Passport Library Item, click Save

If your Passport app is not showing up as an excludable app, you will need to add a web platform in your app registration.  Please follow the steps below.

  1. Navigate to Entra ID > App Registrations > Your Passport App > Authentication.  Select Add a platform
  2. Select Web

  3. Add a Redirect URI - https://localhost.redirect
  4. Select Configure

  5. Select Save

Microsoft Entra ID Troubleshooting

If you are experiencing issues with Entra ID Passport, please click here to learn more about common troubleshooting steps.