Passport Configuration with Microsoft Entra ID (formerly Azure AD)

By Nick Bickhart

Learn how to create an OpenID Connect (OIDC) application in Microsoft Entra ID to be used when configuring Kandji Passport

Note: Microsoft Entra ID is the new name for Azure AD (Azure Active Directory)
If you experience any issues with Passport & Azure, read through our Passport Troubleshooting with Azure article for more information.

Before you begin

You will need access to a Microsoft Entra ID admin user account to grant the proper permissions to the Passport app in Azure.

Create the App registration

  1. Login to portal.azure.com with an Azure admin user account.
  2. From the hamburger menu, click Microsoft Entra ID.
  3. On the left, select App registrations.
  4. Click New registration.
  5. Enter a name for the new application (such as Kandji Passport).
  6. In the Supported Account Types section, select Accounts in this organizational directory only (Default Directory only - Single tenant).

  7. For now, leave the Redirect URI (optional) section at its default. In order to avoid multiple situational branches in these instructions, there is a separate "Enable multi-factor authentication (MFA) support" of this document. No matter whether you want to enable MFA support or not for Passport, please continue with the next steps in this section.
  8. Click Register.
  9. Open a secure text document where the values for this OIDC app can be temporarily stored. You will need these details when you configure the Passport Library Item.
  10. On the Overview page, copy the Application (client) ID to a temporary text document.
  11. While still on the Overview page, click Endpoints.
  12. Copy OpenID Connect metadata document (identity provider URL) to a temporary text document.
  13. On the left, select Authentication.
  14. Set Enable the following mobile and desktop flows to Yes.
  15. Click Save.
  16. On the leftselect Token configuration.
  17. Click Add optional claim.
  18. For the Token type, select ID.
  19. For the Claim, select preferred_username.
  20. Click Add.


  21. While still on the Token configuration page, click Add groups claim.
  22. Select All Groups...
  23. Click Add.
    Once you complete the token configurations, you will see both optional claims.
  24. On the left, select API permissions.
  25. Click Add a permission.
  26. Click Microsoft Graph.
  27. Select Delegated permissions.
  28. Confirm that the OpenId permissions section is expanded. If the OpenID permissions section isn't expanded, click the icon next to the OpenId permissions section to expand it.
  29. Select email.
  30. Select profile.
  31. In the Search permissions field, enter User.Read 
  32. In the User section, confirm that User.Read is already selected. If User.Read isn't selected, select it.
  33. Click Add permissions
  34. While still on the API permissions page, select Grant admin consent for <your_tenant_name>.
  35. Select Yes.


    1. You should see a notification similar to the one below and you should see a "Granted for <your_tenant_name> ..." message in the Status column next to each permission.
  36. Continue to the next section.

Assign users and groups

By default, when you create a new App registration, the "Assignment required?" attribute is set to "No". However, if your Passport Enterprise app is set to require assignment, you will need to follow these steps to assign users in order to be able to use your Passport app.
  1. From the hamburger menu, click Microsoft Entra ID.
  2. Click Enterprise applications.
  3. Find and select the Kandji Passport app that was created earlier.
  4. Click Properties.
  5. Confirm that the Visible to users? setting is set to "No", otherwise users will see it in their portal. The Passport app is only useful as a replacement for the macOS login window.
  6. Inspect the Assignment required? setting. If it is set to "No", then you can skip the rest of this section. All users in Entra ID will be able to use the Passport app.
  7. If the Assignment required? setting is set to "Yes", then click Users and groups.
  8. Click Add user/group.
  9. Select the users or groups that should be assigned to the Kandji Passport app.

    If you see the message below, this means that the entry-level Entra ID license tier is being used, and you will only be able to add users (not groups) to the Passport app.
  10. Click None Selected.
  11. In the right Users panel, select each user to assign. If the right panel is labeled Users and groups you can select users and groups, not just users.
  12. Confirm that all your intended users (and groups if your Azure tier allows it) are in the Selected items section.
  13. Click Select, then click Assign.
  14. You should then be back on the Users and groups page.

With this portion of the Entra ID configuration complete, review the remaining sections of this document for your Microsoft Entra ID environment, such as for multi-factor authentication (MFA), then go to the Kandji web app to configure the Passport Library Item.

Enable Microsoft Multi-factor Authentication (MFA) (optional)

The first iteration of Passport did not support multi-factor authentication. If your organization turned off support for MFA for Microsoft Entra ID, you should use Microsoft’s documentation to re-enable MFA for Microsoft Entra ID Directory.

To use Passport with Microsoft Entra ID MFA, the requirements vary depending on your Entra ID subscription.

Please review the following subscription details corresponding to your license level:


Turn on MFA using Security Defaults 

If your organization uses the free tier of Microsoft Entra ID, you will need to turn on Security defaults (according to Microsoft, “If your tenant was created on or after October 22, 2019, security defaults may be enabled in your tenant"). Turning on security defaults turns on MFA for your entire organization.

Although Security defaults will require all users to register for Microsoft Entra ID MFA, users will not be challenged to provide MFA when authenticating to Passport. This is because per-app MFA is not supported in the free-tier of Entra ID. Per-app MFA is a feature of Azure Conditional Access. If it is desirable that MFA is used when authenticating to Passport, legacy per-user MFA must be enabled. Please, note that Microsoft recommends to not use Legacy per-user MFA in favor of Conditional Access. Please review these recommenations before moving forward with per-user MFA.
  1. From the Microsoft Entra ID module, select Properties.
  2. In the Access management for Azure resources section, click Manage Security Defaults.
  3. In the Security defaults drop-down, choose Enabled (recommended).
  4. Click Save.

Add a Redirect URI to support multi-factor authentication (MFA)

  1. If you’re not signed in to Azure already, sign in to portal.azure.com.
  2. Navigate to App Registrations.
  3. Select your Kandji Passport app.
  4. In the left navigation menu, select Authentication.
  5. If the portal doesn’t display Web in the Platform configurations section, then skip to the next step. If the portal does display Web, we recommend that you use Mobile and desktop applications instead. Use the following steps to remove the Web redirect and Web client secret:
    1. In the upper-right corner of the Web section, click the trash icon to delete.
    2. Near the bottom of the screen, click Save.
    3. Confirm that the Platform configurations section doesn’t display a Web section.
    4. In the left navigation pane, click Certificates & secrets.
    5. If there is a Client secret, then to the right of the secret, click the trash icon to delete it
    6. In the confirmation pane, click Yes.
    7. Confirm that there are no client secrets displayed.
    8. In the left navigation menu, select Authentication.
  6. In the Platform configurations section, click Add a platform.
  7. Select Mobile and desktop applications.
  8. Select the first checkbox: https://login.microsoftonline.com/common/oauth2/nativeclient.
  9. Hover your pointer to the right of the value of the field from the previous step, then click the copy icon under the Copy to clipboard callout.
  10. Click Configure.
  11. Paste the text into your secure document (in your Passport library item, in the Web Login authentication section, you’ll use this value in the “Redirect URI” field).
  12. Confirm that the Platform configurations section contains the section Mobile and desktop applications, with the checkbox selected for https://login.microsoftonline.com/common/oauth2/nativeclient.

    You may have already completed steps 13-32 earlier in this guide. Please verify that steps 13-32 have been completed.


  13. In the left navigation menu, select Token configuration.
  14. Click Add optional claim.
  15. For the Token type, select ID.

  16. For the Claim, select preferred_username.
  17. Click Add.
    While still on the Token configuration page, click Add groups claim.
  18. Select All groups (includes distribution lists but not groups assigned to the application).
  19. Click Add.
    Once you complete the token configurations, Azure displays both optional claims.
    In the left navigation menu, select API permissions.
  20. Confirm that the Configured permissions section already displays an entry for Microsoft Graph which is User.Read.
  21. Click Add a permission.
  22. Click Microsoft Graph.
  23. Select Delegated permissions.
  24. If OpenId permissions isn't already expanded, click the arrow to expand OpenId permissions.
  25. Select the checkbox for email.
  26. Select the checkbox for profile.
  27. Click Add permissions.
  28. Select Grant admin consent for <your_tenant_name>.
  29. In the Grant admin consent confirmation, click Yes.
  30. Confirm that Entra ID displays a notification similar to the one below:
  31. Confirm that in the Status column next to each permission, Entra ID displays "Granted for <your_tenant_name>":
  32. With this portion of the Entra ID configuration complete, review the remaining sections of this document for your Microsoft Entra ID environment, such as for Entra ID Conditional Access, then go to the Kandji web app to configure the Passport library item.

Microsoft Entra ID Conditional Access Considerations

Microsoft Entra ID Conditional Access is included with Microsoft Entra ID Premium or better. Be sure to turn off both per-user MFA and Security defaults before you turn on Microsoft Entra ID Conditional Access policies.

If Entra ID is configured with a Microsoft Entra ID Conditional Access policy that specifies MFA as a requirement and specifies all or specific cloud apps, you'll need to exclude the Enterprise application that you use for Passport from that policy. Another way to describe such a policy is that the policy uses both of these criteria:

  • Assignments: Target resources: Cloud apps: All cloud apps or Select apps
  • Access controls: Grant: Grant access: Require multifactor authentication

Here's an example of a policy that you don't need to modify, because it doesn't use both of the criteria above (specifically, although it has the grant of Require multifactor authentication, it doesn't have the assignment for Target resources.
And here's an example of a policy that you do need to modify to exclude the Enterprise application for Kandji Passport because the policy uses both criteria:
Although it might seem counterintuitive that you need to exclude the Enterprise application from being required to use MFA, especially since you want Kandji Passport to allow MFA during the Web Login authentication mode. This is because the web view of the Web Login authentication mode does not use the Enterprise application, but the web view (the "Please enter your Microsoft Azure password" screen) does use the Enterprise application–and requires the resource owner password grant (ROPG) flow, and doesn't support MFA. So if you have any policies that require cloud apps to use MFA, simply add the Kandji Passport Enterprise application to the exclusion list.

In order for you to exclude the Enterprise application, it needs to have a Redirect URI value.

Add the cloud app exclusion

For each applicable policy, exclude the Enterprise app you use for Kandji Passport. If the Passport app is not excludable, please visit the Passport app not excludable section first.

  1. In the upper-left corner, click the hamburger menu, and then click Microsoft Entra Conditional Access.
    1. If Microsoft Entra Conditional Access is not visible in the menu, click More services.
    2. In the Filter services field, enter conditional so that Microsoft Entra Conditional Access appears.
    3. Using the pointer, don't yet click instead, hover over Microsoft Entra Conditional Access.
    4. Click the star(⭐️) in the popup that appears. This adds Microsoft Entra Conditional Access to your main menu bar.
    5. Before you dismiss the popup that appeared, click View. Otherwise, click Conditional Access from your main menu bar.

  2. Confirm that the portal displays each policy with a Policy Name and a State (among other information).
  3. Select a policy that has the State of On.
  4. If the Target resources section displays No target resources selected, then go back to the previous step and select the next policy.
    Otherwise, click the link under Target resources.

  5. Click Exclude.
  6. Review the list of excluded cloud apps (there may be no cloud apps excluded). If the Enterprise app for Kandji Passport is already excluded, you can return to step 3 and move on to the next policy.
  7. Click the text link under Select excluded cloud apps.
  8. In the Search field, enter the name of the Enterprise app you use for Kandji Passport. Note that the search doesn't just search for any part of the name; you need to enter at least the start of the name.
  9. From the search results, select the checkbox for your Enterprise app for Kandji Passport.
  10. At the bottom of the Select excluded cloud apps blade, click Select.
  11. Confirm that the Enterprise app was added to the list of excluded apps.
  12. In the lower-left corner of the page, click Save.
  13. Go back to step 3 and repeat for the next policy until you have examined or updated every Conditional Access policy.

Passport app not excludable

If your Passport app is not showing up as an excludable app, you must add a web platform to your app registration. Please follow the steps below.

  1. Navigate to Entra ID > App Registrations > Your Passport App > Authentication. Select Add a platform.
  2. Select Web.
  3. Add a Redirect URI - https://localhost.redirect.
  4. Select Configure.
  5. Select Save.

User account provisioning via Passport

If you use Specify per identity provider group option in the Passport Library Item, use the Entra ID group ObjectID in the Identity provider group field.


  1. In Microsoft Entra ID, navigate to the group you want to use.
  2. Copy the Object Id for that group.
  3. In the Kandji Passport Library Item, in the User Provisioning section, paste the value from the previous section into the Identity provider group field.
  4. Repeat the previous steps for each additional Entra ID group you want to use.
  5. In the Passport Library Item, click Save.

Microsoft Entra ID Troubleshooting

If you are experiencing issues with Entra ID Passport, please click here to learn more about common troubleshooting steps.


Top