Learn how to create an OpenID Connect (OIDC) application in Microsoft Entra ID to be used when configuring Kandji Passport
Note: Microsoft Entra ID is the new name for Azure AD (Azure Active Directory)
If you experience any issues with Passport & Azure, read through our Passport Troubleshooting with Azure article for more information.
When logging in at the Passport Login Window, the full email address should always be used in the username field to ensure the authentication session is connected to the IdP and not local authentication. To avoid confusion with using email addresses at the FileVault Login Window, ensure that the Managed user visibility box is unchecked on the Login Window Library Item. You can read more about this in our Passport Compatibility article.
- Before you begin
- Create the App registration
- Assign users and groups
- Enable Microsoft Multi-factor Authentication (MFA) (optional)
- Turn on MFA using Security Defaults
- Add a Redirect URI to support multi-factor authentication (MFA)
- Microsoft Entra ID Conditional Access Considerations
- User account provisioning via Passport
- Microsoft Entra ID Troubleshooting
Before you begin
You will need access to a Microsoft Entra ID admin user account to grant the proper permissions to the Passport app in Azure.
Create the App registration
- Log in to portal.azure.com with an Entra ID admin user account
- From the hamburger menu, click Microsoft Entra ID (labeled Azure Active Directory in older versions of the portal)
- On the left, select App registrations
- Click New registration
- Enter a name for the new application (such as Kandji Passport)
- In the Supported Account Types section, select Accounts in this organizational directory only (Default Directory only - Single tenant)
- For now, leave the Redirect URI (optional) section at its default. To avoid branching these instructions, the redirect URI is covered in the separate "Add a Redirect URI to support multi-factor authentication (MFA)" section of this document. Whether or not you intend to enable MFA support for Passport, continue with the next steps in this section.
- Click Register
- Open a secure text document where the values for this OIDC app can be temporarily stored. You will need these details when you configure the Passport Library Item.
- On the Overview page, copy the Application (client) ID to a temporary text document
- While still on the Overview page, click Endpoints
- Copy OpenID Connect metadata document (identity provider URL) to a temporary text document
- On the left, select Authentication
- In the Advanced settings section, under Allow public client flows, set Enable the following mobile and desktop flows to Yes. Passport has no client secret, so the resource owner password flow used at its password prompt only works if public client flows are allowed for this registration.
- Click Save
- On the left, select Token configuration
- Click Add optional claim
- For the Token type, select ID
- For the Claim, select preferred_username
- Click Add
- While still on the Token configuration page, click Add groups claim
- Select All Groups...
- Click Add
Once you complete the token configurations, you will see both optional claims listed.
- On the left, select API permissions
- Click Add a permission
- Click Microsoft Graph
- Select Delegated permissions
- Confirm that the OpenId permissions section is expanded. If the OpenID permissions section isn't expanded, click the icon next to the OpenId permissions section to expand it.
- Select email
- Select profile
- In the Search permissions field, enter User.Read
- In the User section, confirm that User.Read is already selected. If User.Read isn't selected, select it.
- Click Add permissions
- While still on the API permissions page, select Grant admin consent for <your_tenant_name>
- Select Yes
- You should see a notification that consent was granted, and the Status column next to each permission should read "Granted for <your_tenant_name> ..."
- Continue to the next section
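The same registration can be created from the command line with the Microsoft Graph PowerShell SDK. This is an added example, not Kandji's or Microsoft's own code. It assumes the Microsoft.Graph module is installed, that the signed-in account may create applications and grant admin consent, and that the app is named Kandji Passport (an assumed display name). It resolves the delegated permission IDs from the Microsoft Graph service principal instead of hardcoding GUIDs, creates the enterprise application hidden from My Apps, grants tenant-wide admin consent for openid, email, profile and User.Read, and prints the three values the Passport Library Item needs.

```powershell
# Added example (not Kandji's or Microsoft's code): create the Passport app registration
# with the Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph module is installed
# and the caller may create applications and grant admin consent.
#Requires -Modules Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns

$displayName    = 'Kandji Passport'   # assumed display name
$nativeRedirect = 'https://login.microsoftonline.com/common/oauth2/nativeclient'
$graphAppId     = '00000003-0000-0000-c000-000000000000'   # well-known appId of Microsoft Graph
$scopes         = 'openid', 'email', 'profile', 'User.Read'

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'DelegatedPermissionGrant.ReadWrite.All' -NoWelcome

# Resolve the delegated scope IDs from the Graph service principal rather than hardcoding GUIDs.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
$resourceAccess = @(foreach ($name in $scopes) {
    $scope = $graphSp.Oauth2PermissionScopes | Where-Object Value -eq $name
    if (-not $scope) { throw "Delegated scope '$name' not found on Microsoft Graph" }
    @{ Id = $scope.Id; Type = 'Scope' }
})

# App registration: single tenant, public client (Allow public client flows = Yes),
# native-client redirect URI, preferred_username ID-token claim and the groups claim (All groups).
$appParams = @{
    DisplayName            = $displayName
    SignInAudience         = 'AzureADMyOrg'
    IsFallbackPublicClient = $true
    PublicClient           = @{ RedirectUris = @($nativeRedirect) }
    GroupMembershipClaims  = 'All'
    OptionalClaims         = @{ IdToken = @(@{ Name = 'preferred_username' }) }
    RequiredResourceAccess = @(@{ ResourceAppId = $graphAppId; ResourceAccess = $resourceAccess })
}
$app = New-MgApplication @appParams

# Enterprise application (service principal). The HideApp tag is "Visible to users? = No";
# AppRoleAssignmentRequired = $false matches the portal default "Assignment required? = No".
$sp = New-MgServicePrincipal -AppId $app.AppId -Tags 'HideApp' -AppRoleAssignmentRequired:$false

# Tenant-wide admin consent for the delegated scopes ("Grant admin consent for <tenant>").
New-MgOauth2PermissionGrant -ClientId $sp.Id -ConsentType 'AllPrincipals' `
    -ResourceId $graphSp.Id -Scope ($scopes -join ' ') | Out-Null

# Values to paste into the Passport Library Item.
$tenantId = (Get-MgContext).TenantId
[pscustomobject]@{
    ClientId            = $app.AppId
    IdentityProviderUrl = "https://login.microsoftonline.com/$tenantId/v2.0/.well-known/openid-configuration"
    RedirectUri         = $nativeRedirect
}
```

The consent grant is created against the service principal that was created a moment earlier; if the grant call fails with a not-found error because directory replication has not caught up, re-run just that call after a few seconds. The printed IdentityProviderUrl is the same OpenID Connect metadata document URL that the Endpoints blade shows.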
Assign users and groups
By default, when you create a new App registration, the "Assignment required?" attribute is set to "No". However, if your Passport Enterprise app is set to require assignment, you will need to follow these steps to assign users in order to be able to use your Passport app.
- From the hamburger menu, click Azure Active Directory
- Click Enterprise applications
- Find and select the Kandji Passport app that was created earlier
- Click Properties
- Confirm that the Visible to users? setting is set to "No", otherwise users will see it in their portal. The Passport app is only useful as a replacement for the macOS login window.
- Inspect the Assignment required? setting. If it is set to "No", then you can skip the rest of this section. All users in Azure Active Directory will be able to use the Passport app.
- If the Assignment required? setting is set to "Yes", then click Users and groups
- Click Add user/group
- Select the users or groups that should be assigned to the Kandji Passport app
If you see a message about group assignment requiring a license, the entry-level Entra ID license tier is in use, and you will only be able to add users (not groups) to the Passport app.
- Click None Selected
- In the right Users panel, select each user to assign. If the right panel is labeled Users and groups you can select users and groups, not just users.
- Confirm that all your intended users (and groups if your Azure tier allows it) are in the Selected items section.
- Click Select, then click Assign
- You should then be back on the Users and groups page
With this portion of the Azure configuration complete, review the remaining sections of this document for your Microsoft Azure environment, such as for multi-factor authentication (MFA), then go to the Kandji web app to configure the Passport Library Item.
Enable Microsoft Multi-factor Authentication (MFA) (optional)
The first iteration of Passport did not support multi-factor authentication. If your organization turned off MFA for Microsoft Entra ID to accommodate that, use Microsoft's documentation to re-enable MFA before continuing.
To use Passport with Microsoft Entra ID MFA, the requirements vary depending on your Entra ID subscription.
Please review the following subscription details corresponding to your license level:
- Microsoft Entra ID free tier: turn on Microsoft Entra ID MFA; use Security Defaults.
- Microsoft 365 Business, E3, or E5: use Security Defaults; turn on Microsoft Entra ID MFA for all users
- Microsoft Entra ID Premium P1+: turn on MFA with Azure AD Conditional Access
Turn on MFA using Security Defaults
If your organization uses the free tier of Microsoft Entra ID, you will need to turn on Security defaults (according to Microsoft, "If your tenant was created on or after October 22, 2019, security defaults may be enabled in your tenant"). Turning on security defaults turns on MFA for your entire organization.
Although Security defaults require all users to register for Microsoft Entra ID MFA, users will not be challenged for MFA when authenticating to Passport, because per-app MFA is not available in the free tier of Entra ID. Per-app MFA is a feature of Conditional Access. If you want MFA enforced when authenticating to Passport on the free tier, legacy per-user MFA must be enabled. Note that Microsoft recommends Conditional Access over legacy per-user MFA; review those recommendations before moving forward with per-user MFA.
- From Microsoft Entra ID, select Properties
- Below the Access management for Azure resources section, click Manage Security Defaults
- Below Enable security defaults, click Yes
- Click Save
Add a Redirect URI to support multi-factor authentication (MFA)
- If you’re not signed in to Azure already, sign in to portal.azure.com
- Navigate to App Registrations
- Select your Kandji Passport app
- In the left navigation menu, select Authentication
- If the portal doesn’t display Web in the Platform configurations section, then skip to the next step. If the portal does display Web, we recommend that you use Mobile and desktop applications instead. Use the following steps to remove the Web redirect and Web client secret:
- In the upper-right corner of the Web section, click the trash icon to delete
- Near the bottom of the screen, click Save
- Confirm that the Platform configurations section doesn’t display a Web section
- In the left navigation pane, click Certificates & secrets
- If there is a Client secret, then to the right of the secret, click the trash icon to delete it
- In the confirmation pane, click Yes
- Confirm that there are no client secrets displayed
- In the left navigation menu, select Authentication
- In the Platform configurations section, click Add a platform
- Select Mobile and desktop applications
- Select the first checkbox: https://login.microsoftonline.com/common/oauth2/nativeclient
- Hover your pointer to the right of the value of the field from the previous step, then click the copy icon under the Copy to clipboard callout
- Paste the text into your secure document (in your Passport library item, in the Web Login authentication section, you’ll use this value in the “Redirect URI” field)
- Click Configure
- Confirm that the Platform configurations section contains the section Mobile and desktop applications, with the checkbox selected for https://login.microsoftonline.com/common/oauth2/nativeclient
You may already have completed the following Token configuration and API permissions steps in the Create the App registration section. Verify that they are in place.
- In the left navigation menu, select Token configuration
- Click Add optional claim
- For the Token type, select ID
- For the Claim, select preferred_username
- Click Add
- While still on the Token configuration page, click Add groups claim
- Select All groups (includes distribution lists but not groups assigned to the application)
- Click Add
Once you complete the token configurations, Azure displays both optional claims.
- In the left navigation menu, select API permissions
- Confirm that the Configured permissions section already displays an entry for Microsoft Graph which is User.Read
- Click Add a permission
- Click Microsoft Graph
- Select Delegated permissions
- If OpenId permissions isn't already expanded, click the arrow to expand OpenId permissions
- Select the checkbox for email
- Select the checkbox for profile
- Click Add permissions
- Select Grant admin consent for <your_tenant_name>
- In the Grant admin consent confirmation, click Yes
- Confirm that Azure displays a notification that consent was granted
- Confirm that in the Status column next to each permission, Azure displays "Granted for <your_tenant_name>"
With this portion of the Azure configuration complete, review the remaining sections of this document for your Microsoft Entra ID environment, such as Conditional Access, then go to the Kandji web app to configure the Passport Library Item.
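The conversion of an existing registration to a public client, followed by the verification a practitioner would want before touching the Passport Library Item, can also be scripted. This is an added example, not Kandji's or Microsoft's own code; it assumes the Microsoft.Graph module and a registration named Kandji Passport (an assumed display name). It removes the Web platform and every client secret, registers the native-client redirect URI with public client flows allowed, and then re-reads the registration and checks the claim, groups, consent and platform settings this guide expects, failing loudly on anything that is off.

```powershell
# Added example (not Kandji's or Microsoft's code): convert an existing Passport registration
# to a public client for MFA-capable Web Login, then verify the settings this guide expects.
# Assumes the Microsoft.Graph module and a registration named "Kandji Passport" (assumption).
#Requires -Modules Microsoft.Graph.Applications

$nativeRedirect = 'https://login.microsoftonline.com/common/oauth2/nativeclient'
$requiredScopes = 'openid', 'email', 'profile', 'User.Read'

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'DelegatedPermissionGrant.Read.All' -NoWelcome

$app = @(Get-MgApplication -Filter "displayName eq 'Kandji Passport'")
if ($app.Count -ne 1) { throw "Expected exactly one 'Kandji Passport' registration, found $($app.Count)" }
$app = $app[0]

# 1. Remove the Web platform: a public client must not carry Web redirect URIs.
$webUris = @($app.Web.RedirectUris | Where-Object { $_ })
if ($webUris.Count -gt 0) {
    Write-Host "Removing Web redirect URIs: $($webUris -join ', ')"
    Update-MgApplication -ApplicationId $app.Id -Web @{ RedirectUris = @() }
}

# 2. Remove every client secret; the native-client flow never uses one and a leftover
#    secret is just an extra credential that can leak.
foreach ($secret in @($app.PasswordCredentials | Where-Object { $_ })) {
    Write-Host "Removing client secret '$($secret.DisplayName)' ($($secret.KeyId))"
    Remove-MgApplicationPassword -ApplicationId $app.Id -KeyId $secret.KeyId
}

# 3. Add the Mobile and desktop applications platform with the native-client redirect URI
#    and make sure public client flows are allowed.
$publicUris = @(@($app.PublicClient.RedirectUris | Where-Object { $_ }) + $nativeRedirect | Select-Object -Unique)
Update-MgApplication -ApplicationId $app.Id -PublicClient @{ RedirectUris = $publicUris } -IsFallbackPublicClient:$true

# 4. Re-read the registration and check the state the guide expects.
$app = Get-MgApplication -ApplicationId $app.Id
$problems = @()
if (@($app.Web.RedirectUris | Where-Object { $_ }).Count -gt 0)        { $problems += 'Web redirect URIs still present' }
if (@($app.PasswordCredentials | Where-Object { $_ }).Count -gt 0)     { $problems += 'client secrets still present' }
if ($app.PublicClient.RedirectUris -notcontains $nativeRedirect)        { $problems += 'native-client redirect URI missing' }
if (-not $app.IsFallbackPublicClient)                                   { $problems += 'Allow public client flows is No' }
if ($app.OptionalClaims.IdToken.Name -notcontains 'preferred_username') { $problems += 'preferred_username ID-token claim missing' }
if ($app.GroupMembershipClaims -ne 'All')                               { $problems += "groups claim is '$($app.GroupMembershipClaims)', expected All" }

# Admin consent: compare the tenant-wide grant on the service principal with the required scopes.
$sp    = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
$grant = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id |
         Where-Object { $_.ConsentType -eq 'AllPrincipals' }
$granted = @($grant.Scope -split ' ' | Where-Object { $_ })
$missing = @($requiredScopes | Where-Object { $granted -notcontains $_ })
if ($missing.Count -gt 0) { $problems += "admin consent missing for: $($missing -join ', ')" }

if ($problems.Count -gt 0) { throw "Registration is not in the expected state:`n - $($problems -join "`n - ")" }
"Client ID (Passport Library Item): $($app.AppId)"
"Redirect URI (Passport Library Item): $nativeRedirect"
```

Step 1 removes every Web redirect URI, including the placeholder https://localhost.redirect that the Conditional Access section adds so the app shows up in the cloud-app picker; if you rely on that workaround, run this script first and add the placeholder afterwards, or skip step 1.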
Microsoft Entra ID Conditional Access Considerations
Microsoft Entra ID Conditional Access is included with Microsoft Entra ID Premium or better. Be sure to turn off both per-user MFA and Security defaults before you turn on Microsoft Entra ID Conditional Access policies.
If Entra ID is configured with a Microsoft Entra ID Conditional Access policy that specifies MFA as a requirement and specifies all or specific cloud apps, you'll need to exclude the Enterprise application that you use for Passport from that policy. Another way to describe such a policy is that the policy uses both of these criteria:
- Assignments: Cloud apps or actions: Cloud apps: All cloud apps or Select apps
- Access controls: Grant: Grant access: Require multifactor authentication
Here's an example of a policy that you don't need to modify, because it doesn't use both of the criteria above (specifically, although it has the grant of Require multifactor authentication, it doesn't have the assignment for Cloud apps or actions of All cloud apps or Select apps):
And here's an example of a policy that you do need to modify to exclude the Enterprise application for Kandji Passport, because the policy uses both criteria:
It might seem counterintuitive to exclude the Enterprise application from an MFA requirement when you want Kandji Passport to use MFA in Web Login authentication mode. The reason is that the web view in Web Login mode does not authenticate through the Enterprise application; the password prompt that follows it (the "Please enter your Microsoft Azure password" screen) does, using the resource owner password credentials (ROPC) grant, which does not support MFA. So if you have any policies that require cloud apps to use MFA, add the Kandji Passport Enterprise application to their exclusion list. Because the excluded application is a public client that can obtain tokens with a password alone, keep its delegated permissions to the minimum this guide configures (openid, email, profile, User.Read).
In order for you to exclude the Enterprise application in the policy editor, it needs to have a Redirect URI value.
Add the cloud app exclusion
For each applicable policy, exclude the Enterprise app you use for Kandji Passport.
- In the upper-left corner, click the hamburger menu, and then click Conditional Access (labeled Azure AD Conditional Access in older versions of the portal)
- If Conditional Access is not visible in the menu, click More services
- In the Filter services field, enter conditional so that Conditional Access appears
- Hover over Conditional Access without clicking it, then click the star (⭐️) in the popup that appears. This pins Conditional Access to your main menu bar
- Click View in that popup before dismissing it (or, later, click Conditional Access from your main menu bar) to open the policy list
- Confirm that the portal displays each policy with a Policy Name and a State (among other information)
- Select a policy that has the State of On
- If the Cloud apps or actions section displays No cloud apps, actions, or authentication contexts selected, then go back to the previous step and select the next policy
- Otherwise, click the link under Cloud apps or actions
- Click Exclude
- Review the list of excluded cloud apps (there may be none). If the Enterprise app for Kandji Passport is already excluded, return to the policy list and move on to the next policy
- Click the text link under Select excluded cloud apps
- In the Search field, enter the name of the Enterprise app you use for Kandji Passport. Note that the search doesn't just search for any part of the name; you need to enter at least the start of the name
- From the search results, select the checkbox for your Enterprise app for Kandji Passport
- At the bottom of the Select excluded cloud apps blade, click Select
- Confirm that the Enterprise app was added to the list of excluded apps
- In the lower-left corner of the page, click Save
- Return to the policy list and repeat for the next policy until you have examined or updated every Conditional Access policy
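The two-criteria test above (assigned to All cloud apps or Select apps, and Grant: Require multifactor authentication) is easy to get wrong by eye across many policies, so here is the same audit as a script. This is an added example, not Kandji's or Microsoft's own code; it assumes the Microsoft.Graph module, a registration named Kandji Passport (an assumed display name), and an account that can read and edit Conditional Access policies. Without -Apply it only reports which enabled policies still need the exclusion; with -Apply it adds the Passport application ID to each such policy's excluded applications. It also treats a policy whose grant uses an authentication strength as requiring MFA, which the portal screenshots in this guide do not cover.

```powershell
# Added example (not Kandji's or Microsoft's code): audit every enabled Conditional Access
# policy for the two criteria above (Cloud apps: All cloud apps or Select apps, AND Grant:
# Require multifactor authentication) and, with -Apply, add the Passport app to the
# policy's excluded applications. Assumes the Microsoft.Graph module and a registration
# named "Kandji Passport" (assumption).
#Requires -Modules Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns
param([switch]$Apply)

Connect-MgGraph -Scopes 'Application.Read.All', 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess' -NoWelcome

# Conditional Access refers to apps by their client (application) ID, not the object ID.
$passportAppId = (Get-MgApplication -Filter "displayName eq 'Kandji Passport'").AppId
if (-not $passportAppId) { throw "No registration named 'Kandji Passport' found" }

foreach ($policy in Get-MgIdentityConditionalAccessPolicy) {
    if ($policy.State -ne 'enabled') { continue }
    $apps = $policy.Conditions.Applications

    # Criterion 1: the policy is assigned to cloud apps ('All' or a list of app IDs).
    # 'None' or an empty list is "No cloud apps ..." in the portal, or a user-action policy.
    $targetsApps = @($apps.IncludeApplications | Where-Object { $_ -and $_ -ne 'None' }).Count -gt 0
    # Criterion 2: the grant requires MFA (built-in control or an authentication strength).
    $requiresMfa = ($policy.GrantControls.BuiltInControls -contains 'mfa') -or
                   ($null -ne $policy.GrantControls.AuthenticationStrength)
    if (-not ($targetsApps -and $requiresMfa)) { continue }

    if ($apps.ExcludeApplications -contains $passportAppId) {
        "$($policy.DisplayName): Passport already excluded"
        continue
    }
    if (-not $Apply) {
        "$($policy.DisplayName): needs the Passport exclusion (re-run with -Apply)"
        continue
    }

    # PATCH replaces the whole conditions object, so send the policy's existing conditions
    # back with only the excluded-applications list changed.
    $apps.ExcludeApplications = @($apps.ExcludeApplications | Where-Object { $_ }) + $passportAppId
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -Conditions $policy.Conditions
    "$($policy.DisplayName): excluded $passportAppId"
}
```

Run it without -Apply first; the output is exactly the list of policies the procedure above would have you open and edit. Policies in report-only or disabled state are skipped, matching the "State of On" filter in the manual steps.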
User account provisioning via Passport
If you use Specify per identity provider group option in the Passport Library Item, use the Entra ID group ObjectID in the Identity provider group field.
- In Microsoft Entra ID, navigate to the group you want to use
- Copy the Object Id for that group
- In the Kandji Passport Library Item, in the User Provisioning section, paste the value from the previous step into the Identity provider group field
- Repeat the previous steps for each additional Entra ID group you want to use
- In the Passport Library Item, click Save
Make the Passport app excludable from Conditional Access
If your Passport app does not appear in the Select excluded cloud apps picker when you follow the Conditional Access steps above, the registration has no Redirect URI the picker recognizes. Add a Web platform to the app registration with a placeholder redirect URI. Do not add a client secret along with it.
- Navigate to Microsoft Entra ID > App registrations > your Passport app > Authentication, then select Add a platform
- Select Web
- Add a Redirect URI of https://localhost.redirect
- Select Configure
- Select Save
Microsoft Entra ID Troubleshooting
If you are experiencing issues with Entra ID Passport, please click here to learn more about common troubleshooting steps.