This guide details the process for an Entra/Azure AD Hybrid tenant to set up the outbound-provisioning feature.
Contents
- Prerequisites
- Add a custom attribute
- Configure Entra/Azure AD outbound provisioning
- Configure Beyond Identity
- Appendix
Prerequisites
- Ensure that the user has global administration privileges.
- Configured the Beyond Identity Admin console as an application in Entra/Azure AD. For more information, see the Integration guide for Entra/Azure AD Hybrid.
- Have access to the integration metadata like ObjectId, Application ID, Client Id, and Client Secret
- Grant the following MS Graph API permissions to the application.
- Directory.ReadWrite.All
- Group.ReadWrite.All
- GroupMember.ReadWrite.All
- User.ReadWrite.All
- Configured a Beyond Identity staged rollout
- Have the group name that routes users to password-based authentication
- PowerShell and the Microsoft Graph PowerShell module installed, and the ability to run PowerShell as an administrator. This solution was tested with the following versions.
Run this command to find the PowerShell version:
$PSVersionTable.PSVersion
Major  Minor  Patch  PreReleaseLabel  BuildLabel
-----  -----  -----  ---------------  ----------
7      2      6
Run this command to find the Microsoft Graph PowerShell module version:
Get-InstalledModule -Name Microsoft.Graph
Version  Name             Repository  Description
-------  ----             ----------  -----------
1.28.0   Microsoft.Graph  PSGallery   Microsoft Graph PowerShell module
Beyond Identity
Actions to be performed in the Beyond Identity platform are highlighted in blue.
Entra/Azure AD
Actions to be performed in the Entra/Azure platform are highlighted in orange.
Microsoft Graph
Actions to be performed using Microsoft Graph are highlighted in green.
PowerShell
Actions to be performed using PowerShell are highlighted in purple.
Add a custom attribute
Locate the Group ID in Entra/Azure AD
- Make sure that:
- The users are members of the “Password_Authenticated_Users” group in Entra/Azure AD hybrid.
- This group is synchronized to On-prem AD.
- Verify the configuration by logging into the Entra/Azure portal as a global administrator and navigating to Microsoft Entra Connect > Enable staged rollout for managed user sign-in.
- Click Manage groups beside Password Hash Sync.
- Note down the Group ID value. It is passed as an argument to the PowerShell script, which uses the MS Graph API to remove the user from the group once the custom attribute value is set to true.
- When accessing the Beyond Identity Admin console, members of this group get redirected to Azure AD for authentication.
- Since the user is a member of “Password_Authenticated_Users” group, the user is presented with a password authentication screen when accessing the Beyond Identity Admin console.
Add a custom directory attribute for Entra/Azure AD
Microsoft Graph provides directory extensions for adding a custom directory attribute to Entra/Azure AD objects. Extension properties can also be used to discover and filter directory objects.
Directory extensions are first registered on an application through the “Create extensionProperty” operation and must target specific, supported directory objects. Once approved, Entra can read and write data for any of the registered extension properties.
The custom extension attribute is registered on “Beyond Identity Admin Console – OIDC” as an application.
Navigate to Home > App registrations > Beyond Identity Admin Console – OIDC > Overview and note down the Object ID of the application.
Use MS Graph Explorer to create a custom attribute
Log into MS Graph Explorer https://developer.microsoft.com/en-us/graph/graph-explorer using global admin credentials for the tenant.
The legend below highlights the specific areas of interest
HTTP Method [GET, POST, PUT, PATCH, DELETE]
API endpoint URL
Request body
Response preview
Use the following data in Graph Explorer to create a custom attribute
Method: POST
API endpoint URL: https://graph.microsoft.com/v1.0/applications/{Object ID of the application noted above}/extensionProperties
Request body
{
  "name": "byndidregistered",
  "dataType": "boolean",
  "targetObjects": [
    "User"
  ]
}
After providing consent, the response preview section will show the full name of the custom attribute (the "name" field below):
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#applications('2ff994a0-6c80-4571-ad0f-c5bd54d04d29')/extensionProperties/$entity",
  "id": "574694bb-d166-4757-9f8b-50b6d048f2aa",
  "deletedDateTime": null,
  "appDisplayName": "Beyond Identity Admin Console - OIDC",
  "dataType": "Boolean",
  "isSyncedFromOnPremises": false,
  "name": "extension_c7a82705cfc54223bd885b829cc9f558_byndidregistered",
  "targetObjects": [
    "User"
  ]
}
Set the custom attribute using a PowerShell script
A Beyond Identity deployment engineer will provide the custom PowerShell script. The script takes the following arguments:
- Client secret from the Beyond Identity Admin Console – OIDC application
- Group ID of the group used for password authentication, noted in Locate the Group ID in Entra/Azure AD
- User ID of the user on whom to set the custom attribute
- Full name of the custom attribute, noted in Use MS Graph Explorer to create a custom attribute
- Value of the attribute: “true” signals that the user has registered a device in Beyond Identity
The script sets the custom attribute value to true and removes the user from the password authentication group.
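The following is an added example, not the script Beyond Identity supplies. It performs the same two steps (set the extension attribute, then remove the user from the password group) against the Microsoft Graph REST API with Invoke-RestMethod, so it does not depend on a particular Microsoft.Graph module version. The parameter names, the tenant ID, and the "read back before removing" check are assumptions of this example; the token endpoint is the OAuth 2.0 token endpoint (v2) of the app registration.

```powershell
# Added example (not Beyond Identity's script). Assumes an app registration holding the
# prerequisite Graph permissions with admin consent; parameter names are this example's own.
param(
    [Parameter(Mandatory)][string]$TenantId,       # Entra tenant ID (assumed parameter)
    [Parameter(Mandatory)][string]$ClientId,       # Application (client) ID of the app registration
    [Parameter(Mandatory)][string]$ClientSecret,   # Client secret from Certificates & secrets
    [Parameter(Mandatory)][string]$GroupId,        # Group ID of Password_Authenticated_Users
    [Parameter(Mandatory)][string]$UserId,         # Object ID or UPN of the user
    [Parameter(Mandatory)][string]$AttributeName,  # e.g. extension_<appid>_byndidregistered
    [bool]$Value = $true                           # true = user registered a device in Beyond Identity
)
# Refuse anything that is not the full extension name returned by "Create extensionProperty".
if ($AttributeName -notmatch '^extension_[0-9a-f]{32}_') {
    throw "AttributeName must be the full extension_<appid>_<name> value noted earlier."
}
# Client-credentials grant against the tenant's OAuth 2.0 token endpoint (v2).
$tokenResp = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
$headers = @{ Authorization = "Bearer $($tokenResp.access_token)" }
$graph   = 'https://graph.microsoft.com/v1.0'
# 1. Set the custom directory attribute on the user (PATCH /users/{id}).
$body = @{ $AttributeName = $Value } | ConvertTo-Json
Invoke-RestMethod -Method Patch -Uri "$graph/users/$UserId" -Headers $headers `
    -ContentType 'application/json' -Body $body
# 2. Read it back; only change group membership once the attribute is confirmed.
$user = Invoke-RestMethod -Method Get -Headers $headers `
    -Uri "$graph/users/${UserId}?`$select=id,userPrincipalName,$AttributeName"
if ($user.$AttributeName -ne $Value) {
    throw "Attribute $AttributeName on $($user.userPrincipalName) did not update."
}
# 3. Remove the user from the password-authentication group (DELETE .../members/{id}/$ref).
if ($Value) {
    try {
        Invoke-RestMethod -Method Delete -Headers $headers `
            -Uri "$graph/groups/$GroupId/members/$($user.id)/`$ref"
        Write-Host "Removed $($user.userPrincipalName) from group $GroupId"
    } catch {
        # 404 means the user was not a member; any other status is a real failure.
        if ($_.Exception.Response.StatusCode -ne 404) { throw }
        Write-Host "$($user.userPrincipalName) was not a member of group $GroupId"
    }
}
```

Run it from an elevated PowerShell 7 session; pass the client secret from a secure store rather than typing it on the command line where it lands in shell history.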
Verify the Beyond Identity passwordless authentication flow
- Access the Beyond Identity Admin console.
- The user should be able to use the Beyond Identity passwordless authentication flow and access the console.
Configure Entra/Azure AD outbound provisioning
- Log into Entra and click App registrations > New registration to register an application.
- In the left pane, click Certificates & secrets and add a client secret for the OIDC/OAuth flow. Make a note of the client secret, as it is only visible at the time of creation.
- In the left pane, click API permissions > Add a permission and grant the application the required permissions; see the graphic below for what is needed. Be sure to grant admin consent.
- In the left pane, click Expose an API and complete the information on the page to expose the API.
- In the left pane, click Overview > Endpoints and make a note of the OAuth 2.0 token endpoint (v2).
Configure Beyond Identity
- Log into the Admin console and navigate to Integrations > Outbound Provisioning.
- Click Install this service to the right of the Azure-AD Hybrid entry.
- Complete the registration dialog using the Client ID, client secret and OAuth 2.0 token endpoint from the previous section, then click Save Changes.
Appendix
References
https://learn.microsoft.com/en-us/graph/
https://learn.microsoft.com/en-us/graph/extensibility-overview?tabs=http
Client secret considerations
Entra/Azure AD app registrations allow a maximum lifetime of two years for an OAuth client secret. There is currently no automated way to be notified of expiry or to regenerate client secrets, so scripts and code that use a client secret will break when it expires. A custom solution needs to be developed to address this.
Using a managed identity instead of a client ID and client secret for the script requires running it on VMs in Entra/Azure. Under the current Entra/Azure architecture, managed identities cannot be used outside of Entra/Azure.