Just-in-time admin accounts

Connect Entra ID tenant

In this post we will see how you can connect an Entra ID tenant to your idemeum customer tenant.

Create Entra ID application

  • Navigate to the idemeum customer tenant that you created with the MSP admin portal, e.g. customer1-<msp-domain>.idemeum.com/adminportal
  • Access Applications, choose Add app, and then choose Managed password app
  • Now you will be able to set up the Entra ID integration:
    • Give the application a name, e.g. Entra ID - retail customer. This name is shown to technicians when they access the application from the web portal or the browser extension.
    • Choose the application type to be Web
    • Choose Entra ID OIDC credentials
    • Click the Authorize button. You will need to authenticate with an Entra ID admin account and grant permissions to access the Entra ID APIs. Once you have successfully authorized access, a green check icon appears next to the Authorize button, and we show which account was used to authorize API access.
    • Choose how long the accounts stay enabled before technicians need to request access again. The default time is 4 hours.
    • Enter the domain where you want idemeum to provision technician accounts. We only support managed domains (custom domains or the onmicrosoft.com domain). Today we do not support federated domains.
    • Choose the roles that you want assigned to the accounts when they are created. You can choose from the Entra ID default built-in roles, and you can select multiple roles.
  • Save the configuration.
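Two of the steps above are easy to get wrong: the provisioning domain must be a managed (not federated) domain, and the roles granted to the provisioned accounts are what a technician actually holds during the access window. The following PowerShell is an added example, not idemeum's code, that checks both from the Entra ID side using the Microsoft Graph PowerShell SDK: the first function lists the tenant's domains and marks which ones qualify for provisioning, the second lists which accounts in the chosen domain currently hold directory roles, so you can confirm that time-limited accounts are disabled once their window has expired. The module name, scopes and cmdlets are the Microsoft Graph SDK's own; the function names and the `$ProvisioningDomain` value are assumptions made for this example.

```powershell
# Added example (not part of the idemeum documentation or product).
# Requires the Microsoft Graph PowerShell SDK:
#   Install-Module Microsoft.Graph -Scope CurrentUser
# Sign in once with the scopes both functions need.
Connect-MgGraph -Scopes "Domain.Read.All", "Directory.Read.All"

# List every domain in the tenant and flag the ones idemeum can provision
# into: verified and AuthenticationType 'Managed' (federated domains are not
# supported by the integration described above).
function Get-JitEligibleDomain {
    Get-MgDomain -All | ForEach-Object {
        [pscustomobject]@{
            Domain             = $_.Id
            AuthenticationType = $_.AuthenticationType
            IsVerified         = $_.IsVerified
            IsDefault          = $_.IsDefault
            Eligible           = ($_.AuthenticationType -eq 'Managed' -and $_.IsVerified)
        }
    }
}

# Audit which accounts in the provisioning domain hold directory roles right
# now, and whether each account is still enabled. After the access window
# (4 hours by default) has passed, provisioned accounts should show
# AccountEnabled = False; anything still enabled deserves a look.
function Get-RoleHolderInDomain {
    param(
        [Parameter(Mandatory)]
        [string]$Domain   # e.g. 'contoso.onmicrosoft.com' (assumed value)
    )
    foreach ($role in Get-MgDirectoryRole -All) {
        foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
            # Role members come back as generic directory objects; the user
            # fields live in AdditionalProperties.
            $upn = $member.AdditionalProperties['userPrincipalName']
            if ($upn -and $upn -like "*@$Domain") {
                [pscustomobject]@{
                    Role              = $role.DisplayName
                    UserPrincipalName = $upn
                    AccountEnabled    = $member.AdditionalProperties['accountEnabled']
                }
            }
        }
    }
}

# Usage (the domain below is a placeholder, not a real tenant):
$ProvisioningDomain = 'contoso.onmicrosoft.com'

Get-JitEligibleDomain | Format-Table -AutoSize
Get-RoleHolderInDomain -Domain $ProvisioningDomain |
    Sort-Object Role, UserPrincipalName |
    Format-Table -AutoSize
```

Run the first function before filling in the domain field; if the domain you intended to use shows `Eligible = False`, it is either unverified or federated and the provisioning step will not work. Run the second function after a technician's window has closed to confirm the account was disabled and to see the full set of roles the integration is handing out; keeping that role list as small as the technicians' work allows is the main lever you have over the blast radius of these accounts.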

Create entitlement rule

Once you have created the Entra ID application you need to entitle it to technicians, meaning you need to allow technicians to access this application. The easiest way is to entitle the Entra ID application to the All admins group, so that any technician who has access to the customer tenant automatically has access to the Entra ID application.

  • Access Entitlements and create a new rule
    • Give the rule a name, e.g. Entra ID access for all admins
    • Choose Group for the IF condition
    • Select the All admins group
    • Choose the Entra ID application that you created in the previous step

Now any technician who has access to this customer tenant will be able to request Entra ID accounts.