Elevated Entra ID access

How it works

High-level overview of how Elevated Access to Entra ID works.

Product components

Elevated Access to Entra ID is enabled by the following architecture components:

  1. Idemeum cloud - idemeum cloud is the management plane. You use your MSP admin portal to create customer tenants and then connect these customer tenants with the customers' Entra ID tenants. Idemeum cloud provisions technician accounts on demand, rotates passwords, controls access, and allows technicians to retrieve account credentials.
  2. Entra ID tenant - you connect each customer's Entra ID tenant with its associated idemeum customer tenant. The connection is established with the OAuth protocol so that client credentials can be obtained to perform API calls. When connecting an Entra ID tenant you can set various settings, including which domain to use for account creation, how long the accounts should stay active, and more.
  3. Idemeum portal - the idemeum portal allows technicians to request Entra ID accounts for the tenants they need to access and to retrieve the credentials for those accounts. Access to the portal is protected with FIDO2 passwordless MFA.
  4. Idemeum extension - the idemeum browser extension seamlessly autofills Entra ID credentials when technicians access a customer's Entra ID tenant.

Technician access flow

Below is a high-level flow of how technicians will request Entra ID accounts, and how they can access Entra ID with credentials auto-fill.

  1. First you create an idemeum customer tenant and connect that tenant with your customer's Entra ID tenant. The connection is made through the OAuth authorization flow. You will need an Entra ID admin account to authorize the connection and grant idemeum cloud the permissions to create and manage Entra ID accounts. You can also specify additional settings, such as how long the accounts should stay enabled and which roles to assign to technicians when accounts are created.
  2. The technician accesses the customer's idemeum tenant with passwordless MFA.
  3. Once logged in, the technician can use the idemeum portal to request an Entra ID account. Using your idemeum MSP portal you control which of your technicians have access to which customer tenants.
     1. Idemeum cloud calls Entra ID APIs to create a just-in-time account for the technician, assigns the required roles, and starts the timer that bounds how long the account stays active.
     2. The technician can now retrieve the account credentials and access the Entra ID tenant manually, or launch an application from the portal or extension and have the credentials filled in automatically.
        1. Once the application is launched, the idemeum extension autofills the credentials so that the technician does not need to copy and paste them manually.
        2. After the specified time, idemeum cloud disables the technician's account and captures all access information in the audit logs.
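To make the provisioning and expiry steps above concrete, here is an added example (not idemeum's code) of the Microsoft Graph calls a just-in-time account flow issues: create the user with a generated password, assign a directory role, and disable the account once its window elapses. The stand-in client only records calls so the example runs offline; the `jit-` naming, the customer domain and the role template id are assumptions.

```python
"""Illustrative just-in-time Entra ID account lifecycle (added example, not idemeum code).

Assumptions: a client-credentials token has already been obtained, and `graph` is a
stand-in for an HTTPS client so the sequence runs offline. Endpoints and body shapes
follow Microsoft Graph v1.0 (users, directory role assignments). Times are epoch seconds.
"""
import secrets
import time

GRAPH = "https://graph.microsoft.com/v1.0"


class RecordingGraphClient:
    """Stand-in transport: records each (method, path, body) instead of sending it."""
    def __init__(self):
        self.calls = []

    def request(self, method, path, body=None):
        self.calls.append((method, path, body))
        # Pretend Graph returned an object id for a newly created user (constructed value).
        return {"id": "00000000-0000-0000-0000-0000000000aa"} if path.endswith("/users") else {}


def provision_jit_account(graph, domain, tech, role_template_id, ttl_minutes, now=None):
    """Create a time-boxed technician account and assign one directory role.

    Returns the record the management plane must keep: user id, expiry and the generated
    password (stored in a vault in a real system, never written to logs).
    """
    now = time.time() if now is None else now
    upn = f"jit-{tech}-{secrets.token_hex(3)}@{domain}"
    password = secrets.token_urlsafe(24)
    user = graph.request("POST", f"{GRAPH}/users", {
        "accountEnabled": True,
        "displayName": f"JIT {tech}",
        "mailNickname": upn.split("@")[0],
        "userPrincipalName": upn,
        "passwordProfile": {"forceChangePasswordNextSignIn": False, "password": password},
    })
    graph.request("POST", f"{GRAPH}/roleManagement/directory/roleAssignments", {
        "principalId": user["id"],
        "roleDefinitionId": role_template_id,
        "directoryScopeId": "/",
    })
    return {"id": user["id"], "upn": upn, "password": password,
            "expires_at": now + ttl_minutes * 60, "disabled": False}


def expire_if_due(graph, account, now):
    """Disable the account once its window has passed; returns True only on the transition."""
    if account["disabled"] or now < account["expires_at"]:
        return False
    graph.request("PATCH", f"{GRAPH}/users/{account['id']}", {"accountEnabled": False})
    account["disabled"] = True
    return True
```

Each recorded call is also what a defender should expect to see, in that order, as user-creation, role-assignment and user-update events in the tenant's audit log when reviewing technician access.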

Questions?

If you have additional questions about how Elevated Access to Entra ID works, reach out to us in Discord chat.