Skip to main content

JIT for Entra configuration

For this integration to work you need to connect Entra ID customer tenant to idemeum, so that we can provision admin accounts and manage their lifecycle.
  • Login to portal.azure.com with Global Admin account
    • Navigate to Entra ID directory
    • Go to ManageApp registrations
    • Click New registration
    Newreg
    • Provide the application name
    • Keep Accounts in this organizational directory only
    • Click Register
    Directory
We will need to obtain 3 things for integration: Application (client) ID, Directory (tenant) ID, and Client secret
  • First we will grab Application (client) ID and Directory (tenant) ID Appid
  • Navigate to Certificates and secrets section
  • Click New client secret Secret
  • Give secret a name and set the expiration time of 24 months 24month
  • Now click Add
  • Now you can copy the remaining parameter - secret value Value
Now we will need to assign API permissions to idemeum application.
  • Navigate to API permissions and click Add a permission Perm
  • Choose Microsoft Graph and then Application permissions Apiperm
  • Now click on Application permissions and add the following:
    • Organization.Read.All
    • User.Read.All
    • User.ReadWrite.All
    • User.Invite.All
    • Group.Read.All
    • RoleManagement.Read.All
    • RoleManagement.ReadWrite.Directory
    • User.EnableDisableAccount.All
    • User.ManageIdentities.All
    • Domain.ReadWrite.All
    • Directory.ReadWrite.All
    • User-PasswordProfile.ReadWrite.All
Once you add permissions make sure you click Grant admin consent
Perm1
  • Navigate to your customer / organization → choose Applications
  • Choose Managed password app
  • Provide application name
  • For application type choose Web application
  • For credentials choose Entra ID OIDC credentials
  • Now we will enter Directory (tenant) ID, Application (client) ID, and client secret value parameters that we obtained in the previous section Enter
  • Now click the Validate button
  • Once the validation is successful you can configure the additional values below
    • Choose how quickly you want Entra JIT account to be disabled
    • Choose the domain name where you want to provision Entra accounts
    • For group mapping choose what groups you want to assign to JIT accounts
    • Also specify LAPS account if you want idemeum to create and manage one for the Entra tenant
  • Save the configuration Almost