# Configure JIT for Entra

> Connect Entra ID tenant to idemeum for JIT account management.

## JIT for Entra configuration

For this integration to work you need to connect the Entra ID customer tenant to idemeum, so that idemeum can provision admin accounts and manage their lifecycle.

<AccordionGroup>
  <Accordion title="1. Create application in Entra ID customer tenant">
    * Log in to `portal.azure.com` with a `Global Admin` account

      * Navigate to Entra ID directory
      * Go to `Manage` → `App registrations`
      * Click `New registration`

          <img src="https://mintcdn.com/idemeum/hqsDBbePvfvKoJyW/images/newreg.png?fit=max&auto=format&n=hqsDBbePvfvKoJyW&q=85&s=5c63d42a4f08157c489dd0c020f941c4" alt="Newreg" width="1600" height="1068" data-path="images/newreg.png" />

      * Provide the application name
      * Keep `Accounts in this organizational directory only`
      * Click `Register`

          <img src="https://mintcdn.com/idemeum/AnMCtRwAN3xS8gaG/images/directory.png?fit=max&auto=format&n=AnMCtRwAN3xS8gaG&q=85&s=80fdc28fa110df4cd2d78d3dced1302c" alt="Directory" width="1600" height="1068" data-path="images/directory.png" />
  </Accordion>

  <Accordion title="2. Save integration parameters">
    <Note>
      We will need to obtain three things for the integration: `Application (client) ID`, `Directory (tenant) ID`, and `Client secret`.
    </Note>

    * First we will grab `Application (client) ID` and `Directory (tenant) ID`

          <img src="https://mintcdn.com/idemeum/AnMCtRwAN3xS8gaG/images/appid.png?fit=max&auto=format&n=AnMCtRwAN3xS8gaG&q=85&s=9df2821654b9dfd183d177d208c62cf8" alt="Appid" width="1600" height="1068" data-path="images/appid.png" />

    * Navigate to `Certificates and secrets` section

    * Click `New client secret`

          <img src="https://mintcdn.com/idemeum/hqsDBbePvfvKoJyW/images/secret.png?fit=max&auto=format&n=hqsDBbePvfvKoJyW&q=85&s=86a6f2a2296483754de9829b23a4abde" alt="Secret" width="1600" height="1068" data-path="images/secret.png" />

    * Give the secret a name and set the expiration time to 24 months

          <img src="https://mintcdn.com/idemeum/AnMCtRwAN3xS8gaG/images/24month.png?fit=max&auto=format&n=AnMCtRwAN3xS8gaG&q=85&s=12df0a395c5bebe8883bc55bff2f0b2b" alt="24month" width="1600" height="1068" data-path="images/24month.png" />

    * Now click `Add`

    * Now you can copy the remaining parameter, the `secret value`. Copy it right away: Entra displays the value only once, directly after the secret is created.

          <img src="https://mintcdn.com/idemeum/hqsDBbePvfvKoJyW/images/value.png?fit=max&auto=format&n=hqsDBbePvfvKoJyW&q=85&s=6644007b0a9aa3f921a9e3fdfbdf0b3f" alt="Value" width="1600" height="1068" data-path="images/value.png" />
  </Accordion>

  <Accordion title="3. Create API permissions">
    Now we will need to assign API permissions to the idemeum application.

    * Navigate to `API permissions` and click `Add a permission`

          <img src="https://mintcdn.com/idemeum/hqsDBbePvfvKoJyW/images/perm.png?fit=max&auto=format&n=hqsDBbePvfvKoJyW&q=85&s=56220b05319627e6545c14a05a9436f2" alt="Perm" width="1600" height="1068" data-path="images/perm.png" />

    * Choose `Microsoft Graph` and then `Application permissions`

          <img src="https://mintcdn.com/idemeum/AnMCtRwAN3xS8gaG/images/apiperm.png?fit=max&auto=format&n=AnMCtRwAN3xS8gaG&q=85&s=70746362c1c634c4b0297ea0a5f66b37" alt="Apiperm" width="1600" height="1059" data-path="images/apiperm.png" />

    * Now click on `Application permissions` and add the following:
      * `Organization.Read.All`
      * `User.Read.All`
      * `User.ReadWrite.All`
      * `User.Invite.All`
      * `Group.Read.All`
      * `RoleManagement.Read.All`
      * `RoleManagement.ReadWrite.Directory`
      * `User.EnableDisableAccount.All`
      * `User.ManageIdentities.All`
      * `Domain.ReadWrite.All`
      * `Directory.ReadWrite.All`
      * `User-PasswordProfile.ReadWrite.All`

    <Warning>
      Once you have added the permissions, make sure you click `Grant admin consent`. Without admin consent the application permissions are listed but not effective.
    </Warning>

    <img src="https://mintcdn.com/idemeum/hqsDBbePvfvKoJyW/images/perm1.png?fit=max&auto=format&n=hqsDBbePvfvKoJyW&q=85&s=e8330cbeb0de0809479e177ec68a99ad" alt="Perm1" width="1600" height="1164" data-path="images/perm1.png" />
  </Accordion>

  <Accordion title="4. Configure Entra JIT in idemeum">
    * Navigate to your customer / organization → choose `Applications`

    * Choose `Managed password app`

    * Provide application name

    * For application type choose `Web application`

    * For credentials choose `Entra ID OIDC credentials`

    * Now enter the `Directory (tenant) ID`, `Application (client) ID`, and `client secret value` parameters that we obtained in step 2

          <img src="https://mintcdn.com/idemeum/q74yJ0PN8AhFsyfZ/images/enter.png?fit=max&auto=format&n=q74yJ0PN8AhFsyfZ&q=85&s=27055570e7ee92df318a7dcfd3ffaadd" alt="Enter" width="1600" height="1129" data-path="images/enter.png" />

    * Now click the `Validate` button

    * Once the validation is successful you can configure the additional values below:
      * Choose how quickly you want the Entra JIT account to be disabled
      * Choose the domain name where you want to provision Entra accounts
      * For group mapping, choose which groups you want to assign to JIT accounts
      * Optionally specify a LAPS account if you want idemeum to create and manage one for the Entra tenant

    * Save the configuration

          <img src="https://mintcdn.com/idemeum/q74yJ0PN8AhFsyfZ/images/almost.png?fit=max&auto=format&n=q74yJ0PN8AhFsyfZ&q=85&s=c2aff6771484a95c90e690c56669fd71" alt="Almost" width="1600" height="1129" data-path="images/almost.png" />
  </Accordion>
</AccordionGroup>
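Before entering the parameters into idemeum, you can confirm from outside idemeum that the app registration from steps 1 to 3 really carries the required Graph application permissions with admin consent. The Python script below is an added example, not idemeum's code: `fetch_graph_token` requests a client-credentials token with the tenant ID, client ID and secret value from step 2, and `missing_permissions` compares the token's `roles` claim with the permission list from step 3; the token it demonstrates on is constructed, and the function and file names are this example's own.

```python
"""Check that an Entra app registration carries the Graph application permissions
required on this page, by inspecting the `roles` claim of a client-credentials token."""
import base64
import json
import urllib.parse
import urllib.request

# Graph application permissions listed in step 3 of this page.
REQUIRED_PERMISSIONS = {
    "Organization.Read.All", "User.Read.All", "User.ReadWrite.All", "User.Invite.All",
    "Group.Read.All", "RoleManagement.Read.All", "RoleManagement.ReadWrite.Directory",
    "User.EnableDisableAccount.All", "User.ManageIdentities.All", "Domain.ReadWrite.All",
    "Directory.ReadWrite.All", "User-PasswordProfile.ReadWrite.All",
}

def fetch_graph_token(tenant_id, client_id, client_secret):
    """Client-credentials grant against the tenant's v2.0 token endpoint (network call)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]

def token_roles(access_token):
    """App roles (admin-consented application permissions) carried in the token.
    Inspection only: the payload is decoded without signature validation, which is fine
    for a configuration check but never for an authorization decision."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))

def missing_permissions(access_token):
    """Permissions from the list above that are absent from the token, meaning they were
    not added in step 3 or `Grant admin consent` was not clicked."""
    return sorted(REQUIRED_PERMISSIONS - token_roles(access_token))

def make_sample_token(roles):
    """Constructed, unsigned sample token for offline testing; not a real Entra token."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64({'aud': 'https://graph.microsoft.com', 'roles': roles})}.sig"

if __name__ == "__main__":
    # Demo on a constructed token with one permission from the list left out.
    demo = make_sample_token(sorted(REQUIRED_PERMISSIONS - {"User.Invite.All"}))
    print("missing:", missing_permissions(demo))  # → ['User.Invite.All']
```

For a live check, replace the constructed token with `fetch_graph_token(tenant_id, client_id, client_secret)`; an empty result means every permission from step 3 is granted and consented.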
