Setting Up Entra ID Service Account Authentication 🔐✨

Relevant Products

BREEZE PRINT, BREEZE MFP, PRO PRINT, PRO MFP

Your Gateway to Automatic PC Client Login!

Ready to connect your SAFEQ Cloud to Microsoft Entra ID using Service Account authentication? This setup enables the PC Client to automatically authenticate users on Entra ID-joined computers, making the printing experience seamless and magical.

Think of this as creating a special backstage pass that lets SAFEQ Cloud peek into your Entra ID directory and recognize users automatically. It's like having a bouncer who already knows all the VIPs!


What This Accomplishes (The Big Picture) 🎯

Once you complete this setup:

  • PC Client automatically recognizes users on Entra ID-joined computers

  • Seamless authentication happens behind the scenes

  • Users get recognized without manual intervention

  • IT admins can display user departments in accounting reports

  • Card IDs and PINs stored in Entra ID become usable at MFDs

Note: This is specifically for the Service Account authentication method, which enables the PC Client's automatic login feature for domain-joined computers.


Before You Begin (Prep Time!) 📋

You'll need:

  • Azure Portal access with app registration permissions

  • SAFEQ Cloud Web UI admin access

  • A service account in your Entra ID (username and password)

  • Your SAFEQ Cloud domain (like print.acme.com)

  • Coffee (optional but recommended ☕)

  • Patience (Azure has many clicks, but we'll get through it together!)


Part 1: Creating Your Azure App Registration 🚀

Steps 1-4: The Foundation

  1. Log into Azure Portal and click "Manage Microsoft Entra ID"

    • Fun fact: It's still basically Azure AD, they just gave it a fancier name

  2. Click "App registrations"

  3. Click "+ New registration" (that friendly little plus sign!)

  4. Fill in the basics:

    • Name: Something descriptive like "SAFEQ Cloud Service Account"

    • Supported account types: Pick what matches your organization setup

    • Redirect URI: Leave this empty for now (we're keeping it simple!)

  5. Click "Register" and feel the satisfaction of creation! 🎉

Steps 5-7: Permission Configuration (The Important Stuff)

  1. Click "API permissions"

  2. Find "Microsoft Graph" and delete the default "User.Read" permission

    • Don't worry, we're going to add better permissions in a moment

Steps 8-11: Adding the Right Permissions

  1. Click "Add a permission"

  2. Select "Microsoft Graph" from the commonly used APIs

  3. Click "Delegated permissions"

  4. Search for and add these essential permissions:

    • Group.Read.All: Lets the app read group info and memberships

    • User.Read.All: Allows reading user profiles and properties

Pro tip: These are the minimum required permissions for this setup!

  1. Click "Grant admin consent for [your organization]"

  2. Click "Yes" to approve

    • This is where you use your admin superpowers to approve everything at once

Steps 13-14: Enable Public Client Flows

  1. Click "Authentication"

  2. Set "Allow public client flows" to "Yes"

    • This magical setting enables the service account to fetch user info from Entra ID


Congratulations! Your Azure App Registration is complete! 🏆
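To confirm the registration ended up with exactly the settings from Part 1 and nothing broader, the following added example (not part of the original guide or of SAFEQ Cloud) audits the registration as exported from Microsoft Graph. It assumes you have saved the `application` object and its `oauth2PermissionGrant` objects as JSON; the function name and the sample data are constructed for illustration.

```python
# Added example: audits exported Graph objects against the settings in Part 1.
REQUIRED_SCOPES = {"Group.Read.All", "User.Read.All"}  # the page's minimum set


def audit_app_registration(app, grants):
    """Return a list of findings; an empty list means the export matches Part 1.

    app    -- dict shaped like a Microsoft Graph `application` object
    grants -- list of dicts shaped like `oauth2PermissionGrant` objects
    """
    findings = []

    # "Allow public client flows" must be set to Yes.
    if app.get("isFallbackPublicClient") is not True:
        findings.append("public client flows are not enabled")

    # The page asks for delegated permissions: type "Scope". "Role" is application-level.
    for resource in app.get("requiredResourceAccess", []):
        for access in resource.get("resourceAccess", []):
            if access.get("type") != "Scope":
                findings.append(f"application permission requested: {access.get('id')}")

    # Organization-wide admin consent is recorded with consentType "AllPrincipals".
    tenant_wide = [g for g in grants if g.get("consentType") == "AllPrincipals"]
    if not tenant_wide:
        findings.append("no tenant-wide admin consent found")
    granted = set()
    for grant in tenant_wide:
        granted.update(grant.get("scope", "").split())

    for scope in sorted(REQUIRED_SCOPES - granted):
        findings.append(f"missing delegated scope: {scope}")
    for scope in sorted(granted - REQUIRED_SCOPES):
        findings.append(f"extra delegated scope beyond the page's minimum: {scope}")
    return findings


# Constructed sample data (placeholder IDs, not from a real tenant).
# Here the default User.Read was consented instead of being deleted first.
SAMPLE_APP = {
    "displayName": "SAFEQ Cloud Service Account",
    "isFallbackPublicClient": True,
    "requiredResourceAccess": [{
        "resourceAppId": "00000003-0000-0000-c000-000000000000",  # Microsoft Graph
        "resourceAccess": [{"id": "<scope-id-1>", "type": "Scope"},
                           {"id": "<scope-id-2>", "type": "Scope"}],
    }],
}
SAMPLE_GRANTS = [{"consentType": "AllPrincipals",
                  "scope": "Group.Read.All User.Read.All User.Read"}]

if __name__ == "__main__":
    for finding in audit_app_registration(SAMPLE_APP, SAMPLE_GRANTS):
        print("FINDING:", finding)
```

Run it again whenever someone edits the registration, so that extra scopes or application-level permissions added later do not go unnoticed.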


Part 2: Configuring SAFEQ Cloud (The Grand Finale) ⚡

Step 15: Create the Authentication Provider

  1. Log into SAFEQ Cloud Web UI

  2. Go to Users → Authentication providers tab

  3. Click "Add" (another magical moment!)

  4. Fill in the general settings:

    • Type: Select "Microsoft Entra ID"

    • Name: Will auto-fill, but make it friendly if you want

    • Domains: Enter your Entra ID domain (like "acme.com" from john.doe@acme.com)

    • Priority: Set the authentication order (higher numbers go first)

    • Active: Make sure this is enabled

Configure Service Account Authentication:

  1. In the "Service Account Authentication" section:

    • Active: Turn this ON (this is the whole point!)

    • Application ID: Enter the ID from your Azure App Registration

    • User name: Your service account username

    • Password: Your service account password

    • Cache expiration: Set to at least 120 seconds (2 minutes recommended)

    • Service: Select your authentication service (or create one if needed)

  2. Click "Save" and bask in the glory of completion! ✨


What Happens Next? 🔮

Your setup is complete! Here's what you can expect:

  • PC Client will automatically recognize users on Entra ID-joined computers

  • User information syncs from your directory

  • Department data appears in accounting reports (if configured)

  • Card IDs and PINs from Entra ID become usable at MFDs

  • All users get assigned to the "Authenticated Users" group automatically


Troubleshooting (When Azure Gets Moody) 🤔

"I Can't Find My App Registration!"

  • Check the name - Azure is case-sensitive sometimes

  • Try refreshing the App registrations page

  • Look in Enterprise Applications too - it might show up there

"Permission Errors During Setup!"

  • Verify admin rights - you need proper permissions in Azure

  • Check the service account - make sure it's active and the password is correct

  • Double-check the Application ID - one wrong character breaks everything

"Users Aren't Getting Recognized!"

  • Confirm computers are Entra ID-joined - this only works for domain-joined machines

  • Check the domain matching - the domain in SAFEQ must match your Entra ID domain

  • Verify the authentication provider is active - sometimes the toggle gets missed

"Cache Issues or Slow Response!"

  • Increase cache expiration time - try 300 seconds (5 minutes)

  • Check network connectivity - SAFEQ needs to reach Microsoft's servers

  • Monitor the authentication service - make sure it's running properly


The Victory Celebration 🎊

You've successfully bridged the gap between Microsoft Entra ID and SAFEQ Cloud! Your Service Account authentication is now ready to make users' lives easier by providing automatic authentication on their domain-joined computers.

The PC Client can now tap into your Entra ID directory, recognize users automatically, and provide that seamless experience everyone loves. You've essentially created a VIP lane for your users' authentication journey.

Take a moment to appreciate what you've accomplished - you've connected two enterprise systems and made them work together harmoniously. That's some serious IT wizardry right there! 🧙‍♂️


Remember: If something seems broken, 90% of the time it's a typo in the Application ID or domain name. Check those first, and you'll save yourself hours of troubleshooting! 🔍