Microsoft Entra authentication

SAFEQ Cloud supports Microsoft Entra (formerly Azure AD) authentication, for direct real-time authentication of Entra users.

Note that SAFEQ Cloud Entra authentication does not support multi-factor authentication (MFA). If MFA is used, SAFEQ Cloud can access Entra ID by disabling MFA on the one user set up in Authentication, and whitelist the public IP-address of the gateway in Entra ID.

To configure Entra authentication, perform the following steps:

Log in to Azure Portal and click Manage Microsoft Entra ID.
Click App registrations.
Click the +New registration button.
Enter the name of your new application, select one of the supported account types, and fill in the Redirect URI field.
Clic Register.
Click API permissions.
Click Microsoft Graph (1) and delete the User.Read permission.
Click Add a permission.
Select Microsoft Graph from Commonly used Microsoft APIs.
Click Delegated permissions.
Search for the permissions required, and then click Add Permissions.

Minimum Permissions Required are:
- Directory.Read.All – Allows the app to read data in your organization’s directory, such as users, groups, and apps
- Group.Read.All – Allows the app to list groups, and to read their properties and all group memberships on behalf of the signed-in user
- User.ReadBasic.All – Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user
Grant the admin permissions by clicking Grant admin consent for, and then click Yes to approve.
Your App Registration should now display the following.

Additional permissions may be required for reading custom attributes or similar. These should be added based on the specific configuration of Entra ID and attribute mapping configured in SAFEQ Cloud.
In APP Registration under Authentication, set Allow public client flows to Yes.
Log in to SAFEQ Cloud Web UI and click Authentication.
Click Add and enter the following details:
1. Name – An internal name used for identifying the particular authentication provider configuration.
2. Domains – The domain names of the authenticating users. Domain aliases that the users can use to log in can be added here, together with the Entra domain names as configured in the Azure portal. At least one domain in the list should match the domain part of the fully qualified user name passed for authentication. If not strict domain, SAFEQ Cloud will attempt to authenticate the user with all domains in the list regardless of the domain entered in the credentials, in the order defined in the list. If strict domain, SAFEQ Cloud will attempt to authenticate only with the domain in the credentials.
  
  Specifying the correct domain name is especially important if using the Strict domain validation feature as it is otherwise not possible to detect to which domain a user belongs.
3. Priority – A number that determines the order in which authentication providers will be called until one succeeds. Higher-priority providers will be called first.
4. Active – If enabled, the authentication provider will be used for authentication. If disabled, this authentication provider will not be searched.
5. Application ID – The ID of your newly registered Entra application.
6. User name – Name of the user with permission to lookup the directory (Not a user with the Directory Role Global Administrator).
7. Password – Password for the above-mentioned user.
8. Cache expiration in seconds – Time to keep authentication information in the internal cache to reduce the calls from SAFEQ Cloud to Entra ID. Recommended to have at least 2 minutes.
9. Custom attributes – Expand custom attributes to change the Entra attributes in which usernames, card IDs, ShortIDs, and others are stored.
10. Service – Which Authentication Service will communicate to this Entra server. In case no service is already created, it can be added using the Add button. If the primary server has only one authentication service, or if there's only one authentication service in general, it is pre-selected by default.
Click Save.