authentik/website/docs/add-secure-apps/providers/entra/configure-entra.md
Dewi Roberts cd53bc1d1d website/docs: entra id provider: add custom email domain info (#20444)
* WIP

* WIP

* Apply suggestions from code review

Co-authored-by: Dominic R <dominic@sdko.org>
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>

---------

Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Dominic R <dominic@sdko.org>
2026-03-02 13:29:32 +00:00

---
title: Configure Entra ID
authentik_enterprise: true
---
For more information about using an Entra ID provider, see the [Entra ID Overview](./index.md) documentation.

Your Entra ID tenant must be configured before you [create an Entra ID provider](./create-entra-provider.md). This involves creating an app registration, generating a secret, and configuring the required API permissions.

:::warning Email domains
When the default `authentik default Microsoft Entra Mapping: User` property mapping is used, authentik checks whether each user's email domain is verified in your Entra ID tenant.
In that case, you must configure each user's email domain as a [verified custom domain in Entra ID](https://learn.microsoft.com/en-us/entra/identity/users/domains-manage#add-custom-domain-names-to-your-microsoft-entra-organization); otherwise, provisioning fails. The tenant's default `onmicrosoft.com` domain (e.g., `@<tenant name>.onmicrosoft.com`) is considered a verified domain.
Alternatively, if you need to provision users with email domains that you don't control, refer to [Email handling](./create-entra-provider.md#email-handling) for more information.
:::
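The following pre-flight check is an added example, not part of the authentik documentation or code base. It shows how to find the users that the default mapping would reject before a sync runs: it takes the tenant's domain list as returned by Microsoft Graph (`GET /v1.0/domains`, whose objects carry `id` and `isVerified`) and the authentik users you intend to provision, and reports every user whose email domain is not verified in the tenant. Both inputs below are constructed sample data embedded so the script runs offline; in practice you would fetch the domain list from Graph and the user list from authentik.

```python
"""Pre-flight check: which users would fail Entra ID provisioning because
their email domain is not a verified domain in the tenant?

Added example; not authentik's own code. The domain list mirrors the shape of
GET /v1.0/domains; the user list mirrors what authentik would provision.
"""
from __future__ import annotations

# Constructed sample: shape matches the `value` array of GET /v1.0/domains.
GRAPH_DOMAINS = [
    {"id": "contoso.onmicrosoft.com", "isVerified": True, "isDefault": True},
    {"id": "contoso.com", "isVerified": True, "isDefault": False},
    {"id": "pending.example", "isVerified": False, "isDefault": False},
]

# Constructed sample: the authentik users selected for provisioning.
AUTHENTIK_USERS = [
    {"username": "alice", "email": "alice@contoso.com"},
    {"username": "bob", "email": "Bob@CONTOSO.ONMICROSOFT.COM"},
    {"username": "carol", "email": "carol@pending.example"},
    {"username": "dave", "email": "dave@gmail.example"},
    {"username": "erin", "email": ""},
]


def verified_domains(domains: list[dict]) -> set[str]:
    """Return the lower-cased names of domains Entra ID reports as verified.

    The tenant's default onmicrosoft.com domain appears in this list with
    isVerified set, so it needs no special casing.
    """
    return {d["id"].lower() for d in domains if d.get("isVerified")}


def email_domain(email: str) -> str | None:
    """Extract the domain part of an address; None if there is no usable one."""
    if not email or email.count("@") != 1:
        return None
    local, _, domain = email.partition("@")
    if not local or not domain:
        return None
    return domain.lower()


def provisioning_blockers(users: list[dict], domains: list[dict]) -> dict[str, str]:
    """Map username -> reason for every user the default mapping would reject.

    Two reasons occur: no parseable email, or an email whose domain is not in
    the verified set. Users whose domain is verified are omitted.
    """
    verified = verified_domains(domains)
    blockers: dict[str, str] = {}
    for user in users:
        domain = email_domain(user.get("email", ""))
        if domain is None:
            blockers[user["username"]] = "no usable email address"
        elif domain not in verified:
            blockers[user["username"]] = f"domain {domain!r} is not verified in the tenant"
    return blockers


if __name__ == "__main__":
    for name, reason in sorted(provisioning_blockers(AUTHENTIK_USERS, GRAPH_DOMAINS).items()):
        print(f"{name}: {reason}")
```

Domain comparison is case-insensitive and exact: a subdomain is only treated as verified if it is itself listed as verified in the Graph response, which is the safe assumption when you cannot confirm how the tenant was set up.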

## Configuring your Entra ID tenant

1. Log in to the [Entra ID admin center](https://entra.microsoft.com).
2. Navigate to **App registrations**, click **New registration**, and set the following configurations:
   - Provide a **Name** for the app registration (e.g. `authentik Entra Provider`)
   - Under **Supported account types**, select **Accounts in this organizational directory only**
   - Leave **Redirect URI** empty
3. Click **Register**.
4. On the app detail page, take note of the **Application (client) ID** and **Directory (tenant) ID**. These values will be required when you [create the Entra ID provider](./create-entra-provider.md) in authentik.
5. Next, in the near-left navigation pane, click on **Certificates and Secrets**.
6. On the **Client secrets** tab, click **New client secret** and set the following configuration:
   - Provide a **Description** for the client secret
   - Set an expiry period for the secret. Please note that you will need to rotate the secret value in Entra ID and authentik upon expiry.
7. Click **Add**.
8. The **Value** of the client secret is shown only once. Take note of the value as it will be required when you [create the Entra ID provider](./create-entra-provider.md) in authentik.
9. Next, in the near-left navigation pane, click on **API permissions**.
10. Click **Add a permission** and select **Microsoft Graph** as the API.
11. Select **Application permissions** as the permission type and assign the following permissions:
    - `Group.Create`
    - `Group.ReadWrite.All`
    - `GroupMember.ReadWrite.All`
    - `User.ReadWrite.All`
12. Click **Add permissions**.
13. Under **Configured permissions**, click **Grant admin consent for default directory**.
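After completing the steps above, it is worth confirming from the Graph side that the permissions were actually granted and that the client secret is not close to the expiry you chose. The script below is an added example, not part of the authentik documentation or code base. It assumes you have fetched three Graph responses for the tenant: the `appRoles` of the Microsoft Graph service principal, the `appRoleAssignments` of the authentik app's service principal (an assignment only exists once admin consent has been granted), and the `passwordCredentials` of the app registration. All three are embedded here as constructed sample data with placeholder GUIDs, so the script runs offline; the real role IDs come from your tenant's Graph response.

```python
"""Post-configuration check for the authentik app registration in Entra ID.

Added example; not authentik's own code. Verifies that the four required
Microsoft Graph application permissions are granted (admin-consented) to the
app's service principal and that no client secret is expired or about to expire.
All GUIDs below are placeholders, not real Graph identifiers.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# The application permissions the configuration steps assign.
REQUIRED_PERMISSIONS = {
    "Group.Create",
    "Group.ReadWrite.All",
    "GroupMember.ReadWrite.All",
    "User.ReadWrite.All",
}

# Constructed sample: appRoles of the Microsoft Graph service principal
# (placeholder ids; shape matches the Graph response).
GRAPH_APP_ROLES = [
    {"id": "11111111-0000-0000-0000-000000000001", "value": "Group.Create"},
    {"id": "11111111-0000-0000-0000-000000000002", "value": "Group.ReadWrite.All"},
    {"id": "11111111-0000-0000-0000-000000000003", "value": "GroupMember.ReadWrite.All"},
    {"id": "11111111-0000-0000-0000-000000000004", "value": "User.ReadWrite.All"},
    {"id": "11111111-0000-0000-0000-000000000005", "value": "Directory.ReadWrite.All"},
]

# Constructed sample: appRoleAssignments on the authentik app's service
# principal. Group.Create is deliberately absent to show the report.
APP_ROLE_ASSIGNMENTS = [
    {"appRoleId": "11111111-0000-0000-0000-000000000002", "resourceDisplayName": "Microsoft Graph"},
    {"appRoleId": "11111111-0000-0000-0000-000000000003", "resourceDisplayName": "Microsoft Graph"},
    {"appRoleId": "11111111-0000-0000-0000-000000000004", "resourceDisplayName": "Microsoft Graph"},
]

# Fixed clock so the sample output is reproducible.
NOW = datetime(2026, 3, 2, tzinfo=timezone.utc)

# Constructed sample: passwordCredentials from the app registration.
PASSWORD_CREDENTIALS = [
    {"displayName": "authentik", "endDateTime": "2026-03-20T00:00:00Z"},
    {"displayName": "old", "endDateTime": "2025-12-01T00:00:00Z"},
]


def granted_permissions(app_roles: list[dict], assignments: list[dict]) -> set[str]:
    """Translate assigned appRoleIds back to permission names using Graph's appRoles."""
    by_id = {role["id"]: role["value"] for role in app_roles}
    return {by_id[a["appRoleId"]] for a in assignments if a["appRoleId"] in by_id}


def missing_permissions(app_roles: list[dict], assignments: list[dict]) -> set[str]:
    """Required permissions that have not been granted to the service principal."""
    return REQUIRED_PERMISSIONS - granted_permissions(app_roles, assignments)


def secret_status(credentials: list[dict], now: datetime = NOW, warn_days: int = 30) -> dict[str, str]:
    """Classify each secret as 'expired', 'expiring' (within warn_days) or 'ok'."""
    status: dict[str, str] = {}
    for cred in credentials:
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        if end <= now:
            status[cred["displayName"]] = "expired"
        elif end - now <= timedelta(days=warn_days):
            status[cred["displayName"]] = "expiring"
        else:
            status[cred["displayName"]] = "ok"
    return status


if __name__ == "__main__":
    missing = missing_permissions(GRAPH_APP_ROLES, APP_ROLE_ASSIGNMENTS)
    print("missing permissions:", ", ".join(sorted(missing)) or "none")
    for name, state in secret_status(PASSWORD_CREDENTIALS).items():
        print(f"secret {name!r}: {state}")
```

Checking `appRoleAssignments` rather than the app registration's `requiredResourceAccess` is the point of the second function: the latter only records what was requested in step 11, while an assignment exists only after the consent in step 13 has been granted.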
Now that you have configured your Entra ID tenant, you are ready to [create an Entra ID provider](./create-entra-provider.md).