
Microsoft Entra ID (Azure AD) Integration Guide

Mideye Server 5.5+ supports Microsoft Entra ID (formerly Azure Active Directory) as a user repository. Users authenticate against Entra ID while Mideye provides the MFA second factor.

Requirements:

  • Mideye Server 5.5 or later
  • Azure/Entra ID tenant with Global Administrator access
  • App registration with Microsoft Graph API permissions

Starting from release 5.5 it is possible to use Azure Active Directory (AAD) as a user repository for Mideye Server. A secure connection between the Mideye Server and Entra ID is established using Microsoft Graph. Complete the following steps to create an “App registration” in Entra ID.

  1. Navigate to portal.azure.com.
  2. Sign in as a global administrator and select “Azure Active Directory”.
  3. Click “App Registrations” and select “New registration”.
  4. Give the application a friendly name and select which user repository (supported account types) is allowed to use the application.
  5. Select “Single-page application (SPA)” and leave the redirect URL blank. Complete the registration by clicking “Register”.

Microsoft Entra ID app registration form with name, supported account types, and redirect URI settings

Once the app is registered in Azure Active Directory, it must be configured. Click the created app and complete the following steps:

  1. Navigate to “Certificates & secrets”.
  2. Click “New client secret” and give the client secret a friendly name. Click “Add”.
  3. Make note of the shared secret value. It will be needed later when configuring the Mideye Server.

![Microsoft Entra ID Certificates & secrets page showing client secret creation](./azure-ad/v5-entra-id-client-secret-creation.png)

  4. Navigate to “API permissions” and click “Add a permission”.
  5. Select “Microsoft Graph” and “Application permissions”. Navigate to “User” and select “User.Read.All”. Click “Add permissions”.

![Microsoft Graph API permissions showing User.Read.All application permission selection](./azure-ad/v5-entra-id-graph-api-permissions.png)

  6. (Optional) To be able to retrieve more information about a specific user, such as group membership, a delegated permission must be added. Click “Add Permissions”. Select “Microsoft Graph” followed by “Delegated permissions”. Navigate to “User” and select “User.Read.All”. Click “Add permissions”.

![Microsoft Graph delegated permissions showing User.Read.All for group membership retrieval](./azure-ad/v5-entra-id-delegated-permissions.png)

  Allows the app to list groups, and to read their properties and all group memberships on behalf of the signed-in user. Also allows the app to read calendar, conversations, files, and other group content for all groups the signed-in user can access.

  7. The last step is to grant admin consent for the app by clicking “Grant admin consent for app”.

Microsoft Entra ID API permissions page showing Grant admin consent button

Microsoft Entra ID admin consent confirmation dialog

Click “Yes” to grant permissions to the app. Navigate to “Overview” and take note of the following IDs. These will be used later when configuring the Mideye Server.

  • Application ID
  • Object ID

Log in to Mideye Server 5 as an administrator and navigate to “Configuration” followed by “Azure Active Directory”. Click “Create Azure Active Directory”. Add a Display name and paste the Tenant ID, Client ID and Client secret saved from the previous steps.

Enter a friendly name followed by Tenant ID, Client ID and Client secret. Click “Verify Connection” and enter the UPN of a user that should be reachable in the tenant.

Ensure that users can be found using the UPN.

Navigate to the “User Properties” tab and select which properties are read to fetch the mobile phone number and token number. The default values are mobilePhone and businessPhones.

Select the property from Entra ID that is used to read the mobile phone number and token number.

Click the “Group Check” tab. If group membership should be retrieved for users, check “Enable Group Check”. This will only work if the optional step in API permissions is configured (LINK). The group must be added using the object ID of the group in Entra ID.

Add the group membership using the Object ID from Entra ID.

Copy the ObjectId of the group from Entra ID and paste it into the Mideye Server Allowed Groups ID.

If needed, check “Enable Radius Translation” and follow the instructions on how to create a new LDAP-RADIUS translation rule.
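An offline model of the checks configured above (the client-credentials token request built from Tenant ID, Client ID and Client secret, the mobilePhone/businessPhones property order, and the allowed-group object ID check), as an added example that is not Mideye Server's own code. The Graph responses are constructed samples with placeholder values and the token request is only built, not sent:

```python
import json
from typing import Optional

# Constructed sample of a Graph GET /v1.0/users/{upn} response (placeholder values, no real tenant).
SAMPLE_USER = json.dumps({
    "userPrincipalName": "alice@example.onmicrosoft.com",
    "mobilePhone": "+46700000001",
    "businessPhones": ["+46850000001"],
})
# Constructed sample of GET /v1.0/users/{upn}/transitiveMemberOf; directory roles appear here too.
SAMPLE_GROUPS = json.dumps({"value": [
    {"@odata.type": "#microsoft.graph.group", "id": "11111111-2222-3333-4444-555555555555",
     "displayName": "MFA-Users"},
    {"@odata.type": "#microsoft.graph.directoryRole", "id": "99999999-8888-7777-6666-555555555555",
     "displayName": "Global Reader"},
]})

def token_request(tenant_id: str, client_id: str, client_secret: str) -> tuple:
    """Client-credentials request for an app-only Graph token (the Tenant ID, Client ID and
    Client secret from the guide). Returned as (url, form fields) so it can be inspected offline;
    a real caller would POST the fields and read access_token from the JSON reply."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    return url, {"grant_type": "client_credentials", "client_id": client_id,
                 "client_secret": client_secret, "scope": "https://graph.microsoft.com/.default"}

def phone_from_user(user_json: str, properties=("mobilePhone", "businessPhones")) -> Optional[str]:
    """Return the first non-empty phone in the configured property order (the guide's defaults).
    Graph returns mobilePhone as a string but businessPhones as a list, so both shapes are handled;
    None means the user has no usable number and the MFA request should fail closed."""
    user = json.loads(user_json)
    for prop in properties:
        value = user.get(prop)
        if isinstance(value, list):
            value = next((v for v in value if v), None)
        if value:
            return value
    return None

def allowed_by_group(groups_json: str, allowed_group_ids) -> bool:
    """Group Check: the user must be a transitive member of at least one allowed group object ID.
    Only #microsoft.graph.group entries count; roles and administrative units are ignored."""
    objs = json.loads(groups_json)["value"]
    member_of = {o["id"] for o in objs if o.get("@odata.type") == "#microsoft.graph.group"}
    return bool(member_of & set(allowed_group_ids))

if __name__ == "__main__":
    print(phone_from_user(SAMPLE_USER),
          allowed_by_group(SAMPLE_GROUPS, {"11111111-2222-3333-4444-555555555555"}))
```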

Click “Save”. To add an Entra ID profile to a RADIUS client, see

section