Set up Microsoft Entra ID with OpenID Connect Integration

You may need more than one application in Entra ID, depending on which of the following functions you use:
  1. Secure Application Access authentication – Used for logging into the Universal ZTNA Agent or the End User web portal.
  2. Secure Network Access authentication
  3. User and User Group Synchronization

Use this task to set up Microsoft Entra with OpenID Connect (OIDC).

  1. Log in to Microsoft Entra ID and select Applications > App Registrations.
  2. To create a new registration, in the Name field, enter ExtremeCloud Universal ZTNA – OIDC and select Register.
  3. Select Redirect URIs > Add a platform.
  4. Copy the current URIs listed under Web > Redirect URIs.
  5. Return to the Overview screen and take note of the Application (client) ID and the Directory (tenant) ID.
  6. In the Client Credentials field, select Add a certificate or secret > New Client Secret > Add.
    Note

    Take note of the expiration date as the application will not be functional after the secret expires.
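  7. From the Certificates & Secrets screen, under the Client Secrets tab, in the Value field, copy the new token. Copy it at this point, because Entra ID does not display the secret value again after you leave the screen.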
  8. From the API Permissions screen, select Grant admin consent for [company name].
  9. From the ExtremeCloud Universal ZTNA Identity Provider - Microsoft Entra ID screen, enter the noted Application (client) ID, Client Secret, and Directory (tenant) ID.
  10. Optional: Select Secure Network Access if the Network Access functionality will be used. The same application can be used for both Application Access and Network Access. However, if Multi-Factor Authentication is enabled in Entra ID, a separate application must be created, and a conditional access policy must be used to disable MFA on this specific application.

    If the Secure Network Access check box is selected, either create a separate application in Entra ID and provide its Client ID, Client Secret, and Tenant ID, or select Use Settings Above for Network Access to reuse for network access the IdP credentials entered for application access.

  11. Optional: To provision users and user groups in Entra ID and then sync them with Universal ZTNA, follow Synchronize Users and Groups with Microsoft Entra ID.
  12. Select Validate Information.
  13. When validation is complete, select Update > Confirm.
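
The note in step 6 means the integration stops working when the client secret expires, so the expiration date is worth checking on a schedule. The following is an added example, not part of the original procedure or of any Extreme Networks tooling: it reads the passwordCredentials list of a Microsoft Graph application object and flags secrets that are expired or close to expiry. The sample object, its IDs and dates are constructed, and the function names and the 30-day warning window are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: the shape of a Microsoft Graph `application` object
# (GET /v1.0/applications?$filter=appId eq '<client-id>'), trimmed to the
# fields used here. IDs, names and dates are placeholders.
SAMPLE_APP = json.loads("""
{
  "appId": "00000000-0000-0000-0000-000000000001",
  "passwordCredentials": [
    {"keyId": "11111111-1111-1111-1111-111111111111",
     "displayName": "old secret", "endDateTime": "2024-01-15T00:00:00Z"},
    {"keyId": "22222222-2222-2222-2222-222222222222",
     "displayName": "current secret", "endDateTime": "2024-07-10T12:30:00.1234567Z"},
    {"keyId": "33333333-3333-3333-3333-333333333333",
     "displayName": "rotated secret", "endDateTime": "2025-06-01T00:00:00Z"}
  ]
}
""")

def parse_graph_time(value):
    """Parse a UTC Graph timestamp; fractional seconds may carry 7 digits."""
    head, _, frac = value.rstrip("Z").partition(".")
    dt = datetime.strptime(head, "%Y-%m-%dT%H:%M:%S")
    micro = int((frac + "000000")[:6]) if frac else 0
    return dt.replace(microsecond=micro, tzinfo=timezone.utc)

def secret_status(app, now, warn_days=30):
    """Return (keyId, name, state, days_left) per client secret, soonest first."""
    rows = []
    for cred in app.get("passwordCredentials", []):
        end = parse_graph_time(cred["endDateTime"])
        days_left = (end - now).days
        if end <= now:
            state = "EXPIRED"
        elif end - now <= timedelta(days=warn_days):
            state = "EXPIRING"
        else:
            state = "OK"
        rows.append((cred["keyId"], cred.get("displayName") or "", state, days_left))
    return sorted(rows, key=lambda r: r[3])

def needs_rotation(app, now, warn_days=30):
    """True when no secret stays valid beyond the warning window."""
    return not any(r[2] == "OK" for r in secret_status(app, now, warn_days))

if __name__ == "__main__":
    print(secret_status(SAMPLE_APP, datetime(2024, 7, 1, tzinfo=timezone.utc)))
```

When a replacement secret is created, the new value also has to be entered on the Universal ZTNA Identity Provider screen (step 9) before the old secret expires.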