Configure Microsoft Entra ID - OpenID Connect

Before you begin

There are two prerequisites to complete before configuring the Identity Provider in ExtremeCloud Universal ZTNA.
  • Create ClientID, Client Secret, and Discovery URL in Azure under App Registration. Save a copy of each to use in this procedure.
  • Your organization's AD-synced users must have administrative privileges in Azure so Microsoft can authorize the user during login. To set the permission, navigate to App Registrations > [Your Application] > API Permissions.

About this task

Follow this procedure to configure a Microsoft Entra ID - OpenID Connect Identity Provider.

Procedure

  1. Select Onboarding.
    The welcome window displays.
  2. Select Secure Hybrid Access [Secure Application Access or Secure Network Access].
  3. On the Identity Provider window, select Microsoft Entra ID.
  4. Select Continue.
    The Identity Provider window displays.
  5. Enter Client ID.
  6. Enter Client Secret.
  7. Enter Tenant ID.
    Note

    The redirect URLs are shown on the IdP setup page in the UI. Copy them and add them to the app registration in Azure under the Redirect URI section. After Microsoft authorizes the user during login or sign-up, these URLs return the user to the portal.
    • https://server URL/auth/api/v1/accounts/microsoft/login/callback/
    • https://server URL/auth/api/v1/accounts/invite/microsoft/signup/callback/
  8. (Optional) Select Secure Network Access if you want to allow Multi-Factor Authentication (MFA) enabled users to authenticate with ExtremeCloud Universal ZTNA servers.
    If the Secure Network Access check box is checked, the administrator must create a separate Entra ID Application in Azure and provide the Client ID, Client Secret and Tenant ID.
  9. (Optional) To provision users and user groups in Azure and then sync them with Universal ZTNA, follow these steps:
    1. Follow the Setup Guidelines instructions.
      Note

      AD Syncing automatically keeps Azure and UZTNA users and user groups in step: when users are added or removed in Azure, the corresponding UZTNA users and user groups are updated.
    2. Select Sync AD Users and User Groups.
      The Confirm AD Syncing pop-up window displays. This message cautions you that you can no longer change the IdP settings once you proceed with syncing.
    3. (Optional) Select Send Invitations to synced users automatically.
    4. Select Confirm.
  10. (Optional) Select All Domains or Custom and enter the domain.
    If you select Custom, enter the approved domains. This setting applies to both network and application access.
  11. Select Validate Information.
    A message in the upper right corner confirms the validation test passed.
  12. Select Update.
    The Update Identity Provider pop-up window displays. This message cautions you that changing the Identity Provider logs out current workspace users.
  13. If you decide to continue, select Confirm.
  14. Select Next.
    The Onboarding - Access Groups window displays.
  15. Configure Access Groups.
  16. Configure Resources.
  17. Configure Applications and Application Groups.
    You can skip this step if you are using Secure Network Access.
  18. Configure Policies.
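
The following pre-flight check is an added example and is not part of the Extreme documentation or the Universal ZTNA product. Before step 11 (Validate Information), it builds the two redirect URLs from your server URL, confirms they are registered in Azure exactly as written, and checks that the tenant's OpenID Connect discovery document belongs to the Tenant ID you entered; the discovery document, tenant ID and server URL below are constructed placeholders, not real values.

```python
import re
from urllib.parse import urlparse

# The two callback paths this procedure tells you to register in Azure.
REDIRECT_PATHS = (
    "/auth/api/v1/accounts/microsoft/login/callback/",
    "/auth/api/v1/accounts/invite/microsoft/signup/callback/",
)
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def redirect_urls(server_url: str) -> list[str]:
    """Build the exact redirect URLs to paste into the Azure app registration."""
    base = server_url.rstrip("/")
    return [base + path for path in REDIRECT_PATHS]


def discovery_url(tenant_id: str) -> str:
    """Where the tenant's OpenID Connect discovery document is published."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration"


def check_settings(tenant_id: str, server_url: str, registered: list[str], discovery: dict) -> list[str]:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    if not GUID_RE.match(tenant_id):
        problems.append("Tenant ID is not a GUID")
    if urlparse(server_url).scheme != "https":
        problems.append("server URL must use https")
    # Azure compares redirect URIs byte-for-byte, so a missing trailing slash or a
    # different host produces a redirect_uri mismatch at login time.
    for url in redirect_urls(server_url):
        if url not in registered:
            problems.append(f"redirect URL not registered in Azure: {url}")
    # The issuer must belong to the configured tenant; otherwise tokens would be
    # accepted from (or validated against) the wrong tenant.
    if discovery.get("issuer") != f"https://login.microsoftonline.com/{tenant_id}/v2.0":
        problems.append("discovery issuer does not match the Tenant ID")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(discovery.get(key, "")).startswith("https://"):
            problems.append(f"discovery document lacks an https {key}")
    return problems


# Constructed sample values; the discovery document mirrors the shape Entra publishes.
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID
SERVER = "https://ztna.example.com"              # placeholder server URL
SAMPLE_DISCOVERY = {
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
}
```

In production, fetch the document from discovery_url(TENANT) instead of using SAMPLE_DISCOVERY and pass the redirect URIs actually listed in the Azure app registration as registered.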

Results

Your onboarding is complete. Your users, applications, and devices can now access the network securely.