Microsoft Entra ID Only Joined Devices
Imprivata Enterprise Access Management supports enterprises with devices joined to Microsoft Entra ID and users managed on Active Directory. This topic describes a configuration where Microsoft Active Directory maintains users, and AD syncs with Microsoft Entra ID via Entra Connect.
For other supported configurations, see Microsoft Entra ID Support.
Workflows
The following Imprivata Enterprise Access Management workflows are currently supported in this configuration:
-
Imprivata Application Profile Generator (APG) for Single Sign-On (SSO)
-
Imprivata Web SSO
-
Clinical Workflows
-
E-Prescription of Controlled Substances (EPCS)
-
Self-Service Password Reset (SSPR)
-
Shared Desktop
-
Single-User Desktop
-
Multi-User Desktop (MUD)
-
Azure Virtual Desktop
NOTE: Entra ID in Managed authentication mode is supported; Federated mode is not supported at this time. Kerberos authentication is not supported at this time.
Install and Configure Entra Connect
-
Download Entra Connect from Microsoft:
https://www.microsoft.com/en-us/download/details.aspx?id=47594
-
Install Entra Connect on a dedicated Windows Server. Treat this server as a Tier 0 asset and harden it accordingly: it holds credentials and synchronization rights for both directories, so compromising it compromises both.
-
Run Entra Connect Wizard:
-
Choose Customize for more options.
-
Select your sign-in method based on your needs:
-
Recommended: Pass-Through Authentication (PTA). Users validate their credentials directly against on-premises AD through the PTA agent installed with Entra Connect, without storing password hashes in the cloud. PTA ensures that AD is always treated as the primary "source of truth" for password verification, so password changes, resets and account lockouts in AD take effect immediately. Because every cloud sign-in then depends on an agent being reachable, install additional PTA agents on separate servers (Microsoft recommends at least three) and consider enabling PHS alongside PTA as a fallback for agent outages.
-
Password Hash Synchronization (PHS) syncs password hashes from AD to Entra ID. Entra Connect does not send the AD NT hash as-is; it applies a per-user salt and a PBKDF2 key-derivation pass before the value leaves the server. PHS enables users to authenticate against Microsoft 365 and other cloud services using their on-premises AD credentials without needing AD FS or PTA. However, PHS introduces a delay: the user must wait approximately 5 minutes after a password change or reset before the new password works on an Entra ID-joined device.
-
Connect to your on-premises AD. The wizard asks for Enterprise Admin credentials, which it uses once to create the low-privilege AD DS Connector account that performs ongoing synchronization (alternatively, supply an existing account with the required permissions). The admin credentials themselves are not stored.
-
Connect to Entra ID (enter Global Administrator or Hybrid Identity Administrator credentials). The wizard creates a dedicated synchronization service account in Entra ID for ongoing sync; the admin credentials are used during setup only.
-
Configure Domain and OU filtering (if needed).
-
Enable Seamless SSO (optional but recommended). Seamless SSO only affects domain-joined Windows devices on the corporate network, not the Entra-only joined devices this topic covers, but it is useful for mixed fleets. It creates the AZUREADSSOACC computer account in AD; Microsoft recommends rolling that account's Kerberos decryption key at least every 30 days.
-
Start Synchronization:
-
Sync users and groups.
-
Verify that the synchronized users appear in Microsoft Entra ID (Users > All users); a synced user shows On-premises sync enabled = Yes in its properties.
-
Verify that a user managed on AD can log onto an Entra-only joined device.
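The following script is an added example, not part of the Imprivata page or of Entra Connect itself. It runs the two verification steps above from PowerShell on the Entra Connect server: start a sync cycle with the ADSync module, wait for it to finish, then use the Microsoft Graph PowerShell SDK to confirm that a specific AD user is present in Entra ID as a synced (not cloud-only) object. The UPN is a placeholder; the Graph scope and cmdlets are the standard Microsoft.Graph SDK ones.

```powershell
# Added example (not from the Imprivata page): run an Entra Connect sync cycle and
# confirm that an AD-managed user now exists in Entra ID as a synced object.
# Assumptions: executed on the Entra Connect server (ADSync module present), the
# Microsoft.Graph PowerShell SDK is installed, and $Upn is a user in a synced OU.
# The UPN below is a placeholder.

param(
    [string]$Upn = 'jdoe@contoso.com',   # placeholder; any AD user in a synced OU
    [switch]$Initial                      # full import/sync instead of a delta cycle
)

Import-Module ADSync

function Start-SyncAndWait([string]$PolicyType, [int]$TimeoutSeconds = 1800) {
    # Refuse to start if the scheduler is off or a cycle is already running, then
    # block until the scheduler reports the cycle finished.
    $s = Get-ADSyncScheduler
    if (-not $s.SyncCycleEnabled) {
        throw 'Sync scheduler is disabled (Set-ADSyncScheduler -SyncCycleEnabled $true to enable it)'
    }
    if ($s.SyncCycleInProgress) { throw 'A sync cycle is already in progress; try again later' }

    Start-ADSyncSyncCycle -PolicyType $PolicyType | Out-Null
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 15
        if ((Get-Date) -gt $deadline) { throw "Sync cycle did not finish within $TimeoutSeconds s" }
    } while ((Get-ADSyncScheduler).SyncCycleInProgress)
}

function Test-SyncedUser([string]$UserPrincipalName) {
    # The properties that prove the object came from AD via Entra Connect:
    # onPremisesSyncEnabled = true, a non-empty immutable ID (the AD objectGUID,
    # base64-encoded) and a last-sync timestamp.
    $props = @('id','userPrincipalName','accountEnabled','onPremisesSyncEnabled',
               'onPremisesImmutableId','onPremisesLastSyncDateTime')
    $u = Get-MgUser -UserId $UserPrincipalName -Property $props -ErrorAction Stop
    if (-not $u.OnPremisesSyncEnabled -or -not $u.OnPremisesImmutableId) {
        throw "$UserPrincipalName exists in Entra ID but is cloud-only, not synced from AD"
    }
    [pscustomobject]@{
        Upn         = $u.UserPrincipalName
        Enabled     = $u.AccountEnabled
        ImmutableId = $u.OnPremisesImmutableId
        LastSyncUtc = $u.OnPremisesLastSyncDateTime
    }
}

Start-SyncAndWait -PolicyType $(if ($Initial) { 'Initial' } else { 'Delta' })

Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome
Test-SyncedUser -UserPrincipalName $Upn | Format-List
```

Run it once with -Initial after the wizard finishes, then with no switches for later checks. If Test-SyncedUser throws "cloud-only", the user was either created directly in Entra ID or sits in an OU excluded by your filtering; fix the OU filter rather than creating a duplicate cloud account, because the device sign-in this topic relies on needs the AD-backed object.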
-
Entra ID Conditional Access Policies
You must exclude the Enterprise Access Management app from your Conditional Access policies that require MFA. This requirement is due to a Microsoft limitation. Sign-ins through the excluded app registration are then not subject to Entra MFA, so limit the exclusion to that single app and leave the policies' other targets and controls unchanged.
-
In Entra ID, go to Security > Conditional Access, and select a policy that applies to your Imprivata app and requires MFA.
-
To exclude your Imprivata app, go to Cloud apps or actions > Cloud apps > Exclude > Select excluded cloud apps, and select the Imprivata app.
-
Click Save.
-
Repeat for all conditional access policies that apply to your Imprivata app and require MFA.
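Finding every policy that needs the exclusion by hand is error-prone in a tenant with many policies, so here is an added example (not Imprivata's, not part of the original page) that does the audit from PowerShell with the Microsoft Graph SDK. It lists the enabled or report-only Conditional Access policies that target the Imprivata app (directly or through "All cloud apps") and require MFA, either as the built-in "mfa" grant control or through an authentication strength, and with -Apply adds the app to each policy's exclusion list. The application ID is a placeholder you supply from the app registration's Overview page.

```powershell
# Added example (not Imprivata's): find Conditional Access policies that apply to the
# Imprivata app and require MFA, and optionally add the app to their exclusion list.
# Assumptions: Microsoft.Graph PowerShell SDK 2.x; $ImprivataAppId is the Application
# (client) ID of the EAM app registration (placeholder); nothing changes without -Apply.

param(
    [Parameter(Mandatory)] [string]$ImprivataAppId,
    [switch]$Apply
)

Connect-MgGraph -Scopes @('Policy.Read.All','Policy.ReadWrite.ConditionalAccess','Application.Read.All') -NoWelcome

function Test-RequiresMfa($policy) {
    # "mfa" as a built-in grant control, or an authentication strength (always implies MFA).
    $gc = $policy.GrantControls
    if ($null -eq $gc) { return $false }
    return ($gc.BuiltInControls -contains 'mfa') -or ($null -ne $gc.AuthenticationStrength.Id)
}

function Test-TargetsApp($policy, [string]$AppId) {
    # Targeted if included explicitly or via 'All', and not already excluded.
    $apps = $policy.Conditions.Applications
    if ($null -eq $apps) { return $false }
    if ($apps.ExcludeApplications -contains $AppId) { return $false }
    return ($apps.IncludeApplications -contains 'All') -or ($apps.IncludeApplications -contains $AppId)
}

function Get-MfaPoliciesTargetingApp([string]$AppId) {
    Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
        $_.State -ne 'disabled' -and (Test-RequiresMfa $_) -and (Test-TargetsApp $_ $AppId)
    }
}

function Add-AppExclusion($policy, [string]$AppId) {
    # PATCH replaces the nested 'applications' object, so resend the existing include
    # list together with the extended exclude list. Drop $null entries: @($null) is a
    # one-element array in PowerShell and would be rejected by Graph.
    $apps    = $policy.Conditions.Applications
    $include = @($apps.IncludeApplications | Where-Object { $_ })
    $exclude = @($apps.ExcludeApplications | Where-Object { $_ }) + $AppId
    $body = @{ conditions = @{ applications = @{
        includeApplications = $include
        excludeApplications = $exclude
    } } }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter $body
}

$hits = @(Get-MfaPoliciesTargetingApp -AppId $ImprivataAppId)
if (-not $hits) { Write-Host "No active MFA policy targets app $ImprivataAppId"; return }

foreach ($p in $hits) {
    Write-Host "MFA policy targets the Imprivata app: '$($p.DisplayName)' [$($p.State)]"
    if ($Apply) {
        Add-AppExclusion -policy $p -AppId $ImprivataAppId
        Write-Host "  -> excluded $ImprivataAppId"
    }
}
```

Report-only policies are included on purpose: a policy you plan to enable later will block Imprivata the moment it is switched on, so exclude the app there too. Re-run the audit without -Apply after any Conditional Access change to catch new policies that picked the app up through "All cloud apps".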
Best Practice — Turn Off Per-User MFA
Per-user MFA is no longer needed once Conditional Access policies that require MFA are in effect; turning it off is Microsoft's recommended practice. Before you disable it, verify that those policies are enabled (not report-only) and cover all the affected users, otherwise those users are left without MFA.
-
Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.
-
Browse to Users > All users and select the Per-user MFA button.
-
Select Disable MFA for all users who had this option enabled.
See this Microsoft article for details:
https://learn.microsoft.com/en-us/entra/identity/monitoring-health/recommendation-turn-off-per-user-mfa
Alternative — Add Imprivata Appliances as Trusted IPs
As an alternative to turning off per-user MFA, you can add the public egress IP addresses of your Imprivata appliances as MFA Trusted IPs in the legacy per-user MFA service settings. Trusted IPs exempt every sign-in originating from those addresses from MFA, for all users, so list only addresses that are used exclusively by the appliances:
-
Go to Security > Named locations, and select Configure multifactor authentication trusted IPs.
-
Add your Imprivata Enterprise Access Management appliance IP addresses as trusted IPs.
If you do not know the appliance egress addresses, find them in the Entra sign-in logs: filter on the Imprivata application, open a recent failed sign-in, and read its IP address (the Conditional Access tab of the entry shows which policy blocked it).
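The script below is an added example (not from the Imprivata page) covering both the best practice and the alternative above with the Microsoft Graph PowerShell SDK: it lists users who still have legacy per-user MFA enabled or enforced, disables it only when -Apply is given and at least one enabled Conditional Access policy requires MFA, and, when you pass the Imprivata application ID, groups the source IP addresses of that app's recent failed sign-ins so you can see which addresses would need to be trusted. The per-user MFA cmdlets (Get-/Update-MgUserAuthenticationRequirement) and the scopes follow Microsoft's per-user MFA migration guidance; confirm they exist in your SDK version with Get-Command before relying on them. The application ID is a placeholder.

```powershell
# Added example (not Imprivata's): audit and (optionally) disable legacy per-user MFA,
# and list the egress IPs behind recent failed Imprivata sign-ins.
# Assumptions: Microsoft.Graph PowerShell SDK 2.x with the per-user MFA cmdlets;
# $ImprivataAppId is the EAM app (client) ID (placeholder); read-only without -Apply.

param(
    [string]$ImprivataAppId,
    [switch]$Apply
)

Connect-MgGraph -Scopes @('User.Read.All','Policy.Read.All',
    'Policy.ReadWrite.AuthenticationMethod','AuditLog.Read.All','Directory.Read.All') -NoWelcome

function Get-PerUserMfaUsers {
    # Users whose legacy per-user MFA state is still 'enabled' or 'enforced'.
    Get-MgUser -All -Property Id,UserPrincipalName | ForEach-Object {
        $state = (Get-MgUserAuthenticationRequirement -UserId $_.Id).PerUserMfaState
        if ($state -in 'enabled','enforced') {
            [pscustomobject]@{ Upn = $_.UserPrincipalName; Id = $_.Id; State = $state }
        }
    }
}

function Test-CaMfaPolicyEnabled {
    # Guard: never turn off per-user MFA unless an enabled CA policy requires MFA.
    $hit = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
        $_.State -eq 'enabled' -and (
            $_.GrantControls.BuiltInControls -contains 'mfa' -or
            $null -ne $_.GrantControls.AuthenticationStrength.Id)
    }
    return [bool]$hit
}

function Get-FailedSignInSourceIPs([string]$AppId, [int]$Last = 200) {
    # Source IPs of the app's most recent failed sign-ins (newest first by default):
    # these are the appliance egress addresses a Trusted IPs entry would need.
    Get-MgAuditLogSignIn -Filter "appId eq '$AppId'" -Top $Last |
        Where-Object { $_.Status.ErrorCode -ne 0 } |
        Group-Object IpAddress | Sort-Object Count -Descending |
        Select-Object @{ n = 'IpAddress'; e = { $_.Name } }, Count
}

$legacy = @(Get-PerUserMfaUsers)
Write-Host "Users with per-user MFA enabled/enforced: $($legacy.Count)"
$legacy | Format-Table Upn, State

if ($Apply) {
    if (-not (Test-CaMfaPolicyEnabled)) {
        throw 'No enabled Conditional Access policy requires MFA; refusing to disable per-user MFA.'
    }
    foreach ($u in $legacy) {
        Update-MgUserAuthenticationRequirement -UserId $u.Id -PerUserMfaState 'disabled'
        Write-Host "Disabled per-user MFA for $($u.Upn)"
    }
}

if ($ImprivataAppId) {
    Write-Host "Source IPs of recent failed sign-ins for app $ImprivataAppId (candidate trusted IPs):"
    Get-FailedSignInSourceIPs -AppId $ImprivataAppId | Format-Table
}
```

The per-user query makes one Graph call per user, so on a large tenant run it off-hours or restrict Get-MgUser with a -Filter. Treat the IP list as a check, not as the source of truth: if an address other than your appliances' NAT egress shows up, something else is signing in with the Imprivata app registration and should be investigated before any Trusted IPs entry is created.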
Register EAM as an App
-
Log into https://entra.microsoft.com/ with a user with administrator privileges.
-
Go to Microsoft Entra ID > App registrations.
-
Click New registration.
-
On the Register an application page:
-
Provide a user-facing display name for your Enterprise Access Management application: for example, Imprivata, EAM or EAMTest.
-
Who can use this application or access this API? — leave the default selection Accounts in this organizational directory only.
-
Redirect URI (where the authentication response is returned after successful authentication): select Web and provide any valid URI, for example https://localhost. Entra requires https for Web platform redirect URIs, except for localhost.
-
Click Register.
Add A Secret
-
On your new app registration page > Overview > Client credentials, click Add a certificate or secret.
-
On the Add a secret page, add a secret that the application will use to prove its identity when requesting a token.
-
Microsoft requires an expiration date. By default, the secret expires after six months; the portal lets you set the expiration date for up to 24 months. Track the expiration date yourself (for example, in your PAM system or with a scheduled check) rather than relying on a notification from Microsoft.
CAUTION: If you do not replace the secret before it expires in Entra ID, Enterprise Access Management authentication will fail.
-
Save this secret outside of this application.
IMPORTANT: Save this secret securely outside of this application. After you leave this page, the value is masked and cannot be retrieved; if it is lost, create a new secret. Entra generates the secret value, so you do not choose its complexity. Imprivata recommends managing the secret in a Privileged Access Management system (for example, Imprivata Privileged Access Management). Microsoft recommends changing this secret every 180 days.
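The following is an added example (not Imprivata's, not part of the original page) that performs the two sections above with the Microsoft Graph PowerShell SDK instead of the portal: it creates the single-tenant app registration with one Web redirect URI, adds a client secret with an explicit lifetime, and then reports any secrets on the registration that have expired or expire within a warning window, which is the check you should schedule to avoid the authentication failure described in the CAUTION. The display name, redirect URI and lifetimes are placeholders.

```powershell
# Added example (not Imprivata's): register the EAM app, add a client secret with an
# explicit expiry, and list secrets that expire soon. Assumptions: Microsoft.Graph SDK
# 2.x; names, redirect URI and lifetimes are placeholders. The secret value is held
# only in $secret.SecretText (shown once by Entra, never retrievable later); hand it to
# your PAM system and do not echo it to the console or a log.

param(
    [string]$DisplayName = 'EAM',                 # placeholder
    [string]$RedirectUri = 'https://localhost',   # placeholder; Web platform needs https
    [int]$SecretLifetimeDays = 180,               # portal default is 6 months, max 24 months
    [int]$WarnWithinDays = 30
)

Connect-MgGraph -Scopes 'Application.ReadWrite.All' -NoWelcome

function New-EamAppRegistration([string]$Name, [string]$Uri) {
    # "Accounts in this organizational directory only" = AzureADMyOrg.
    New-MgApplication -DisplayName $Name -SignInAudience 'AzureADMyOrg' `
        -Web @{ redirectUris = @($Uri) }
}

function New-EamClientSecret([string]$AppObjectId, [int]$Days) {
    # Entra generates the secret value; you control only the label and lifetime.
    $now = (Get-Date).ToUniversalTime()
    $cred = @{
        displayName   = "eam-secret-$($now.ToString('yyyyMMdd'))"
        startDateTime = $now
        endDateTime   = $now.AddDays($Days)
    }
    Add-MgApplicationPassword -ApplicationId $AppObjectId -PasswordCredential $cred
}

function Get-ExpiringSecrets([string]$AppObjectId, [int]$WithinDays) {
    # Secrets on this registration that are expired or expire within $WithinDays.
    $app = Get-MgApplication -ApplicationId $AppObjectId -Property DisplayName,PasswordCredentials
    $now = (Get-Date).ToUniversalTime()
    $app.PasswordCredentials | Where-Object { $_.EndDateTime -le $now.AddDays($WithinDays) } |
        Select-Object DisplayName, KeyId, EndDateTime,
            @{ n = 'DaysLeft'; e = { [math]::Floor(($_.EndDateTime - $now).TotalDays) } }
}

$app = New-EamAppRegistration -Name $DisplayName -Uri $RedirectUri
Write-Host "Registered '$($app.DisplayName)': client ID = $($app.AppId), object ID = $($app.Id)"

$secret = New-EamClientSecret -AppObjectId $app.Id -Days $SecretLifetimeDays
# $secret.SecretText is the one-time value: store it in your PAM vault now.
Write-Host "Secret '$($secret.DisplayName)' (KeyId $($secret.KeyId)) expires $($secret.EndDateTime.ToString('u'))"

# Schedule this part (for example daily) against the stored object ID so rotation
# happens before EAM authentication breaks.
$expiring = @(Get-ExpiringSecrets -AppObjectId $app.Id -WithinDays $WarnWithinDays)
if ($expiring) { $expiring | Format-Table } else { Write-Host "No secrets expire within $WarnWithinDays days." }
```

The client ID (AppId) is what you give Imprivata; the object ID is what the Graph cmdlets take, and confusing the two is the most common failure when scripting this. When rotating, add the new secret first, update the Imprivata side, confirm sign-ins succeed, and only then remove the old KeyId with Remove-MgApplicationPassword, so there is no window in which authentication fails.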
Imprivata Appliance Configuration
Adding on-premises Active Directory to your existing Imprivata Enterprise Access Management setup:
-
In the Imprivata Admin Console, go to Users > Directories > Add.
-
On the Select Directory Server page > Add New Imprivata Domain, select MS Active Directory, and click Next.
-
On the Connection Parameters page, enter the relevant information about your domain.
-
Click Save, or Synchronize Users to proceed with user synchronization.