Microsoft Entra ID Only Setup
Enterprise Access Management supports enterprises with users created in Microsoft Entra ID and devices joined to Entra ID. This topic describes the configuration where Microsoft Entra ID maintains the users, because there is no Microsoft Active Directory.
For other supported configurations, see Microsoft Entra ID Support.
Entra ID Administrator Requirements
- Your Entra ID administrator account must be created within Entra ID, not imported or migrated into Entra ID.
- Create the Entra ID administrator account with the User Administrator role.
- You must exclude the Enterprise Access Management app from your MFA conditional access policies for this feature. This requirement is due to a Microsoft blocker. See Entra ID Conditional Access Policies.
- The Entra ID administrator username and password must be entered in UPN format.
Limitations
- Guest accounts are not supported.
- Entra ID in Managed mode is supported. Federation mode is not supported at this time.
- Entra ID directory structures based on Administrative Units are not supported.
- Kerberos authentication (AD smartcards) is not supported.
Workflows
Imprivata Enterprise Access Management supports enterprises with users created in Entra ID and devices joined to Entra ID. The following workflows are not supported:
- Windows Hello
- Citrix FAS
- Passwordless
- Citrix and VMware virtual desktops
- Windows Smartcards
Register an Application
- Log into https://entra.microsoft.com/ with a user with administrator privileges.
- Go to Microsoft Entra ID > App registrations.
- Click New registration.
- On the Register an application page:
  - Provide a user-facing display name for your Enterprise Access Management application: for example, Imprivata, EAM or EAMTest.
  - Who can use this application or access this API? Leave the default selection, Accounts in this organizational directory only.
  - Redirect URI where the authentication response is returned after successful authentication: select Web and provide any value.
- Click Register.
Add A Secret
- On your new app registration page > Overview > Client credentials, click Add a certificate or secret.
- On the Add a secret page, add a secret that the application will use to prove its identity when requesting a token.
- Microsoft requires an expiration date. By default, this secret expires after six months. You can set the expiration date for up to 24 months. Microsoft will send warning messages before the secret expires.
  CAUTION: If you do not change the secret before it expires in Entra ID, Enterprise Access Management authentication will fail.
- Save this secret outside of this application.
  IMPORTANT: Save this secret securely outside of this application. After leaving this page, the value will be masked. Imprivata recommends using a very complex secret, and a Privileged Access Management system (for example, Imprivata Privileged Access Management), to manage this secret. Microsoft recommends changing this secret every 180 days.
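Because an expired client secret silently breaks Enterprise Access Management authentication, it is worth checking secret lifetimes from the Graph application object rather than waiting for Microsoft's warning mail. The following Python check is an added example, not code from this page or from Imprivata: it reads the passwordCredentials field in the shape Microsoft Graph returns it, flags expired and soon-expiring secrets, and flags any secret whose lifetime exceeds the 180-day rotation interval quoted above. The 30-day warning window and the sample application object are assumptions constructed for the example.

```python
from datetime import datetime, timezone

# 180 days is Microsoft's recommended rotation interval quoted on this page;
# the 30-day warning window is an assumption made for this example.
RECOMMENDED_ROTATION_DAYS = 180


def parse_graph_time(value):
    """Parse a Graph timestamp such as 2025-06-30T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_client_secrets(app, now, warn_days=30):
    """Return one finding per entry in the application's passwordCredentials.

    An already-expired secret means Enterprise Access Management cannot obtain
    tokens any more; an expiring one needs rotation before that happens.
    """
    findings = []
    for cred in app.get("passwordCredentials", []):
        start = parse_graph_time(cred["startDateTime"])
        end = parse_graph_time(cred["endDateTime"])
        days_left = (end - now).days
        if days_left < 0:
            status = "expired"
        elif days_left <= warn_days:
            status = "expiring"
        else:
            status = "ok"
        findings.append({
            "name": cred.get("displayName") or cred["keyId"],
            "days_left": days_left,
            "status": status,
            # A lifetime longer than 180 days outlives the recommended rotation
            # interval, so this secret needs a rotation reminder of its own.
            "exceeds_180_days": (end - start).days > RECOMMENDED_ROTATION_DAYS,
        })
    return findings


# Constructed sample (not real tenant data): three secrets on the EAM app
# registration, evaluated as of 1 March 2025.
SAMPLE_APP = {"displayName": "EAM", "passwordCredentials": [
    {"keyId": "k1", "displayName": "eam-2024", "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2024-07-01T00:00:00Z"},
    {"keyId": "k2", "displayName": "eam-2025", "startDateTime": "2025-01-01T00:00:00Z", "endDateTime": "2025-03-15T00:00:00Z"},
    {"keyId": "k3", "displayName": "eam-2y", "startDateTime": "2025-01-01T00:00:00Z", "endDateTime": "2027-01-01T00:00:00Z"},
]}
SAMPLE_NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)


def run_sample():
    """Audit the sample: k1 is expired, k2 expires in 14 days, k3 is ok but too long-lived."""
    return audit_client_secrets(SAMPLE_APP, SAMPLE_NOW)
```

To run this against a real tenant, feed audit_client_secrets the JSON of the app registration returned by Graph's /applications/{id} endpoint and the current UTC time.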
API Permissions
- On the Entra ID new app registration page > Manage > API permissions, click Add a permission > Microsoft Graph.
- Click Application permissions: your application runs as a background service or daemon without a signed-in user.
- Select a permission from the list, and click Add permissions. After it appears in the list of added permissions, grant admin consent.
- Add all of the following permissions. Note that some are Delegated permissions, and the remainder are Application permissions.

API name | Type | Description | Admin consent required
---|---|---|---
Device.Read.All | Application | Read all devices | Yes
Directory.AccessAsUser.All | Delegated | Access directory as the signed-in user | Yes
Domain.Read.All | Application | Read domains | Yes
Group.Read.All | Application | Read all groups | Yes
User.Read.All | Application | Read all users' full profiles | Yes
User.ReadWrite | Delegated | Read and write access to user profile | No
User.ReadWrite.All | Delegated | Read and write all users' full profiles | Yes
UserAuthenticationMethod.ReadWrite.All | Delegated | Read and write all users' authentication methods | Yes
Entra ID Conditional Access Policies
You must exclude the Enterprise Access Management app from your MFA conditional access policies for this feature. This requirement is due to a Microsoft blocker.
- In Entra ID, go to Security > Conditional Access, and select a policy that applies to your Imprivata app and requires MFA.
- To exclude your Imprivata app, go to Cloud apps or actions > Cloud apps > Exclude > Select excluded cloud apps, and select the Imprivata app.
- Click Save.
- Repeat for all conditional access policies that apply to your Imprivata app and require MFA.
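Since a single missed policy is enough to block the app's sign-in, it helps to verify the exclusions after making them. The following Python check is an added example, not code from this page or from Imprivata: it reads Conditional Access policies in the shape Microsoft Graph returns them (state, conditions.applications, grantControls.builtInControls) and lists every enforced MFA policy that still applies to the Enterprise Access Management app registration. The app ID and the sample policies are placeholders constructed for the example.

```python
# Graph's identifier for the "require multifactor authentication" grant control.
MFA_CONTROL = "mfa"


def policy_requires_mfa(policy):
    """True when the policy is enforced (not disabled or report-only) and grants require MFA."""
    if policy.get("state") != "enabled":
        return False
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    return MFA_CONTROL in controls


def policies_still_covering(policies, app_id):
    """Return the names of enforced MFA policies that still apply to app_id.

    A policy applies when its include list is "All" or names the app and the
    app is absent from its exclude list. Anything returned is an exclusion
    that still has to be made in Security > Conditional Access.
    """
    remaining = []
    for policy in policies:
        if not policy_requires_mfa(policy):
            continue
        apps = policy.get("conditions", {}).get("applications", {})
        included = apps.get("includeApplications", [])
        excluded = apps.get("excludeApplications", [])
        if ("All" in included or app_id in included) and app_id not in excluded:
            remaining.append(policy["displayName"])
    return remaining


# Placeholder for the application (client) ID of the EAM app registration.
EAM_APP_ID = "<eam-app-id>"

# Constructed sample policies (not real tenant data) in the shape of Graph
# conditionalAccessPolicy objects; only the fields read above are present.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"], "excludeApplications": []}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Require MFA for admins", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"], "excludeApplications": [EAM_APP_ID]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"], "excludeApplications": []}},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "Require MFA (report-only)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"applications": {"includeApplications": [EAM_APP_ID], "excludeApplications": []}},
     "grantControls": {"builtInControls": ["mfa"]}},
]


def run_sample():
    """Only the first sample policy still covers the app; the others are excluded, non-MFA, or not enforced."""
    return policies_still_covering(SAMPLE_POLICIES, EAM_APP_ID)
```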
Per-user MFA is no longer needed when MFA Conditional Access policies are in effect. Turning off per-user MFA is Microsoft's best practice.
- Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator or Privileged Policy Administrator.
- Browse to Users > All users and select the Per-user MFA button.
- Select Disable MFA for all users who had this option enabled.
See this Microsoft article for details: https://learn.microsoft.com/en-us/entra/identity/monitoring-health/recommendation-turn-off-per-user-mfa
Alternative — Add Imprivata Appliances as Trusted IPs
As an alternative to turning off per-user MFA, you can add your Imprivata appliances as Trusted IPs for egress traffic, within the per-user MFA section of Entra:
- Go to Security > Named locations, and select Configure multifactor authentication trusted IPs.
- Add your Imprivata Enterprise Access Management appliance IP addresses as trusted IPs.
If you do not know your appliance IP addresses, you can find them in your Conditional Access audit logs. Click into a recently failed authentication.
Before Closing Entra ID
When adding your Microsoft Entra ID directory in the Imprivata Admin Console, you will need the Tenant ID, Client ID, Client Secret, and user's account credentials. On your new app registration page > Overview, copy these values for later.
Adding Entra ID to Imprivata
- In the Imprivata Admin Console, go to Users > Directories.
- In the Directories page, click Add.
- In the Add New Imprivata Domain wizard, from the list of Directory Servers, select MS Entra ID, and click Next.
- On the next page, enter the Tenant ID, Client ID, and Client Secret you saved earlier.
- Enter the Imprivata admin username and password.
- Click Save.
- In the Directories page, click on the new Imprivata Domain you just added.
- In the Edit directory page, click Next.
- In the Synchronize Users > Synchronize Rules page, click Synchronize Now (at the bottom of the page).
- When the synchronization is complete, the Directories page will display the results for how many users have been added and enabled in Imprivata.