# Configure the Entra ID Integration using Azure Portal This guide shows manual Entra ID configuration steps to set up Teleport Entra ID integration. See [getting started with Entra ID integration](https://goteleport.com/docs/identity-governance/integrations/entra-id/getting-started.md) for a guided Entra ID configuration. The set up is based on the [OIDC IdP authentication method](https://goteleport.com/docs/identity-governance/integrations/entra-id.md#choosing-the-microsoft-graph-api-authentication-method). ## Prerequisites - Teleport Identity Governance enabled for your Teleport cluster. - Your user must have privileged administrator permissions in the Microsoft Entra ID tenant. ## Step 1/5. Create enterprise application In the Azure Portal, under “Azure services”, select “Enterprise applications”. Click on `+ New Application` button, then click `+ Create your own application` button. Enter a name for your application and create the application. ![Entra ID Integration](/docs/assets/images/entra-create-enterprise-app-59fb4da5be0eec071342a50ffefd17c9.png) ## Step 2/5. Configure SSO Open the newly created enterprise application. Under “Manage” menu select “Single sign-on”. In this configuration UI, you will need to set up Teleport as an SAML service provider. Click edit button to configure “Basic SAML Configuration”. Enter the SAML assertion endpoint as Entity ID and ACS URL value. - **Entity ID and ACS URL:** SAML ACS endpoint of your Teleport cluster. E.g. `https://example.teleport.sh/v1/webapi/saml/acs/entra-id` For “Attributes & Claims”, attributes for the user will already be available for you but you will need to add a `groups` claim. ![Entra ID Integration](/docs/assets/images/entra-sso-config-a1b612aaefae4b2134be4dc3156f3e00.png) ## Step 3/5. Configure OIDC IdP Under “App registrations” from Azure services menu, find and open your enterprise application created in step 1. Select “Manage > Certificates & secrets” and then select “Federated credentials“. Click `+ Add credential` button. Under “Add a credential” UI, configure credential with the following values: - **Federated credential scenario:** Other issuer Under “Connect your account”, configure the following values: - **Issuer:** `https://example.teleport.sh` (replace this value with your Teleport cluster proxy address) - **Type:** Explicit subject identifier - **Value:** teleport-azure Under “Credential details”, configure the following values: - **Name:** teleport-oidc - **Description:** Teleport OIDC Identity Provider ![Entra ID Integration](/docs/assets/images/entra-setup-oidc-2ce037d9cb662c17d0f6b31eef01cfc6.png) ## Step 4/5. Configure API permissions Under the same App registration UI for your enterprise application, select “Manage > API permissions”. You can add a new graph permission by clicking on `+ Add a permission` button and then selecting “Microsoft Graph > Application permissions”. The following permissions need to be added to the application. - `Application.ReadWrite.OwnedBy` - `Group.Read.All` - `User.Read.All` ![Entra ID Integration](/docs/assets/images/entra-api-permission-3f0be1383cd922a8c10696c8e8f9fa24.png) ## Step 5/5. Install the Entra ID plugin Now run the `tctl plugins install entraid` command, including the name of the Access List owner: ``` $ tctl plugins install entraid \ --name entra-id-default \ --auth-connector-name entra-id \ --default-owner=Access List owner \ --no-access-graph \ --manual-setup ``` The `--name` flag specifies the resource name of the Entra ID plugin. The `--auth-connector-name` flag specifies the name of the auth connector this integration will create. The `--default-owner` flag specifies default owners for the Access Lists that will be created in Teleport based on the groups imported from the Entra ID. The `--manual-setup` flag specifies a manual Entra ID configuration is selected by the user. `tctl` will then prompt for Entra ID tenant ID and application ID of the enterprise application created in step 1. After you enter these values, Entra ID plugin will be installed with the OIDC IdP based authentication method. ## Next steps - [Configure Access](https://goteleport.com/docs/identity-governance/integrations/entra-id/configure-access.md) for Entra ID users. - Configure [group filters](https://goteleport.com/docs/identity-governance/integrations/entra-id/advanced-options.md#group-filters). - Learn more about [Access List](https://goteleport.com/docs/identity-governance/access-lists.md) management. - Take a deeper look into setting up [Entra ID auth connector](https://goteleport.com/docs/zero-trust-access/sso/integrate-idp/entra-id.md). - Learn how the [Identity Security integration with Entra ID](https://goteleport.com/docs/identity-security/integrations/entra-id.md) works. - See [FAQs](https://goteleport.com/docs/identity-governance/integrations/entra-id/faq.md) related to the Teleport Entra ID integration.