Configure Entra ID
Enterprise
For more information about using an Entra ID provider, see the Entra ID Overview documentation.
Your Entra ID tenant must be configured before you create an Entra ID provider.
This involves creating an app registration, generating a secret, and configuring the required API permissions.
Configuring your Entra ID tenant
- Log in to the Entra ID admin center.
- Navigate to App registrations, click New registration, and set the following configurations:
    - Provide a Name for the app registration (e.g. authentik Entra Provider)
    - Under Supported account types, select Accounts in this organizational directory only
    - Leave Redirect URI empty
- Click Register.
- On the app detail page, take note of the Application (client) ID and Directory (tenant) ID. These values will be required when you create the Entra ID provider in authentik.
- Next, in the near-left navigation pane, click on Certificates and Secrets.
- On the Client secrets tab, click New client secret and set the following configuration:
    - Provide a Description for the client secret
    - Set an expiry period for the secret. Please note that you will need to rotate the secret value in Entra ID and authentik upon expiry.
- Click Add.
- The Value of the client secret is shown only once. Take note of the value as it will be required when you create the Entra ID provider in authentik.
- Next, in the near-left navigation pane, click on API permissions.
- Click Add a permission and select Microsoft Graph as the API.
- Select Application permissions as the permission type and assign the following permissions:
    - Group.Create
    - Group.ReadWrite.All
    - GroupMember.ReadWrite.All
    - User.Read
    - User.ReadWrite.All
- Click Add permissions.
- Under Configured permissions, click Grant admin consent for default directory.
Now that you have configured your Entra ID tenant, you are ready to create an Entra ID provider.
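Before entering the values in authentik, it is worth confirming that the tenant ID, client ID and secret actually work together and that admin consent was granted. The script below is an added example and is not part of the authentik documentation or project code. It assumes the v2.0 client-credentials endpoint of Entra ID, requests the `.default` scope for Microsoft Graph, and reads the `roles` claim of the returned access token, which lists the admin-consented application permissions. The sample token and the `ENTRA_*` environment variable names are constructed for the example.

```python
"""Pre-flight check for an Entra ID app registration (added example).

Assumes the app registration, client secret and Microsoft Graph application
permissions created in the steps above. Real credentials are read from the
environment; the SAMPLE_TOKEN below is constructed and not a real token.
"""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

# Application permissions listed in the steps above.
REQUIRED_ROLES = frozenset({
    "Group.Create",
    "Group.ReadWrite.All",
    "GroupMember.ReadWrite.All",
    "User.Read",
    "User.ReadWrite.All",
})

GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_fields) for a v2.0 client-credentials grant.

    The .default scope requests every application permission that has been
    admin-consented on the app registration, which is what we want to inspect.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    fields = {
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
        "grant_type": "client_credentials",
    }
    return url, fields


def request_token(tenant_id, client_id, client_secret):
    """Exchange the client secret for an access token (network call)."""
    url, fields = build_token_request(tenant_id, client_id, client_secret)
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=30) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token):
    """Read the claims of a JWT without verifying its signature.

    Diagnostic only: the token was just issued to us and we only inspect its
    roles claim. Never base authorization decisions on unverified claims.
    """
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def missing_roles(payload, required=REQUIRED_ROLES):
    """Return the required permissions absent from the token's roles claim."""
    granted = set(payload.get("roles", []))
    return set(required) - granted


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample token: dummy header and signature around a payload that
# carries all five permissions. Not a real Entra ID token.
SAMPLE_PAYLOAD = {
    "aud": "https://graph.microsoft.com",
    "tid": "00000000-0000-0000-0000-000000000000",  # placeholder tenant ID
    "roles": sorted(REQUIRED_ROLES),
}
SAMPLE_TOKEN = ".".join([
    _b64url_encode({"alg": "RS256", "typ": "JWT"}),
    _b64url_encode(SAMPLE_PAYLOAD),
    "dummy-signature",
])


def main():
    # Tenant ID, client ID and secret come from the app registration above.
    try:
        tenant, client, secret = (os.environ[k] for k in (
            "ENTRA_TENANT_ID", "ENTRA_CLIENT_ID", "ENTRA_CLIENT_SECRET"))
    except KeyError as exc:
        sys.exit(f"missing environment variable {exc}")
    payload = decode_jwt_payload(request_token(tenant, client, secret))
    missing = missing_roles(payload)
    print("granted roles:", ", ".join(sorted(payload.get("roles", []))))
    if missing:
        sys.exit("admin consent missing for: " + ", ".join(sorted(missing)))
    print("all required permissions present")


if __name__ == "__main__":
    main()
```

A permission that was added under API permissions but never admin-consented does not appear in the `roles` claim, so it is reported as missing; a wrong secret or tenant ID fails earlier, at the token request. The script decodes the token only to read the claims it was issued with and does not verify the signature, so it is a diagnostic, not something to reuse for authorization.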