User Authentication with Azure AD / Entra ID¶

Our Microsoft authentication authority lets you log users in at the agent against Azure AD (now called Entra ID). Our tight Azure AD integration means that you can:

Apply Conditional Access to user logins.
Use any MFA mechanism supported by Azure for authentication.
Log users in via their existing domain-joined credentials on Windows devices if you are using AD Sync.
Audit user login events through Microsoft's tooling.
Use your existing Security Groups to segment network access.

Tenant ID¶

When defining your Trust Requirement, you should provide the Tenant ID, which indicates which Azure AD tenant the user should exist in.

You can get your Tenant ID from the Azure Portal:

Azure AD Tenant ID

Security Group¶

In addition to generally requiring authentication via your tenant, you can also specify an Azure AD Security Group ID. Users must then be a member of that security group in order to meet the trust requirement.

Using security groups, you can create finely-grained connectivity rules that map your user security assignments to the resources they can access.

The Security Group ID is the "Object ID" in Azure for that group:

Getting a Security Group ID from Azure

Token Refresh¶

An Azure AD user may be granted system access through Azure Conditional Access or Privileged Identity Management (PIM) policies to block access from less trusted locations, force users to reauthenticate periodically or enforce device security compliance posture via Intune.

Enclave will revaluate group membership each time we receive a new access token from your Azure tenant. This happens whenever the access token expires, which is governed by Azure policy.

The default access token lifetime is between 60-90 minutes, but if needed conditional policy can be applied to the Enclave app integration in the Azure tenant to reduce the token lifespan.