Contents x
Microsoft Entra ID (formerly Azure Active Directory) (App Registration)
  • 29 Apr 2024
  • 4 Minutes to read
  • Contributors
Contents

Microsoft Entra ID (formerly Azure Active Directory) (App Registration)

  • Updated on 29 Apr 2024
  • 4 Minutes to read
  • Contributors
Article Summary

Introduction

This guide explains how to enable users to log in using a Microsoft Entra ID (formerly Azure Active Directory) account, either from your company or from external directories. 

The process involves registering your application through the Microsoft Azure portal

If you have an Office 365 account, you can use the account's Microsoft Entra ID instance instead of creating a new one. To find your Office 365 account's Microsoft Entra ID instance:

  1. Sign in to Office 365.
  2. Navigate to the Office 365 Admin Center.
  3. Open the Admin centers menu options located on the left menu.
  4. Select Azure AD.
    This will take you to the Admin Center of the Entra IDinstance backing your Office 365 account.
    Follow the steps below to connect your Harmony SASE Account to Azure Active Directory (images below):
  5. Create a new application.
  6. Configure the permissions.
  7. Allow access from external organizations (optional).
  8. Create the key.
  9. Configure Reply URLs.
  10. Configure Harmony SASE IDP connection.

Steps

  1. Log in to Microsoft Azure and choose Azure Active Directory from the sidebar.
    ֿ3600042023401.png

3600042023602.png
2. Under Manage, select App registrations.
3600042023803.png
3. Select New Registration to add a new application.
3600042024004.png
4. Enter the name "Harmony SASE" for the application, select Web app/API as the Application Type, and for Sign-on URL enter your application URL with your workspace name: [https://workspace.perimeter81.com for US based platform or https://workspace.eu.sase.checkpoint.com for EU based platform].
3600042024205.png

Configuring the permissions

  1. Once the application has been created, you will have to configure the permissions. Select the name of the application Harmony SASE to open the Settings section.
    3600042024406.png
  2. Select API permissions.
    3600042679197.png
  3. Select Add a permission.
    3600042023208.png
  4. Select Microsoft APIs and choose Microsoft Graph to change the access level.

The following page displays:

5. The next step is to modify permissions so your app can read the directory. Under Delegated permissions, check next to Sign in and read user profile and Read directory data.
6. Grant Admin Consent if requested.

Support user groups

  1. If you want to enable user group support you will need to enable the following permissions:
  • Application Permissions: Read directory data
  • Delegated Permissions: Access the directory as the signed-in user.
  1. Select Save at the top to save these changes.
  2. Grant Admin Consent if requested.

Allowing access from external organizations (optional)

  1. If you want to allow users from external organizations (such as other Entra IDs) to log in, you will need to enable the Multi-Tenant option for this application. In the Authentication section, choose the Multi-tenant option
  2. Select Save at the top to save these changes.
  3. Grant Admin Consent if requested.
    36000426793912.png

Configuring Reply URLs

  1. Next, you need to ensure that your Auth0 callback URL is listed in the allowed reply URLs for the created application.
  2. Navigate to Azure Active Directory, then Apps registrations and select the Harmony SASE app. Then select Authentication, go to Redirect URLs and add the following link:
    https://auth.perimeter81.com/login/callback for US based platform or https://auth.eu.sase.checkpoint.com/login/callback for EUbased platform
    36000426797916.png
  3. Select Save.

Configuring the key

  1. You will need to create a key (secret password) that will be used as the Client Secret in the Harmony SASE IDP connection. Select Certificates and secrets from the Application menu.
  2. Click + New Client Secret
    36000426795913.png
  3. Enter a name for the key and choose the desired duration.
    • This is an expiring key, make sure to record the expiration date in your calendar, as you will need to renew the key (get a new one) before that day to ensure users don't experience a service interruption.
  4. Select Add and the key will be displayed.

36000420252014.png

Secret Value
  • Make sure to copy the Secret Value field of this key before leaving this screen. Otherwise, you may need to create a new key. 
  • This will later be pasted into the Client Secret field in the Harmony SASE Admin console.
  • You do not need to copy the "Secret ID"

Configuring IDP connection

  1. Log in to your Harmony SASE Management Platform, navigate to Settings, and then IdentityProviders.
    360008599600addprovider1.png
  2. Select + Add Provider.
  3. Choose Microsoft Azure AD.
    360009947740azuread-domaincopy.png
  4. Fill in Microsoft Azure AD Domain (your domain - for example harmonysase.com), Domain Aliases (optional), Client ID, and Client Secret
    • The Client ID value is stored as the Application ID in Microsoft Entra ID, you can copy that from the "Overview" section.
      36000420260020.png
  5. For the Client Secret use the value that was shown for the key when you created it in the previous step.
  6. Under Domain set the name of the Microsoft Azure AD Domain and under Domain Aliases insert any email domain that you may be using.
  7. Select Done.

Recommendations

  • Assign access to users or groups. For the Microsoft Entra ID free edition, you might need to select individual users instead of groups.
  • Ensure placeholders like YOURWORKSPACEHERE are replaced with your actual workspace name.
  • Periodically review your Microsoft Entra ID configuration settings to ensure alignment with any updates or changes in the Harmony SASE platform

Troubleshooting

If you encounter issues during or after the setup, try reviewing your settings to ensure everything matches the instructions. In particular, check the IP addresses and other details you entered during setup. If issues persist, please consult our dedicated support.

Support Contacts

If you have any difficulties or questions, don't hesitate to contact Harmony SASE's support team. We offer 24/7 chat support on our website at Perimeter81.com, or you can email us at sase-support@checkpoint.com. We're here to assist you and ensure your VPN tunnel setup is a success

Was this article helpful?
What's Next