---
title: "Azure Active Directory (Enterprise Application)"
slug: "azure-active-directory-enterprise-application"
updated: 2026-04-07T08:24:40Z
published: 2026-04-07T08:24:40Z
canonical: "support.perimeter81.com/azure-active-directory-enterprise-application"
stale: true
---

# Microsoft Entra ID (formerly Azure Active Directory) (Enterprise Application)

This guide explains how to enable users to log in using a Microsoft Entra ID (formerly Azure Active Directory) account, either from your company or from external directories.

The process involves registering your application through the Microsoft Entra ID portal.

If you have an Office 365 account, you can use the account's Microsoft Entra ID instance instead of creating a new one. To find your Office 365 account's Microsoft Entra ID instance:

1. Sign in to Office 365.
2. Navigate to the **Office 365 Admin Center**.
3. Open the Admin centers menu options located on the left menu.
4. Select **Azure AD**.  
This will take you to the **Admin Center** of the Entra ID instance backing your Office 365 account.

Follow the steps below to connect your Check Point SASE Account to Microsoft Entra ID (images below):

1. Create a new application.
2. Configure the permissions.
3. Allow access from external organizations (optional).
4. Create the key.
5. Configure Reply URLs.
6. Configure Check Point SASE IDP connection.

## Steps

1. Log in to Microsoft Azure and choose **Azure Active Directory** from the sidebar.  
![3600042023401.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/3600042023401.png)
2. Under **Manage**, select **Enterprise applications**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1690365027808.png)
3. Select **New application** and then **Create your own application** to add a new application.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1690365419197.png)
4. Enter a name for the application (for example "P81"), leave the default settings as is, and click on **Create**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1694511915379.png)
5. Once the application is created, browse to **App registrations**, locate the created application, and click on it.
6. From the left pane select **Authentication**, click on **Add a platform** and select **Web**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1693222997301.png)
7. In the **Configure Web** screen, enter your workspace name:
  - US based platform - https://***workspace***.perimeter81.com
  - EU based platform - https://***workspace***.eu.sase.checkpoint.com
  - AU based platform - https://***workspace***.au.sase.checkpoint.com
  - IN based platform - https://***workspace***.in.sase.checkpoint.com
8. Select **Configure**.
9. Under **Redirect URLs**, add the following link:
  - US based platform - [https://auth.perimeter81.com/login/callback](https://auth.perimeter81.com/login/callback)
  - EU based platform - [https://auth.eu.sase.checkpoint.com/login/callback](https://auth.eu.sase.checkpoint.com/login/callback)
  - AU based platform - [https://auth.au.sase.checkpoint.com/login/callback](https://auth.au.sase.checkpoint.com/login/callback)
  - IN based platform - [https://auth.in.sase.checkpoint.com/login/callback](https://auth.in.sase.checkpoint.com/login/callback)
10. Select **Save**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1690372077810.png)
11. Under **Front-channel logout URL**, enter your workspace name:
  - US based platform - https://***workspace***.perimeter81.com
  - EU based platform - https://***workspace***.eu.sase.checkpoint.com
  - AU based platform - https://***workspace***.au.sase.checkpoint.com
  - IN based platform - https://***workspace***.in.sase.checkpoint.com  
Under **Supported account types**, select the applicable option.
12. Click on **Save**.

## Configuring the permissions

1. From the left sidebar select **API permissions**.  
![3600042679197.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/3600042679197.png)
2. Select **Add a permission**.  
![3600042023208.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/3600042023208.png)
3. Select **Microsoft APIs** and choose **Microsoft Graph** to change the access level.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1681803706690.png)

4. The following page displays:  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1681803884767.png)
5. The next step is to modify permissions so your app can read the directory. Under **Delegated permissions**, check **Sign in and read user profile** and **Read directory data**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1681804121717.png)
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1681804178389.png)
6. Grant Admin Consent if requested.

### Support user groups

1. If you want to enable [user group](https://support.perimeter81.com/v1/docs/360023404974-creating-user-groups) support, you will need to enable the following permissions:
  - **Application Permissions:** Read directory data
  - **Delegated Permissions:** Access the directory as the signed-in user
2. Select **Save** at the top to save these changes.
3. Grant Admin Consent if requested.

## Allowing access from external organizations (optional)

1. If you want to allow users from external organizations (such as other Entra ID directories) to log in, you will need to enable the **Multi-Tenant** option for this application. In the **Authentication** section, choose the **Multi-tenant** option.
2. Select **Save** at the top to save these changes.
3. Grant Admin Consent if requested.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1690372220371.png)

## Configuring the key

1. You will need to create a key (secret password) that will be used as the **Client Secret** in the Check Point SASE IDP connection. Select **Certificates and secrets** from the **Application** menu.
2. Click **+ New Client Secret**  
![36000426795913.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/36000426795913.png)
3. Enter a name for the key and choose the desired duration.
  - This is an expiring key. Make sure to record the expiration date in your calendar, as you will need to renew the key (get a new one) before that day to ensure users don't experience a service interruption.
4. Select **Add** and the key will be displayed.

![36000420252014.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/36000420252014.png)

Secret Value

- Make sure to copy the ***Secret Value*** field of this key before leaving this screen. Otherwise, you may need to create a new key.
- This will later be pasted into the **Client Secret** field in the Check Point SASE Admin console.
- You do not need to copy the "Secret ID".

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen_Shot_2022-04-01_at_9_23_53_AM(1).png)
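The settings configured above (redirect URLs, front-channel logout URL, account types, and the expiring client secret) can be checked against the app registration's JSON. The following is an added example, not part of Check Point's documentation: it assumes the registration has been exported as a Microsoft Graph `application` object, and the function name `audit_app`, the workspace name `acme`, and the sample data are constructed for illustration.

```python
from datetime import datetime, timezone

# Regional values copied from the redirect and logout URL lists in this guide.
CALLBACK = {
    "us": "https://auth.perimeter81.com/login/callback",
    "eu": "https://auth.eu.sase.checkpoint.com/login/callback",
    "au": "https://auth.au.sase.checkpoint.com/login/callback",
    "in": "https://auth.in.sase.checkpoint.com/login/callback",
}
WORKSPACE_SUFFIX = {"us": "perimeter81.com", "eu": "eu.sase.checkpoint.com",
                    "au": "au.sase.checkpoint.com", "in": "in.sase.checkpoint.com"}


def audit_app(app, region, workspace, now, warn_days=30, multi_tenant_ok=False):
    """Return a list of findings for one Graph `application` object (a dict)."""
    findings = []
    web = app.get("web") or {}
    workspace_url = f"https://{workspace}.{WORKSPACE_SUFFIX[region]}"
    allowed = {CALLBACK[region], workspace_url}
    uris = {u.rstrip("/") for u in web.get("redirectUris", [])}
    if CALLBACK[region] not in uris:
        findings.append(f"missing redirect URI: {CALLBACK[region]}")
    for extra in sorted(uris - allowed):
        findings.append(f"unexpected redirect URI: {extra}")
    if (web.get("logoutUrl") or "").rstrip("/") != workspace_url:
        findings.append(f"front-channel logout URL is not {workspace_url}")
    if app.get("signInAudience") != "AzureADMyOrg" and not multi_tenant_ok:
        findings.append(f"sign-in audience is {app.get('signInAudience')}")
    for cred in app.get("passwordCredentials", []):
        # Graph timestamps may carry 7 fractional digits; keep whole seconds only.
        end = datetime.strptime(cred["endDateTime"][:19], "%Y-%m-%dT%H:%M:%S")
        days_left = (end.replace(tzinfo=timezone.utc) - now).days
        if days_left < warn_days:
            findings.append(f"secret '{cred.get('displayName')}': {days_left} days until expiry")
    return findings


# Constructed sample, not a real tenant: workspace "acme" on the EU platform.
SAMPLE_APP = {
    "signInAudience": "AzureADMultipleOrgs",
    "web": {"redirectUris": ["https://acme.eu.sase.checkpoint.com",
                             "https://auth.eu.sase.checkpoint.com/login/callback",
                             "http://localhost:8080/callback"],
            "logoutUrl": "https://acme.eu.sase.checkpoint.com"},
    "passwordCredentials": [
        {"displayName": "sase-idp", "endDateTime": "2026-04-20T00:00:00.0000000Z"}],
}
SAMPLE_NOW = datetime(2026, 4, 7, tzinfo=timezone.utc)

if __name__ == "__main__":
    for finding in audit_app(SAMPLE_APP, "eu", "acme", SAMPLE_NOW):
        print(finding)
```

To run it against a real registration, load the output of `az ad app show --id <client-id>` with `json.load` and pass it as `app`; set `multi_tenant_ok=True` if you deliberately enabled the Multi-tenant option.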

## Configuring IDP connection

1. Log in to your Check Point SASE Management Platform, navigate to **Settings**, and then **Identity Providers**.  
![360008599600addprovider1.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/360008599600addprovider1.png)
2. Select **+ Add Provider**.
3. Choose **Microsoft Azure AD**.  
![360009947740azuread-domaincopy.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/360009947740azuread-domaincopy.png)
4. Fill in Microsoft Azure AD **Domain** (your domain - for example harmonysase.com), **Domain Aliases** (optional), **Client ID**, and **Client Secret**.
  - The **Client ID** value is stored as the **Application ID** in Entra ID. You can copy it from the "Overview" section.  
![36000420260020.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/36000420260020.png)
5. For the **Client Secret** use the value that was shown for the key when you created it in the previous step.
6. Under **Domain** set the name of the **Microsoft Azure AD Domain** and under **Domain Aliases** insert any email domain that you may be using.
7. Select **Done**.  
If your users are getting access errors after the configuration, please [follow these steps.](https://support.perimeter81.com/docs/360025958673)

### Assigning Users/Groups

1. Log in to Microsoft Azure and choose **Azure Active Directory** from the sidebar.  
![3600042023401.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/3600042023401.png)
2. Under **Manage**, select **Enterprise applications**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1690365027808.png)
3. Navigate to the enterprise application you created and click on “Users and groups” in the left-side navigation pane.
4. Click on “+ Add user/group” on the top action bar.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen%20Shot%202021-11-07%20at%2013.14.19.png)
5. On the next screen, under “Users and groups” click “None Selected.”
6. Search for the user(s)/group(s) that should be assigned to the SCIM application.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen%20Shot%202021-11-07%20at%2013.15.01.png)
7. Select the user(s)/group(s) and click on the “Select” button and then the “Assign” button.
8. Those users/groups are now assigned to the application.
