Configuring Entra ID Authentication

To log in to this software with Entra ID authentication, both Microsoft Entra admin center and this software must be configured.

Configure the Various Settings in Microsoft Entra Admin Center

IMPORTANT
For environments using a proxy, the appropriate network and security settings must be configured in order to access the various servers required for authentication.
NOTE
For information on operating Microsoft Entra admin center, see the documentation from Microsoft.
If this software is configured to send e-mail using Microsoft Exchange Online, it is only necessary to perform step 4, which allows access to the Graph API required for authentication.
1. Sign in to Microsoft Entra admin center with an administrator account that can operate Microsoft Entra ID.
2. Register an application to Entra ID.
Register the information for this software to Entra ID.
Enter a name of your choice as the application name.
Select the type of supported accounts.
Select the optimal account type for your environment.
Register the URL for this software as the redirect URI.
The redirect URI for this software is displayed in the [Redirect URI] field if you log in to this software as a user with administrator privileges and select the [Enable login using Microsoft Entra ID] check box on the following screen.
[System] menu > [Preferences] > [Authentication Server Settings]
3. To use a client secret for authentication, add the client secret.
NOTE
You can also use a key and certificate for authentication. In that case, it is necessary to configure Entra ID in this software, then upload the key to Microsoft Entra admin center. For information on the procedure, see the following.
In Microsoft Entra admin center, add the client secret.
In the list of client secrets, copy the following information, paste it to a text editor such as Notepad, then save it.
Value of the client secret that was added (not the ID)
Expiration date
NOTE
This information is required in the settings of this software.
4. Add access permissions for Graph API.
Select the following access permissions as delegated access permissions.
User.Read.All
Group.Read.All
GroupMember.Read.All
Grant admin consent.
5. Copy the following information on the screen of Microsoft Entra admin center, paste it to a text editor such as Notepad, then save it.
Application (client) ID
Directory (tenant) ID
URL to use for logging in
URL for Graph API
NOTE
This information is required in the settings of this software.
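
The expiration date recorded in step 3 is worth monitoring, because this software reports an error once a secret has less than one month left or has expired. The following Python is an added example, not part of this software or its documentation: it classifies the secrets and certificates on an application object as returned by Microsoft Graph, using constructed sample JSON and assuming 30 days for "one month".

```python
import json
from datetime import datetime, timedelta, timezone

WARN_WINDOW = timedelta(days=30)  # assumption: "one month" treated as 30 days

# Constructed sample shaped like a Microsoft Graph application object
# (GET /applications/{id}?$select=passwordCredentials,keyCredentials).
SAMPLE_APP = json.loads("""
{
  "passwordCredentials": [
    {"displayName": "login-secret-old", "endDateTime": "2025-01-10T00:00:00Z"},
    {"displayName": "login-secret-new", "endDateTime": "2025-12-31T00:00:00Z"}
  ],
  "keyCredentials": [
    {"displayName": "CN=login-cert", "endDateTime": "2024-12-01T00:00:00Z"}
  ]
}
""")

def parse_graph_time(value):
    """Parse a UTC timestamp such as 2025-01-10T00:00:00.0000000Z."""
    head = value.strip().rstrip("Z").split(".")[0]  # drop 'Z' and any fraction
    return datetime.strptime(head, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def credential_status(app, now):
    """Return (kind, displayName, status, days_left) for every credential."""
    rows = []
    for kind, field in (("secret", "passwordCredentials"),
                        ("certificate", "keyCredentials")):
        for cred in app.get(field) or []:
            remaining = parse_graph_time(cred["endDateTime"]) - now
            if remaining <= timedelta(0):
                status = "expired"
            elif remaining < WARN_WINDOW:
                status = "renew-now"
            else:
                status = "ok"
            rows.append((kind, cred.get("displayName"), status, remaining.days))
    return rows

if __name__ == "__main__":
    # Fixed date so the result is reproducible; use datetime.now(timezone.utc) in practice.
    for row in credential_status(SAMPLE_APP, datetime(2024, 12, 20, tzinfo=timezone.utc)):
        print(row)
```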

Configuring This Software to Log In with Entra ID

1. Log in to this software as the system manager.
2. Select the [System] menu > [Preferences].
3. In the drop-down list on the top of the [Preferences] page, select [Authentication Server Settings].
4. Select [Enable login using Microsoft Entra ID].
5. Enter the values you confirmed in Microsoft Entra admin center.
If Microsoft Exchange Online has been configured on the [E-Mail Settings] page
Click [Copy from Microsoft Exchange Online settings].
The settings for Microsoft Exchange Online on the [E-Mail Settings] page are copied to the [Authentication Server Settings] page.
Proceed to step 10.
If Microsoft Exchange Online has not been configured on the [E-Mail Settings] page
Enter the values you confirmed in Microsoft Entra admin center.
[Directory (tenant) ID]
Enter the directory (tenant) ID you made a note of when operating Microsoft Entra admin center.
[Application (client) ID]
Enter the application (client) ID you made a note of when operating Microsoft Entra admin center.
[Microsoft Entra ID Authentication URL]
A URL is entered by default. To use another URL, change the URL.
[Microsoft Graph API endpoint]
A URL is entered by default. To use another URL, change the URL.
6. Configure the settings for using a client secret in the application authentication.
This operation is not required when using a key and certificate for authentication. Perform the operations from step 7.
NOTE
If there is less than one month until the secret expires or the secret has expired, an error message is displayed when a user with the system administrator role logs in to this software. If that happens, update the client secret.
Select [Use client secret for authentication].
Enter the values you confirmed in Microsoft Entra admin center.
[Client Secret]
Client secret value you made a note of when operating Microsoft Entra admin center
[Expiration]
Client secret expiration date you made a note of when operating Microsoft Entra admin center
Click [Save] on the bottom of the [Authentication Server Settings] page.
7. To use a key and certificate for application authentication, register the key and certificate to this software.
When using a client secret for authentication, the operations from step 7 are not required. Perform the operation in step 6.
NOTE
Authentication can use either a self-signed certificate generated in this software or a certificate issued by a certificate authority. The generated or uploaded certificate is saved to this software. A certificate that is already registered will be overwritten.
You can use a certificate with 2048-bit RSA as the key algorithm and SHA256/SHA384/SHA512 as the signing algorithm.
Select [Use key/certificate for authentication].
When Using a Self-Signed Certificate
Click [Generate Key] next to [Generate Key for Self-Signed Certificate].
Information on the generated key is displayed in [Key Registered for Authentication].
When Using a Certificate Issued by a Certificate Authority
Click [Upload Key for Authentication].
Select the certificate file to upload.
Files with the ".pfx" or ".p12" extension can be selected.
Enter the password for the selected file.
Click [Upload].
Information on the uploaded certificate is displayed in the [Key Registered for Authentication] field.
8. Download the key and certificate.
Click [Download Certificate] next to [Key Registered for Authentication].
Click [Save] on the bottom of the [Authentication Server Settings] page.
9. Register the downloaded certificate to the Entra ID application.
Sign in to Microsoft Entra admin center with an administrator account that can operate Microsoft Entra ID.
Upload the certificate that you downloaded.
10. Configure the roles and region.
In [Role Settings], enter the Entra ID group name to associate with the various roles of this software.
To associate multiple groups with a single role, enter the group names separated with a comma.
NOTE
Group names that include a comma cannot be registered to this software.
It is not possible to log in with Entra ID authentication unless the group name to associate has been entered.
In [Region Settings], enter the Entra ID group name to associate with the region already created in this software.
Select the [Set the region associated with the group name as the user's region] check box.
In the [Group Name] setting for each region, enter the group name to associate. To associate multiple groups with a single region, enter the group names separated with a comma.
NOTE
Group names that include a comma cannot be registered to this software.
A single group can be assigned to multiple regions.
Users in groups that are not associated with a region do not belong to any region.
For information on configuring the region, see the following.
11. Click [Save].
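
Because login fails when no matching group is entered, the names typed into [Role Settings] in step 10 can be checked against the tenant's groups before saving; the check also flags names carried by more than one group, since Entra ID does not require group display names to be unique. The following Python is an added example, not part of this software: it assumes groups are matched by exact display name and that the field is split on commas with surrounding spaces ignored, and the role and group names are constructed.

```python
from collections import Counter

def split_groups(value):
    # Assumption: the field is split on commas and surrounding spaces are ignored.
    return [part.strip() for part in value.split(",") if part.strip()]

def audit_group_settings(settings, tenant_groups):
    """Check role settings against the tenant's group display names.

    settings: {role name: comma-separated group names as typed}
    tenant_groups: display names of all groups in the tenant (duplicates kept)
    Returns a list of (severity, subject, message) tuples.
    """
    counts = Counter(tenant_groups)
    findings = []
    # Names containing a comma cannot be registered; if typed anyway, the
    # fragments may coincide with other, unrelated groups.
    for name in sorted(n for n in counts if "," in n):
        hits = [p for p in split_groups(name) if counts[p]]
        note = f"; typed as-is it would match {hits}" if hits else ""
        findings.append(("warn", name, "comma in name, cannot be registered" + note))
    for subject, value in settings.items():
        names = split_groups(value)
        if not names:
            findings.append(("error", subject, "no group entered"))
        for name in names:
            if counts[name] == 0:
                findings.append(("error", subject, f"{name!r} matches no tenant group"))
            elif counts[name] > 1:
                findings.append(("warn", subject,
                                 f"{name!r} is the name of {counts[name]} groups"))
    return findings

# Constructed sample data; role names and group names are hypothetical.
TENANT_GROUPS = ["Print-Admins", "Helpdesk", "Helpdesk", "Ops, EMEA", "Ops", "EMEA"]
ROLE_SETTINGS = {"admin-role": "Print-Admins",
                 "operator-role": "Helpdesk, Opps",
                 "viewer-role": ""}

if __name__ == "__main__":
    for finding in audit_group_settings(ROLE_SETTINGS, TENANT_GROUPS):
        print(finding)
```

For [Region Settings] the same check applies to the group names, except that an empty entry is not an error there: users in groups that are not associated with a region simply belong to no region.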