Overview
Following these instructions will result in the selected Entra Tenant being federated with IdRamp. All authentication for every Entra service connected to this tenant will then flow through IdRamp. Please proceed carefully.
If you instead want to allow IdRamp to act as an Authority Issuer for your Entra Tenant please see IdRamp Authority Services for Entra which is part of the IdRamp Tools for Entra product suite.
AZURE Console
Add a Custom Domain
Log into Azure Portal
Click the shortcut to Microsoft Entra ID
Click the Custom domain names link on the left.
Click Add custom domain.
Enter your domain in the Custom domain name field and click Add domain.
Register IdRamp application
From the Entra/Azure home screen, select Azure Active Directory > App registrations > New registration.
Enter the application name IdRampAuth
Select Accounts in this organizational directory only.
Click Register when done.
On the “Overview” page, make a note of the following values which you’ll need later when configuring the integration in the IdRamp Entra Tools:
Application (client) ID
Directory (tenant) ID
Grant Required API Permissions
From the Entra/Azure Active Directory screen, select App registrations and choose IdRampAuth.
Select API permissions. By default, the application will already have Microsoft Graph’s User.Read. This isn’t required, so remove it by clicking the … icon and choosing Remove permission. Click Yes, remove to confirm when prompted.
Click + Add a permission.
Select Microsoft Graph as the API to configure permissions for.
Select Application permissions.
Search for and select User.ReadWrite.All.
Click Add permissions to save the changes.
Click Grant admin consent to apply the permissions and click Yes to confirm when prompted.
Create a Client Secret
Select Certificates & secrets, then click + New client secret.
Enter a Description and an Expires date of 24 months.
Make a note of the client secret value now so you can use it later when connecting Entra/Azure to IdRamp.
If you return to this screen later, Entra will mask the value and you won’t be able to copy it.
IDRAMP Dashboard
Add New Service
For IdRamp to communicate with Azure/Entra, a service must be created specifically for the Azure directory and the custom domain.
Log into IdRamp Admin
On the services page click on the ADD NEW button
Enter a name for the new service.
Select Azure Federated ID as the Service Type.
Optionally, upload an icon for the service.
Finally, click the CONTINUE button.
Add an IDP to the Service
Click the ADD IDP button
Select your IDP from the list
Click the ADD button
On the ACCESS tab click on the switch next to Currently Disabled to enable the IDP
Change the access rights as applicable.
Configure the IDP Connector
Click CONNECTORS tab
Click the ADD button
Select Microsoft Graph Get User from the drop down
Click the SAVE button
Click the pencil next to the new connector to Edit Configuration
Enter the Entra App Registration “Application Id”
Enter the Client Secret from the application registered using the Azure Portal
Optionally, enter the name of the Entra user object field which will be used to find the user. If empty, the connector will search against the user's userPrincipalName.
Select the field in the user’s IdRamp session which will be used to find the user in the Entra tenant
Enter the Tenant Id of the application registered using the Azure Portal
Search On is a field name from Entra (mail, principal user name, display name, etc.); if left blank, the principal user name will be used.
Search Using is a field from the selected IDP.
Click SAVE button
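To check the app registration and the connector's lookup from outside the dashboard, the following added example (not IdRamp's or Microsoft's code) performs the same client-credentials token request and Graph user lookup using the Application Id, Client Secret, Tenant Id, Search On and Search Using values from the steps above; the placeholder credentials in the main block are assumptions.

```python
"""Added example (not IdRamp's or Microsoft's code): look up an Entra user the
way the "Microsoft Graph Get User" connector configured above does, using the
Application Id, Client Secret and Tenant Id from the app registration.
The credential values in the main block are placeholders."""
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def build_lookup_url(search_on: str, value: str) -> str:
    """Build the /users query for one attribute. search_on is the Entra field
    ("Search On"); blank means userPrincipalName, as the connector defaults.
    value comes from the IdRamp session ("Search Using"), so it is placed in
    the OData filter as a quoted literal with embedded quotes doubled."""
    field = search_on.strip() or "userPrincipalName"
    if not field.isalnum():  # Entra attribute names are plain identifiers
        raise ValueError(f"unexpected Search On field: {field!r}")
    literal = value.replace("'", "''")
    flt = urllib.parse.quote(f"{field} eq '{literal}'", safe="")
    return f"{GRAPH}/users?$filter={flt}&$select=id,userPrincipalName,mail"


def pick_unique_user(response: dict):
    """Return the single matching user, or None when zero or several users
    match: an ambiguous lookup must not silently map to the first account."""
    users = response.get("value", [])
    return users[0] if len(users) == 1 else None


def get_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials flow for the app registration (application permission)."""
    body = urllib.parse.urlencode({
        "client_id": client_id, "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials"}).encode()
    with urllib.request.urlopen(TOKEN_URL.format(tenant=tenant_id), body) as r:
        return json.load(r)["access_token"]


def get_user(token: str, search_on: str, value: str):
    """Run the lookup against Graph and apply the uniqueness rule."""
    req = urllib.request.Request(build_lookup_url(search_on, value),
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as r:
        return pick_unique_user(json.load(r))


if __name__ == "__main__":  # placeholder values, replace with your own
    tok = get_token("<tenant-id>", "<application-id>", "<client-secret>")
    print(get_user(tok, "", "jane.doe@example.com"))
```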
IdRamp ENTRA TOOLS
Connect Everything Together
Azure doesn’t have an interface to configure Entra services. IdRamp’s Entra Tools uses Microsoft’s APIs to do the configuration.
Log into IdRamp's Entra Tools (with Microsoft Azure credentials)
Click on Domains
Click on the newly created domain
Click on Edit
Update info
Click on Save
Your Entra Tenant is now federated with IdRamp.