This document outlines the steps required to complete an application registration for Microsoft Entra ID that will provide account binding to a CLEAR identity. This process provides the foundation for any subsequent integrations that rely on a CLEAR-bound identity.
Prerequisites for this integration include:
A working Microsoft Entra tenant.
An account with Global Administrator or Authentication Policy Administrator privileges.
Create a new App Registration
A new App Registration is required to provide IdRamp access to the Entra tenant. The following configuration is required:
Account Types: single tenant (step 5 below)
API Permissions (steps 13 - 22 below):
Delegated: openid, email, profile, User.Read
Application: User.ReadWrite.All
Assign a Directory Role (steps 23 - 28 below) - one of the following (MS doc with permission matrix):
Authentication Administrator
User Administrator
Privileged Authentication Administrator (minimum required to reset “admin” account passwords)
Global Administrator (not recommended)
Keep the App ID, Tenant ID, Object ID, and Client Secret for later configuration.
Create a new App Registration (step-by-step)
If you have already completed the creation of the App Registration with the information above, skip this section.
1. Sign in to the Microsoft Entra admin center.
2. Browse to Identity > Applications > App registrations.
3. Click New Registration.
4. Set a Name for the application (e.g. Account Recovery with IdRamp).
5. For Supported account types, select “Accounts in this organizational directory only”.
6. Click Register. (Leave Redirect URI empty for now.)
7. On the Overview tab, copy the following details for later:
   Application (client) ID
   Object ID
   Directory (tenant) ID
8. Within the App Registration, browse to Manage > Certificates & secrets.
9. Click New client secret.
10. Set a Description (e.g. IdRamp).
11. Set a value for Expires.
    Note: a shorter expiry will require updating the secret in IdRamp more often.
12. Copy the Value of the new client secret for use later.
    Note: this value can only be read at creation time. If it is lost, a new client secret will need to be created.
13. Browse to Manage > API permissions.
14. Select Add a permission.
15. In the Add a permission panel, select Microsoft Graph > Delegated Permissions > OpenId permissions.
16. Select email, openid, and profile.
17. Click Add permissions.
18. Select Add a permission.
19. Select Microsoft Graph > Application Permissions > User.
20. Select User.ReadWrite.All.
21. Click Add permissions.
22. Click Grant admin consent for … and click Yes on the pop-up.
23. From the top-level Entra navigation, browse to Identity > Roles & admins > Roles & admins.
24. Find and select one of the following roles:
    Authentication Administrator
    User Administrator
    Privileged Authentication Administrator (minimum required to reset “admin” account passwords)
    Global Administrator (not recommended)
    Note: setting or resetting passwords is a sensitive action within Entra, so the App Registration must be assigned one of these directory roles. For details on which accounts each role allows the App Registration to affect, see the Microsoft documentation.
25. Click Add assignments.
26. Search using either the new App Registration’s Name or App ID.
27. Select the App Registration.
28. Click Add.
Configure a new Directory Extension property
The password reset process requires users to enroll with verified identity. This will result in their Entra user account being associated with their identity verification. This association value will be stored in a directory extension property for users. This property needs to be created before it can be used.
1. Open Microsoft Graph Explorer.
2. In the upper right corner, select the Sign In icon.
3. Authenticate to the Entra tenant where the App Registration was created above.
4. Select POST and specify the following URL, replacing {application ObjectId} with the App Registration’s Object ID (kept from Create a new App Registration above):
   https://graph.microsoft.com/v1.0/applications/{application ObjectId}/extensionProperties
5. Specify the Request body as follows:
   {
     "name": "clearVerified",
     "dataType": "String",
     "isMultiValued": false,
     "targetObjects": [
       "User"
     ]
   }
6. Click Modify permissions.
7. Confirm that consent has been provided for at least one of the listed permissions. If not, click Consent next to one of the permissions and follow the prompts.
8. Click Run query.
9. If the query is successful, copy the Response and save it for later.
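The same extension-property request, scripted, as an added example that is not IdRamp's or Microsoft's code: it builds the request body from the guide, applies the Graph naming rule for directory extensions (extension_<client ID without hyphens>_<name>), and validates the response so the correct name value is carried into the IdRamp service configuration in the next section. The bearer token, Object ID and the sample IDs are placeholders and assumptions; only the POST helper needs a live tenant.

```python
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
PROPERTY_NAME = "clearVerified"

# Request body exactly as specified in the guide above.
EXTENSION_BODY = {"name": PROPERTY_NAME, "dataType": "String",
                  "isMultiValued": False, "targetObjects": ["User"]}


def expected_extension_name(app_client_id: str, name: str = PROPERTY_NAME) -> str:
    """Graph names a directory extension extension_<client ID without hyphens>_<name>."""
    return f"extension_{app_client_id.replace('-', '')}_{name}"


def create_extension_property(token: str, app_object_id: str) -> dict:
    """POST the body to the endpoint from the guide and return Graph's JSON response.
    Requires a live tenant and a consented bearer token; not executed in this example."""
    req = urllib.request.Request(
        f"{GRAPH}/applications/{app_object_id}/extensionProperties",
        data=json.dumps(EXTENSION_BODY).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def validate_response(response: dict, app_client_id: str) -> str:
    """Check the response is the single-valued String property the guide expects and
    return the full attribute name to enter into the IdRamp service configuration."""
    name = response.get("name", "")
    if name != expected_extension_name(app_client_id):
        raise ValueError(f"unexpected extension name: {name!r}")
    if response.get("dataType") != "String" or response.get("isMultiValued"):
        raise ValueError("property must be a single-valued String")
    if response.get("targetObjects") != ["User"]:
        raise ValueError("property must target User objects only")
    return name


# Constructed sample response with placeholder IDs (not from a real tenant).
SAMPLE_APP_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_RESPONSE = {"appDisplayName": "Account Recovery with IdRamp",
                   "name": "extension_11111111222233334444555555555555_clearVerified",
                   "dataType": "String", "isMultiValued": False, "targetObjects": ["User"]}
```

Running validate_response against the real Graph Explorer response catches a body that was pasted with the wrong dataType or a name created under a different app registration before the value reaches IdRamp.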
Configure the IdRamp Entra ID Account Recovery Service
Creating an Entra ID Account Recovery Service in IdRamp provides an endpoint for the Entra Application Registration configuration. The IdRamp wizard also creates an account recovery URL by default; this Recovery URL is not needed to complete the enrollment process. To configure the IdRamp Entra ID Account Recovery Service, log in to your IdRamp Orchestration dashboard and complete the following steps:
1. Sign in to the IdRamp Orchestration dashboard. Select Services, then Add New.
2. Enter a Display Name and select Account Recovery for MS ENTRA as the service type.
3. Select Continue to save the service record.
4. Enter your Microsoft Entra Tenant ID, App ID, Object ID, and Client Secret from the App Registration steps above, and the name value from the Graph API query Response, into the form fields and select Save.
5. Copy the Account Recovery for MS ENTRA MetaData Redirect URI from the IdRamp service page to complete the configuration in your Entra tenant.
Update the App Registration
To the App Registration created earlier, add the Redirect URI from the previous step as a Web Redirect URI.
1. Sign in to the Microsoft Entra admin center.
2. Browse to Identity > Applications > App registrations.
3. Find the App Registration created earlier.
4. Browse to Manage > Authentication.
5. Under Platform configurations, click Add Platform.
6. Click Web.
7. Copy the Redirect URI returned by IdRamp into the list of Redirect URIs. This URI will look like the following: https://app.idramp.com/openid2/idp/auth/{identifier}
8. Click Configure.
Enrollment
Users will complete a simple enrollment process to verify account ownership. Use the Enrollment URL provided in the IdRamp Account Recovery service metadata to initiate enrollment. You can distribute the Enrollment URL to users through standard business communication channels. During enrollment, users will sign in to Microsoft Entra and complete the identity verification process.
This process will update the extension attribute with the globally unique CLEAR user identifier, creating the foundation for services such as account recovery or Identity Bound Verified ID issuance.
Once the Enrollment configuration is complete and users have followed the Enrollment URL to complete the enrollment flow, additional services can be configured.