Before Security Center can use Microsoft Entra ID to authenticate users with OpenID Connect, setup is required in Config Tool and the Microsoft Entra ID Portal.
This example shows how to set up third-party authentication with Microsoft Entra ID using OpenID Connect (OIDC) access tokens. The procedure is divided into three sections:
- Preparing Security Center
- Preparing Microsoft Entra ID
- Integrating Security Center with Microsoft Entra ID
- Locating the properties in the Microsoft Entra ID portal
- Understanding the significance of each property
- Validating the properties before you can proceed
- Accessing corresponding help topics
To implement third-party authentication, you must have administrator rights in Security Center and Microsoft Entra ID.
1 - Preparing Security Center
- Open Config Tool and connect to the Security Center main server as an administrator.
- From the Config Tool homepage, open the System task and click the Roles view.
- Click Add an entity (
) > Authentication Service.
The Creating a role: Authentication Service window opens.
- In the Specific info section, select the identity provider
and the authentication protocol and click Next.
- Provider
- AzureAD
- Protocol
- OpenID Connect
- In the Basic information section, enter a name and optional
description for the new Authentication Service role.
- If there are partitions in your system, select the partition of which this role
is a member and click Create.
Partitions determine which Security Center users have access to this entity. Only users who have been granted access to the partition can see this role.
- From the App registration page, copy the redirect
and logout URIs.
For more information, see About role endpoints configuration.
- Click .NOTE: The Suspend button allows you to save and exit the configuration wizard temporarily. You can suspend the configuration at any time during the process.
2 - Preparing Microsoft Entra ID
- Have a Microsoft Entra ID that represents your domain.
- Have provisioned at least one user.
- Have provisioned at least one user group that contains the users you want to grant access to Security Center.
- In the Microsoft Entra ID Portal, open the Microsoft Entra ID for your tenant.
- In the left menu, select App registrations and click
New registration.
- Enter a Name, select Single tenant
under Supported account types and click
Register.
- In the left menu for your application, select
Authentication, click Add a
platform, and select Web.
- In Configure Web, enter the first redirect URI for
Security Center to Redirect URIs and click
Configure.
NOTE: OIDC doesn’t require the explicit Logout URL. - Under Redirect URIs for the Web platform, click
Add URI, enter the remaining redirect,
logout URIs for Security Center, and click
Save.
- In the left menu for your application, select Certificates &
secrets, open the Client secrets tab, and
click New client secret to generate a client secret for
Security Center.
Best Practice: After generating your secret, copy it from the Value column header and keep it safe until the integration is complete. It’s impossible to retrieve a client secret from the Microsoft Entra ID configuration. If the secret is lost, you must generate a new one.
NOTE: You can also add a certificate credential to configure client authentication. For more information about client authentication, see Configuring client authentication in OpenID Connect. - In the left menu for your application, select Token configuration.
- Click Add groups claim, select the group type you want to
grant access to Security Center, select Group ID for the
Access token type, and click Add.
IMPORTANT: To avoid hitting a group overage claim, we recommend that large enterprise systems select Groups assigned to the application instead of All groups in the Edit groups claim section. See this Microsoft Learn topic for more information. - Click Add optional claim, select the
Access token type, select the
UPN claim, and click
Add.NOTE: Security Center requires a unique identifier for the user. UPN is one possibility, but other optional claims, such as email, can be used instead.
- In the left menu for your application, select Manifest,
set accessTokenAcceptedVersion to 2, and click
Save.
- In the left menu for your application, select Expose an API.
- Click Add next to Application ID URI
to specify a globally unique URI for the Security Center application, and click
Save.
Microsoft Entra ID automatically generates a usable URI. You can use the default or change it as required.
- Click Add a scope, fill in the required fields with
values of your choice, and click Add scope.NOTE: A custom scope ensures that Microsoft Entra ID targets Security Center. The scope can specify anything.
3 - Integrating Security Center with Microsoft Entra ID
- Before configuring an Authentication Service in Security Center, you must register the redirect and logout URIs in the Microsoft Entra ID Portal.
- The system validates the properties at each step before you can proceed.
- In Config Tool, select the Authentication Service role created earlier and click
Configuration.
The App registration page of the Creating a role: Authentication Service window opens and you can resume the configuration.
- On the App registration page, click Next.
- On the Communicate with provider page, click
Start, enter an issuer URI and application (client)
ID, and click Next.
- Issuer
- Secure URL (HTTPS) pointing to the OpenID Connect metadata document. Copy it from Endpoints in the Microsoft Entra ID application configuration.
- Application (client) ID
- A unique identifier that represents Security Center in Microsoft Entra ID. Copy it from Overview in the Microsoft Entra ID application configuration.
- In the Metadata section, enter the URL and click
Next.
- URL
- Secure URL (HTTPS) pointing to the OpenID Connect metadata document. Copy it from Endpoints in the Microsoft Entra ID application configuration.
- On the Accepted domains page, configure the
Default provider option:
- This option is turned off by default. When turned off, you must add at
least one domain name of users who can authenticate using this
Authentication Service.
- Turn on the Default provider option to use this
identity provider to authenticate users from all domains.
If you have multiple Authentication Service roles, only one role can be set as the default provider, and this option is disabled for all other roles.
CAUTION:Turning on the Default provider option deletes all domain names that were previously added.
- This option is turned off by default. When turned off, you must add at
least one domain name of users who can authenticate using this
Authentication Service.
- Specify whether or not to use this identity provider as a sign in option.
If you select Yes, enter the name of the identity provider to be displayed on the sign in screen with the text "Sign in with <display name>".
- Click Next.
- (Optional) On the Client authentication page, turn on Proof Key for Code Exchange (PKCE) and configure the Confidential client option. For more information about client authentication, see Configuring client authentication in OpenID Connect.
- On the Claims and scopes page, select the following properties:
- Username claim
- OpenID claim returned by the identity provider that contains the
username of the authenticated party.
Select: preferred_username
- Group claim
- OpenID claim returned by the identity provider that contains the
groups the authenticated party belongs to.
Select: groups
- Click Next.
- On the Groups page, click Add an item
(
), select an existing group or create a new user group, and click Next.Tip: You can bulk download user groups from Microsoft Entra ID as a CSV file and import those groups into Security Center. The external unique identifier of the imported groups must match the Object Id of those groups in Microsoft Entra ID. - On the Test the configuration page, click Test
logon to validate the configuration, and click
Next.
For more information, see Testing a third-party authentication setup.
- On the Creation outcome page, verify that the information is correct and click .