Legal Disclaimer: The resource assets in this website may include abbreviated and/or legacy terminology for HPE Aruba Networking products. See www.arubanetworks.com for current and complete HPE Aruba Networking product lines and names.
Microsoft Entra ID
Policy Manager can interact with Microsoft Entra ID (formerly Azure Active Directory) to retrieve directory objects and perform policy enforcement. This source can be used only for authorization, not for authentication.
Appropriate Microsoft Graph permissions must be granted to the Microsoft Entra ID application in order for Policy Manager to fetch the expected directory objects. Figure 1 displays the permissions that must be granted to fetch user group information.
Note: Aruba recommends that the Microsoft Graph Application.Read.All permission also be granted. This permission enables Policy Manager to raise a notification when the clear text secret configured for the Microsoft Entra ID application connected to Policy Manager is about to expire.
Figure 1 Grant Appropriate Microsoft Graph Permissions
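The expiry notification mentioned in the note above is driven by the application object that Application.Read.All lets Policy Manager read from Microsoft Graph. The following is an added example written for this page, not ClearPass code: it takes the passwordCredentials and keyCredentials of an application object (the shape returned by GET /v1.0/applications/{object-id}), compares each endDateTime with the current time, and looks a secret up by its keyId, which is what the Secret ID configured later in this procedure refers to. The application object and the reference time are constructed sample data, not a real tenant's.

```python
"""Flag expiring client secrets and certificates on an Entra ID application.

Added example, not ClearPass code. With Application.Read.All granted, the
application object can be read from Microsoft Graph and each credential's
endDateTime compared with the current time. SAMPLE_APPLICATION and
SAMPLE_NOW are constructed test data; the ids and dates are invented.
"""
from datetime import datetime, timedelta, timezone

SAMPLE_APPLICATION = {  # constructed sample of a Graph application object
    "appId": "00000000-0000-0000-0000-000000000000",  # placeholder client ID
    "displayName": "clearpass-authz",
    "passwordCredentials": [
        {"keyId": "11111111-1111-1111-1111-111111111111", "displayName": "cpm-secret-2023",
         "endDateTime": "2024-01-15T00:00:00Z"},
        {"keyId": "22222222-2222-2222-2222-222222222222", "displayName": "cpm-secret-2024",
         "endDateTime": "2025-03-01T00:00:00Z"},
    ],
    "keyCredentials": [
        {"keyId": "33333333-3333-3333-3333-333333333333", "displayName": "CN=clearpass",
         "usage": "Verify", "endDateTime": "2026-06-30T00:00:00Z"},
    ],
}
SAMPLE_NOW = datetime(2025, 2, 10, tzinfo=timezone.utc)  # constructed reference time


def parse_graph_time(value):
    """Graph returns ISO-8601 UTC with a trailing 'Z'; fromisoformat() accepts 'Z' only from 3.11."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def credential_status(credential, now, warn_days=30):
    """Return (days_left, status) with status 'expired', 'expiring' or 'ok'."""
    end = parse_graph_time(credential["endDateTime"])
    days_left = (end - now).days
    if end <= now:
        return days_left, "expired"
    if end - now <= timedelta(days=warn_days):
        return days_left, "expiring"
    return days_left, "ok"


def audit_application(app, now, warn_days=30):
    """List every secret and certificate on the application, worst status first."""
    report = []
    for kind, key in (("secret", "passwordCredentials"), ("certificate", "keyCredentials")):
        for cred in app.get(key, []):
            days_left, status = credential_status(cred, now, warn_days)
            report.append({"kind": kind, "keyId": cred["keyId"], "name": cred.get("displayName"),
                           "days_left": days_left, "status": status})
    order = {"expired": 0, "expiring": 1, "ok": 2}
    return sorted(report, key=lambda r: (order[r["status"]], r["days_left"]))


def secret_days_left(app, secret_id, now):
    """Days until the secret whose keyId equals the configured Secret ID expires (None if not found)."""
    for cred in app.get("passwordCredentials", []):
        if cred["keyId"] == secret_id:
            return credential_status(cred, now)[0]
    return None


if __name__ == "__main__":
    for row in audit_application(SAMPLE_APPLICATION, SAMPLE_NOW):
        print(f"{row['status']:8} {row['kind']:11} {row['name']:18} "
              f"{row['days_left']:5d} days  keyId={row['keyId']}")
```

In a real deployment the application object would come from an authenticated Graph call rather than the inline sample; the comparison logic is the same, and a negative days_left means the credential has already lapsed and token requests using it will fail.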
To configure the Microsoft Entra ID service:
1. Navigate to Configuration > Authentication > Sources. The page opens.
2. Click the link. The page opens with the General tab displayed. Each configuration parameter is empty, and the authentication source type is undefined.
When Microsoft Entra ID is selected as the source type, the General tab displays session timeout information unique to Microsoft Entra ID.
Figure 2 Microsoft Entra ID > General Tab
3. Specify the following General tab parameters:
Parameter | Action/Description
--- | ---
Name | Specify a unique name for the Microsoft Entra ID service.
Description | Provide additional information to identify and differentiate the Microsoft Entra ID source from others with similar attributes.
Type | Select the type of source. In this context, select Microsoft Entra ID.
Cache Timeout | Sets the time (in seconds) that Microsoft Entra ID session data remains in the server cache before it is removed.
Timeout | Sets the time a Microsoft Entra ID request waits for a response from the server before it terminates.
4. Use the Primary tab to define settings for the Microsoft Entra ID primary server resource.
Figure 3 Microsoft Entra ID > Primary Tab
5. Specify the following Primary tab parameters:
Note: For ClearPass to access user details from Microsoft Entra ID, a ClearPass administrator must create an application and register it. Once it is registered, obtain the Tenant ID and Client ID from the application's Overview page. The application also requires certain permissions in order for ClearPass to integrate smoothly.
Figure 4 Entra ID > Primary Tab Parameters
Parameter | Action/Description
--- | ---
 | The server from which Policy Manager fetches the tokens used when fetching Microsoft Entra ID directory objects during authorization.
Tenant ID | Enter the Tenant ID that uniquely identifies the application registered on the Microsoft Entra ID App Registration page and used by Policy Manager to connect to Microsoft Entra ID and fetch directory objects.
Client ID | Enter the Client ID that uniquely identifies the application registered on the Microsoft Entra ID App Registration page and used by Policy Manager to connect to Microsoft Entra ID and fetch directory objects.
Secret Type | Select either Client Secret or Client Certificate as the type of credential Policy Manager uses to authenticate to Microsoft Entra ID as a protected resource.
Client Secret | The Client Secret is a clear text shared secret that Policy Manager uses, together with the Tenant ID and Client ID, to obtain the authentication tokens used when fetching Microsoft Entra ID directory objects during authorization. The tokens are hashed and stored in Policy Manager. Create and configure secrets in the Microsoft Entra ID portal: select App Registrations from the left-hand menu, locate the application configured for Policy Manager, then select Certificates & secrets from the left-hand menu and configure the secret.
Secret ID | The Secret ID is the unique identifier of the clear text secret. Policy Manager uses it to check the expiration of the client secret and send a notification.
Client Certificate | The Client Certificate is a server certificate that can be used instead of the clear text secret. Like the Client Secret, Policy Manager uses it to obtain the authentication tokens used when fetching Microsoft Entra ID directory objects during authorization. Two prerequisites apply when using a Client Certificate. In Policy Manager, the certificate must be uploaded to, or created from, the Policy Manager Certificate Store. In the Microsoft Entra ID portal, the same certificate must be uploaded: select App Registrations from the left-hand menu, locate the application configured for Policy Manager, then select Certificates & secrets from the left-hand menu and configure the secret.
Select the Attributes tab to set Microsoft Entra ID query filters and the attributes fetched by those filters.
Figure 5 Microsoft Entra ID > Attributes Tab
6. Select Add More Filters as needed, and set Microsoft Entra ID query filters. Supported query types include:
User-Group Query:
users:users/?$select=userPrincipalName,displayName,id,accountEnabled,companyName,createdDateTime,department,employeeId,lastPasswordChangeDateTime,registeredDevices&$filter=mail eq %{Authentication:Username};group:/users/%{users:id}/memberOf?$select=displayName,id,groupTypes
Device-Group Query:
device:devices?$select=id,displayName&$filter=displayName eq %{Certificate:Subject-CN};deviceGroups:devices/%{device:id}/memberOf?$select=displayName
Figure 6 Microsoft Entra ID Configure Filter Screen
Table 2: Microsoft Entra ID Configure Filter Page Parameters
Parameter | Action/Description
--- | ---
Filter Name | Enter the name of the selected filter.
Filter Query | Supported query types include the User-Group Query: users:users/?$select=userPrincipalName,displayName,id,accountEnabled,companyName,createdDateTime,department,employeeId,lastPasswordChangeDateTime,registeredDevices&$filter=mail eq %{Authentication:Username};group:/users/%{users:id}/memberOf?$select=displayName,id,groupTypes and the Device-Group Query: device:devices?$select=id,displayName&$filter=displayName eq %{Certificate:Subject-CN};deviceGroups:devices/%{device:id}/memberOf?$select=displayName
Name | Specify the name of the attribute.
Alias Name | Select the alias name for the attribute. By default, this is the same as the attribute name.
Data Type | Specifies the data type of this attribute: String, Integer, Integer64, Date-Time, or Boolean.
Enabled As | Specify whether the value is to be used directly as a role or as an attribute in an enforcement policy. This bypasses the step of assigning a role in Policy Manager through a role-mapping policy.