Add Zero Trust Network Access as an external authentication method (EAM) in Entra ID

In this topic, you will find instructions on how to add Portnox™ Zero Trust Network Access as an external authentication method (EAM) in Microsoft Entra ID.

Before you begin, read the following important notes:

  • To add Portnox Zero Trust Network Access as an external authentication method in Entra ID, you need a Microsoft Entra ID P1 license. This functionality isn’t available in lower-tier licenses.

  • Currently, Entra ID doesn’t support configuring external authentication methods as authentication strengths. This means all available authentication methods are treated equally in terms of strength. For example, if Microsoft Authenticator is still enabled, users can authenticate using either Portnox ZTNA or Microsoft Authenticator. Until Microsoft releases this feature, there’s no way to require both Microsoft Authenticator and Portnox Zero Trust Network Access for three-factor authentication. To prevent users from using Microsoft Authenticator, you’ll need to disable it for specific users or groups.

  • If Microsoft Authenticator is available, users will always see it as the first option when signing in. To log in using Portnox Zero Trust Network Access, they will need to click the I can’t use my Microsoft Authenticator app right now link when prompted by the Microsoft Authenticator sign-in request. After that, they can choose to log in with Portnox Zero Trust Network Access.

  • Microsoft still allows organizations to use outdated Entra ID configurations (pre-migration), so some organizations continue to manage multi-factor authentication on a per-user basis. If your organization hasn’t completed this migration, ensure that users you want to use Portnox Zero Trust Network Access are set up to require multi-factor authentication for login.

  • If you need more help with setting up the integration, we recommend that you read Microsoft’s guide to managing external authentication methods.

Create a Portnox Cloud application configuration

In this step, you will create a new EAM (OIDC) application configuration in Portnox Cloud.

  1. In a new tab of your browser, open your Portnox Cloud account by accessing the following URL: https://clear.portnox.com/

    From now on, we will call this tab the Portnox tab.

  2. In the top menu, click on the Zero Trust Resources option.

  3. On the Resources screen, click on the Create resource button.

  4. In the What type of resource is this? section, select the SSO web application option, and in the Authentication protocol section, select the EAM option. Then, click on the Next button.

  5. In the Resource details section, enter a Resource name and optionally a Description.

  6. Keep this browser tab open. You will need it later.

Create a new Entra ID application

In this section, you will access the Microsoft Azure administrative interface and use it to create a new Entra ID application.

  1. In another tab of your browser, open your Microsoft Azure Portal by accessing the following URL: https://portal.azure.com/

    From now on, we will call this tab the Entra App tab.

  2. In the Azure Portal main menu, click on the Microsoft Entra ID option.

  3. In the left-hand side menu, click on the Manage > App registrations option.

  4. In the top menu of the App registrations screen, click on the New registration button.

  5. On the Register an application screen, in the Name field, enter a name for this app.

    This name will only be visible in Entra ID. You can use any name you like. In this example, we used the name Portnox Conditional Access EAM.

  6. In the Portnox tab, click on the  ⧉  icon next to the Authorization Endpoint field to copy the value to your clipboard.

  7. In the Entra App tab, in the Redirect URI (optional) section, select the Web value in the first field, and paste the value copied from Portnox Cloud in the second field. Then, click on the Register button to register the app.

  8. After the app is registered, in the top menu of the app screen, click on the Endpoints button.

  9. On the app screen, hover your mouse pointer over the value of the Application (client) ID field, and then click on the  ⧉  icon to copy the value to your clipboard.

  10. In the Portnox tab, click on the Set up an identity provider to get started link to create a new EAP identity provider.

    Note:
    If you already have one EAM identity provider and you do not see this link, to create a new EAM identity provider, open a new browser tab, log in to Portnox Cloud, and create a new identity provider by going to: Settings > Integration Services > IDENTITY PROVIDER SERVICE.
  11. In the Add a new EAM (OIDC) identity provider window, enter the Identity provider name and the Description (Optional) for the new identity provider.

  12. Paste the copied value into the Client ID field.

  13. In the Entra App tab, in the Endpoints pane, click on the  ⧉  icon next to the OpenID Connect metadata document field.

  14. In the Portnox tab, in the Add a new EAM (OIDC) identity provider window, paste the copied value in the Issuer URL field. Then, remove the following trailing text: /.well-known/open-id-configuration, so that the URL ends with the string v2.0.
    Note:
    The final format of the value should be: https://login.microsoftonline.com/your_tenant_id/v2.0. There should be no trailing slash.

  15. Click on the Save and Close button in the Add a new EAM (OIDC) identity provider window to save your identity provider configuration.

Create a new Entra ID authentication method

In this section, you will access the Microsoft Azure administrative interface and use it to create a new Entra ID authentication method.

  1. In another tab of your browser, open your Microsoft Azure Portal again by accessing the following URL: https://portal.azure.com/

    From now on, we will call this tab the Entra Auth tab.

    Note:
    You can also perform these steps in the existing Entra App tab but you need to copy some values from the application configuration fields and paste them into the authentication method configuration fields, so it is more convenient to do so using a separate tab.
  2. In the Entra ID search bar (Search resources, services, and docs), enter authentication methods, and then click on the Microsoft Entra authentication methods option below.

  3. On the Authentication Methods | Policies screen, in the top menu, click on the Add external method (Preview) button.

  4. On the Add external method (Preview) screen, in the Name field, type the name that you want your users to see on the button when authenticating with Portnox Zero Trust Network Access.
    Important:
    You cannot change this name later.

    In this example, we used the name Portnox Conditional Access , so the users that are authenticating see the following text on the button: Approve with Portnox Conditional Access .

  5. In the Portnox tab, click on the  ⧉  icon next to the Client ID field to copy the value to your clipboard.

  6. In the Entra Auth tab, paste the copied value into the Client ID field.

  7. In the Portnox tab, click on the  ⧉  icon next to the Discovery Endpoint field to copy the value to your clipboard.

  8. In the Entra Auth tab, paste the copied value into the Discovery Endpoint field.

  9. In the Entra App tab, hover your mouse pointer again over the value of the Application (client) ID field, and then click on the  ⧉  icon to copy the value to your clipboard.

  10. In the Entra Auth tab, paste the copied value into the App ID field.

  11. Click on the Request permission button.

    The Microsoft Permissions requested window will appear. Click on the Accept button to confirm the permission. The Request permission button will disappear, and you will see the Admin consent granted message in its place.

  12. In the Enable and target section, turn on the Enable switch.

  13. In the Include section, click on the Add Target button and select the Select Targets option from the menu. Then, select the users or groups that should be allowed to use Portnox Zero Trust Network Access to log in.

    Note:
    You can also choose the All Users option to allow all users in your organization to use Portnox Zero Trust Network Access to log in. This does not enforce the use of Portnox Zero Trust Network Access, it just offers it as an option among other multi-factor authentications that are available.
  14. Click on the Save button to save the authentication method.

Create a new Entra ID conditional access policy

In this section, you will access the Microsoft Azure administrative interface and use it to create a new Entra ID conditional access policy.

Note:
This policy will enforce multi-factor authentication for selected users and/or groups. If Portnox Zero Trust Network Access is not the only active multi-factor authentication method, other methods such as Microsoft Authenticator will also be available.
  1. In another tab of your browser, open your Microsoft Azure Portal again by accessing the following URL: https://portal.azure.com/

    From now on, we will call this tab the Entra CA tab.

    Note:
    You can also perform these steps in the existing Entra App or Entra Auth tab but it’s more convenient to keep these tabs open in case any changes in configuration are needed after testing.
  2. In the Entra ID search bar (Search resources, services, and docs), enter conditional access, and then click on the Microsoft Entra Conditional Access option below.

  3. In the top menu, click on the Create new policy button.

  4. In the New Conditional Access Policy pane, in the Name field, enter a name for this policy.

    This name will only be visible in Entra ID. You can use any name you like. In this example, we used the name CAA EAM Policy.

  5. In the Users section, click on the 0 users and groups selected link. On the right-hand side, in the Include and Exclude sections, select the users that are required to use multi-factor authentication.
    Warning:
    We strongly recommend using a limited number of users to test the configuration first, to avoid being locked out of all Entra ID access in case of an error in configuration, especially if no other multi-factor authentication methods are active. We also recommend that you have at least one emergency access account in Entra ID that does not require multi-factor authentication.

  6. In the Target resources section, click on the No target resources selected link. On the right-hand side, in the Include and Exclude sections, select the applications that will require multi-faction authentication.
  7. In the Grant section, click on the 0 controls selected link. In the Grant pane, select the Grant access option, and activate the Require multifactor authentication checkbox. Then, click on the Select button.

  8. Set the Enable policy switch to On and click on the Create button to create the conditional access policy.

Important:
We strongly recommend that you go through your other active Entra ID Conditional Access policies and make sure they do not have conflicts with the new policy. For example, a Microsoft-managed policy may interfere with the EAM policy if it sets a required MFA authentication strength – in such case, the EAM users must be excluded from such a policy.

Test your integration

In this section, you will learn how to test and troubleshoot your integration.

We suggest that you keep all the configuration tabs open until you finish testing.

Important:
Changes in Microsoft Entra ID configurations, especially the Entra ID Conditional Access and authentication method configurations, are not instantaneous. Before testing and after changing any configurations, we recommend that you wait at least 10 to 15 minutes. In case of errors, try again after a short while to make sure that the error was not caused by Microsoft caching the old configuration.
  1. Open a private browser window and try to log in to one of the applications selected in your Entra ID Conditional Access policy as one of the users selected in your Entra ID Conditional Access policy.
  2. If your user has Microsoft Authenticator as an active MFA method, you will see the Microsoft Authenticator prompt. Click on the I can’t use my Microsoft Authenticator app right now link.
  3. Click on the button representing Portnox Zero Trust Network Access.

  4. In case of errors, we recommend that you look through user logs by going to Entra ID > Users > username > Sign-in logs > log entry > Conditional Access.