Add Microsoft Entra ID as an OIDC identity provider for Zero Trust Network Access

In this topic, you will find instructions on how to add Microsoft Entra ID as an OIDC identity provider for Portnox™ Zero Trust Network Access.

Prerequisites:

  • You must first integrate your Portnox Cloud instance with your Microsoft Entra ID repository (Azure Active Directory) as an authentication provider. For more information, see the following topic: Integrate with Microsoft Entra ID.

Note: Microsoft Entra ID is a new name for Microsoft Azure Active Directory.

Create a new identity provider configuration in Portnox Cloud

In this section, you will create a new OIDC identity provider configuration in Portnox Cloud.

  1. In a new tab of your browser, open your Portnox Cloud account by accessing the following URL: https://clear.portnox.com/

    From now on, we will call this tab the Portnox tab.

  2. In the Cloud portal top menu, click on the Settings option.

  3. In the Cloud portal left-hand side menu, click on the Integration Services > IDENTITY PROVIDER SERVICE > Identity Provider menu option.

  4. Click on the Add a new identity provider link and from the drop-down menu, select the Add an OIDC identity provider option.

  5. In the Identity provider details section, enter an Identity provider name and optionally a Description.

    In this example, we used the name Entra ID OIDC for the new identity provider but you can use any name you like.

  6. Keep this browser tab open. You will need it later.

Create a new Entra ID application registration

In this section, you will access the Microsoft Azure administrative interface and use it to create a new Entra ID application registration that will handle integration with Portnox Cloud.

  1. In another tab of your browser, open your Microsoft Azure Portal by accessing the following URL: https://portal.azure.com/

    From now on, we will call this tab the Azure tab.

  2. In the Search resources, services, and docs field, type: app registrations, and then click on the App registrations entry in the drop-down menu.

  3. In the App registrations pane, click on the New registration button.

  4. In the Register an application pane, in the Name field, enter a name for the enterprise application.

    In this example, we used the name Portnox ZTNA OIDC, but you can use any name you like.

  5. In the Supported account types field, select an option as needed by your organization’s Entra ID tenant configuration.

    Note: In most cases, the default option is sufficient.

  6. In the Portnox tab, click on the  ⧉  icon next to the Redirect URI field to copy the value to your clipboard.

  7. In the Azure tab, in the Redirect URI field, select the Web option, and then paste the value that you just copied to your clipboard.

  8. Click on the Register button.

Copy configuration values from the Azure tab to the Portnox tab

In this section, you will copy the values displayed by the Entra ID application setup section and paste them in the relevant fields in Portnox Cloud.

  1. In the Azure tab, in the Essentials section, click on the  ⧉  icon next to the Application (client) ID field to copy the value.

  2. In the Portnox tab, in the Identity provider properties section, click on the empty field under the Client ID heading and paste the value copied from Azure.

  3. In the Azure tab, in the Essentials section, click on the  ⧉  icon next to the Directory (tenant) ID field to copy the value.

  4. In the Portnox tab, in the Identity provider properties section, click on the empty field under the Issuer URL heading and enter the following value: https://login.microsoftonline.com/TENANTID/v2.0, where TENANTID is the value that you copied from the Azure tab.

  5. In the Azure tab, create a secret.
    1. In the left-hand side menu, click on the Manage > Certificates & secrets option.

    2. In the right-hand side pane, click on the New client secret button.

    3. In the Add a client secret pane, enter a description for this secret (for example, Portnox ZTNA OIDC secret), select the expiration time, and then click on the Add button.

    4. In the table under the New client secret button, find the newly created secret, and then click on the  ⧉  icon next to the value in the Value column to copy it to your clipboard.

      Warning: You will not be able to copy this value later. We recommend that you store this value in a secure place for the future, for example, in a password manager application.

  6. In the Portnox tab, in the empty field under the Client secret heading, paste the value that you copied from the Azure tab.

  7. In the Portnox tab, click on the Save and Close button.
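The Issuer URL entered in step 4 is what the relying party compares against the `iss` claim of every token it receives, so a typo, a trailing slash or the wrong tenant ID silently breaks sign-in. The following is an added example (not Portnox or Microsoft code) that builds the issuer URL from a tenant ID exactly as step 4 describes, derives the standard OIDC discovery endpoint (`/.well-known/openid-configuration`, which Entra ID publishes under the same issuer path), and checks that the `issuer` value the tenant publishes matches what was typed into Portnox. The discovery document below is constructed with a placeholder tenant ID; `fetch_discovery` downloads the real one when you pass your own tenant ID.

```python
"""Verify the OIDC issuer URL configured in Portnox against the issuer that
Entra ID publishes in its discovery document.

Added example, not part of the Portnox documentation or product code.
Assumes Python 3 and, for the live check only, outbound HTTPS access."""
import json
import re
import urllib.request

# Entra ID tenant IDs are GUIDs (8-4-4-4-12 hex); reject anything else
# before building a URL from user-supplied input.
_GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")

LOGIN_HOST = "https://login.microsoftonline.com"


def issuer_url(tenant_id: str) -> str:
    """Return the v2.0 issuer URL for a tenant, in the form used in step 4."""
    tenant_id = tenant_id.strip()
    if not _GUID_RE.match(tenant_id):
        raise ValueError(f"tenant ID is not a GUID: {tenant_id!r}")
    return f"{LOGIN_HOST}/{tenant_id.lower()}/v2.0"


def discovery_url(tenant_id: str) -> str:
    """Standard OIDC discovery endpoint for the tenant."""
    return issuer_url(tenant_id) + "/.well-known/openid-configuration"


def check_issuer(discovery_doc: dict, tenant_id: str) -> bool:
    """True when the published issuer equals the configured issuer URL.

    A relying party must reject tokens whose `iss` claim differs from the
    configured issuer, so a mismatch here means the Portnox Issuer URL field
    is wrong (wrong tenant, typo, extra slash) and logins will fail."""
    published = discovery_doc.get("issuer", "")
    return published == issuer_url(tenant_id)


def fetch_discovery(tenant_id: str, timeout: float = 10.0) -> dict:
    """Download the live discovery document (needs network access)."""
    with urllib.request.urlopen(discovery_url(tenant_id), timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample with the shape of an Entra ID discovery document and an
# all-zero placeholder instead of a real tenant ID.
SAMPLE_TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_DISCOVERY = {
    "issuer": f"{LOGIN_HOST}/{SAMPLE_TENANT}/v2.0",
    "authorization_endpoint": f"{LOGIN_HOST}/{SAMPLE_TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"{LOGIN_HOST}/{SAMPLE_TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"{LOGIN_HOST}/{SAMPLE_TENANT}/discovery/v2.0/keys",
}

if __name__ == "__main__":
    print("issuer:   ", issuer_url(SAMPLE_TENANT))
    print("discovery:", discovery_url(SAMPLE_TENANT))
    print("match:    ", check_issuer(SAMPLE_DISCOVERY, SAMPLE_TENANT))
    # For a live check, replace the placeholder with your own tenant ID:
    # tid = "<your tenant id>"
    # print(check_issuer(fetch_discovery(tid), tid))
```

Run it with your own tenant ID in the live check; if `check_issuer` returns `False`, compare the printed issuer with the Issuer URL field in the Portnox tab before saving the identity provider.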