Configuring Microsoft Entra¶

Zero Touch PKI supports single sign-on through Microsoft Entra, which is an OpenID Connect (OIDC) identity provider. To use Microsoft Entra, you register Zero Touch PKI as a web application, with permissions granted through through Microsoft Graph. Then, you test the integration.

Prerequisites¶

• An understanding of how to register web applications in Microsoft Entra.
• An understanding of Microsoft Graph permissions.
• The sign-in URL for your Zero Touch PKI instance.
• A Zero Touch PKI Account Admin role.
• (Optional) Parent and child accounts in Zero Touch PKI. If creating separate applications for multiple accounts, complete this tutorial once for each account.

• The redirect URI for your Zero Touch PKI instance based on its region:

  • Americas: https://zerotouchpki.us.auth0.com/login/callback
  • Europe: https://zerotouchpki.eu.auth0.com/login/callback
  • Asia-Pacific: https://zerotouchpki.au.auth0.com/login/callback

Step 1: Register Zero Touch PKI as an application¶

In Microsoft Entra, register a new web application and grant permissions. You'll need to supply your Zero Touch PKI redirect URI to return authenticated users to Zero Touch PKI.

To configure Microsoft Entra using OIDC:

1. Register Zero Touch PKI as an application: Create a web application in Microsoft Entra. See Register an application.

2. Create a secret: Add credentials to the application. See Add credentials to an app.

3. Grant permissions: Grant the appropriate permissions for your organization. See Add permissions.

   To enable extended attributes such as Extended Profile or Security Groups, add these permissions for the Microsoft Graph API:

   • Users > User.Read : Your app can sign in users and read their profiles.
   • Directory> Directory.Read.All : Your app can read directory data on a user's behalf.

Step 2: Configure single sign-on in Zero Touch PKI¶

1. Sign in to Zero Touch PKI.

2. Click Admin > Accounts.

3. In Select an account to work on, select your Zero Touch PKI account.

4. In SSO Config, click the pencil icon.

5. (Optional) In Modify SSO Config, edit the Slug, which is based on your account name and appears at the end of your sign-in URL, for example https://ztpki.venafi.com/login/your-account-name.

6. In Modify SSO Config, under Type, select Azure AD.

   Tip

   Azure Active Directory is Microsoft Entra's former name.

7. Under Options, select Enable Testing to temporarily enable password sign-in.

   Disable password sign-in after testing

   Use password sign-in during testing to maintain access while you configure SSO. Disable it before your instance goes live.

8. Under Application Details, add the following:

   • Domain: The tenant domain name for your organization.
   • Client ID: The Application (client) ID from your application.
   • Client Secret: The secret from your application.

9. Click Save SSO Config. Under SSO Configuration, your SSO status appears, with a Direct Login URL.

   About direct login URLs

   The direct login URL where users access your instance combines its location and the account slug:

   • Americas: https://ztpki.venafi.com/login/your-account-name
   • Europe: https://ztpki.eu.venafi.com/login/your-account-name
   • Australia: https://ztpki.au.venafi.com/login/your-account-name

Step 3: Test the instance and disable password sign-in¶

1. In a private browser window, go to the instance URL and click Use Connection. If configured correctly, the Zero Touch PKI dashboard appears.

2. Click Admin > Accounts.

3. In Select an account to work on, select your Zero Touch PKI account.

4. In SSO Config, click the pencil icon.

5. In Modify SSO Config under Options, clear Enable Testing to disable password sign-in.

Related links¶

• About single sign-on
• Register an application
• Add credentials to an app
• Add permissions