Microsoft Entra ID Setup — Cloud Only

Enterprise Access Management supports enterprises with all users and devices joined to Microsoft Entra ID. This topic describes the configuration where Microsoft Entra ID maintains the users, because there is no Microsoft Active Directory.

Click to enlarge.

Entra only support

For other supported configurations, see Microsoft Entra ID Support.

Entra ID Administrator Requirements

Your Entra ID administrator account must be created within Entra ID, not imported or migrated into Entra ID.

You must exclude the Enterprise Access Management app from your MFA conditional access policies for this feature. This requirement is due to a Microsoft blocker. See Entra ID Conditional Access Policies

The Entra ID administrator username and password must be entered in UPN format.

BEST PRACTICE:

Create the Entra ID administrator account with the User Administrator role.

Register EAM, Add Secret

  1. Log into https://entra.microsoft.com/ with a user with administrator privileges.

  2. Go to Microsoft Entra ID > App registrations.

  3. Click New registration.

  4. On the Register an application page:

    • Provide a user-facing display name for this application: for example, Imprivata, EAM or EAMTest.

    • Who can use this application or access this API? — leave the default selection Accounts in this organizational directory only

    • Redirect URI where the authentication response is returned after successful authentication — select Web and provide any value

  5. Click Register.

  6. On your new app registration page > Overview > Client credentials, click Add a certificate or secret.

  7. On the Add a secret page, add a secret that the application will use to prove its identity when requesting a token. Save this secret outside of this application.

    IMPORTANT:

    Save this secret securely outside of this application, because after leaving this page, the value will be masked. Imprivata recommends using a very complex secret and a Privileged Access Management system, for example, Imprivata Privileged Access Management, to manage this secret. Microsoft recommends changing this secret every 180 days.

API Permissions

  1. On your new app registration page > Manage > API permissions, click Add a permission > Microsoft Graph.

  2. Click Application permissions — your application runs as a background service or daemon without a signed-in user.

  3. Select a permission from the list, and click Add permissions. After it appears in a list of added permissions, grant admin consent.

  4. Add all of the following permissions. Note that some are Delegated permissions, and the remainder are Application permissions.

API name Type Description Admin consent required
Device.Read.All Application Read all devices Yes
Directory.AccessAsUser.All Delegated Access directory as the signed in user Yes
Domain.Read.All Application Read domains Yes
Group.Read.All Application Read all groups Yes
User.Read.All Application Read all users' full profiles Yes
User.ReadWrite Delegated Read and write access to user profile No
User.ReadWrite.All Delegated Read and write all users' full profiles Yes
UserAuthenticationMethod.ReadWrite.All Delegated Read write all users' authentication methods Yes

Entra ID Conditional Access Policies

You must exclude the Imprivata Azure AD Sync app from your MFA conditional access policies for this feature. This requirement is due to a Microsoft blocker.

  1. In Entra ID, go to SecurityConditional Access, and select a policy that applies to your Imprivata users and requires MFA.

  2. To exclude your Imprivata app, go to Cloud apps or actionsCloud appsExcludeSelect excluded cloud apps, and select the Imprivata Azure AD Sync app.

  3. Click Save.

  4. Repeat for all conditional access policies that apply to your Imprivata app and require MFA.

NOTE:

Microsoft-managed policies don't allow you to exclude specific cloud apps. If you have a Microsoft-managed policy that requires MFA, recreate it so you can exclude the Imprivata Azure AD Sync app, and then turn off the Microsoft-managed policy.

Before Closing Entra ID

When adding your Microsoft Entra ID directory in the Imprivata Admin Console, you will need the Tenant ID, Client ID, Client Secret, and user's account credentials. On your new app registration page > Overview, copy these values for later.

Adding Entra ID to Imprivata

  1. In the Imprivata Admin Console, go to Users > Directories.

  2. In the Directories page, click Add.

  3. In the Add New Imprivata Domain wizard, from the list of Directory Servers, select MS Entra ID, and click Next.

  4. On the next page, enter the Tenant ID, Client ID, and Client Secret you saved earlier.

  5. Enter the Imprivata admin username and password.

  6. Click Save.

  7. In the Directories page, click on the new Imprivata Domain you just added.

  8. In the Edit directory page, click Next.

  9. In the Synchronize Users > Synchronize Rules page, click Synchronize Now (at the bottom of the page).

  10. When the synchronization is complete, the Directories page will display the results for how many users have been added and enabled to Imprivata.