Microsoft Entra ID Setup — Cloud Only

Enterprise Access Management supports enterprises with all users and devices joined to Microsoft Entra ID.

Figure: Entra only support

NOTE:

Enterprise Access Management also supports Entra ID Hybrid-Domain Joined Devices.

Entra ID Administrator Requirements

Your Entra ID administrator account must be created within Entra ID, not imported or migrated into Entra ID.

You must exclude the Enterprise Access Management app from your MFA conditional access policies for this feature. This requirement is due to a Microsoft blocker.

The Entra ID administrator username and password must be entered in UPN format.

BEST PRACTICE:

Create the Entra ID administrator account with the User Administrator role.

Register EAM, Add Secret

  1. Log into https://entra.microsoft.com/ with a user that has administrator privileges.

  2. Go to Microsoft Entra ID > App registrations.

  3. Click New registration.

  4. On the Register an application page:

    • Provide a user-facing display name for this application: for example, Imprivata, EAM or EAMTest.

    • Who can use this application or access this API? — leave the default selection Accounts in this organizational directory only

    • Redirect URI where the authentication response is returned after successful authentication — select Web and provide any value

  5. Click Register.

  6. On your new app registration page > Overview > Client credentials, click Add a certificate or secret.

  7. On the Add a secret page, add a secret that the application will use to prove its identity when requesting a token. Save this secret outside of this application.

    IMPORTANT:

    Save this secret securely outside of this application, because after leaving this page, the value will be masked. Imprivata recommends using a very complex secret and a Privileged Access Management system, for example, Imprivata Privileged Access Management, to manage this secret. Microsoft recommends changing this secret every 180 days.

API Permissions

  1. On your new app registration page > Manage > API permissions, click Add a permission > Microsoft Graph.

  2. Click Application permissions — your application runs as a background service or daemon without a signed-in user.

  3. Select a permission from the list, and click Add permissions. After it appears in the list of added permissions, grant admin consent.

  4. Add all of the following permissions. Note that some are Delegated permissions, and the remainder are Application permissions.

API name                                Type         Description                                    Admin consent required
Device.Read.All                         Application  Read all devices                               Yes
Directory.AccessAsUser.All              Delegated    Access directory as the signed-in user         Yes
Domain.Read.All                         Application  Read domains                                   Yes
Group.Read.All                          Application  Read all groups                                Yes
User.Read.All                           Application  Read all users' full profiles                  Yes
User.ReadWrite                          Delegated    Read and write access to user profile          No
User.ReadWrite.All                      Delegated    Read and write all users' full profiles        Yes
UserAuthenticationMethod.ReadWrite.All  Delegated    Read and write all users' authentication methods  Yes
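The following script is an added example, not Imprivata's or Microsoft's code. It audits the app registration built in the two sections above (the secret from "Register EAM, Add Secret" and the permission table from "API Permissions") offline: it takes the JSON shapes Microsoft Graph returns for an application object (requiredResourceAccess, passwordCredentials) and for the Microsoft Graph service principal (appRoles, oauth2PermissionScopes), resolves permission GUIDs to names, and reports permissions that are missing, granted with the wrong type, or not in the table at all, plus secrets that have expired or were created with a lifetime longer than the 180-day rotation interval. The only real identifier is the Microsoft Graph appId; every other GUID, both sample objects and the deliberate mistakes in them are constructed for the demonstration.

```python
from datetime import datetime, timedelta, timezone

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # real, well-known appId of Microsoft Graph
MAX_SECRET_LIFETIME = timedelta(days=180)  # rotation interval the page cites

# Permission table from the page: name -> required permission type.
REQUIRED = {
    "Device.Read.All": "Application",
    "Directory.AccessAsUser.All": "Delegated",
    "Domain.Read.All": "Application",
    "Group.Read.All": "Application",
    "User.Read.All": "Application",
    "User.ReadWrite": "Delegated",
    "User.ReadWrite.All": "Delegated",
    "UserAuthenticationMethod.ReadWrite.All": "Delegated",
}

# Constructed stand-in for the Microsoft Graph service principal's catalogue
# (GET /servicePrincipals?$filter=appId eq '...'); all ids are placeholders.
GRAPH_SP = {
    "appRoles": [  # Application permissions, referenced as type "Role"
        {"id": "aaaaaaaa-0000-0000-0000-000000000001", "value": "Device.Read.All"},
        {"id": "aaaaaaaa-0000-0000-0000-000000000002", "value": "Domain.Read.All"},
        {"id": "aaaaaaaa-0000-0000-0000-000000000003", "value": "Group.Read.All"},
        {"id": "aaaaaaaa-0000-0000-0000-000000000004", "value": "User.Read.All"},
        {"id": "aaaaaaaa-0000-0000-0000-000000000005", "value": "User.ReadWrite.All"},
        {"id": "aaaaaaaa-0000-0000-0000-000000000006", "value": "Directory.ReadWrite.All"},
    ],
    "oauth2PermissionScopes": [  # Delegated permissions, referenced as type "Scope"
        {"id": "bbbbbbbb-0000-0000-0000-000000000001", "value": "Directory.AccessAsUser.All"},
        {"id": "bbbbbbbb-0000-0000-0000-000000000002", "value": "User.ReadWrite"},
        {"id": "bbbbbbbb-0000-0000-0000-000000000003", "value": "User.ReadWrite.All"},
        {"id": "bbbbbbbb-0000-0000-0000-000000000004", "value": "UserAuthenticationMethod.ReadWrite.All"},
    ],
}

# Constructed application object with deliberate mistakes: Domain.Read.All missing,
# User.ReadWrite.All added as Application instead of Delegated, an unneeded
# Directory.ReadWrite.All, one expired secret and one with a two-year lifetime.
APP = {
    "requiredResourceAccess": [{
        "resourceAppId": GRAPH_APP_ID,
        "resourceAccess": [
            {"id": "aaaaaaaa-0000-0000-0000-000000000001", "type": "Role"},
            {"id": "aaaaaaaa-0000-0000-0000-000000000003", "type": "Role"},
            {"id": "aaaaaaaa-0000-0000-0000-000000000004", "type": "Role"},
            {"id": "aaaaaaaa-0000-0000-0000-000000000005", "type": "Role"},
            {"id": "aaaaaaaa-0000-0000-0000-000000000006", "type": "Role"},
            {"id": "bbbbbbbb-0000-0000-0000-000000000001", "type": "Scope"},
            {"id": "bbbbbbbb-0000-0000-0000-000000000002", "type": "Scope"},
            {"id": "bbbbbbbb-0000-0000-0000-000000000004", "type": "Scope"},
        ],
    }],
    "passwordCredentials": [  # keyId omitted for brevity; Graph also returns it
        {"displayName": "eam-2025-03", "startDateTime": "2025-03-01T00:00:00Z", "endDateTime": "2025-08-28T00:00:00Z"},
        {"displayName": "eam-2024-01", "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2025-01-01T00:00:00Z"},
        {"displayName": "portal-default", "startDateTime": "2025-01-01T00:00:00Z", "endDateTime": "2027-01-01T00:00:00Z"},
    ],
}

def resolve_permissions(app, graph_sp):
    """Map the app's Graph permission GUIDs to {name: 'Application' | 'Delegated'}."""
    roles = {r["id"]: r["value"] for r in graph_sp["appRoles"]}
    scopes = {s["id"]: s["value"] for s in graph_sp["oauth2PermissionScopes"]}
    found = {}
    for resource in app.get("requiredResourceAccess", []):
        if resource["resourceAppId"] != GRAPH_APP_ID:
            continue  # only Microsoft Graph permissions are in scope here
        for access in resource["resourceAccess"]:
            if access["type"] == "Role":
                found[roles.get(access["id"], access["id"])] = "Application"
            elif access["type"] == "Scope":
                found[scopes.get(access["id"], access["id"])] = "Delegated"
    return found

def check_permissions(found):
    """Compare resolved permissions with REQUIRED; 'extra' flags over-privilege."""
    return {
        "missing": sorted(n for n in REQUIRED if n not in found),
        "wrong_type": sorted(n for n in REQUIRED if n in found and found[n] != REQUIRED[n]),
        "extra": sorted(n for n in found if n not in REQUIRED),
    }

def check_secrets(app, now):
    """Flag expired secrets and secrets whose lifetime exceeds MAX_SECRET_LIFETIME."""
    findings = []
    for cred in app.get("passwordCredentials", []):
        start = datetime.fromisoformat(cred["startDateTime"].replace("Z", "+00:00"))
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        label = cred.get("displayName") or cred.get("keyId", "<unnamed>")
        if end <= now:
            findings.append(f"{label}: expired on {end.date()}; remove it")
        elif end - start > MAX_SECRET_LIFETIME:
            findings.append(f"{label}: {(end - start).days}-day lifetime exceeds 180 days")
    return findings

if __name__ == "__main__":
    print(check_permissions(resolve_permissions(APP, GRAPH_SP)))
    print(check_secrets(APP, datetime.now(timezone.utc)))
```

To run this against a live tenant, replace GRAPH_SP and APP with the responses of the two Graph GET requests named in the comments; the type check matters because the portal lets you add the same permission name under either tab, and an Application grant where the page calls for Delegated gives the daemon broader standing access than the integration needs.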

Before Closing Entra ID

When adding your Microsoft Entra ID directory in the Imprivata Admin Console, you will need the Tenant ID, Client ID, Client Secret, and the administrator account's credentials. On your new app registration page > Overview, copy these values for later.

Adding Entra ID to Imprivata

  1. In the Imprivata Admin Console, go to Users > Directories.

  2. In the Directories page, click Add.

  3. In the Add New Imprivata Domain wizard, from the list of Directory Servers, select MS Entra ID, and click Next.

  4. On the next page, enter the Tenant ID, Client ID, and Client Secret you saved earlier.

  5. Enter the Imprivata admin username and password.

  6. Click Save.

  7. In the Directories page, click on the new Imprivata Domain you just added.

  8. In the Edit directory page, click Next.

  9. In the Synchronize Users > Synchronize Rules page, click Synchronize Now (at the bottom of the page).

  10. When the synchronization is complete, the Directories page displays how many users have been added to Imprivata and enabled.