Microsoft Entra ID

Overview

Integrating IPI Server with Microsoft Entra ID allows organizations to automate user management, enable secure Single Sign-On (SSO), and perform remote password rotation. This integration improves security and reduces administrative overhead.

Key benefits:

  • User Import: Automatically sync users from Microsoft Entra ID into IPI Server based on group membership.

  • SSO Enablement: Users can log in to Windows workstations via IPI Keys or mobile apps using Entra ID credentials — without entering passwords.

  • Password Management: Passwords of selected users can be automatically rotated in Entra ID. This requires that users belong to a specific group and have a IPI Key assigned.

Use Case

  1. The administrator creates user groups in Entra ID and adds target users who will later be imported to IPI Server.

  2. An application is registered in Entra ID to establish a connection with IPI Server.

  3. API permissions are granted to allow user import and password management.

  4. The administrator configures integration settings on the IPI Server side and synchronizes users.

  5. An invite is sent to users via email.

  6. Each user opens the invite and selects a preferred sign-in method.

  7. The user can then authenticate into integrated web services via SSO and log in to Windows PCs. This allows seamless access to both web applications and Windows workstations with a unified, passwordless experience.

There are two available integration modes:

  1. User import only — synchronizing Entra ID users to IPI Server for authentication and SSO.

  2. User import with automatic password rotation — IPI Server periodically updates Entra ID passwords for selected users.

    • This scenario requires using a IPI Key.

    • After the import and password change:

      • The user’s password is updated in their Entra ID account.

      • A corresponding user account is automatically created in IPI Server with the new password.

      • This account and its password are automatically copied to the IPI Key once it’s connected to the user's workstation.

Note: If you plan to use only the IPI Key for proximity-based PC lock/unlock without accessing web services via SSO, enabling SSO is not required.

Prerequisites

Before starting integration, ensure the following:

  • Admin access to both Microsoft Entra ID and IPI Server.

  • An active Microsoft Entra ID tenant.

  • Permission to register applications in Entra ID.

  • IPI Server is accessible over HTTPS.

Step 1: Prepare Microsoft Entra ID Groups

To control user synchronization and password management, create the following groups in Microsoft Entra ID:

  1. IPI Users Sync Add to this group all users who should be imported into IPI Server.

  2. IPI Key Auto Password Change (optional) Add to this group users whose passwords should be automatically rotated via IPI Server using the IPI Key. These users must also be members of IPI Users Sync.

Step 2: Register an Application in Microsoft Entra ID

  1. Log in to the Microsoft Entra admin portal.

  2. Navigate to Azure Active Directory → App registrations.

  3. Click New registration and fill out the form:

    • Name: IPI Server Integration

    • Supported account types: Single tenant

    • Redirect URI (optional): Leave empty or set later

  4. Click Register.

  5. On the app’s Overview page, copy:

    • Application (Client) ID

    • Directory (Tenant) ID

Step 3: Generate a Client Secret

  1. In the app registration, go to Certificates & secrets.

  2. Click New client secret → set a description and expiration.

  3. Click Add.

  4. Copy the generated value from the Value column — this is your Client Secret.

Step 4: Assign API Permissions

  1. Go to API permissions → Add a permissionMicrosoft Graph.

  2. Choose Application permissions.

  1. Add the following permissions:

For user import:

  • User.Read.All

  • Group.Read.All

  • Domain.Read.All &#xNAN;(or use Directory.Read.All as a more general alternative)

For password management:

  • User.ReadWrite.All

  • User-PasswordProfile.ReadWrite.All

These permissions allow IPI Server to change passwords directly in Microsoft Entra ID accounts. Passwords will be updated automatically based on the interval specified in Auto Password Change (days) in IPI Server.

  1. Click Grant admin consent to apply all permissions.

Step 5: Configure Integration on the IPI Server Side

  1. Log in to the IPI Server admin panel.

  2. Go to Settings → Parameters and click Add Domain Settings.

  3. Select the Azure Active Directory option.

  4. Fill in the form with the values from previous steps:

    • Domain – your Microsoft Entra domain (e.g., yourcompany.onmicrosoft.com)

    • Application ID – Client ID from app registration

    • Client Secret – value from Step 3

    • Tenant ID – Directory ID

    • Auto Password Change (days) – e.g., 28 (optional)

    • Behavior when removing a user from a sync group:

      • Keep – The user remains on the IPI Server after being removed from the synchronization group. SSO login and PC unlock remain available.

        Deactivate – The user is deactivated but not deleted. SSO login is disabled, while PC unlock remains available. Reactivation must be done manually by an administrator.

        Delete – The user is permanently removed from the IPI Server. Both SSO login and PC unlock become unavailable.

  5. Click Save.

Note: After saving, login credentials will be hidden for security reasons.

Step 6: Enable SSO on IPI Server for Imported Users

You can enable SSO for all imported users from Entra ID at once during the import process, or leave the setting disabled and activate SSO individually for specific users in their profile.

To enable SSO behavior for all users imported from Entra ID:

  1. Navigate to Settings → Parameters → Active Directory, choose your Entra ID integration, then open Default Single Sign-On Settings.

  2. Click Edit.

  1. Enable the SSO option and choose the appropriate login method:

  • Passwordless login via the IPI Authenticator app, IPI Key, or passkey.

  • Login with username and password plus a second factor (IPI Authenticator app, IPI Key, passkey, or OTP).

This allows users to:

  • Sign in to IPI Server with their Entra ID credentials.

  • Access third-party services via IPI Server using standard SSO protocols (SAML, OIDC, WS-Fed).

  • Unlock their workstations using passwordless methods via the IPI Authenticator app.

Note: In this section, you can also download the certificate required for configuring Workstation Passwordless Logon Settings, which are necessary for enabling passwordless Windows PC login on machines joined to Entra ID.

More details about passwordless Windows PC login are available at the following link: Learn more.

Step 7: Import Users into IPI Server

  1. Navigate to Users → Import from AD.

  2. IPI Server will retrieve and list users from the IPI Users Sync group in Entra ID.

  3. Select and import the desired users into the server.

Notes

  • Password rotation will only apply to users in the IPI Key Auto Password Change group.

  • For hybrid infrastructure, enable Microsoft Entra password writeback.

  • For Linux environments, ensure that the server is joined to the Active Directory domain.

  • Removing Entra ID credentials from IPI Server will disable all sync functionality.

  • Multiple domains can be added — each is managed independently.

PreviousConfiguration OIDC (OpenID Connect)NextImport and Sync Users from Entra ID

Last updated