Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Integrate Microsoft Entra ID as an Identity Provider

To integrate Microsoft Entra ID with Juniper Mist, create an app registration in the Entra ID portal and then add it as an Identity Provider in your Juniper Mist organization.

About Microsoft Entra ID Integrations

Microsoft Entra ID is an identity and access management solution. It was formerly known as Azure AD and Azure Active Directory. With Juniper Mist Access Assurance, you can integrate an authentication service into Entra ID by using OAuth to perform:

  • User authentication with Extensible Authentication Protocol–Tunneled TLS (EAP-TTLS)
    • Performs delegated authentication, that is, checks username and password by using OAuth.
    • Retrieves user group membership information to support authentication policies that are based on this user identity.
    • Gets the status—active or suspended—of an user account.
  • User Authorization with Extensible Authentication Protocol–Transport Layer Security (EAP-TLS) and EAP-TTLS
    • Retrieves user group membership information to support authentication policies that are based on this user identity.
    • Gets the status—active or suspended—of an user account

  • EAP-TTLS with Password Authentication Protocol (PAP)

    • Performs delegated authentication, that is, checks username and password by using OAuth or Resource Owner Password Credentials (ROPC).
    • Retrieves user group membership information to support authentication policies that are based on this user identity.
    • Gets the status—active or suspended—of an user account

Preparations in the Entra ID Portal

Before you can integrate Entra ID with Juniper Mist, you need to create an app registration in your Microsoft Entra admin center for Juniper Mist Access Assurance connector. Use the following tips to configure your app registration with the appropriate settings.

Note:

As an Entra ID admin, refer to Entra ID resources if you need step-by-step help. For example, consider using this Entra ID help topic: https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app. (This link is provided as a suggestion only. Search and browse through your Entra ID documentation as needed.)

Tips for Your Microsoft Entra App Registration

  • Use an Entra ID admin account with at least the Application Developer role.

  • Name—Give your registration a descriptive name that you can later incorporate into the IdP name in your Juniper Mist organization.
  • Supported Account Type—Select Accounts in this organizational directory only (Default Directory only - Single tenant).

  • In the Overview section of your app registration, under Client credentials, add a secret. Copy the Value to use later in this procedure. Be sure to copy the value immediately after creating the secret because it appears on screen only at this time.

  • In the Authentication section of your app registration, and select Yes to Allow public client flows.

  • In the API permissions section of your app registation, under Microsoft Graph, add the permissions below. These settings give your application the required access permissions to use Microsoft Graph API to fetch information about users.

    • Device.Read.All—Set the type to Application, and Grant admin consent for this tenant.
    • Group.Read.All—Set the type to Application, and Grant admin consent for this tenant.
    • User.Read—Set the type to Delegated, and Grant admin consent for this tenant.
    • User.Read.All—Set the type to Application, and Grant admin consent for this tenant.

  • Make sure that you have the following information:

    • Application (Client) ID from the Overview section of your app registration
    • Directory (Tenant) ID from the Overview section of your app registration

    • Value for the client secret that you added to the Client Credentials

Add Your Entra ID App Registration as an Identity Provider in Juniper Mist

Before You Begin

You must have an Juniper Mist admin account with the Super User role.

You'll need the following information from the Entra ID portal:

  • Application (Client) ID from the Overview section of your app registration
  • Directory (Tenant) ID from the Overview section of your app registration

  • Value of the client secret that you added to the Client Credentials

To add your Entra ID app registration as an Identity Provider in Juniper Mist:

  1. From the left menu of the Juniper Mist portal, select Organization> Access > Identity Providers.

    The Identity Providers page displays any configured identity providers.

  2. Click Add IDP, near the top-right corner of the page.
  3. On the New Identity Provider page, enter the following settings.
    Table 1: Juniper Mist IdP Settings for an Entra ID Integration
    Field Description
    Name Enter a descriptive name to identify this IdP. You might find it helpful to incorporate the words Entra ID and the name that you used as the name of the app registration in the Entra ID portal. Example: EntraID-MyMistApp
    IDP Type Select OAuth.
    OAuth Type Select Azure.
    OAuth Tenant ID Enter the directory (tenant) ID that you copied from the Entra ID portal.
    Domain Names Enter the domain name, that is, the user's username (For example: username@domain.com). The domain name field examines incoming authentication requests, identifying the respective username and associated domain. A connector uses the domain name that you set up to identify the tenant that the connector needs to communicate with.
    Default IDP Select this option to get machine group memberships.
    OAuth Client Credential (CC) Client id Enter the Application (Client) ID that you copied from the Entra ID portal.
    OAuth Client Credential (CC) Client secret Enter Value of the client secret that you copied from the Entra ID portal.
    OAuth Resource Owner Password Credential (ROPC) Client id Enter the Application (Client) ID that you copied from the Entra ID portal.
  4. Click Create at the top-right corner of the New Identity Provider page.
After setting up a new integration, you should make some test connections and verify that everything is working as expected. See Verify a New Integration.

EAP-TTLS Authentication with Azure AD and ROPC

EAP-TTLS leverages Resource Owner Password Credentials (ROPC) OAuth flow with Azure AD to authenticate users and retrieve user group information. You must consider several factors when you use a legacy authentication such as ROPC flow, which verifies only user name and password and skips multi-factor authentication (MFA).

  • You must configure the client devices with the correct wireless profile, either by using mobile device management (MDM) or a Group Policy Object (GPO). If you provide only user name and password at the login prompt, legacy authentication fails to work for some operating systems.
  • The username that a user enters must be in the User Principal Name (UPN) format (username@domain).
  • You must configure clients to trust the server certificate.
  • Users must log in at least once to the Azure portal before attempting access using ROPC authentication. This step is important to test user accounts.
  • The Azure portal must store user passwords either in full cloud accounts, or in a local AD where password synchronization is enabled with Azure AD Connect. Federated Authentication users are not supported.
  • You must disable MFA for users who select ROPC authentication. One way to achieve MFA bypass for EAP-TTLS is to mark Mist Access Assurance Source IP addresses as trusted locations using following procedure:
    1. In the Microsoft Entra portal, go to Protection > Conditional Access > Named locations and select New location.
    2. In the New location (IP ranges), enter the details.
      Figure 1: Bypass MFA for Sign in from a Trusted IP Address Range Bypass MFA for Sign in from a Trusted IP Address Range
    3. Enter a name for the location.
    4. Select Mark as trusted location.
    5. Enter the IP range for Juniper Mist Access Assurance IP addresses.
    6. Click Create.
    7. In the Conditional Access MFA policy, refer the trusted IP sources as exclusion criteria.
      Figure 2: Exclude Named Location from Access Policy Exclude Named Location from Access Policy