Fortanix Key Insight - Azure Configuration For Microsoft Entra ID as Open ID Connect Identity Provider

1.0 Introduction

The purpose of this article is to outline the necessary steps for configuring the connection between Fortanix Key Insight on Azure and Microsoft Entra ID as an Open ID Connect (OIDC) identity provider (IdP).

Federated authentication in Azure refers to the process of enabling users to access Azure resources using their existing credentials from an external identity provider (IdP), such as PingOne, Microsoft Entra ID, and so on.

Configuring Microsoft Entra ID as an Open ID Connect IdP in Azure involves the following steps:

  1. Register a client application with Microsoft Entra ID.

  2. Configure the redirect Uniform Resource Locator (URL) on the client application.

  3. Gather the Client ID, a unique identifier for your registered application.

  4. Gather the OpenID configuration document (well-known) URI specific to your IdP tenant or account.

  5. Provide permissions to your Azure application to scan resources.

2.0 Register a Client Application with Microsoft Entra ID

Perform the following steps to register a client application with Microsoft Entra ID:

  1. Set up an OIDC web application in Microsoft Entra ID.

    1. Navigate to the Azure portal and search for Microsoft Entra ID.

    2. Select App registrations under Manage in the left navigation menu on the Microsoft Entra ID page.

      NOTE

      You can also directly search for App registrations in the Microsoft Azure search bar.

    3. Click New registration.

    4. On the Register an application page, configure the following fields and click Register to register an application:

      • Name: The user-facing display name for this application. For example, key-insight-app.

      • Supported account type: Select Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant).

      • Redirect URI: This is optional.

      Figure 1: Register the New Application

    For more details, refer to Quickstart: Register an Application with the Microsoft Identity Platform.

  2. Configure the platform settings using the following:

    1. In Microsoft Entra ID, under App registrations, select your application.

    2. In your application, select Manage → Authentication.

    3. On the Authentication page, under Platform configurations, click Add a platform.

    4. On the Add a Platform page, under Configure platforms, add Single-page application and configure it as follows:

    Figure 2: Configure Authentication

    NOTE

    Do not create client secrets or configure certificates during your application registration.

  3. Configure API permissions for OIDC using the following steps:

    1. In Microsoft Entra ID, under App registrations, select your application.

    2. In your application, select Manage → API permissions.

    3. Under Delegated permissions, select the OpenId permissions: openid, email, profile, and offline_access.

3.0 Configure the Redirect URL on the Client Application

The redirect URL is the address to which Microsoft Entra ID forwards the OIDC response after authentication.

Following is the redirect URL for Azure Microsoft Entra ID IdP:

https://armor.fortanix.com/system/discovery/oauth/callback

For more details, refer to Add a Redirect URI.

4.0 Gather the Client ID

A client ID is a unique identifier for the registered client application. It allows you to validate the security tokens you receive from the IdP.

To retrieve the client ID:

  1. In Microsoft Entra ID, under App registrations, select your application.

  2. In your application, select the Overview page.

  3. Copy the Application (client) ID from the Overview page.

For more details, refer to Obtain Client ID.

NOTE

Make sure to copy and save the Directory (tenant) ID and Application (client) ID values; they are required during the Azure cloud connection setup in Fortanix Key Insight.

5.0 Gather the OpenID Configuration Document (Well-Known) URL

An OpenID Connect (OIDC) provider publishes a standard well-known URL that your client application can use to discover the provider's configuration (issuer, endpoints, signing keys, supported scopes) dynamically.

This URL is specific to your IdP tenant or account.

To retrieve this value, copy the OpenID Connect metadata document value from the Endpoints section of the registered application.

Figure 3: Obtain Well-Known URL

NOTE

Make sure to record the well-known URL value; it is required for the identity provider configuration when setting up the Azure cloud connection in the Fortanix Key Insight user interface (UI).
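The following added example (not Fortanix or Microsoft code) ties sections 4.0 and 5.0 together: it builds the tenant-specific well-known URL, sanity-checks a discovery document against the expected tenant issuer and the four OpenId scopes requested in section 2.0, and checks the iss/aud/exp claims of an ID token against the discovery issuer and the client ID. The tenant ID, client ID and the abridged discovery document are constructed placeholders.

```python
import json
import time

# Constructed placeholder identifiers (not real tenant or application IDs).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
REQUIRED_SCOPES = {"openid", "email", "profile", "offline_access"}

# Tenant-specific v2.0 well-known URL, i.e. the "OpenID Connect metadata document"
# value shown in the registered application's Endpoints pane.
WELL_KNOWN_URL = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0/.well-known/openid-configuration"

# Constructed, abridged copy of what that URL returns (fetch the real one over HTTPS).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
})


def check_discovery(doc_json: str, tenant_id: str) -> list:
    """Return the list of problems found; an empty list means the document is usable."""
    doc = json.loads(doc_json)
    problems = []
    # For a multitenant registration, pin the issuer to your own tenant; a document
    # from another tenant must not be accepted.
    if doc.get("issuer") != f"https://login.microsoftonline.com/{tenant_id}/v2.0":
        problems.append(f"issuer is not the expected tenant issuer: {doc.get('issuer')!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append(f"required scopes not advertised: {sorted(missing)}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    return problems


def check_id_token_claims(claims: dict, issuer: str, client_id: str, now=None) -> list:
    """Check iss/aud/exp of ID-token claims whose signature was already verified against jwks_uri."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss does not match the discovery document issuer")
    if claims.get("aud") != client_id:  # the ID token must be addressed to this registration
        problems.append("aud is not this application's client ID")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token expired or exp missing")
    return problems
```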

6.0 Provide Permissions to your Azure Application to Scan Resources

Applications are authorized to call APIs when they are granted permissions by users or administrators (admins) as part of the consent process.

Ensure you have added the following permissions to your application to scan Azure resources on Fortanix Key Insight:

Figure 4: Configure Permissions

NOTE

The user_impersonation permissions may require user or admin consent based on the tenant's application consent policies. If admin consent is necessary, obtain admin consent for these permissions following your organization's security or IT policy before configuring federated authentication in Fortanix Key Insight.

For more details, refer to Overview of permissions and consent in the Microsoft identity platform.