Microsoft Entra ID (formerly Azure AD) (Enterprise Application)

You can enable users to log in using a Microsoft Entra ID (formerly Azure AD) account, either from your computer or from the external directory.

Registering Application through the Microsoft Azure Portal

In the What's the name of your app filed, enter a name for your application.

Note - Do not change the default setting.

Browse to App registrations, locate and select your application.
Click Manage > Authentication > Add a platform.

The Configure platforms window appears.
Select Web.
In the Redirect URI (Optional) field, select Web from the type of application list and enter the relevant URI where the access token is sent to:
- For US data residency - https://<workspace>.perimeter81.com
- For EU data residency - https://<workspace>.eu.sase.checkpoint.com
Click Configure.
In the Redirect URIs section, enter:
- For US data residency - https://auth.perimeter81.com/login/callback
- For EU data residency - https://auth.eu.sase.checkpoint.com/login/callback
In the Front-channel logout URL section, enter https://{{WORKSPACE}}.perimeter.com where {{WORKSPACE}} refers to your Harmony SASE workspace name.
To allow access from external organizations, in the Supported account types section, select Accounts in any organizational directory (Any Azure AD directory - Multitenant).
Click Save.

To configure the permissions for the application:

Log in to your Microsoft Azure Portal.
Click Identity > Applications > App registrations > All applications.
Select your application.
Click Overview > Manage > API Permissions.
Click Add a permission.

The Request API permissions page appears.
Click Microsoft APIs and select Microsoft Graph from the list of available APIs to change the access level.
Click Delegated permissions.
Select the User.Read and Directory.Read.All checkbox to modify the permissions so your application can read the directory..
Click Add permissions > Configured permissions > Grant admin consent for approval of your app API permissions.
Click Yes.

Your application gets the granted permissions.
To enable user group support, enable:
1. Application Permissions: Read directory data.
2. Delegated permissions: Access the directory as the signed in user.
Click Save to save the changes.
To remove the Windows Azure Active Directory API permission, see Appendix A - Removing Microsoft Entra ID (formerly Azure AD) API Permissions.

To get the secret value of the key, go to the Client secrets tab and copy the secret Value.

This value is the Client Secret in Harmony SASE Admin console. .

Note - The Secret value of the key need to be copied before you close the screen. If not, you need to create a new key.

Access the Harmony SASE Administrator Portal and click Settings > Identity Providers.

The Identity Providers page appears.
Click Add Provider.

The Add identity provider window appears.
Select Microsoft Azure AD.
Click Continue.

The Microsoft Azure AD page appears.
In the Microsoft Azure AD Domain field, enter the domain name.
In the Domain Aliases field, enter the email ID(s) separated by commas or spaces.
In the Client ID field, enter the Application (client) ID in Microsoft Azure AD:
1. Log in to your Microsoft Azure Portal.
2. Go to Identity > Applications > App registrations > All applications.
3. Browse to App registrations, locate and select your application.
4. Go to Overview > Application (client) ID.
5. Copy the Application (cient) ID value.
In the Client Secret field, enter the secret value. See step 9 in Configuring the Key.
In the Azure AD Edition, select either:
1. PI
2. P2
Click Done.

Search and select the user(s) or group(s) you want to add to the application.

Note - Special characters are not supported in groups.