{"id":98,"date":"2025-03-29T17:15:57","date_gmt":"2025-03-29T17:15:57","guid":{"rendered":"https:\/\/sme-access.com\/?p=98"},"modified":"2025-04-12T22:23:18","modified_gmt":"2025-04-12T22:23:18","slug":"how-to-configure-microsoft-entra-id-with-cyberark-identity-as-an-external-authentication-method-eam","status":"publish","type":"post","link":"https:\/\/sme-access.com\/?p=98","title":{"rendered":"Adding CyberArk Identity as an External Authentication method in Entra ID"},"content":{"rendered":"\n

CyberArk has long been at the forefront of identity security, with deep expertise in Privileged Access Management (PAM). Organizations around the world rely on PAM Solutions to secure access to cloud consoles and protect their most sensitive assets. But securing the cloud is an evolving challenge\u2014one that requires a blend of traditional PAM and modern identity security strategies.<\/p>\n\n\n\n

In this post, we\u2019ll explore how to integrate CyberArk Identity as an External Authentication Method (EAM)<\/strong> to enhance security for Azure privileged accounts<\/strong> managed within CyberArk PAM (Self-Hosted or PCloud)<\/strong>. You’ll get a step-by-step guide on configuring CyberArk Identity as an Entra ID MFA provider<\/strong>, ensuring both security and a frictionless login experience.<\/p>\n\n\n\n

Create a new OIDC app with Microsoft Entra ID<\/strong><\/h2>\n\n\n\n

Go to https:\/\/portal.azure.com\/<\/a><\/p>\n\n\n\n

Navigate to “App registrations<\/strong>“<\/p>\n\n\n\n

Click “New registration<\/strong>” to create and register a new app.<\/p>\n\n\n\n

Give it a name and choose “Accounts in any organizational directory (Any Microsoft Entra ID tenant – Multitenant)<\/strong>” in the “Supported account types”<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Click Next<\/strong><\/p>\n\n\n\n

In the Authentication<\/strong> Section > Add Platform<\/strong> > Web<\/strong><\/p>\n\n\n\n

In the URL<\/strong> add:<\/p>\n\n\n\n

https:\/\/login.microsoftonline.com\/organizations\/oauth2\/v2.0\/authorize<\/strong><\/p>\n\n\n\n

https:\/\/{{tenant_id}}.id.cyberark.cloud\/OAuth2\/Authorize\/{{oidc_id}}<\/strong><\/p>\n\n\n\n

*We will define the CyberArk Identity oidc app later<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

In the Implicit grant and hybrid flows section<\/strong>, choose: ID tokens<\/strong> (used for implicit and hybrid flows)<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

In Certificates & secrets<\/strong> page create a client secret<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

NB : save the value in a secure vault like workforce password manager<\/a> before closing the window<\/em><\/strong><\/p>\n\n\n\n

In the API permissions<\/strong> click on Add a permission<\/strong>, select Microsoft Graph<\/strong> and choose Delegated permissions<\/strong> then select the following permission and click on Grant admin consent<\/strong>:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

In the Overview<\/strong> page, click on Endpoints and note : OpenID Connect metadata document<\/strong><\/p>\n\n\n\n

Create a new OIDC web app in CyberArk Identity<\/strong><\/h2>\n\n\n\n

Go to your tenant’s admin portal<\/p>\n\n\n\n

Navigate to “web apps<\/strong>” and add an OpenID Connect<\/strong> application<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

In the Settings<\/strong> page, provide an Application ID<\/strong>, Name<\/strong> and change the logo<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

In the trust page Select “Login initiated by the relying party (RP)<\/strong>” and add<\/strong> the following Authorized redirect URIs<\/strong>:<\/p>\n\n\n\n