Microsoft Entra ID (Azure AD) SSO Integration

01/22/2025

Last updated 1 month ago

Overview

You can connect your Microsoft Entra ID tenant to Cisco Identity Intelligence (CII) to enable SSO for your organization. Following this guide to set up CII as an app in your Microsoft Entra ID console lets you enable and control your organization members' access to the CII platform.

Types of SSO Integrations Available

CII supports two methods of SSO integration with Microsoft Entra ID:

  1. OIDC SSO Method - this method provides a fast and simple App Registration flow for SSO to your CII tenant. Note that full RBAC group management within the CII tenant is not supported with Entra ID OIDC.

  2. SAML SSO Method - a SAML integration with CII for sign-on provides the ability to enable full admin, help desk, and read-only roles. NOTE - the current cross-tenant integration with Duo Security and CII does NOT support in-product provisioning of SAML authentication for your CII tenant. Use the OIDC SSO Method or contact your Duo / CII representative to discuss setting up SAML authentication with Microsoft.

This article provides instructions for both methods. In many cases, a CII tenant may start with OIDC-based SSO and later migrate to SAML SSO to enable RBAC functionality, as mentioned above.

Prerequisites

To add the necessary configuration in Microsoft Entra ID you need:

  • Microsoft Entra ID - Global Administrator or Service Administrator role (see https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal)

  • Microsoft Entra ID Subscription - Owner role (see https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal-subscription-admin)

  • Microsoft Entra ID resource provider enabled. In most existing tenants this is already done; if not, see Appendix: Enable Microsoft Entra ID resource provider at the end of this article.

OIDC SSO Method

Set up and configure Oort App Registration in Microsoft Entra ID

You will need to create the app registration in your Entra ID tenant, assign the correct permissions, and add an API secret.

Add an app in your Microsoft Entra ID tenant

  1. Go to Microsoft Entra ID → App registrations

  2. Click on New registration

  3. Fill in the details for the new app:

    • Enter an app Name

    • In “Who can use this application or access this API?” select: Accounts in this organizational directory only (<tenant name> – Single tenant)

    • In “Redirect URI”:

      • Select Platform: Web

      • Enter the redirect URI for your tenant's region:

        • US production tenants: https://login.oort.io/login/callback

        • EU production tenants: https://login.eu.oort.io/login/callback

        • AU production tenants: https://login.au.oort.io/login/callback

        • JP production tenants: https://login.jp.oort.io/login/callback

        • UK production tenants: https://login.uk.oort.io/login/callback

        • Canada production tenants: https://login.ca.oort.io/login/callback

        • Singapore production tenants: https://login.sg.oort.io/login/callback

  4. Click on Register

  5. Copy the Application ID and save it for later use.

Add API Permissions

  1. Go to API Permissions under your newly created Oort Integration app

  2. Click on Add a permission

  3. Click on Microsoft Graph

  4. Click on Application Permissions

  5. Search for “Directory.Read.All”

  6. Check the box next to Directory.Read.All

  7. Search for “User.Read.All”

  8. Check the box next to User.Read.All

  9. Once both are added to the list, click Add Permissions

  10. Click on Grant admin consent for <tenant name>

  11. Click Yes to accept admin consent.

Create API secret

  1. Go to Certificates & Secrets under your Oort Integration app

  2. Click on New client secret

  3. Fill in the details for the secret and click Add

  4. Save the Secret Value:

    • Click the copy icon to copy the value and save it somewhere secure

    • Important: once you leave this page you WILL NOT be able to retrieve the value again; you will have to delete the secret and create a new one.
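The registration steps above, together with the "Assignment required" and "Visible to users" settings recommended in the Provision the Entra App to Users section, are easy to get subtly wrong (a leftover test redirect URI, a multi-tenant audience, an extra Graph permission, a secret about to expire, or an enterprise app left open to every user). The following added example, which is not Cisco's, Oort's or Microsoft's code, audits an app registration and its enterprise app against this guide. It assumes two inputs shaped like the Microsoft Graph `application` and `servicePrincipal` objects; the sample objects, the region argument, and the `HideApp` tag check are constructed or assumed here, and the two Graph permission ids are Microsoft Graph's published ids for the application permissions named above.

```python
"""Audit an Entra ID app registration and its enterprise app against this guide.

Added example (not Cisco's, Oort's or Microsoft's code). It assumes two inputs
shaped like the Microsoft Graph 'application' and 'servicePrincipal' objects;
here they are constructed inline so the script runs offline.
"""
from datetime import datetime, timedelta, timezone

# Redirect URI per CII region, as listed in the guide.
REDIRECT_URIS = {
    "us": "https://login.oort.io/login/callback",
    "eu": "https://login.eu.oort.io/login/callback",
    "au": "https://login.au.oort.io/login/callback",
    "jp": "https://login.jp.oort.io/login/callback",
    "uk": "https://login.uk.oort.io/login/callback",
    "ca": "https://login.ca.oort.io/login/callback",
    "sg": "https://login.sg.oort.io/login/callback",
}
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
# Microsoft Graph's published ids for the two application permissions the guide asks for.
EXPECTED_GRAPH_ROLES = {
    "7ab1d382-f21e-4acd-a863-ba3e13f7da61": "Directory.Read.All",
    "df021288-bdef-4463-88db-98f22de89214": "User.Read.All",
}


def discovery_url(tenant_id):
    """OIDC discovery URL for the tenant, in the form the guide gives."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration"


def _parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit(app, sp, region, now, secret_warn_days=30):
    """Return human-readable deviations from the guide (empty list = compliant)."""
    findings = []
    expected_uri = REDIRECT_URIS[region.lower()]

    # "Accounts in this organizational directory only (Single tenant)"
    if app.get("signInAudience") != "AzureADMyOrg":
        findings.append(f"signInAudience is {app.get('signInAudience')!r}; expected single tenant (AzureADMyOrg)")

    # Exactly one Web redirect URI: the one for the tenant's region
    uris = set(app.get("web", {}).get("redirectUris", []))
    if expected_uri not in uris:
        findings.append(f"missing redirect URI {expected_uri}")
    for extra in sorted(uris - {expected_uri}):
        findings.append(f"unexpected redirect URI {extra}")

    # Directory.Read.All and User.Read.All as Application permissions, nothing else
    requested = {}
    for rra in app.get("requiredResourceAccess", []):
        if rra.get("resourceAppId") != MS_GRAPH_APP_ID:
            findings.append(f"permissions requested on non-Graph resource {rra.get('resourceAppId')}")
            continue
        for ra in rra.get("resourceAccess", []):
            requested[ra["id"]] = ra.get("type")
    for role_id, name in EXPECTED_GRAPH_ROLES.items():
        if requested.get(role_id) != "Role":
            findings.append(f"missing application permission {name}")
    for role_id, kind in requested.items():
        if role_id not in EXPECTED_GRAPH_ROLES:
            findings.append(f"unexpected Graph permission {role_id} ({kind})")

    # A client secret exists and is not about to expire (expiry means creating a new one)
    secrets = app.get("passwordCredentials", [])
    if not secrets:
        findings.append("no client secret configured")
    for s in secrets:
        end = _parse_ts(s["endDateTime"])
        if end <= now:
            findings.append(f"client secret {s.get('displayName')!r} expired on {end.date()}")
        elif end - now <= timedelta(days=secret_warn_days):
            findings.append(f"client secret {s.get('displayName')!r} expires within {secret_warn_days} days ({end.date()})")

    # Enterprise app: Assignment required = Yes, Visible to users = Yes
    if not sp.get("appRoleAssignmentRequired"):
        findings.append("enterprise app 'Assignment required' is No: every user in the tenant can sign in")
    if "HideApp" in sp.get("tags", []):  # assumed: the HideApp tag is how 'Visible to users: No' is stored
        findings.append("enterprise app is hidden from My Apps ('Visible to users' is No)")
    return findings


# Constructed sample: a registration with a leftover localhost redirect, a
# secret that expires soon, and the default 'Assignment required: No'.
SAMPLE_APP = {
    "displayName": "Oort Integration",
    "signInAudience": "AzureADMyOrg",
    "web": {"redirectUris": ["https://login.oort.io/login/callback", "http://localhost:3000/callback"]},
    "requiredResourceAccess": [{
        "resourceAppId": MS_GRAPH_APP_ID,
        "resourceAccess": [
            {"id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61", "type": "Role"},
            {"id": "df021288-bdef-4463-88db-98f22de89214", "type": "Role"},
        ],
    }],
    "passwordCredentials": [{"displayName": "cii-sso", "endDateTime": "2025-02-10T00:00:00Z"}],
}
SAMPLE_SP = {"appRoleAssignmentRequired": False, "tags": ["WindowsAzureActiveDirectoryIntegratedApp"]}
SAMPLE_NOW = datetime(2025, 1, 22, tzinfo=timezone.utc)


def run_sample():
    return audit(SAMPLE_APP, SAMPLE_SP, "us", SAMPLE_NOW)


if __name__ == "__main__":
    print(discovery_url("<your-tenant-id>"))
    for finding in run_sample():
        print("FINDING:", finding)
```

Feed it the JSON you get from `GET /applications/{id}` and `GET /servicePrincipals/{id}` (or the equivalent export) and the region of your CII tenant; the constructed sample produces three findings: the extra localhost redirect, the secret expiring within 30 days, and the open assignment setting. The secret check is the same condition the Identity Intelligence Client Secret Expiring Soon check in CII is there to catch.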

Enter SSO App Information in the Duo Admin Panel

From the Entra ID overview page, copy the Tenant ID. The Entra ID OIDC Discovery URL takes the form https://login.microsoftonline.com/TENANT/v2.0/.well-known/openid-configuration, where TENANT is your Tenant ID.

If using Duo Security to provision your tenant from the Duo admin panel, continue the configuration in that console using the app ID, tenant ID, and app secret according to https://duo.com/docs/identity-security#provision-your-cisco-identity-intelligence-tenant.

IMPORTANT: Provision the Entra App to Users

We strongly recommend you do two things in the Enterprise App object that was created in parallel with the new SSO app registration:

  1. Set Assignment required to Yes (the default is No, which leaves the app open to all end users in the tenant)

  2. Set Visible to users to Yes, so that users have quick access to the CII console from their Entra ID My Apps page.

Instructions

  1. Navigate to Enterprise Applications

  2. Find the CII SSO app in the list and click it.

  3. In the app’s page, click Properties in the menu

  4. Select Yes for Assignment required and for Visible to users

  5. Click Save

  6. Navigate to the Users and groups tab of the enterprise app. Assign the individual users and/or groups that should have access (assigning groups is recommended).

SAML SSO Method

This method uses SAML, which enables the identity provider (Microsoft Entra ID) to pass group information that is used in the Role-based Access (RBAC) and Tenant Access Logs configuration for your tenant.

NOTE FOR DUO CUSTOMERS - the current cross-tenant integration with Duo Security and CII does NOT support in-product provisioning of SAML authentication for your CII tenant. Use the OIDC SSO Method or contact your Duo / CII representative to discuss setting up SAML authentication with Microsoft.

Create a New SAML SSO App

  1. Within the Microsoft Entra ID Enterprise Apps blade, click Create your own application and provide a name. Then click Create at the bottom of the slide-out.

  2. From this page, click Set up single sign on

  3. Click SAML

  4. Click the Edit button for the Basic SAML Configuration section

  5. The values entered here differ depending on the deployment location of your CII tenant (US, EU, AU, CA, UK, SG or JP). Please discuss with your Cisco technical representative to ensure the right configuration.

    • US: Identifier (Entity ID): urn:auth0:oort:<companyname>-saml; Production Reply URL: https://login.oort.io/login/callback

    • EU: Identifier (Entity ID): urn:auth0:oort-eu:<companyname>-saml; Production Reply URL: https://login.eu.oort.io/login/callback

    • AU: Identifier (Entity ID): urn:auth0:oort-au:<companyname>-saml; Production Reply URL: https://login.au.oort.io/login/callback

    • JP: Identifier (Entity ID): urn:auth0:oort-jp:<companyname>-saml; Production Reply URL: https://login.jp.oort.io/login/callback

    • UK: Identifier (Entity ID): urn:auth0:oort-uk:<companyname>-saml; Production Reply URL: https://login.uk.oort.io/login/callback

    • CA: Identifier (Entity ID): urn:auth0:oort-ca:<companyname>-saml; Production Reply URL: https://login.ca.oort.io/login/callback

    • SG: Identifier (Entity ID): urn:auth0:oort-sg:<companyname>-saml; Production Reply URL: https://login.sg.oort.io/login/callback

  6. Save the config.

  7. Click Edit for section 2 - Attributes & Claims

  8. Click Add new claim

  9. Configure the claim as follows:

    • Name: groups

    • Namespace: http://oort.io

    • In the Claim conditions section, add a row for each of the three RBAC groups that you've created for Oort roles in your Microsoft Entra ID tenant. If you haven't created them yet, do that now and populate them with the appropriate users. For each row:

      • User type: Any

      • Scoped group: select the group for this row

      • Source: Transformation

      • Transformation: IfNotEmpty()

      • Attribute name (Input): user.userprincipalname

      • Attribute name (Output): <name of the group specified for this condition, case sensitive>

  10. Click Enter and then save this configuration after adding a row for all three groups.

  11. In section 3, download the Base64 Certificate.

  12. In section 4, copy the Login URL value.

  13. Provide both the downloaded certificate and the Login URL to your Oort representative.

  14. Follow the IMPORTANT: Provision the Entra App to Users section above to assign the app to users and make it visible.

Appendix: Enable Microsoft Entra ID resource provider

Enable the AzureAD resource provider under your license.

  1. Go to Home → Subscriptions

  2. Click the relevant subscription

  3. Click Resource Providers in the menu

  4. Search for Microsoft.AzureActiveDirectory and select it.

  5. If the Status says NotRegistered, click the Register button to register the Microsoft.AzureActiveDirectory resource provider.
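For the SAML SSO Method above, the usual troubleshooting question is whether the assertion Entra ID emits actually carries the right Entity ID, Reply URL and groups claim for the tenant's region. The following added example, which is not Cisco's, Oort's or Microsoft's code, parses a constructed (unsigned) SAML Response, checks Audience, Recipient and the validity window against the guide's per-region values, and extracts the `http://oort.io/groups` claim produced by the Name/Namespace pair configured in step 9. The company name, the three group names and the group-to-role mapping are constructed stand-ins; signature verification is assumed to be done by the consuming service and is deliberately not part of this claim-configuration check.

```python
"""Check the SAML assertion an Entra ID SAML app produces for CII RBAC.

Added example (not Cisco's, Oort's or Microsoft's code). It parses a constructed
SAML Response, checks Audience, Recipient and validity window against the guide's
per-region Entity ID and Reply URL, and extracts the http://oort.io/groups claim.
Signature verification is assumed to happen in the consuming service and is not
done here: this is a claim-configuration troubleshooting aid, not an authenticator.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Per-region values from the guide; {company} stands for <companyname>.
SAML_ENDPOINTS = {
    "us": ("urn:auth0:oort:{company}-saml", "https://login.oort.io/login/callback"),
    "eu": ("urn:auth0:oort-eu:{company}-saml", "https://login.eu.oort.io/login/callback"),
    "au": ("urn:auth0:oort-au:{company}-saml", "https://login.au.oort.io/login/callback"),
    "jp": ("urn:auth0:oort-jp:{company}-saml", "https://login.jp.oort.io/login/callback"),
    "uk": ("urn:auth0:oort-uk:{company}-saml", "https://login.uk.oort.io/login/callback"),
    "ca": ("urn:auth0:oort-ca:{company}-saml", "https://login.ca.oort.io/login/callback"),
    "sg": ("urn:auth0:oort-sg:{company}-saml", "https://login.sg.oort.io/login/callback"),
}
# Claim Name "groups" under Namespace "http://oort.io" appears in the assertion as:
GROUPS_CLAIM = "http://oort.io/groups"
# Constructed group names: stand-ins for the three RBAC groups you created in Entra ID.
ROLE_BY_GROUP = {"CII-Admins": "admin", "CII-HelpDesk": "help desk", "CII-ReadOnly": "read-only"}


def expected_endpoints(region, company):
    entity_tpl, reply_url = SAML_ENDPOINTS[region.lower()]
    return entity_tpl.format(company=company), reply_url


def check_response(xml_text, region, company, now):
    """Return (problems, group_values) for the Assertion inside a SAML Response."""
    entity_id, reply_url = expected_endpoints(region, company)
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["Response contains no Assertion"], []
    problems = []
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append(f"Audience {audiences} lacks expected Entity ID {entity_id}")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != reply_url:
        problems.append(f"Recipient {recipient!r} is not the Reply URL {reply_url}")
    cond = assertion.find("saml:Conditions", NS)
    not_after = cond.get("NotOnOrAfter") if cond is not None else None
    if not_after and now >= datetime.fromisoformat(not_after.replace("Z", "+00:00")):
        problems.append(f"assertion no longer valid (NotOnOrAfter {not_after})")
    groups = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == GROUPS_CLAIM:
            # IfNotEmpty() emits the group name only for rows whose scoped group matched.
            groups += [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                       if v.text and v.text.strip()]
    if not groups:
        problems.append(f"no {GROUPS_CLAIM} values: user is in none of the RBAC groups, "
                        "or the claim is not configured")
    return problems, groups


def resolve_roles(groups):
    """Map group names to CII roles; the match is case sensitive, as the guide warns."""
    return [ROLE_BY_GROUP[g] for g in groups if g in ROLE_BY_GROUP]


# Constructed, unsigned sample for an EU tenant of company "acme". The second
# group value has the wrong case and therefore maps to no role.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID>jdoe@acme.example</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://login.eu.oort.io/login/callback"
            NotOnOrAfter="2025-01-22T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2025-01-22T11:55:00Z" NotOnOrAfter="2025-01-22T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>urn:auth0:oort-eu:acme-saml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://oort.io/groups">
        <saml:AttributeValue>CII-HelpDesk</saml:AttributeValue>
        <saml:AttributeValue>cii-admins</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_NOW = datetime(2025, 1, 22, 12, 0, tzinfo=timezone.utc)


def run_sample(region="eu"):
    problems, groups = check_response(SAMPLE_RESPONSE, region, "acme", SAMPLE_NOW)
    return problems, groups, resolve_roles(groups)


if __name__ == "__main__":
    print(run_sample())
    print(run_sample("us"))
```

Run it against an assertion captured from a test sign-in (the "Test" button on the SAML app, or a browser SAML trace) with your region and company name: a clean result lists only the groups the user belongs to, and the case-sensitivity of the Output attribute shows up immediately as a group value that resolves to no role. Checking the same assertion against a different region, as the second call does, produces the Audience and Recipient mismatches you would see if the wrong Entity ID or Reply URL were entered in step 5.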