# Hideez Server as an External Authentication Method for Microsoft Entra ID via OIDC

## **Configure OIDC for Entra ID** <a href="#configure-oidc-for-entra-id" id="configure-oidc-for-entra-id"></a>

{% hint style="info" %}
This guide provides step-by-step instructions to configure **Hideez Identity Cloud** as an **External Authentication Method (EAM)** for **Microsoft Entra ID** using **OIDC (OpenID Connect)**. This setup facilitates seamless external authentication and ensures secure user login through an additional **MFA (Multifactor Authentication)** step.

#### **Important Notes** <a href="#important-notes" id="important-notes"></a>

* **Hideez Server** as an **External Authentication Method (EAM)** does not enable direct login to **Microsoft Entra ID**. It serves solely as an additional **MFA verification method**.
* This functionality is **only supported for standard user accounts**. Using Hideez Identity Cloud as an EAM **is not possible for administrator accounts**.
* To enable this feature, an **Entra ID P1 license** is required.
{% endhint %}

<figure><img src="/files/ujZjhn2O903H8529IdQR" alt=""><figcaption></figcaption></figure>

{% hint style="success" %}
**Additional Resources**

For further setup guidance, refer to the following articles:

* [**Validating tokens issued by Microsoft Entra ID**](https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-external-method-provider#validating-tokens-issued-by-microsoft-entra-id)
{% endhint %}

## **Step 1: Register the App in Microsoft Entra** <a href="#step-1-register-the-app-in-microsoft-entra" id="step-1-register-the-app-in-microsoft-entra"></a>

1. Log in to the [**Microsoft Entra Admin Center**](https://entra.microsoft.com/).
2. Navigate to **Identity → Applications → App Registrations**.
3. Click **+ New registration**.

<figure><img src="https://support-cloud.hideez.com/~gitbook/image?url=https%3A%2F%2F1530474135-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F5ugbBHkpcN7qTDyuUyg8%252Fuploads%252FIybkv1RLzuQpGWc34OkO%252Fimage.png%3Falt%3Dmedia%26token%3Dbb667f68-5f8a-4ec3-a568-2d1100bb98de&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=d53d6a65&#x26;sv=2" alt=""><figcaption></figcaption></figure>

4. Define a name for the app.
5. Set **Supported account type** to:
   * *Accounts in any organizational directory (Any Entra ID directory - Multitenant)*.
6. Under the **Redirect URI** section:
   * Select **Web platform**.
   * Enter: `https://<hideez server name>/connect/authorize`
     * Example: `https://dev.hideez.com/connect/authorize`
7. Click **Register**.

<figure><img src="/files/qly6YfYjdbqKXtU0qEli" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
After registering, note the **Application ID** shown in the **Essentials** section. You will need it in Step 2 to configure the EAM integration in **Hideez Enterprise Server**.
{% endhint %}

<figure><img src="https://support-cloud.hideez.com/~gitbook/image?url=https%3A%2F%2F1530474135-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F5ugbBHkpcN7qTDyuUyg8%252Fuploads%252FzwQZgKshwnT7aT9Jc9k1%252Fimage.png%3Falt%3Dmedia%26token%3Deb1bf832-ae7a-48ac-b006-e4aef16a817f&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=3af6cca3&#x26;sv=2" alt=""><figcaption></figcaption></figure>

## **Step 2: Configure Integration in Hideez Enterprise Server** <a href="#step-2-configure-integration-in-hideez-cloud" id="step-2-configure-integration-in-hideez-cloud"></a>

1. Go to **Hideez Enterprise Server**.
2. Go to **Integrations → OIDC**.
3. Click **Create App Integration** and set the following parameters:

   * **App Type**: Entra ID External Authentication Method (EAM).

   <div><figure><img src="/files/xk4219r6MnMQbuUFOqIK" alt=""><figcaption></figcaption></figure> <figure><img src="/files/TeQVCT3R9DL29V4zhpt8" alt=""><figcaption></figcaption></figure></div>
4. Fill in the following:

   * **Tenant ID**
   * **Application ID**

   <figure><img src="/files/36Tw7BKqLIIwYaEvlv6B" alt=""><figcaption></figcaption></figure>
5. Click **Create**.

{% hint style="info" %}
Keep the tab **Add openid connect client** with values **Client ID**, **Discovery Endpoint**, and **Entra Application ID** ready for the next step.
{% endhint %}

<figure><img src="/files/lrRe4iE3Js8sPVkqXg9N" alt=""><figcaption></figcaption></figure>

## **Step 3: Add External Method in Entra ID** <a href="#step-3-add-external-method-in-entra-id" id="step-3-add-external-method-in-entra-id"></a>

1. Go back to **Microsoft Entra Admin Center**.
2. Navigate to **Protection → Authentication Methods → Policies**.
3. Click **+ Add external method (Preview)**.
4. Set the following parameters:

   * **Name**: The name users will see during Entra ID login when choosing their authentication method.
   * **Client ID**: Paste from the app integration in Hideez Enterprise Server.
   * **Discovery Endpoint**: Paste from the app integration in Hideez Enterprise Server.
   * **App ID**: Paste from the app integration in Hideez Enterprise Server.

   <figure><img src="/files/JiWNg0deYosKngN5DgKj" alt=""><figcaption></figcaption></figure>
5. Click **Request permission** to grant admin consent for the app to read user information.
6. Click **Enable**.

<figure><img src="https://support-cloud.hideez.com/~gitbook/image?url=https%3A%2F%2Flh7-rt.googleusercontent.com%2Fdocsz%2FAD_4nXeHXypKs5WgDBHxNJqT3ky5SLGVCfTt9SoNnfLk_70KfUJuFqr6RE2fCSIUM55dLbVVVi2JyvJwuyWSr_nvMoSzvcM-dOmwVWtRkPkpaA865HiqioVBas5s_XQ0zdj_6vrqBMj1dg%3Fkey%3Dp_ZBDQL_R90t9eRObuu2fg6i&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=113585d9&#x26;sv=2" alt=""><figcaption></figcaption></figure>

7. Review the **Included and Excluded Targets** (all users are included by default).
8. Click **Save**.
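Before pasting the **Client ID**, **Discovery Endpoint** and **App ID** into Entra ID, it is worth confirming that the discovery document served by your Hideez server agrees with the redirect URI registered in Step 1 and advertises what Entra ID relies on (per Microsoft's external method provider reference linked above, the EAM request uses `response_type=id_token`). The following check is an added example, not Hideez or Microsoft code; the discovery documents, GUIDs and the `dev.hideez.com` server name are constructed for illustration.

```python
"""Pre-flight check of the values Steps 1 to 3 copy between Entra ID and
Hideez Enterprise Server. Added example, not Hideez or Microsoft code.
The discovery documents and GUIDs below are constructed, not captured."""
import uuid
from urllib.parse import urlparse


def expected_redirect_uri(server_name: str) -> str:
    """Redirect URI registered in Step 1: https://<hideez server name>/connect/authorize."""
    return f"https://{server_name}/connect/authorize"


def is_guid(value: str) -> bool:
    """Tenant ID and Application ID (Step 2) must be well-formed GUIDs."""
    try:
        uuid.UUID(value)
        return True
    except ValueError:
        return False


def check_discovery(doc: dict, server_name: str) -> list[str]:
    """Compare the document served at the Discovery Endpoint against what
    Entra ID needs; an empty list means no inconsistency was found."""
    problems = []
    for key in ("issuer", "authorization_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append(f"missing {key}")
    redirect = expected_redirect_uri(server_name)
    if doc.get("authorization_endpoint") != redirect:
        # Step 1 registers the provider's authorize URL as the redirect URI,
        # so the two values must be identical, path included.
        problems.append(f"authorization_endpoint != registered redirect URI {redirect}")
    for key in ("issuer", "jwks_uri"):
        url = urlparse(doc.get(key, ""))
        if url.scheme != "https" or url.hostname != server_name:
            problems.append(f"{key} must be an https URL on {server_name}")
    if "id_token" not in doc.get("response_types_supported", []):
        # Entra ID's EAM authorization request uses response_type=id_token.
        problems.append("response_types_supported lacks id_token")
    return problems


# Constructed sample modelled on the page's example server name.
GOOD_DISCOVERY = {
    "issuer": "https://dev.hideez.com",
    "authorization_endpoint": "https://dev.hideez.com/connect/authorize",
    "jwks_uri": "https://dev.hideez.com/.well-known/openid-configuration/jwks",
    "response_types_supported": ["id_token", "code"],
}
# Constructed misconfiguration: typo in the endpoint path, plain-http JWKS URL.
BAD_DISCOVERY = {
    "issuer": "https://dev.hideez.com",
    "authorization_endpoint": "https://dev.hideez.com/connect/authorise",
    "jwks_uri": "http://dev.hideez.com/.well-known/openid-configuration/jwks",
    "response_types_supported": ["id_token"],
}

if __name__ == "__main__":
    for name, doc in (("good", GOOD_DISCOVERY), ("bad", BAD_DISCOVERY)):
        print(name, check_discovery(doc, "dev.hideez.com") or "OK")
```

Fetching the live document from the Discovery Endpoint and passing the parsed JSON to `check_discovery` turns this into a repeatable post-change test.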

## **Step 4: Configure Conditional Access Policy in Entra ID (Optional)** <a href="#microsoftentraidintegrationwitheam-step4-configureaconditionalaccesspolicyinentraid" id="microsoftentraidintegrationwitheam-step4-configureaconditionalaccesspolicyinentraid"></a>

{% hint style="info" %}
During migration, administrators are advised to create parallel **Conditional Access Policies** to test new configurations with a subset of users. This ensures minimal disruption and allows admins to verify the functionality of the custom controls.
{% endhint %}

1. Log in to the [**Microsoft Entra Admin Center**](https://entra.microsoft.com/).
2. Navigate to **Protection → Conditional Access → Policies**.
3. Click **+ New Policy** (or edit an existing policy).

<figure><img src="https://support-cloud.hideez.com/~gitbook/image?url=https%3A%2F%2F1530474135-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F5ugbBHkpcN7qTDyuUyg8%252Fuploads%252FKLE19AkG8z1eHq1ZswZw%252FCreate-conditinal-access-policy.png%3Falt%3Dmedia%26token%3D0b6f404c-0809-43e8-9085-f4303b2c92e2&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=df082f9c&#x26;sv=2" alt=""><figcaption></figcaption></figure>

4. Configure the policy:
   * **Specify Users**: Define the users who will be affected by this policy.
   * **Target Applications**: Specify the applications covered by this policy.
   * **Access Requirements**:
     * Choose **Require multifactor authentication** so that the EAM (Hideez Enterprise Server) is used as the MFA step.

<figure><img src="https://support-cloud.hideez.com/~gitbook/image?url=https%3A%2F%2F1530474135-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F5ugbBHkpcN7qTDyuUyg8%252Fuploads%252FtdEQuJkWNLSAPBkW8iUP%252Fimage%2520%282%29.png%3Falt%3Dmedia%26token%3D8cc62870-a9f5-4e88-b7b5-508e86f7de5d&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=a35273bd&#x26;sv=2" alt=""><figcaption></figcaption></figure>

5. Click **Save**.

{% hint style="success" %}
Microsoft provides more information in [Using Custom Control and EAM in parallel](https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-external-method-manage#using-eam-and-conditional-access-custom-controls-in-parallel).
{% endhint %}
