Join an Entra ID Tenant

You can set up AD Bridge to authenticate to Active Directory or Entra ID.

Requirements

These are the required components to use for Entra ID authentication:

  • Entra ID
  • Azure app registration: To join a tenant, an application client ID and secret are required. The app registration also defines the access permissions for the endpoint. For configuration information, see Application Registration and IDs.

Application Registration and IDs

To set up app registration and IDs:

  1. Create an app registration, and gather the Client ID and Directory (tenant) ID from it.

App Registrations

  2. Go to Certificates & secrets > Client secrets.
  3. Generate a secret for the app registration. The value is available to copy only after you generate it. Copy the secret value and save it to a file; it is required to join a tenant. After a period of time, the value is hidden in the portal.

Certificates & secrets

  4. Set up the app registration rights. The app needs sufficient rights on the endpoint for the agent to look up the required information.

Application registration rights

  5. Go to Authentication > Advanced Settings and enable Allow public client flows.

Advanced Settings options

Authentication Requirements

Here are a few things to understand regarding authentication:

  • For an Entra ID user login, the user must belong to an Entra ID group.
  • For an Entra ID user login, the user must have a valid tenant license.
  • The user that initiates the SSH session must be the same user that authenticates with the device code.

Endpoint Setup

AD Bridge only supports being joined to Entra ID or Active Directory.

To join AD Bridge to Entra ID:

  1. Create a local file with the app registration secret value.
    vi secret-file
  2. Join the Azure tenant with tenantjoin-cli.
    /opt/pbis/bin/tenantjoin-cli join --tenant-id ########-####-####-####-############ --app-id ########-####-####-####-############ --app-secret-file secret-file
  3. pbis status displays the tenant and the provider that the agent is joined to.
    pbis status
  4. tenantjoin-cli query displays the following information.
    /opt/pbis/bin/tenantjoin-cli query
    Tenant Query Info:
    Display Name: ADBridge Tenant
    Primary Domain: ADB.Azure
    Tenant Id: ################################
    Application Name: ADBridge
    Application Id: ################################
    Access Token Issued At: Mon Apr 17 11:33:23 2023
    Access Token Not Before: Mon Apr 17 11:33:23 2023
    Access Token Expiration: Mon Apr 17 12:38:23 2023
    Tenant query was successful
  5. Before logging in as an Entra ID user, apply a tenant license with /opt/pbis/bin/setkey-cli --key XXXXX-XXXXX-XXXXX-XXXXX-XXXXX.
    [bc-admin@bc-hrm4 ~]$ /opt/pbis/bin/setkey-cli --key XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

    Key: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

    Type:
      Azure tenant license
      Server (allows unlimited concurrent user logons)
      Term (limited time restriction)
      Site (unlimited usage for domain)

    Entitlements:
      Smart Card
      Group Policy
      Audit/Reporting
      AD Management Tools

    Expires: 2023-06-24
  6. Log in to the endpoint with the Entra ID user. This displays a device code and a URL.
    ssh USER@TENANT@HOSTNAME
  7. In a browser, navigate to the URL and follow the prompts. You must enter the device code.

    The authorization polling interval is every 5 seconds with 12 tries (60 seconds total).
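The join steps above, wrapped in a POSIX shell script as an added example (not part of the AD Bridge documentation): the secret file is created with mode 0600 before the secret is written to it, and the tenant and app IDs are checked for GUID shape before tenantjoin-cli is invoked. The /opt/pbis/bin/tenantjoin-cli path and flags are taken from the steps above; the function names are this example's own.

```shell
#!/bin/sh
# Added example: hardened wrapper around the tenantjoin-cli join procedure.

is_guid() {
    # Entra tenant and application IDs are GUIDs: 8-4-4-4-12 hex digits.
    printf '%s' "$1" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

write_secret_file() {
    # $1 = path; the secret is read from stdin so it never appears in argv
    # or shell history. The file is created under umask 077 and forced to 0600.
    path=$1
    old_umask=$(umask)
    umask 077
    : > "$path" || { umask "$old_umask"; return 1; }
    umask "$old_umask"
    cat > "$path" && chmod 600 "$path"
}

join_tenant() {
    # $1 = tenant id, $2 = app id, $3 = secret file path.
    tenant=$1; app=$2; secret=$3
    is_guid "$tenant" || { echo "tenant id is not a GUID" >&2; return 2; }
    is_guid "$app"    || { echo "app id is not a GUID" >&2; return 2; }
    [ -s "$secret" ]  || { echo "secret file missing or empty" >&2; return 2; }
    # Join, then confirm with the same query the documentation shows.
    /opt/pbis/bin/tenantjoin-cli join --tenant-id "$tenant" --app-id "$app" \
        --app-secret-file "$secret" \
        && /opt/pbis/bin/tenantjoin-cli query
}

# Usage: join.sh TENANT_ID APP_ID SECRET_FILE (secret file prepared beforehand
# with: printf '%s' "$SECRET" | write_secret_file secret-file)
if [ "$#" -eq 3 ]; then
    join_tenant "$1" "$2" "$3"
fi
```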

Query for Entra ID Users or Groups

On an endpoint that is joined to an Azure tenant, you can use the ad-cache command to query for Entra ID users and groups. The --tenant flag limits the output to the users or groups that belong to the tenant.

Users
/opt/pbis/bin/ad-cache --enum-users --tenant
Azure user object [1] (cdc32650-cbe0-43d9-8cc8-b0f2875a6441)
============
Enabled: yes
UID: 1193502009
UPN: freshuzer@adbridge.dev
Given name: <null>
Surname: <null>
Display Name: freshuzer
Last Password Change: 2023-06-09T12:39:12Z
Primary GID: 4244230445
Primary Group ObjectId: 04ea9c38-4913-4d02-9265-174d589daeb1
Shell: /bin/sh
Home Dir: /home/local/adbridge.dev/freshuzer

Total Azure users found: 1
Total users found across all authentication providers: 1

Groups
/opt/pbis/bin/ad-cache --enum-groups --tenant
Azure group object [1] (04ea9c38-4913-4d02-9265-174d589daeb1)
============
GID: 4244230445
Display Name: Pure Uzers Group
Description: <null>
Security Identifier: S-1-12-1-82484280-1291995411-1293378962-2981010776

Total Azure groups found: 1
Total groups found across all authentication providers: 1