How to Enable Entra Authentication and Authorization for Open-AudIT

Overview

This guide will walk you through registering an application in the Microsoft Entra Admin Center, creating the necessary credentials in Open-AudIT, and associating Entra groups with organizations and roles to manage authorization.


Application Registration

Registering an app in Entra (formerly Azure AD) creates the application registration that lets Open-AudIT send users to Entra to sign in and receive tokens about them in return. During registration you specify the redirect URI Entra is allowed to send users back to, grant the Microsoft Graph permissions the identity claims need, and generate a client secret. Open-AudIT is then configured with the registration's client ID, tenant ID and secret to handle Entra authentication and, optionally, authorization.


Create the Entra ID application by logging in to the Entra portal and selecting the App registrations blade.

Click the New registration button, name the application (for example OpenAudIT Auth), select a suitable account type (single tenant unless you intend to admit users from other directories), then select Web from the Redirect URI dropdown and enter the Open-AudIT callback, for example http://localhost:8088/index.php/logon/entra/auth. Entra accepts plain http only for localhost; an instance reached on a real hostname needs an https redirect URI. Whatever value you enter here must later be entered in Open-AudIT character for character.

After providing the required information, click Register to create the application.

image-20260312-014618.png

Select the Certificates & secrets sub-blade and select New client secret. Enter a description and an expiry, then click Add and copy the generated secret Value straight away: it is displayed only once, and Open-AudIT logons will fail once the secret expires, so record the expiry date and plan to rotate it.

image-20260312-020113.png

Select the Overview sub-blade and take note of the Application (client) ID and Directory (tenant) ID.

image-20260312-020446.png

Additional Claims

Open-AudIT identifies a signed-in user by the email and preferred_username claims, so both must be added as optional claims on the token. They carry the identity information Open-AudIT needs to match the user and apply access control; without them the token contains no usable identity and the user cannot be identified.


Click the Token configuration sub-blade and click the Add optional claim button.

Select the Access radio button. From the list of claims that appears, tick the email and preferred_username check-boxes.

Click the Add button to include the claims.

If prompted, turn on the Microsoft Graph email permission; without it the email claim is not issued, so the claim would be configured but absent from the token.

image-20260312-021421.png
image-20260312-021908.png

Group Claims

When Entra is used for authorization, Open-AudIT determines a user's group memberships from the groups claim and uses them for role-based access control: the claim lists the groups the user belongs to, and those groups are what get associated with Organizations and Roles. Without the groups claim there is nothing to base granular authorization on.


From the Token configuration sub-blade, click Add groups claim.

Select Security groups and leave the token property type as Group ID, so the claim carries each group's object ID, which is the identifier you will associate with Orgs and Roles in Open-AudIT. Note that a JWT can carry at most 200 group IDs; for a user in more groups Entra omits the list and emits an overage indicator instead, so if that applies to any of your users choose Groups assigned to the application and assign only the Open-AudIT groups to this app.

Finally click the Add button to include group claims.

image-20260312-022554.png
image-20260312-022850.png
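As an added example that is not part of this guide or of Open-AudIT, the Application Registration, Additional Claims and Group Claims steps above can be scripted against the Microsoft Graph API instead of clicked through the portal. The script assumes a Graph bearer token in the GRAPH_TOKEN environment variable, obtained separately (for example with az account get-access-token --resource-type ms-graph) by an account holding Application.ReadWrite.All; the display name, redirect URI and secret lifetime are illustrative, and the Graph email scope ID is the well-known one, which the comment shows how to confirm in your tenant.

```python
"""Create the Open-AudIT app registration with the Microsoft Graph API.

Added example, not Open-AudIT code. Reproduces the portal steps: web
redirect URI, email/preferred_username optional claims on the access
token, groups claim restricted to security groups, the Graph 'email'
permission, and a client secret. Assumes a Graph bearer token in
GRAPH_TOKEN, e.g. from
  az account get-access-token --resource-type ms-graph --query accessToken -o tsv
run by an account holding Application.ReadWrite.All.
"""
import json
import os
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/v1.0"
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource
# Delegated 'email' scope of Microsoft Graph. Confirm the ID in your tenant with:
#   az ad sp show --id 00000003-0000-0000-c000-000000000000 \
#     --query "oauth2PermissionScopes[?value=='email'].id" -o tsv
GRAPH_EMAIL_SCOPE_ID = "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0"


def application_body(display_name, redirect_uri):
    """Body for POST /applications. Single tenant; change signInAudience
    only if you deliberately want other directories to sign in."""
    return {
        "displayName": display_name,
        "signInAudience": "AzureADMyOrg",
        "web": {"redirectUris": [redirect_uri]},
        # Token configuration > Add optional claim > Access: email, preferred_username
        "optionalClaims": {
            "accessToken": [{"name": "email"}, {"name": "preferred_username"}],
        },
        # Token configuration > Add groups claim > Security groups (Group ID)
        "groupMembershipClaims": "SecurityGroup",
        # Microsoft Graph 'email' delegated permission so the email claim is issued
        "requiredResourceAccess": [{
            "resourceAppId": MS_GRAPH_APP_ID,
            "resourceAccess": [{"id": GRAPH_EMAIL_SCOPE_ID, "type": "Scope"}],
        }],
    }


def password_body(display_name, days_valid=180):
    """Body for POST /applications/{id}/addPassword. Keep the lifetime short:
    Open-AudIT logons fail once the secret expires, so rotate before then."""
    end = datetime.now(timezone.utc) + timedelta(days=days_valid)
    return {"passwordCredential": {
        "displayName": display_name,
        "endDateTime": end.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }}


def graph(token, method, path, body=None):
    """Minimal authenticated Graph call; raises HTTPError on failure."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        GRAPH + path, data=data, method=method,
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def register(token, display_name, redirect_uri):
    """Create the registration, add a secret, and return the three values
    the Open-AudIT Entra auth method asks for."""
    app = graph(token, "POST", "/applications",
                application_body(display_name, redirect_uri))
    secret = graph(token, "POST", f"/applications/{app['id']}/addPassword",
                   password_body("Open-AudIT Entra auth"))
    tenant = graph(token, "GET", "/organization")["value"][0]["id"]
    return {"client_id": app["appId"],              # Application (client) ID
            "tenant_id": tenant,                     # Directory (tenant) ID
            "client_secret": secret["secretText"]}   # returned once; store it now


if __name__ == "__main__":
    creds = register(os.environ["GRAPH_TOKEN"], "OpenAudIT Auth",
                     "http://localhost:8088/index.php/logon/entra/auth")
    print(json.dumps(creds, indent=2))  # paste into Open-AudIT, then clear the output
```

The secret is returned only by the addPassword call, exactly as the portal shows it only once; the script prints it so it can be pasted into the auth method, so run it in a session whose output is not logged.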

 

Entra Authentication

An Entra auth method must be created in Open-AudIT before users can authenticate via Entra. Once it is configured, a Login with entra option appears on the login page.


Create an authentication method by logging in to Open-AudIT, then from the top navigation select:

Admin > Auth > Create Auth Methods.

Name the method, for example Entra Authentication.

Select Entra as the method type.

Provide the Client ID, Client Secret and Tenant that you noted when registering the app in Entra.

The Redirect URI must match, character for character, the Web redirect URI registered in Entra. In most cases the value will be http://localhost/index.php/logon/entra/auth; the example registration above used port 8088, which would need http://localhost:8088/index.php/logon/entra/auth, so adjust the scheme, host and port to wherever your users actually reach Open-AudIT.

After providing the required information, click Submit to create the authentication method.

image-20260312-030922.png

Entra Authorization

To have Entra dictate authorization, the existing Entra Auth Method in Open-AudIT must be updated to use authorization, and Entra groups must be associated with Open-AudIT Organizations and Roles.


To enable authorization using Entra, edit the existing Auth Method in Open-AudIT: from the top navigation select:

Admin > Auth > List Auth Methods.

Click the edit icon to begin configuring its options.

image-20260312-032646.png

From the dropdown labeled Use Authorization, select Yes.

image-20260312-032850.png

When using Entra for authorization, you will need to associate Organizations and Roles in Open-AudIT with groups in Entra.

While logged in to the Entra portal, select the Groups blade.

Select the All groups sub-blade and search for the groups applicable to Open-AudIT. Note each group's Object Id: because the groups claim was configured with the Group ID property type, that ID, not the display name, is what appears in the token.

image-20260312-034135.png

Now within Open-AudIT, edit the Orgs and Roles as needed, assigning to each the Entra group that should grant it.

image-20260312-034724.png
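As an added example that is not Open-AudIT's own code, the script below shows the two checks a practitioner wants once the Additional Claims, Group Claims and authorization steps are done: that a token issued for the app really carries email, preferred_username and groups (or the overage marker Entra emits when a user is in too many groups), and how group object IDs turn into Org and Role grants, with nothing granted when no group matches. The GROUP_MAP associations, the GUIDs and the sample tokens are constructed for the example, and claims_from_token() does not verify signatures: it is for inspecting a token you already hold, not for making a live authorization decision.

```python
"""Inspect the claims Entra put in a token and model the group-to-Org/Role step.

Added example, not Open-AudIT code. claims_from_token() decodes a JWT payload
WITHOUT checking its signature; it is a diagnostic for confirming the Token
configuration worked, never a substitute for validation. GROUP_MAP, the
GUIDs and the sample tokens below are constructed for this example.
"""
import base64
import json

# Constructed stand-in for the Org/Role <-> Entra group associations made in
# Open-AudIT. Keys are group object IDs, because the groups claim was
# configured with the Group ID property type.
GROUP_MAP = {
    "11111111-1111-1111-1111-111111111111": {"org": "Default Organisation", "role": "admin"},
    "22222222-2222-2222-2222-222222222222": {"org": "Default Organisation", "role": "user"},
}
REQUIRED_CLAIMS = ("email", "preferred_username")


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def claims_from_token(token):
    """Payload of a compact JWT (header.payload.signature). No signature check."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def check_claims(claims):
    """Problems that would stop Open-AudIT identifying or authorizing the user."""
    problems = [f"missing {name} claim" for name in REQUIRED_CLAIMS if name not in claims]
    if "groups" not in claims:
        # More than 200 groups in a JWT: Entra drops the list and signals the
        # overage via _claim_names/_claim_sources (or hasgroups for implicit flow).
        if claims.get("hasgroups") or "groups" in claims.get("_claim_names", {}):
            problems.append("groups overage: too many memberships, use "
                            "'Groups assigned to the application'")
        else:
            problems.append("missing groups claim: was 'Add groups claim' done?")
    return problems


def authorize(claims):
    """Org/Role grants for the user's groups. Fails closed: an absent or
    unmapped groups claim yields no grants, not a default role."""
    return [GROUP_MAP[g] for g in claims.get("groups", []) if g in GROUP_MAP]


def make_token(payload):
    """Constructed, unsigned token for offline demonstration only."""
    header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    return f"{header}.{_b64url_encode(json.dumps(payload).encode())}."


if __name__ == "__main__":
    good = make_token({"email": "alice@example.com",
                       "preferred_username": "alice@example.com",
                       "groups": ["11111111-1111-1111-1111-111111111111",
                                  "99999999-9999-9999-9999-999999999999"]})
    overage = make_token({"email": "bob@example.com",
                          "preferred_username": "bob@example.com",
                          "_claim_names": {"groups": "src1"},
                          "_claim_sources": {"src1": {"endpoint":
                              "https://graph.microsoft.com/v1.0/users/00000000-0000-0000-0000-000000000000/getMemberObjects"}}})
    for token in (good, overage):
        claims = claims_from_token(token)
        print(check_claims(claims), authorize(claims))
```

The unmapped GUID in the first sample token is ignored rather than treated as an error, which mirrors the intended model: membership in groups unrelated to Open-AudIT is normal, and only associated groups produce grants. The overage case is the one that silently breaks authorization after go-live, since the user authenticates fine but arrives with no group list.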