Skip to main content

Configure Arculix as a Microsoft Entra ID external authentication method (EAM)

External Authentication Method (EAM) is a feature in Microsoft Entra ID that lets users use different multi-factor authentication (MFA) providers for signing in. This means that instead of using Microsoft's MFA options, your organization can choose and integrate Arculix as an MFA provider to meet your security needs.

To set up Arculix as an EAM provider, the following is an outline of tasks to complete.

Task A: Configure Arculix application in Microsoft Entra

Create an Enterprise application for Arculix integration in Microsoft Entra.

You will need the Application ID generated by Microsoft Entra for Arculix configuration.

Task B: Configure Microsoft Entra OIDC application in Arculix

Create an OIDC application for Microsoft Entra integration in Arculix.

You will need the UID and OIDC Provider Configuration generated by Arculix for further Microsoft Entra configuration.

Task C: Configure Conditional Access policy in Microsoft Entra

Create a new Conditional Access policy to enable MFA for users and applications.

Task D: Add external MFA method in Microsoft Entra

Register Arculix as your external authentication provider in Microsoft Entra.

Task A: Configure Arculix application in Microsoft Entra

In this task, you will create an application for Arculix in Microsoft Entra. Save its identifying information to complete integration between Arculix and Microsoft Entra.

Note

This task is completed in the Microsoft Entra admin center. For up-to-date, detailed instructions, refer to Microsoft's documentation for the Microsoft Entra application gallery and reach out to their support.

  1. Log in to your Microsoft Entra admin account and create a new Enterprise application for Arculix.

    Select the option to Integrate any other application you don't find in the gallery (Non-gallery).

    eam_create_app.png

  2. Copy the Application ID for Arculix configuration.

Task B: Configure Microsoft Entra OIDC application in Arculix

In this task, you will create an OIDC application for Microsoft Entra in Arculix. To learn more about integrating an OIDC application with Arculix, see OAuth / OIDC configuration.

  1. Log in to Arculix with an administrative account and go to Applications.

  2. Click Create New Application.

    Create new application

  3. In the New Application form, on the General tab, set the following configurations:

    Name 

    Set the name of the application. This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs.

    For example, EntraID EAM.

    Type 

    Set to OpenID Connect Relying Party Application [oidc_client].

    Out of Band Methods 

    Select the allowed methods end users can choose to approve MFA requests.

    For example, Arculix Mobile app (push notifications), SMS, or Security Key.

    Message for MFA Requests 

    Optional. Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.

    eam_new_oidc_app.png

  4. Select the OIDC Configuration tab, and set the following configurations:

    Login 

    Redirect URLs 

    Enter the redirect URL (Redirect_uri) that Arculix will use to send back the authorization code.

    For Microsoft Entra, it is usually: https://login.microsoftonline.com/common/federation/externalauthprovider

    See Microsoft's documentation for Microsoft Entra multifactor authentication external method provider reference for a full list of possible redirect URLs.

    Client Settings 

    Application Type 

    Set to Web application.

    Grant Type 

    Set to Implicit.

    Microsoft Entra ID requires and only supports the Implicit grant type. Upon login, the application redirects to Arculix for authentication. Entra ID asks Arculix for a user identity token and expects the response to be sent back in a secure form. The user completes MFA through Arculix and it sends the identity token back to Entra ID to complete the login.

    Authentication Method 

    Set to None.

    Access Token Type 

    Set to JWT.

    Scopes and Claims 

    Scopes 

    Select the following scopes:

    • openid – Set by default. Allow access to the user's identity information like the username and email address.

    Session 

    Access Token Timeout 

    Set how long the access token is valid for before it times out. By default this set to 1 minute.

    Refresh Token Timeout 

    Set how long the refresh token is valid for before it times out and requires the user to reauthenticate. By default this is set to 1 day.

    eam_odic_config.png

  5. Slide the Enable Upstream IdP toggle to On and set the following configurations:

    OIDC Discovery/well-known URL 

    Enter the OIDC Discovery URL for your Microsoft Entra instance.

    For global EntraID customers, this is usually: https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration

    Reach out to Microsoft support for questions about your specific setup.

    Client ID 

    Enter the Application ID provided by Microsoft Entra.

    Username Claim 

    Enter the claim that identifies the user's username in "id_token_hint" JWT tokens issued by the Upstream IdP.

    The claim should match to a unique user’s username in Arculix.

    eam_oidc_upstream.png

  6. Save your changes.

  7. Edit the configured OIDC application and select the Advanced tab.

  8. Copy the UID value.

    You will need this for further Microsoft Entra configuration.

    arculix_new_oidc_application_003.png

  9. Select the OIDC Configuration tab.

  10. Copy the OIDC Provider Configuration value.

    You will need this for further Microsoft Entra configuration.

Task C: Configure Conditional Access policy in Microsoft Entra

In this task, you will return to your Microsoft Entra admin center to create a new Conditional Access policy. This will allow you to redirect users to Arculix for authentication as an EAM for applications.

Note

This task is completed in the Microsoft Entra admin center. For up-to-date, detailed instructions, refer to Microsoft's documentation for Tutorial: Secure user sign-in events with Microsoft Entra multifactor authentication and reach out to their support.

  1. In the Microsoft Entra admin center, create a new policy for Conditional Access.

    eam_conditional_access001.png

  2. Select which users, groups, and applications to apply the policy to.

    eam_conditional_access002.png

  3. In the Grant section, select Grant access and the Require multifactor authentication check box.

    eam_conditional_access003.png

  4. Set the Enable policy value to On.

    Result: When you log in to Microsoft Azure, you see Approve with Arculix as an MFA option.

    eam_arculixmfa_options.png

Task D: Add external MFA method in Microsoft Entra

In this task, you will configure Arculix as your external authentication provider.

Note

This task is completed in the Microsoft Entra admin center. For up-to-date, detailed instructions, refer to Microsoft's documentation for Manage an external authentication method in Microsoft Entra ID and reach out to their support.

  1. In the Microsoft Entra admin center, add an external method with the following values:

    Client ID 

    Enter the UID of the OIDC application you created in Arculix.

    Discovery Endpoint 

    Enter the OIDC Provider Configuration for the OIDC application you created in Arculix.

    App ID 

    Enter the Application ID for the Enterprise application you created in Microsoft Entra for Task A.

    eam_add_external_method.png

  2. Click Request permission. You will need Microsoft Entra admin access to grant the necessary permissions.

    eam_permissions.png

  3. Configure Enable and target to set who to enable this external authentication method for.

    Slide the toggle to On and select which users or groups of users to include or exclude.

    eam_enable_and_target.png

  4. Save your changes.

  5. Go to App Registrations and find the Enterprise application you created for Task A. Edit the application's details with the following values:

    Redirect URIs 

    Enter the auth URL for your tenant Arculix OIDC provider.

    For example, https://{{ARCULIX_OIDC_SERVER}}/{{YOUR_ARCULIX_TENANT_SLUG}}/oauth2/v1/auth

    NOTE: You can also find this value in the Arculix OIDC application you configured by clicking the OIDC Provider Configuration link and finding the value for authorization_endpoint

    eam_oidc_provider_config001.png
    eam_oidc_provider_config002.png
    eam_redirect_uri.png

  6. Save your changes.

  7. Optional. Under Token Configuration, you can customize the claims that Microsoft Entra will send to Arculix. This can be helpful for matching the Microsoft Entra username with the Arculix username.

    For example, if you set Microsoft Entra's upn as the username in Arculix, you can add a custom claim for it.

    eam_add_token001.png
    eam_add_token002.png
In this section: