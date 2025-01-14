Version: 17.x

Analyze Entra ID policies with Teleport Identity Security

The Microsoft Entra ID integration in Teleport Identity Governance synchronizes your Entra ID directory into your Teleport cluster, and offers insights into relationships in your Entra ID directory. Additionally, when Entra ID is used as an SSO identity provider, Identity Security visualizes SSO grants across your services.

Note: SSO grant analysis is currently only supported in situations where Entra ID acts as the identity provider, and AWS accounts are set up as relying parties using AWS IAM role federation. Support for additional relying parties will be added in the future.

Teleport continuously scans the connected Entra ID directory. At intervals of 5 minutes, it retrieves the following resources from your Entra ID directory:

Users

Groups

Users' memberships in groups

Enterprise applications

Entra ID users and groups are imported into Teleport as users and Access Lists respectively. Once all the necessary resources are fetched, Teleport pushes them to the Access Graph, ensuring that it remains updated with the latest information. These resources are then visualized using the graph representation detailed in the Identity Security usage page.

A running Teleport Enterprise cluster v15.4.2/v16.0.0 or later.

Teleport Identity Governance and Identity Security enabled for your account.

For self-hosted clusters:

Ensure that an up-to-date license.pem is used in the Auth Service configuration.

A running Access Graph node v1.21.3 or later. Check the Identity Security page for details on how to set up Access Graph.

The node running the Access Graph service must be reachable from the Teleport Auth Service.

Your user must have privileged administrator permissions in the Azure account.

For OIDC setup, the Teleport cluster must be publicly accessible from the internet.

For air gapped clusters, tctl must be v16.4.7 or later.

Access Graph is a feature of the Teleport Identity Security product available to Teleport Enterprise edition customers.

To verify that Access Graph is set up correctly for your cluster, sign in to the Teleport Web UI, click the Policy sidebar button, and then the Browse menu item. Identities, resources, etc. should be listed.

To begin onboarding, select your preferred setup method. Teleport offers various methods based on your cluster configuration and user requirements.

Tip: This method is recommended and is required if you are a Teleport Enterprise (Cloud) customer.

This method is suitable for Teleport clusters that are publicly accessible and lack Azure credentials on Auth Service nodes or pods.

In this setup, Teleport is configured as an OpenID Connect (OIDC) identity provider, establishing a trusted connection with an Entra ID application created during setup. This trust allows Teleport to authenticate using the Entra ID application, accessing permissions tied to it without requiring additional credentials or managed identities.

Requirements:

Direct bidirectional connectivity between Teleport and Azure is necessary for Azure to validate the OIDC tokens issued by Teleport.

Designed for air-gapped Teleport clusters that are not publicly accessible, this setup accommodates environments where Azure cannot validate OIDC tokens issued by Teleport.

Instead, Teleport relies on Azure credentials available on the VMs where Teleport Auth Service is running. These credentials must have the following Entra ID permissions:

Application.Read.All

Directory.Read.All

Policy.Read.All

Requirements:

Unidirectional connectivity from Teleport to Azure infrastructure.

This setup describes how to configure the Entra ID integration manually, without relying on the automated scripts that set up the Entra ID application.

This method supports both the Teleport-as-OIDC-provider and the system-credentials options, but it has one limitation: the Identity Security integration cannot be enabled.

Teleport as OIDC provider

To start the onboarding process, access the Teleport Web UI, navigate to the "Access Management" tab, and choose "Enroll New Integration", then pick "Microsoft Entra ID".

In the onboarding wizard, choose a Teleport user that will be assigned as the default owner of Access Lists that are created for your Entra groups, and click "Next".

The wizard will now provide you with a script that will set up the necessary permissions in Azure. Open Azure Cloud Shell by navigating to shell.azure.com, or by clicking the Cloud Shell icon in the Azure Portal. Make sure to use the Bash version of Cloud Shell.

Once a Cloud Shell instance opens, paste the generated command. The command sets up your Teleport cluster as an enterprise application in the Entra ID directory, and grants Teleport read-only permissions to read your directory's data (such as users and groups in the directory).

Once the script is done setting up the necessary permissions, it prints out the data required to finish the integration onboarding. Back in the Teleport Web UI, fill out the required data and click "Finish".

Automatic setup with system credentials

To set up the Azure Identity with the necessary permissions:

Application.Read.All

Directory.Read.All

Policy.Read.All

Go to your Azure Dashboard, find the identities linked to your Teleport Auth Service VMs, and copy the Object (principal) ID. Paste this value into <Principal ID>. After obtaining the Principal ID, open the Azure Cloud Shell in PowerShell mode and run the following script to assign the required permissions to <Principal ID>.

Assign required permissions to Azure Identity:

    Connect-MgGraph -Scopes 'Directory.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All'
    # The managed identity attached to the Auth Service VM
    $managedIdentity = Get-MgServicePrincipal -ServicePrincipalId '<Principal ID>'
    # Microsoft Graph's service principal; its AppRoles are the permissions we assign
    $graphSPN = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
    $permissions = @(
        "Application.Read.All"
        "Directory.Read.All"
        "Policy.Read.All"
    )
    # Keep only the application (not delegated) roles with the names above
    $appRoles = $graphSPN.AppRoles |
        Where-Object Value -in $permissions |
        Where-Object AllowedMemberTypes -contains "Application"
    foreach ($appRole in $appRoles) {
        $bodyParam = @{
            PrincipalId = $managedIdentity.Id
            ResourceId  = $graphSPN.Id
            AppRoleId   = $appRole.Id
        }
        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $managedIdentity.Id -BodyParameter $bodyParam
    }

Your identity principal <Principal ID> now has the necessary permissions to list Applications, Directories, and Policies.

The Teleport tctl command provides an interactive guide to set up and configure Entra ID integration for air-gapped clusters. To use it, ensure you have tctl version v16.4.7 or later and select a default list of Access List owners. These specified Teleport users will become the owners of Access Lists imported by the Entra ID integration. <Access List Owner> must be an existing Teleport user. If you prefer multiple Access List owners, repeat the flag with each user, e.g., --default-owner=owner1 --default-owner=owner2. You'll also need to provide the Teleport Auth Service address as example.teleport.sh:443. For clusters running in multiplex mode, this address will be the same as your proxy address.

If your Teleport license does not include Identity Security, include the --no-access-graph flag.

    tctl plugins install entraid \
      --default-owner=<Access List Owner> \
      [email protected] \
      --use-system-credentials \
      --auth-server example.teleport.sh:443

Follow the detailed instructions provided by the tctl plugins install entraid guide to install and configure the Entra ID plugin. This guide will walk you through each step required to enable Entra ID integration within your Teleport environment. Be sure to follow each step in the tctl plugins install entraid guide closely to complete the installation and configuration.

Manual setup

This step configures the Azure Identity on your Auth Service machine with the required Entra ID permissions.

Warning: Follow this step only if you want to use system-available credentials to authenticate Teleport with Entra ID. If you intend to use Teleport as an OIDC provider for Entra ID, you can skip this step.

The identity needs the following Entra ID permissions:

Application.Read.All

Directory.Read.All

Policy.Read.All

Go to your Azure Dashboard, find the identities linked to your Teleport Auth Service VMs, and copy the Object (principal) ID. Paste this value into <Principal ID>. After obtaining the Principal ID, open the Azure Cloud Shell in PowerShell mode and run the "Assign required permissions to Azure Identity" script shown in the Automatic setup with system credentials section above; it is the same script. Your identity principal <Principal ID> then has the necessary permissions to list Applications, Directories, and Policies.

In this step, you will manually configure an Entra ID Enterprise Application to be used by the Teleport Auth Connector. We provide a PowerShell script that creates the specified application, adds a token signing certificate, and sets up the necessary SAML parameters. To proceed, you need to define the following parameters:

<Application name>: The Entra ID Application name, typically set to Teleport <your.cluster.address>.

example.teleport.sh:443: Your Teleport Proxy address.

<Auth Connector Name>: The Teleport Auth Connector name, usually set to entra-id.

Once these parameters are defined, open the Azure Cloud Shell in PowerShell mode, or use the session created in the previous step.

Create the Entra ID application:

    Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"
    Import-Module Microsoft.Graph.Applications
    # Instantiate the application from the gallery template
    $params = @{ displayName = '<Application name>' }
    $applicationTemplateId = "8adf8e6e-67b2-4cf2-a259-e3dc5476c621"
    $app = Invoke-MgInstantiateApplicationTemplate -ApplicationTemplateId $applicationTemplateId -BodyParameter $params
    $appId = $app.Application.AppId
    $objectId = $app.Application.Id
    $servicePrincipal = $app.ServicePrincipal.Id
    # Add a SAML token signing certificate and make it the preferred signing key
    $principalTokenSigningCertificateParams = @{ displayName = "CN=azure-sso" }
    $cert = Add-MgServicePrincipalTokenSigningCertificate -ServicePrincipalId $servicePrincipal -BodyParameter $principalTokenSigningCertificateParams
    $thumbprint = $cert.Thumbprint
    $updateServicePrincipalParams = @{
        preferredSingleSignOnMode          = "saml"
        preferredTokenSigningKeyThumbprint = $thumbprint
        appRoleAssignmentRequired          = $false
    }
    Update-MgServicePrincipal -ServicePrincipalId $servicePrincipal -BodyParameter $updateServicePrincipalParams
    # Strip a trailing slash and the ":443" port suffix. A regex replace is used instead of
    # TrimEnd(":443"), which would trim any trailing ':', '4' or '3' characters from the host.
    $proxyURL = 'https://example.teleport.sh:443'.TrimEnd("/") -replace ':443$', ''
    # The SAML Assertion Consumer Service URL of the Teleport Auth Connector
    $acsURL = $proxyURL + '/v1/webapi/saml/acs/<Auth Connector Name>'
    $web = @{ redirectUris = @($acsURL) }
    Update-MgApplication -ApplicationId $objectId -Web $web -IdentifierUris @($acsURL)
    # Emit group membership claims in access, ID and SAML tokens
    $optionalClaims = [Microsoft.Graph.PowerShell.Models.MicrosoftGraphOptionalClaims]::DeserializeFromDictionary(@{
        AccessToken = @( @{ Name = 'groups' } )
        IdToken     = @( @{ Name = 'groups' } )
        Saml2Token  = @( @{ Name = 'groups' } )
    })
    Update-MgApplication -ApplicationId $objectId -GroupMembershipClaims "SecurityGroup" -OptionalClaims $optionalClaims
    $tenant = Get-AzTenant
    Write-Output "-------------------------------------------------------" "Copy and paste the following details:" "Application ID (Client ID): $appId" "Tenant ID: $tenant" "-------------------------------------------------------"

If your cluster is publicly accessible from the internet and you prefer or need to use OIDC rather than Auth Service system credentials, you can configure Teleport as an OIDC provider for the Entra ID application. If you have already assigned the necessary permissions to your Auth Service's Azure Identity, you may skip the following section. To configure federated credentials for your application, run the following script in the same Azure Cloud Shell terminal used previously.

Create Federated Credentials for Entra ID Application:

    # Trust tokens issued by the Teleport proxy for the "teleport-azure" subject
    $subject = "teleport-azure"
    $audiences = @("api://AzureADTokenExchange")
    $issuer = $proxyURL
    $name = "teleport-oidc"
    $credential = New-MgApplicationFederatedIdentityCredential -ApplicationId $objectId -Subject $subject -Audiences $audiences -Issuer $issuer -Name $name
    # Grant the application's service principal the same three read-only Graph roles
    $managedIdentity = Get-MgServicePrincipal -ServicePrincipalId $servicePrincipal
    $graphSPN = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
    $permissions = @(
        "Application.Read.All"
        "Directory.Read.All"
        "Policy.Read.All"
    )
    $appRoles = $graphSPN.AppRoles |
        Where-Object Value -in $permissions |
        Where-Object AllowedMemberTypes -contains "Application"
    foreach ($appRole in $appRoles) {
        $bodyParam = @{
            PrincipalId = $managedIdentity.Id
            ResourceId  = $graphSPN.Id
            AppRoleId   = $appRole.Id
        }
        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $managedIdentity.Id -BodyParameter $bodyParam
    }

As in the automatic setup, the tctl plugins install entraid guide requires tctl version v16.4.7 or later, one or more --default-owner flags naming existing Teleport users (e.g., --default-owner=owner1 --default-owner=owner2), and the Teleport Auth Service address as example.teleport.sh:443 (the same as your proxy address for clusters running in multiplex mode). If you chose to use Teleport as the OIDC provider for Entra ID in the previous step, remove the --use-system-credentials flag from the command below.

Note: Currently, when using manual mode, it is not possible to operate without the --no-access-graph flag.

    tctl plugins install entraid \
      --default-owner=<Access List Owner> \
      [email protected] \
      --auth-connector-name="<Auth Connector Name>" \
      --use-system-credentials \
      --no-access-graph \
      --manual-setup \
      --auth-server example.teleport.sh:443

Follow the detailed instructions provided by the tctl plugins install entraid guide to install and configure the Entra ID plugin.
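The following PowerShell helpers are an added verification example, not part of the Teleport docs or the setup scripts above. They assume an existing Connect-MgGraph session with read access to applications, the Microsoft.Graph.Applications module, and placeholder values for <Principal ID>, <Object ID> and the proxy URL; they let you confirm, before running tctl, that the identity holds exactly the three documented read-only Graph roles and that the OIDC trust matches what Teleport will present.

```powershell
# Added verification helpers (not part of the Teleport docs or its scripts).
# Assumes an existing Connect-MgGraph session that can read service principals and applications.
Import-Module Microsoft.Graph.Applications

# Microsoft Graph's well-known application ID, as used in the setup scripts above.
$GraphAppId = "00000003-0000-0000-c000-000000000000"

function Test-TeleportGraphPermissions {
    # Compares the Graph app roles granted to an identity against the three
    # read-only roles the integration needs. Returns $true only on an exact match.
    param([Parameter(Mandatory)] [string] $ServicePrincipalId)

    $expected = @("Application.Read.All", "Directory.Read.All", "Policy.Read.All")
    $graphSPN = Get-MgServicePrincipal -Filter "AppId eq '$GraphAppId'"
    $roleName = @{}
    foreach ($role in $graphSPN.AppRoles) { $roleName[[string]$role.Id] = $role.Value }

    # Resolve each assignment on the identity to a permission name (Graph-issued roles only).
    $granted = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipalId -All |
        Where-Object { $_.ResourceId -eq $graphSPN.Id } |
        ForEach-Object { $roleName[[string]$_.AppRoleId] })

    $missing = @($expected | Where-Object { $_ -notin $granted })
    $excess  = @($granted  | Where-Object { $_ -notin $expected })
    if ($missing) { Write-Warning "Missing Graph roles: $($missing -join ', ')" }
    if ($excess)  { Write-Warning "Roles beyond the documented read-only set: $($excess -join ', ')" }
    return ($missing.Count -eq 0 -and $excess.Count -eq 0)
}

function Test-TeleportFederatedCredential {
    # Checks that the OIDC trust on the application matches what Teleport presents:
    # issuer = proxy URL, subject "teleport-azure", audience "api://AzureADTokenExchange".
    param([Parameter(Mandatory)] [string] $ApplicationObjectId,
          [Parameter(Mandatory)] [string] $ProxyUrl)

    $creds = Get-MgApplicationFederatedIdentityCredential -ApplicationId $ApplicationObjectId -All
    $match = @($creds | Where-Object {
        $_.Issuer -eq $ProxyUrl -and
        $_.Subject -eq "teleport-azure" -and
        ($_.Audiences -contains "api://AzureADTokenExchange")
    })
    if ($match.Count -eq 0) { Write-Warning "No federated credential trusts $ProxyUrl for subject teleport-azure" }
    return ($match.Count -gt 0)
}

# Example calls; <Principal ID>, <Object ID> and the proxy URL are placeholders for your own values.
# Test-TeleportGraphPermissions -ServicePrincipalId '<Principal ID>'
# Test-TeleportFederatedCredential -ApplicationObjectId '<Object ID>' -ProxyUrl 'https://example.teleport.sh'
```

The federated-credential check only applies when Teleport is the OIDC provider; with system credentials, the permission check on the VM's managed identity is the one to run.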

Shortly after the integration onboarding is finished, your Entra ID directory will be imported into your Teleport cluster and Access Graph.

You can find Entra ID users and groups in the Access Graph UI. If you have Entra ID SSO set up for your AWS accounts, and the AWS accounts have been connected to Teleport, Access Graph will also show access to AWS resources granted to Entra ID identities.