
Entra ID Integration

The Entra ID integration enables the following features in Teleport:

  1. Single Sign-On (SSO): Configures Teleport authentication with Entra ID as an identity provider.
  2. User sync: Periodic import of Entra ID users as Teleport users.
  3. Group sync: Periodic import of Entra ID groups as Teleport Access Lists.
  4. Integration with Teleport Identity Security (Optional): Lets you analyze user access paths and policies from the Teleport Identity Security product. If enabled, Teleport imports enterprise applications as well.

How it works

To configure SSO, Teleport uses an Entra ID enterprise application in which Teleport must be set up as a SAML service provider.

To import users and groups from Entra ID, Teleport must be configured with a credential to authenticate with the Microsoft Graph API.

Choosing the Microsoft Graph API authentication method

Teleport supports two types of authentication mechanisms to authenticate with the Microsoft Graph API: OIDC IdP and system credentials.

Teleport as an OIDC Provider for Entra ID

In this setup, Teleport is configured as an OpenID Connect (OIDC) identity provider for the Entra ID enterprise application. The Teleport OIDC IdP then issues a short-lived credential for the Microsoft Graph API client configured in Entra ID. Authorization is limited to the API permissions configured on the Entra ID enterprise application.

Entra ID validates the OIDC tokens issued by Teleport by contacting Teleport directly, so direct bidirectional connectivity between Teleport and Entra ID is required.

For a Teleport cloud cluster, OIDC IdP-based authentication is the only supported authentication method.

System credentials

In this setup, Teleport relies on the Microsoft Graph API credentials available where the Teleport Auth Service is running. The setup typically involves configuring a managed identity for the Teleport Auth Service and granting that managed identity the Microsoft Graph API permissions required by the Teleport Entra ID integration.

This method is best suited for an air-gapped Teleport cluster where the Teleport Proxy Service is not publicly accessible.

Choosing a guided or manual Entra ID configuration method

In the guided Entra ID configuration process, Teleport generates a configuration script that configures your Entra ID tenant with the properties required for the Teleport Entra ID integration.

If you want more control over the Entra ID configuration, the manual Entra ID configuration method may be a better fit. In this case, you update the Entra ID tenant yourself with the properties required for the Teleport Entra ID integration.

The Web UI only supports the guided Entra ID configuration with Teleport as the OIDC IdP. tctl supports both the guided and manual Entra ID configuration methods, with either Teleport as the OIDC IdP or system credentials as the authentication method.

Guides