Overview
Entra External Authentication Method (EAM) lets users choose an external provider to meet multifactor authentication (MFA) requirements when they sign in to Microsoft Entra ID. An EAM can satisfy MFA requirements from Conditional Access policies, Microsoft Entra ID Protection risk-based Conditional Access policies, Privileged Identity Management (PIM) activation, and when the application itself requires MFA.
Adding YumiPass as an External Authentication Method (EAM) therefore allows Conditional Access policies, for example, to control when and for whom Passport is required as MFA.
The advantage of Passport as MFA is that, unlike all other phishing-resistant MFA alternatives, Passport need not be enrolled in advance: any existing user in possession of a Passport can choose to use it if and when needed, provided that Entra policies are set to allow it.
Installation
Overview
Two-way configuration is required:
- Entra --oidc--> YumiPass: YumiPass is added to Entra as a generic OIDC provider.
- Entra <--api-- YumiPass: YumiPass is allowed to call the /users/{id} endpoint to match the claims gathered from the Passport against the attributes of the user account that is signing in.
The second step is what turns the Passport check into authentication of that particular user: without it, any authentic Passport in the world would suffice for login. Alternatively, to avoid the second step:
a) Configure Entra with custom claims and the matching logic.
b) Configure Entra to submit the matching attributes within the id_token_hint of the authorize request, in which case YumiPass matches the Passport claim values against the account attribute values.
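The following is an added example (not YumiPass or Microsoft code) of the account-binding step described above: it validates a constructed id_token_hint before trusting its claims, then matches the Passport claims to the attributes of exactly the account that token names, failing closed when any attribute is missing. The claim-to-attribute map, the placeholder issuer and audience values, and the HMAC-signed demo token are assumptions made so the example runs offline; a real id_token_hint from Entra is asymmetrically signed and would be verified against the tenant's published keys instead.

```python
import base64
import hashlib
import hmac
import json
import time
import unicodedata

# --- constructed values (assumptions for this example, not real tenant data) ---
DEMO_SECRET = b"constructed-demo-secret"                                # stands in for Entra's signing key
EXPECTED_ISSUER = "https://login.microsoftonline.com/<TENANT-ID>/v2.0"   # placeholder tenant
EXPECTED_AUDIENCE = "<EAM-CLIENT-ID>"                                   # placeholder EAM app id

# Which Passport claim must agree with which Entra user attribute (assumed mapping).
ATTRIBUTE_MAP = {"given_name": "givenName", "family_name": "surname"}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_demo_token(claims: dict) -> str:
    """Build an HS256 JWT so the example is self-contained (constructed, demo only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_id_token_hint(token: str, now=None) -> dict:
    """Return the claims only if signature, issuer, audience and expiry all check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(DEMO_SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def is_valid_hint(token: str, now=None) -> bool:
    """Boolean wrapper around verify_id_token_hint for callers that only need accept/reject."""
    try:
        verify_id_token_hint(token, now)
        return True
    except ValueError:
        return False


def _norm(value: str) -> str:
    """Strip diacritics and whitespace and fold case so 'Müller' equals ' MULLER '."""
    decomposed = unicodedata.normalize("NFKD", value)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold().strip()


def match_passport_to_account(passport_claims: dict, account: dict, hint_claims: dict):
    """Bind the physical document to the account Entra is authenticating.

    `account` is the object fetched from /users/{id}; it must be the very user
    Entra named in the id_token_hint (oid), otherwise a Passport belonging to
    someone else could satisfy MFA for this sign-in. Every mapped attribute must
    be present and match; missing data is a failure, not a pass.
    """
    if account.get("id") != hint_claims.get("oid"):
        return False, ["account does not belong to the user in id_token_hint"]
    reasons = []
    for claim, attr in ATTRIBUTE_MAP.items():
        passport_value, account_value = passport_claims.get(claim), account.get(attr)
        if not passport_value or not account_value:
            reasons.append(f"missing {claim}/{attr}")
        elif _norm(passport_value) != _norm(account_value):
            reasons.append(f"{claim} does not match {attr}")
    return (not reasons), reasons


if __name__ == "__main__":
    # Constructed sign-in: Entra names user-oid-1, and the Passport read matches that account.
    hint = make_demo_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                            "oid": "user-oid-1", "exp": time.time() + 300})
    claims = verify_id_token_hint(hint)
    ok, why = match_passport_to_account(
        {"given_name": "Ana", "family_name": "Müller"},
        {"id": "user-oid-1", "givenName": "ANA", "surname": "Muller"},
        claims)
    print(ok, why)
```

The order matters: the token is verified before any of its claims (including oid) are read, and the account lookup is keyed by that verified oid, so the matching step compares against the one account Entra is actually authenticating rather than any account whose attributes happen to resemble the Passport.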
Steps
For the two-way integration:
- Sign in to your YumiPass integration account.
- Create a new Workforce app registration:
  - Choose Entra.
  - Choose Automated setup. You are prompted for an Entra admin grant to set up the configuration.
- In Entra, make sure that:
  - In Protect > External Authentication Methods: the YumiPass EAM object is Enabled.
  - In Enterprise Applications > locate and select the new YumiPass app > API: the read permissions have been admin granted.
To go live
Follow Microsoft's instructions to create the policies needed to require Passport verification. For example, in a Conditional Access policy make sure to set:
- Grant access: Require multifactor authentication
Security considerations
Go to your newly created Workforce app registration in ymp and adjust the authentication claims as needed.