Overview
Securing when and how users register for Microsoft Entra multifactor authentication and self-service password reset is possible with user actions in a Conditional Access policy.
Adding YumiPass as an External Authentication Method (EAM) to Entra allows Conditional Access to control when, and for whom, Passport verification is required to access the Entra Secure Enrolment app.
Installation
Overview
Two-way configuration is required:
- Entra --oidc--> YumiPass: YumiPass is added to Entra as a generic OIDC provider.
- Entra <--api-- YumiPass: YumiPass is allowed to call the /users/{id} endpoint to match the claims gathered from the Passport against the attributes of the user account that is signing in.
The second step is what ties the Passport to the account and is required for authentication: without it, any authentic Passport in the world would suffice for login. Alternatively, to avoid the second step:
a) Configure Entra with custom claims matching logic.
b) Configure Entra to submit the matching attributes in the id_token_hint of the authorize request, in which case YumiPass matches the Passport claim values against the account attribute values.
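The matching step above is the control that prevents any valid Passport from signing in as any account. The following is an added illustration of such a check, not YumiPass or Entra code: it assumes the id_token_hint has already been signature-verified and its payload claims extracted, and the claim names and sample values are constructed for the example.

```python
"""Illustrative Passport-claim to account-attribute matching (hypothetical, not YumiPass code).

Assumes the OIDC id_token_hint has already been signature-verified and its
claims extracted; the claim names and sample values below are assumptions.
"""
import unicodedata
from datetime import date

# Every one of these claims must be present on both sides and agree (assumption).
REQUIRED_CLAIMS = ("given_name", "family_name", "birthdate")


def _normalize(value) -> str:
    """Fold case, strip diacritics and collapse whitespace so that
    'MÜLLER' and 'Müller' compare equal; dates compare in ISO form."""
    if isinstance(value, date):
        value = value.isoformat()
    text = unicodedata.normalize("NFKD", str(value))
    text = "".join(c for c in text if not unicodedata.combining(c))
    return " ".join(text.casefold().split())


def match_passport_to_account(passport_claims: dict, account_claims: dict) -> tuple[bool, list[str]]:
    """Return (matched, reasons). Fails closed: a required claim that is
    missing on either side, or that differs, rejects the login."""
    reasons = []
    for name in REQUIRED_CLAIMS:
        p = passport_claims.get(name)
        a = account_claims.get(name)
        if p is None:
            reasons.append(f"{name}: missing on passport")
        elif a is None:
            reasons.append(f"{name}: missing on account")
        elif _normalize(p) != _normalize(a):
            reasons.append(f"{name}: mismatch")
    return (not reasons, reasons)


# Constructed sample data: claims read from a Passport and attributes of the account signing in.
PASSPORT = {"given_name": "Anna-Lena", "family_name": "MÜLLER", "birthdate": "1990-05-17"}
ACCOUNT = {"given_name": "anna-lena", "family_name": "Müller", "birthdate": "1990-05-17"}

if __name__ == "__main__":
    print(match_passport_to_account(PASSPORT, ACCOUNT))  # (True, [])
    print(match_passport_to_account(PASSPORT, {**ACCOUNT, "birthdate": "1991-05-17"}))
```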
Steps
For the two-way integration:
- Sign in to your YumiPass integration account.
- Create a new Workforce app registration:
  - Choose Entra.
  - Choose Automated setup. An Entra admin consent prompt is shown to set up the configuration.
- In Entra, make sure that:
  - In Protect > External Authentication Methods: the YumiPass EAM object is Enabled.
  - In Enterprise Applications > locate and select the new YumiPass app > API: an admin has granted the read permissions.
To go live
Follow the Microsoft instructions to create the Conditional Access policies that require Passport verification. Make sure to set:
- Grant access: Require multifactor authentication
Security considerations
Go to your newly created Workforce app registration in YumiPass and adjust the authentication claims as needed.