Appendix D: Configuring Microsoft Entra ID for Use with Security Group-Based Filters

These steps enable Microsoft Entra ID security groups to be used as filter conditions for rules defined in your ProfileUnity configurations. The Entra ID User Group Membership filter condition is useful in environments that need to filter on group membership for Entra ID-only (not domain-joined) desktops, where users authenticate against Entra ID rather than an on-prem Active Directory domain.

It is recommended that the ProfileUnity Console server be domain-joined, so that administrators who log into the ProfileUnity Console with their Active Directory domain accounts can also use auto-completion/search for on-prem Active Directory User Group Membership filter conditions.

Using Entra ID user group membership filters may not remove the need for on-prem AD user group membership filters if on-prem AD users also log into on-prem AD domain-joined desktops. The set of groups available from Entra ID and from on-prem AD is rarely the same: not every AD domain group exists in Entra ID, and vice versa.

These steps do not enable Entra ID-based authentication to the ProfileUnity Console itself. For that feature, refer to Configuring SAML Authentication for the ProfileUnity Console, which uses Entra ID as the example SAML Identity Provider.

Configure Entra ID for Security Group Lookups in the Azure Portal

Note: These steps require enough access to create a new App registration in your Microsoft Entra ID tenant and to grant admin consent for its API permissions.

  1. Log in to the Azure Portal > Microsoft Entra ID blade > App registrations screen with appropriate Azure Administrator-level credentials.
  2. Alternatively, go directly to https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade
  3. If you are not already in the correct Tenant, Directory, and Subscription, click your login name at the top-right and use the Switch directory link.
  4. On the App registrations screen, click New registration at the top, provide the requested information and click Register. This creates a new App registration that, once configured, the ProfileUnity Console and Client will use for Entra ID security group lookups.
    1. Name = Give this application a name (e.g., ProfileUnity Group Lookups).
    2. Supported account types = Set to Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant).
    3. Redirect URI = Select Web from the dropdown and enter your ProfileUnity Console URL:
       https://<f.q.d.n>:8000/
       where <f.q.d.n> is the fully qualified domain name of your ProfileUnity Console server and is resolvable by your web browser.
  5. On the Overview page of your new App registration, copy/save the Application (client) ID and Directory (tenant) ID. You will need these later.
  6. Navigate to the Authentication page on the left, find and enable the ID tokens (used for implicit and hybrid flows) option and click the Save button.
  7. Navigate to the Certificates & secrets page on the left, click New client secret under the Client secrets tab, fill in the information, and click the Add button.
    1. Description
    2. Expires
  8. Copy/save the Value and Secret ID. You will need these later.
  9. Important: Azure will not show you the Value again. If you lose it, you must create a new client secret and reconfigure ProfileUnity. Treat the Value as a privileged credential: combined with the application permissions granted below, it can read every user and group in the tenant. Store it only in the ProfileUnity Console, and record the Expires date so the secret can be rotated before group lookups stop working.

  10. Navigate to the API permissions page on the left, click the Add a permission button and then do the following:
    1. Find/select Microsoft Graph (usually at the top).
    2. Select Application permissions.
    3. Search for and select Group.Read.All. Check the box.
    4. Search for and select User.Read.All. Check the box.
    5. Click the Add permissions button.
  11. Click Grant admin consent for <tenant name> and answer Yes to the Grant admin consent confirmation. Application permissions are not effective until an administrator consents; the Status column on the API permissions page should show Granted for both permissions.
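The portal steps above leave you with three values (Directory (tenant) ID, Application (client) ID, client secret Value) and two consented Microsoft Graph application permissions. Before entering them into the ProfileUnity Console, it is worth confirming from any workstation that the registration actually works. The script below is an added example, not part of the original page and not ProfileUnity's own code; it uses only the Python standard library. It requests an app-only token with the OAuth 2.0 client-credentials grant, checks that the token's `roles` claim carries Group.Read.All and User.Read.All (Entra ID populates that claim from the admin-consented application permissions; if consent was skipped the claim is absent and Graph answers 403), and lists a test user's transitive security group memberships. The JWT is decoded without signature verification because the script only inspects what it was issued; Microsoft Graph is the party that validates it. The embedded sample token and Graph response are constructed for offline illustration, and the command-line arguments, user and group names are placeholders.

```python
"""Check a ProfileUnity group-lookup App registration against Microsoft Graph.
Added example, stdlib only. Inputs: tenant ID, application (client) ID, client secret Value."""
import base64
import json
import sys
import urllib.parse
import urllib.request

# Application permissions added in the API permissions step above.
REQUIRED_ROLES = {"Group.Read.All", "User.Read.All"}
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH = "https://graph.microsoft.com/v1.0"


def b64url_decode(segment: str) -> bytes:
    """Decode base64url, restoring the '=' padding that JWT segments omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return a JWT's payload WITHOUT verifying the signature: we only inspect
    what Entra ID issued to us; Microsoft Graph is the party that validates it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT")
    return json.loads(b64url_decode(parts[1]))


def missing_roles(claims: dict, required=frozenset(REQUIRED_ROLES)) -> set:
    """App-only tokens carry consented application permissions in 'roles'.
    Any required permission absent there means admin consent is incomplete."""
    return set(required) - set(claims.get("roles", []))


def get_app_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """OAuth 2.0 client-credentials grant: an app-only access token for Graph."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant_id), data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def transitive_groups(token: str, upn: str) -> list:
    """Direct and nested group memberships of a user, following Graph's @odata.nextLink paging."""
    url = (f"{GRAPH}/users/{urllib.parse.quote(upn)}/transitiveMemberOf/microsoft.graph.group"
           "?$select=id,displayName,securityEnabled")
    groups = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        groups.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return groups


def security_group_names(groups: list) -> set:
    """Keep only security-enabled groups; Microsoft 365 groups are not security groups."""
    return {g["displayName"] for g in groups if g.get("securityEnabled")}


def is_member(groups: list, group_name: str) -> bool:
    return group_name in security_group_names(groups)


# ---- Constructed samples for offline illustration (not real tenant data) ----
def unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped string with a dummy signature, for the samples below only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


SAMPLE_TOKEN_CONSENTED = unsigned_jwt({"aud": "https://graph.microsoft.com",
                                       "roles": ["Group.Read.All", "User.Read.All"]})
SAMPLE_TOKEN_PARTIAL = unsigned_jwt({"aud": "https://graph.microsoft.com",
                                     "roles": ["Group.Read.All"]})  # consent incomplete
SAMPLE_GRAPH_PAGE = {"value": [
    {"id": "11111111-aaaa-4bbb-8ccc-000000000001", "displayName": "PU-Finance-Printers",
     "securityEnabled": True},
    {"id": "11111111-aaaa-4bbb-8ccc-000000000002", "displayName": "All Company",
     "securityEnabled": False},  # a Microsoft 365 group, not a security group
]}

if __name__ == "__main__":
    if len(sys.argv) != 6:
        sys.exit("usage: check_lookup.py <tenant-id> <client-id> <client-secret> <user-upn> <group-name>")
    tenant, client, secret, upn, group = sys.argv[1:6]
    token = get_app_token(tenant, client, secret)
    gap = missing_roles(decode_jwt_claims(token))
    if gap:
        sys.exit(f"admin consent missing for: {', '.join(sorted(gap))}")
    groups = transitive_groups(token, upn)
    print(f"{upn} is {'a' if is_member(groups, group) else 'NOT a'} member of {group}")
```

Run it with the three saved values plus the UPN of a test user and the display name of a security group that user belongs to. A "admin consent missing" exit points back to step 11; a 401 from the token endpoint usually means a mistyped or expired client secret; a 403 from Graph with a correct `roles` claim means the permissions were changed after the token was issued, so request a fresh one.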

Configure the ProfileUnity Console

Note: These steps require the account logging into the ProfileUnity Console to have the Administrator role assigned in the Administration > Access and Authentication tab.

  1. Log in to the ProfileUnity Console web UI as an Administrator-level account and navigate to the Administration > Access and Authentication tab in the upper-right.
  2. In the Directory Services section, click the Add Microsoft Entra ID Tenant button and enter the Directory (tenant) ID and Application (client) ID saved in Step 5 and the client secret Value saved in Step 8 of Configure Entra ID for Security Group Lookups in the Azure Portal.
  3. Log back into the ProfileUnity Console web UI and navigate to Filter Management in the left bar. To create a filter with an Entra ID User Group condition, click the Create button at the top-right and select Entra ID User Group Membership in the Condition dropdown.
  4. Microsoft Entra ID Security Group memberships can then be used as Filters for any policy rule in your ProfileUnity Configuration.

    Note: Entra ID User Group Membership filter evaluation is still attempted for full domain account logons, and matches just as it would if the user had logged on to an Entra ID-only machine, as long as the user's UPN and sAMAccountName (pre-Windows 2000 logon name) match in Active Directory.