# Example: Azure Entra Setup


![azure-entra-app-registration](https://www.agilicus.com/www/c6127b65-azure-entra-app-registration.avif)

Set up your own Microsoft Entra application registration with user auto-provisioning and group mapping.

This allows zero-touch provisioning of users.


Table of Contents

- [How To Steps](#how-to-steps)
    - [Step 1/2/3: Application Registration Creation](#step-1-2-3-application-registration-creation)
    - [Step 4: Enable Auto-Create](#step-4-enable-auto-create)
    - [Step 5: Enable Group Mapping](#step-5-enable-group-mapping)
    - [Step 6: Add Icon to theme](#step-6-add-icon-to-theme)
    - [Step 7: Sign-in as Test User](#step-6-add-icon-to-theme-1)
    - [Step 8: Assign Administrative Rights](#step-8-assign-administrative-rights)
    - [Step 9: Re-Sign-in as Test User](#step-8-assign-administrative-rights-2)
    - [Step 10: Reset Previous User](#step-8-assign-administrative-rights-3)

This is a worked, opinionated setup of [Microsoft Entra](https://www.microsoft.com/en-ca/security/business/identity-access/microsoft-entra-id) with Agilicus AnyX for custom user and group syncing. It allows zero-touch ongoing user management.

For more information on the specific features, see the following product-guide pages:

- [Azure Active Directory](/anyx-guide/azure-active-directory/)
- [Sign in With Microsoft](/anyx-guide/sign-in-with-microsoft/)
- [Azure Application Consent](/white-papers/azure-application-consent/)
- [Sign-In Theming](/anyx-guide/sign-in-theming/)
- [Groups](/anyx-guide/groups/)
- [Reset User Upstream Identity](/faq/reset-user-upstream-identity/)
- [Administrative Users](/anyx-guide/administraive-users/)

## How To Steps

The high level steps we will perform:

1. Create new Agilicus AnyX Custom Identity Provider (Identity Issuer)
2. Create new Microsoft Application Registration
3. Link the Microsoft Application Registration to the Agilicus AnyX Identity Issuer
4. Enable Auto-Create
5. Enable Group Mapping
6. Add icon to theme
7. Sign in as test user to profile.\_\_MYDOMAIN\_\_
8. Assign [administrative](https://www.agilicus.com/anyx-guide/administraive-users/) rights ([system groups](https://www.agilicus.com/anyx-guide/groups/#system-groups)) to test user
9. Sign in as test user to observe administrative permission
10. Reset previous user

### Step 1/2/3: Application Registration Creation

In the below video we create a custom Entra application registration and configure it as an Identity provider in Agilicus AnyX. This will allow your users to sign in.

A Custom Entra Application Registration (versus the pre-configured Agilicus Multi-Tenant Application Registration) allows:

1. Custom Icon on sign-in screen
2. Custom label on sign-in screen
3. Azure Entra Group Mapping

It is #3, the Group Mapping, that is the primary reason for taking this extra step.

At this stage, enable the optional claims as per "[Azure Claims](https://www.agilicus.com/anyx-guide/azure-active-directory/#h-azure-claims)" (optional), and enable [Azure Groups](https://www.agilicus.com/anyx-guide/azure-active-directory/#h-optional-azure-groups).

![Azure Entra ID Setup Example: Agilicus AnyX Zero Trust Access. Diagram illustrates configuring Azure Entra ID (formerly Azure AD) with Agilicus AnyX for secure, zero trust access to applications. Shows user authentication flow, conditional access policies, and integration points for enhanced security.](https://www.agilicus.com/www/a3ed4875-image-1024x631.png)

![Azure Entra ID Setup Example: Agilicus AnyX Conditional Access Configuration. Diagram illustrating the steps to configure Conditional Access policies in Azure Entra ID for secure access using Agilicus AnyX.](https://www.agilicus.com/www/a0a5823e-image-1024x402.png)

**NOTE:** A user can only be associated with one Identity provider. If you have signed in using the shared Microsoft provider, you cannot use this user to test with. We recommend using a different user to test with, then making that user an administrator, then signing in with that new user and resetting your existing user. See "[Reset User Upstream Identity](/faq/reset-user-upstream-identity/)". We cover this [later](#swap-administrator) in this Example.

### Step 4: Enable Auto-Create

Since we will be entirely managing users in the Microsoft platform, we desire to create them automatically in Agilicus AnyX.

![Azure Entra Setup Example: Diagram illustrating the AnyX integration with Azure Entra ID, showcasing secure access and identity management for cloud applications. Learn how to configure AnyX with Azure Entra for streamlined user authentication and authorization.](https://www.agilicus.com/www/60789c1c-image-1024x534.png)

### Step 5: Enable Group Mapping

In your Microsoft Entra system, you have a set of groups (e.g. 'All Users', 'HMI Admins', etc). These can be auto-provisioned into Agilicus AnyX by configuring the Group Mappings. For this example we will do a 1:1 map: select the action button, then configure group mappings, and then the "MAP ALL GROUPS" button.

![Azure Entra ID Setup Example: Diagram illustrating the configuration steps for integrating Agilicus AnyX with Azure Entra ID, showcasing user authentication and authorization flow for secure access management.](https://www.agilicus.com/www/38d90795-image-1024x475.png)

![Azure Entra ID setup example in AnyX. The diagram illustrates the configuration steps for integrating Azure Entra ID with AnyX, focusing on secure access and identity management. It highlights the flow of authentication and authorization, ensuring seamless connectivity and enhanced security. This setup enables centralized user management and streamlined access control for AnyX resources.](https://www.agilicus.com/www/b7b181fb-image-1024x902.png)

### Step 6: Add Icon to theme

On the sign-in screen, the label will be "Sign in with" and the name you give this in the Agilicus Admin.

Follow the instructions at [Theming](/anyx-guide/sign-in-theming/). Create an svg or png file that is square (e.g. 64x64, 256x256), and place it in the theme directory.

![Azure Entra ID setup example using AnyX. The image shows the AnyX user interface with Azure Entra ID configured as an identity provider. Users can log in to AnyX using their existing Azure Entra ID credentials, simplifying access management and enhancing security.](https://www.agilicus.com/www/494520b4-image-1024x213.png)

Add an entry to the styles.css in the theme directory as below, where the name (in this example --egov) is replaced with the name you gave on the config screen in the icon column (e.g. --my-icon). Make the 'url' field be the name of the icon file you placed in that directory.

```
.dex-btn-icon--egov {
  background-image: url(egov.png);
  background-size: contain;
}
```

The result will be somewhat like below.

![Azure Entra ID Setup Example: Diagram illustrating the configuration of Agilicus AnyX with Azure Entra ID, showcasing the connection and data flow between the two systems for secure access management. Shows users, Azure Entra ID, and Agilicus AnyX components.](https://www.agilicus.com/www/efd2340e-image-1024x752.webp)

### Step 7: Sign-in as Test User

You should now be able to sign in as a test user you have available to you in that Microsoft Entra directory. Do not use the same user you are already signed in with via the existing multi-tenant application registration (we will resolve that below).

On the first sign in, you may, depending on your directory setup, see a consent form as below. Grant consent on behalf of your organisation. You can see the permissions granted (this is explained in more detail in [Azure Application Consent](https://www.agilicus.com/white-papers/azure-application-consent/)). This does not grant Agilicus AnyX any permission other than to read the user name and groups.

![Azure Entra ID setup example in AnyX. The diagram illustrates the steps for configuring Azure Entra ID to work with AnyX, focusing on app registrations, API permissions, and user assignments to enable secure and seamless authentication and authorization.](https://www.agilicus.com/www/23883f0d-image.png)

### Step 8: Assign Administrative Rights

At this stage, the test user can sign in. Let us now assign administrative permissions to the test user so we can reset the original.

![Azure Entra setup example in AnyX. The image shows the AnyX console displaying an example setup using Azure Entra ID for authentication and authorization. It illustrates how to configure AnyX to integrate with Azure Entra, including defining roles and permissions for users and groups managed in Azure Entra, enabling secure access to resources within AnyX.](https://www.agilicus.com/www/434ee5d4-image-1024x579.png)

### Step 9: Re-Sign-in as Test User

Sign in again as the test user. Observe that the menus in admin are no longer greyed out for them.

Observe the Access/Groups menu has the names of your Microsoft Entra groups. You may later assign permissions to these.
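If the expected groups are not listed, one check is whether the ID token Entra issues for the test user carries group membership at all. The following is an added example, not Agilicus or Microsoft code: it assumes you have captured the test user's ID token yourself, decodes it without verifying the signature (inspection only), and distinguishes an inline `groups` claim from the overage markers Entra emits when the user belongs to too many groups to fit in the token. The sample claims and the `_make_token` helper are constructed for the demonstration.

```python
import base64
import json


def jwt_payload(token: str) -> dict:
    """Decode the payload segment of a JWT WITHOUT verifying the signature.
    For inspecting a token you obtained yourself; never for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    seg = parts[1]
    seg += "=" * (-len(seg) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def groups_status(claims: dict) -> tuple[str, list]:
    """Classify how (or whether) group membership is present in the claims."""
    groups = claims.get("groups")
    if isinstance(groups, list) and groups:
        return "inline", groups
    # Overage: the list is omitted and a pointer to a lookup source is sent.
    if "groups" in claims.get("_claim_names", {}):
        return "overage", []
    if claims.get("hasgroups") in (True, "true"):
        return "overage", []
    return "missing", []


def _make_token(claims: dict) -> str:
    """Build an unsigned, constructed sample token for the demo below."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed sample claims; the GUID and endpoint are placeholders.
SAMPLES = {
    "inline": {"preferred_username": "test@example.com",
               "groups": ["11111111-1111-1111-1111-111111111111"]},
    "overage": {"preferred_username": "test@example.com",
                "_claim_names": {"groups": "src1"},
                "_claim_sources": {"src1": {"endpoint": "https://graph.example/placeholder"}}},
    "missing": {"preferred_username": "test@example.com"},
}

if __name__ == "__main__":
    for name, claims in SAMPLES.items():
        status, groups = groups_status(jwt_payload(_make_token(claims)))
        print(f"{name:8} -> {status:8} {groups}")
```

A `missing` result points back to the Azure Groups setting from Step 1/2/3; an `overage` result means the token itself does not list the groups, so membership has to be narrowed or resolved another way.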

### Step 10: Reset Previous User

While signed in as the test user, after granting admin, we will now reset the original user. See "[Reset User Upstream Identity](/faq/reset-user-upstream-identity/)".

![Azure Entra ID Setup Example in AnyX. This diagram illustrates the configuration steps for integrating Azure Entra ID (formerly Azure Active Directory) with AnyX. It highlights the process of setting up application registrations, API permissions, and user assignments within Azure to enable secure authentication and authorization for AnyX users. Ideal for DevOps engineers and cloud administrators implementing AnyX with Azure AD.](https://www.agilicus.com/www/9a384c3b-image-1024x416.png)

At this stage you are complete. Feel free to try logging in as the original user.

From here, you will assign permissions based on your Microsoft Entra groups, and there will be 0 ongoing management required for users or permission assignments.