This help center article gives our customers guidance on choosing between the authentication flows available for Kombo's Azure AD/Entra ID integration. Please note that Azure AD and Entra ID are configured separately on the tools page, so if you have both enabled, remember to change your settings for both.
Option 1: User-Delegated access
To make this flow available to your customers, include delegated_flow in the Allowed Connection Flows on the Settings tab of the tools page.
The main benefit of this connection flow is a very smooth connection experience, as no manual setup is involved. The drawback is that the app acts on behalf of the admin who connected, using tokens issued to that user: if the Entra ID admin user is deactivated, loses their admin privileges or changes their password, the integration breaks and requires re-authentication. Typical enterprise security policies may also prevent some of your customers from connecting, as granting user-delegated access with an admin user is generally discouraged.
Additionally, you can replace the Kombo app that shows up in your customers' Entra ID by providing us with your own Partner Credentials (note: these are only used for the User-Delegated access flow):
Option 2: App-only access (default)
2.1 Client Secret authentication (default)
To make this flow available to your customers, include app_only_flow in the Allowed Connection Flows on the Settings tab of the tools page (this is the default configuration).
During this connection flow, each of your customers sets up the Entra ID app manually and provides authentication credentials. Please note that the client secret expires automatically, requiring re-authentication (your customer can generate a new secret and skip most of the initial setup steps in this flow). Entra ID allows secrets to be valid for up to 24 months; the Entra ID UI recommends 6 months.
The benefits of this connection flow are more predictable re-authentication (the secret's expiry date is known in advance) and a clear separation between user and application actions within Entra ID.
2.2 Certificate authentication (recommended)
To make this flow available to your customers, include app_only_flow_certificate in the Allowed Connection Flows on the Settings tab of the tools page.
You may also change the certificate's properties on this tab:
This connection flow works similarly: each of your customers sets up the Entra ID app manually, and for authentication your customer uploads our certificate (only the public part; the private key stays with Kombo) to the app registration. Entra ID recommends this authentication method:
Credentials enable confidential applications to identify themselves to the authentication service when receiving tokens at a web addressable location (using an HTTPS scheme). For a higher level of assurance, we recommend using a certificate (instead of a client secret) as a credential.
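To make the "higher level of assurance" concrete, the following Go program is an added example (not Kombo's code and not part of the original article) showing what Entra ID actually does with an uploaded certificate. With a client secret, the secret itself is sent in every token request; with a certificate, the app holding the private key sends only a short-lived signed JWT (the client_assertion of the client-credentials grant) whose x5t header is the certificate's SHA-1 thumbprint, and the token endpoint verifies the signature against the uploaded public certificate. The tenant and client IDs are placeholder assumptions, the certificate is a throwaway self-signed one generated in the program as stand-in test data, and VerifyClientAssertion is a local imitation of the token endpoint's checks, not a call to Entra ID.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// Placeholder identifiers: assumptions for this example, not real Kombo or customer values.
const (
	TenantID = "00000000-0000-0000-0000-000000000000"
	ClientID = "11111111-1111-1111-1111-111111111111"
)

// TokenEndpoint is the audience Entra ID expects in a certificate-based client assertion.
func TokenEndpoint(tenant string) string {
	return "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/token"
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SelfSignedCert creates a throwaway key pair and certificate standing in for the one the
// customer uploads to the app registration (constructed test data, not a real credential).
func SelfSignedCert() (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "app-only-example"},
		NotAfter: time.Now().Add(365 * 24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der, err
}

// BuildClientAssertion signs the JWT sent as client_assertion in the client-credentials
// request. The x5t header is the certificate's SHA-1 thumbprint, which lets Entra ID pick
// the matching uploaded certificate; the private key itself never leaves the caller.
func BuildClientAssertion(key *rsa.PrivateKey, certDER []byte, tenant, client string, now time.Time) (string, error) {
	thumb := sha1.Sum(certDER)
	jti := make([]byte, 16) // unique per assertion, so a captured one cannot be replayed
	if _, err := rand.Read(jti); err != nil { return "", err }
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "x5t": b64url(thumb[:])})
	claims, _ := json.Marshal(map[string]interface{}{
		"aud": TokenEndpoint(tenant), "iss": client, "sub": client, "jti": b64url(jti),
		"nbf": now.Unix(), "exp": now.Add(10 * time.Minute).Unix(), // short-lived by design
	})
	input := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return input + "." + b64url(sig), nil
}

// VerifyClientAssertion mirrors the token endpoint's checks (thumbprint match, signature,
// audience, issuer/subject, validity window) and returns the asserted client id on success.
func VerifyClientAssertion(assertion string, certDER []byte, tenant string, now time.Time) (string, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 { return "", errors.New("malformed assertion") }
	var header struct{ Alg, X5t string }
	var claims struct{ Aud, Iss, Sub string; Nbf, Exp int64 }
	if err := decode(parts[0], &header); err != nil { return "", err }
	if err := decode(parts[1], &claims); err != nil { return "", err }
	thumb := sha1.Sum(certDER)
	if header.Alg != "RS256" || header.X5t != b64url(thumb[:]) {
		return "", errors.New("no registered certificate matches x5t")
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil { return "", err }
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if !ok || err != nil { return "", errors.New("unusable certificate key or signature encoding") }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", errors.New("signature does not verify against the registered certificate")
	}
	if claims.Aud != TokenEndpoint(tenant) || claims.Iss != claims.Sub {
		return "", errors.New("audience or issuer mismatch")
	}
	if now.Unix() < claims.Nbf || now.Unix() >= claims.Exp {
		return "", errors.New("assertion outside its validity window")
	}
	return claims.Iss, nil
}

// decode parses one base64url-encoded JSON segment of the JWT.
func decode(seg string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil { return err }
	return json.Unmarshal(raw, v)
}
```

In the real flow the assertion produced by BuildClientAssertion is POSTed to the token endpoint together with grant_type=client_credentials and client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer. The practical difference from a client secret is visible in the code: a secret is a reusable bearer value that anyone who captures it can present until it expires, whereas here only a signed assertion that is bound to one tenant's token endpoint and valid for ten minutes ever travels, and the private key remains with the party that holds the certificate.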