Entra ID FAQs
Can I use the Connector with the Entra ID API integration simultaneously?
Only if the two directories do not overlap. The integration fails if your platform tenant contains Active Directory (AD) users who share usernames or email addresses with Entra ID users, or if AD and Entra ID manage the same domains. Such a setup creates identity collisions: an AD user and an Entra ID user with the same UPN are distinct objects with different object IDs (GUIDs). This applies to Privilege Control for Servers (PCS) and Server Suite implementations, both of which depend on Active Directory.
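Before enabling the API integration alongside the Connector, it is worth checking for the overlap this answer describes. The following PowerShell is an added example, not Delinea's code: it compares an AD user list with an Entra ID user list for shared UPNs and mail addresses, and compares the forest's DNS names and UPN suffixes with the tenant's verified domains. The live collection helpers assume the ActiveDirectory and Microsoft.Graph modules and an authenticated Connect-MgGraph session with User.Read.All and Domain.Read.All; the sample records at the bottom are constructed and come from no real tenant.

```powershell
# Added example, not Delinea's code: a pre-flight check for the AD / Entra ID identity collisions
# described above. Reports Entra ID users whose UPN or mail also exists on an AD user, and domains
# that both directories claim. Live collection assumes the ActiveDirectory and Microsoft.Graph
# modules and an existing session from:  Connect-MgGraph -Scopes 'User.Read.All','Domain.Read.All'

function Find-DirectoryCollisions {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $AdUsers,      # UserPrincipalName, Mail, ObjectGUID
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $EntraUsers,   # Id, UserPrincipalName, Mail
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $AdDomains,    # forest DNS names and UPN suffixes
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $EntraDomains  # verified Entra ID domains
    )
    # UPNs, mail addresses and DNS names are case-insensitive, so index everything lower-cased.
    $adByUpn = @{}; $adByMail = @{}; $adDomainSet = @{}
    foreach ($u in $AdUsers) {
        if ($u.UserPrincipalName) { $adByUpn[$u.UserPrincipalName.ToLowerInvariant()] = $u }
        if ($u.Mail)              { $adByMail[$u.Mail.ToLowerInvariant()] = $u }
    }
    foreach ($d in $AdDomains) { $adDomainSet[$d.ToLowerInvariant()] = $true }

    $userCollisions = foreach ($e in $EntraUsers) {
        foreach ($attr in 'UserPrincipalName', 'Mail') {
            $value = $e.$attr
            if (-not $value) { continue }
            $index = if ($attr -eq 'Mail') { $adByMail } else { $adByUpn }
            $match = $index[$value.ToLowerInvariant()]
            if ($match) {
                # Same UPN or mail on two objects with different IDs: the collision the integration rejects.
                [pscustomobject]@{
                    Attribute     = $attr
                    Value         = $value
                    AdObjectGuid  = $match.ObjectGUID
                    EntraObjectId = $e.Id
                }
            }
        }
    }
    $sharedDomains = @($EntraDomains | Where-Object { $adDomainSet.ContainsKey($_.ToLowerInvariant()) })

    [pscustomobject]@{
        UserCollisions = @($userCollisions)
        SharedDomains  = $sharedDomains
        Safe           = (@($userCollisions).Count -eq 0 -and $sharedDomains.Count -eq 0)
    }
}

function Get-AdDirectorySnapshot {
    # Live AD side. Every domain DNS name in the forest is an implicit UPN suffix;
    # alternate suffixes are listed separately on the forest object.
    $forest = Get-ADForest
    [pscustomobject]@{
        Users   = @(Get-ADUser -Filter * -Properties UserPrincipalName, mail |
                    Select-Object UserPrincipalName, @{ n = 'Mail'; e = { $_.mail } }, ObjectGUID)
        Domains = @($forest.Domains) + @($forest.UPNSuffixes)
    }
}

function Get-EntraDirectorySnapshot {
    # Live Entra ID side; only verified domains can carry user UPNs.
    [pscustomobject]@{
        Users   = @(Get-MgUser -All -Property Id, UserPrincipalName, Mail |
                    Select-Object Id, UserPrincipalName, Mail)
        Domains = @(Get-MgDomain -All | Where-Object { $_.IsVerified } | ForEach-Object { $_.Id })
    }
}

# Constructed sample records (no real tenant data) so the check can be exercised offline.
# jdoe is deliberately present in both directories; cloud.only is Entra-only.
$sampleAd = @(
    [pscustomobject]@{ UserPrincipalName = 'jdoe@corp.example.com';   Mail = 'jdoe@example.com';   ObjectGUID = [guid]'11111111-1111-1111-1111-111111111111' }
    [pscustomobject]@{ UserPrincipalName = 'asmith@corp.example.com'; Mail = 'asmith@example.com'; ObjectGUID = [guid]'22222222-2222-2222-2222-222222222222' }
)
$sampleEntra = @(
    [pscustomobject]@{ Id = 'aaaaaaaa-0000-0000-0000-000000000001'; UserPrincipalName = 'JDoe@corp.example.com';             Mail = 'jdoe@example.com' }
    [pscustomobject]@{ Id = 'aaaaaaaa-0000-0000-0000-000000000002'; UserPrincipalName = 'cloud.only@example.onmicrosoft.com'; Mail = $null }
)
$result = Find-DirectoryCollisions -AdUsers $sampleAd -EntraUsers $sampleEntra `
    -AdDomains @('corp.example.com') -EntraDomains @('example.onmicrosoft.com', 'corp.example.com')
$result.UserCollisions | Format-Table -AutoSize
$result.SharedDomains
$result.Safe

# Against real directories (requires the modules and Graph session noted above):
# $ad = Get-AdDirectorySnapshot; $entra = Get-EntraDirectorySnapshot
# Find-DirectoryCollisions -AdUsers $ad.Users -EntraUsers $entra.Users -AdDomains $ad.Domains -EntraDomains $entra.Domains
```

With the sample data, jdoe is reported twice (once on UPN, where only the case differs, and once on mail), corp.example.com is reported as a shared domain, and Safe is false. Run it against the live snapshots and resolve every reported row before enabling the integration; an empty UserCollisions list with a non-empty SharedDomains list still fails the domain condition in the answer above.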
Can I use Entra ID Federation and Entra ID API integration simultaneously?
No. If your platform already has an Entra ID federation configuration, adding a new native Entra ID-registered app on the same Entra ID tenant will not succeed.
How is adding Entra ID users different from adding federated users?
While a federated user must log on to the platform once before their account appears on the platform, an Entra ID user can be added to the platform by an administrator and fully set up (with roles, permissions, groups, identity policies, secrets and folder sharing, etc.) before the Entra ID user first logs on to the platform. And unlike a federated group, an Entra ID group does not need to be mapped to a local group.
How is Entra ID Federation user mapping different from standard federation?
Standard federation supports user mapping to Active Directory:
- The user object originates from AD.
- Authentication occurs through federation.
- Permissions can be assigned through AD users or groups, and MFA can also be set up for the user.
The Entra ID federation configuration is system-generated and does not support user mapping to Active Directory. This is a known, current limitation for Privilege Control for Servers that we are actively working to address in future releases.
What if users can’t log in after the integration is set up?
- Ensure that the registered app is "Enabled".
- Verify that the API permission "Log in to Entra ID" is selected for the registered app.
- On the platform, navigate to Settings > Federation providers and select the Entra ID federation configuration.
- Open the Federation console tab to run the debugging process.
What happens if I disable a registered app?
The registered app facilitates the connection between the Delinea Platform and Microsoft Entra ID. Disabling the registered app prevents Entra ID users from logging in to the Delinea Platform, and blocks administrators from querying the Entra ID directory.
Can I create a registered app for each API permission?
Yes, you may create a customer-managed registered app for each API permission as required.
What validations and errors might arise when creating a registered app?
Scenario: Attempting to create a registered app with the same "Log in to Entra ID" permission for an existing Entra ID application client ID.
- Outcome: A registered app cannot be created with duplicate permissions for the same application ID.
- Message: "An app '%appname' with 'Log in to Entra ID' permission already exists for client ID '%appclientid'."
Scenario: Attempting to register a platform app with "Read" permission for the same Entra ID tenant.
- Outcome: "Read" permission can only be granted once per Entra ID tenant, as it is tenant-wide.
- Message: "'Entra ID - Read' permission is already assigned to '%appname' for tenant '%tenantid'."
What customer-managed registered app configurations create different outcomes?
Entra ID - Read | Log in to Entra ID | Provision Directory Services | Outcome
---|---|---|---
✘ | ✔ | ✔ | Registered app created; federation provider created; Entra ID users can log in to the platform.
✔ | ✔ | ✔ | Registered app created; federation provider created; directory service created; Entra ID users can log in to the platform; platform admins can manage Entra ID users and groups in the platform.
✔ | ✘ | ✔ | Registered app created; federation provider not created; directory service created; Entra ID users cannot log in to the platform; platform admins can manage Entra ID users and groups in the platform.
What is the scope of the API permission "Entra ID - Read"?
Granting this permission provides READ access to users and groups across the associated Azure tenant.
Will we eventually have the same browsing experience for AD and Entra ID?
Today the two behave differently. When you browse Entra ID groups after selecting an Entra ID directory, paginated results are displayed automatically, making it easier to navigate and find information. Active Directory (AD) results, by contrast, are returned only after you enter a search term.
How long does the Platform take to detect and reflect changes from Entra ID?
You can expect changes in Microsoft Entra ID directory objects, such as users and groups, to be updated on the Delinea platform within 10 minutes. This includes the deletion of Entra ID users and groups.
How do user attributes (e.g. mobile number) propagate from Entra ID to Platform?
User attributes supported by the Delinea Platform are automatically propagated from Entra ID, eliminating the need to configure user attribute mapping within the federation provider on the platform.
What are the advantages of configuring the Entra ID integration using the Delinea-managed registered app?
It eliminates the need to manually configure the Azure app registration and the Delinea registered app on the Delinea Platform. The Delinea Platform automatically creates the required Azure enterprise application and app registrations and manages their certificates, secrets, token settings, and API permissions.
Where is the registered app I created as part of the private preview?
The Public Preview introduced the concept of Delinea-managed apps. If a registered app was created during the Private Preview, it is now located in the Registered apps > Customer managed tab.
How are secrets managed using the Delinea-managed app?
Secrets are managed by the Delinea platform and are automatically rotated every 180 days.
How can I resolve Delinea-managed app consent errors?
If there is a consent error, check that the Microsoft account has either the Global Administrator or Privileged Role Administrator role and try to grant consent again.
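A quick way to verify the role requirement before retrying consent is to ask Graph which directory roles the signed-in account is an active member of. The following PowerShell is an added example, not Delinea's code. It assumes the Microsoft.Graph module and a delegated Connect-MgGraph session with Directory.Read.All; the two role template IDs are Microsoft's fixed, well-known values, and the placeholder ID used in the offline sample calls is constructed.

```powershell
# Added example, not Delinea's code: confirm the account about to grant consent holds an ACTIVE
# Global Administrator or Privileged Role Administrator assignment. The role template IDs are
# Microsoft's fixed, well-known values. The live lookup assumes the Microsoft.Graph module and an
# existing delegated session from:  Connect-MgGraph -Scopes 'Directory.Read.All'

$ConsentRoleTemplates = @{   # PowerShell hashtable keys are case-insensitive by default
    '62e90394-69f5-4237-9190-012177145e10' = 'Global Administrator'
    'e8611ab8-c189-46e8-94e1-60213ab1f814' = 'Privileged Role Administrator'
}

function Test-ConsentRole {
    # $ActiveRoleTemplateIds: template IDs of the directory roles the account is currently a member of.
    param([Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $ActiveRoleTemplateIds)
    $matching = @($ActiveRoleTemplateIds |
        Where-Object { $ConsentRoleTemplates.ContainsKey($_) } |
        ForEach-Object { $ConsentRoleTemplates[$_] })
    [pscustomobject]@{
        CanGrantConsent = ($matching.Count -gt 0)
        MatchingRoles   = $matching
    }
}

function Get-MyActiveRoleTemplateIds {
    # Live lookup. memberOf lists only ACTIVE role memberships: a PIM assignment that is merely
    # eligible does not appear until it has been activated, so activate it first and re-run.
    $upn = (Get-MgContext).Account            # populated for delegated (user) sign-in only
    $me  = Get-MgUser -UserId $upn -Property Id
    Get-MgUserMemberOf -UserId $me.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
        ForEach-Object { [string]$_.AdditionalProperties['roleTemplateId'] }
}

# Constructed inputs (a placeholder ID standing in for some unrelated role) to show both outcomes offline:
Test-ConsentRole -ActiveRoleTemplateIds @('00000000-0000-0000-0000-000000000000')
Test-ConsentRole -ActiveRoleTemplateIds @('00000000-0000-0000-0000-000000000000',
                                          '62e90394-69f5-4237-9190-012177145e10')

# Against the signed-in account:
# Test-ConsentRole -ActiveRoleTemplateIds @(Get-MyActiveRoleTemplateIds)
```

The first sample call reports that consent cannot be granted; the second, which includes the Global Administrator template ID, reports that it can. If the live call comes back negative for an account that is eligible for one of these roles through PIM, activate the role and rerun the check before retrying consent.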
Can I delete a Delinea-managed app?
Yes. Select the Delinea-managed app, right-click, and select Delete. This removes the app from the Delinea Platform and deletes the associated Azure app registrations, effectively removing the integration. The Azure enterprise application named "Delinea Platform Azure Registered Apps" remains, but you can delete it manually:
- Navigate to Enterprise Applications in Azure.
- Select Delinea Platform Azure Registered Apps.
- View its properties and select Delete.