Setting Up Entra ID

These are instructions specifically for Entra ID setup in Secret Server as a SAML provider, not Entra ID setup in Secret Server as a Directory Source.

Creating an Entra ID Application Registration

Task 1: Create the Application Registration in Entra

Additional Microsoft Documentation for this step can be found at Register an application in Microsoft Entra ID.
  1. Navigate to the Microsoft Entra Admin Center.
  2. Log in. At a minimum, you must be logged in as an Application Developer.
  3. If you have access to multiple tenants, click the settings icon (a cog) in the top menu to switch to the tenant where you want to register the application.
  4. On the left side of the page, click App Registrations.
  5. Click New Registration.
  6. Name the application "Delinea Secret Server."
  7. Under Supported account types, specify who can use the application. We recommend you select Accounts in this organizational directory only for most applications. Refer to the table on Register an application in Microsoft Entra ID for more information on each option.
  8. Under Redirect URI, choose Web from the dropdown and set the URL to https://<Your Secret Server URL>/signin-oidc
  9. Click Register.

Task 2: Adding a Client Secret to the Entra Application Registration

Additional Microsoft Documentation for this step can be found in the Add a client secret tab of the Add and manage application credentials in Microsoft Entra ID page.
  1. Navigate to the Microsoft Entra Admin Center.
  2. Log in. At a minimum, you must be logged in as an Application Developer.
  3. If you have access to multiple tenants, click the settings icon (a cog) in the top menu to switch to the tenant where you want to add the client secret.
  4. On the left side of the page, click App Registrations.
  5. Select the All applications tab on the page to see the application that was created in the section above.
  6. Select the application that was created in the section above.
  7. In the Manage section of the application, click Certificates & secrets.
  8. Click New client secret.
  9. Add a description for the secret and set its expiration time.
  10. Click Add.
  11. Once the client secret is added, copy the Value for the client secret.
You must copy this value at this time. This secret value is never displayed again after you leave this page.

Task 3: Adding API Permissions to the Entra Application Registration

Additional Microsoft Documentation for this step can be found at Configure an application to expose a web API.
This requires a local Secret Server account with at least one of these roles: Administer Active Directory, Unlimited Vault Access, or Administer Configuration Unlimited Admin.
  1. Navigate to the Microsoft Entra Admin Center.

  2. Log in. At a minimum, you must be logged in as an Application Developer.

  3. If you have access to multiple tenants, click the settings icon (a cog) in the top menu to switch to the tenant where you want to add the permissions.

  4. On the left side of the page, click App Registrations.

  5. Select the All applications tab on the page to see the application that was created in the section above.

  6. Select the application that was created in the section above.

  7. In the Manage section of the application, click API Permissions.

  8. A single permission is listed on this page. Click the three dots to the right of that permission, then click Remove Permission.

  9. Click Yes, remove.

  10. Click Add a permission.

  11. Select Microsoft Graph.

  12. Click Delegated permissions.

  13. Search for and select Group.Read.All, which appears in the Group section.

  14. Click Application permissions.

  15. Search for and select the following:

    • Group.Read.All in the Group section
    • GroupMember.Read.All in the GroupMember section
    • Member.Read.Hidden in the Member section
    • User.Read.All in the User section
  16. Click Add permissions.

  17. Click Grant admin consent for Delinea.

  18. Click Yes.

Creating an Application Registration Secret in Secret Server

Secret Server will throw an error if you use the Secret ID of the Entra ID application secret instead of the Value of the Entra ID application secret. For example:
- tenantId: Failed to validate Azure domain credentials. A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '98fec3da-1a12-429f-8ecf-0e803b5c39d9'. Trace ID: d7d2e5e6-c817-4d7d-8cd5-fddd2a985100 Correlation ID: 7cb5f18e-7401-4af8-be39-4512169ea99b Timestamp: 2026-01-15 21:20:00Z
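Two local checks that catch the problems described in Task 3 and in the error above before the values are saved into Secret Server: that the client secret is the secret Value rather than a GUID-shaped Secret ID (the cause of AADSTS7000215), and that an app-only Graph token carries exactly the four application permissions the registration was granted. This is an added example, not Secret Server or Microsoft code; the token-endpoint URL and client-credentials parameters are the standard Microsoft identity platform v2.0 ones, and the sample token is constructed and unsigned.

```python
import base64
import json
import re
from urllib.parse import urlencode

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# Application permissions Task 3 grants to the registration.
EXPECTED_ROLES = {"Group.Read.All", "GroupMember.Read.All", "Member.Read.Hidden", "User.Read.All"}


def check_inputs(tenant_id, client_id, client_secret):
    """Return a list of problems with the values about to go into the Secret Server secret."""
    problems = []
    if not GUID_RE.match(tenant_id):
        problems.append("tenant ID is not a GUID")
    if not GUID_RE.match(client_id):
        problems.append("client ID is not a GUID")
    # A GUID here is almost certainly the Secret ID column copied instead of Value (AADSTS7000215).
    if GUID_RE.match(client_secret):
        problems.append("client secret looks like a secret ID, not the secret value")
    return problems


def build_token_request(tenant_id, client_id, client_secret):
    """Client-credentials request for an app-only Microsoft Graph token (v2.0 endpoint)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "scope": "https://graph.microsoft.com/.default"})
    return url, body


def granted_roles(access_token):
    """Read the 'roles' claim from the token payload. This only decodes the payload and does not
    verify the signature: it is a local sanity check of admin consent, not token validation."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))


def compare_roles(access_token, expected=EXPECTED_ROLES):
    """Report permissions missing from the token and extras that should not have been consented."""
    have = granted_roles(access_token)
    return {"missing": sorted(expected - have), "extra": sorted(have - expected)}


def constructed_token(roles):
    """Constructed, unsigned sample token for offline demonstration only (not a real Entra token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none"}), enc({"aud": "https://graph.microsoft.com", "roles": roles}), ""])
```

Run compare_roles on the access_token returned by posting build_token_request's body to its URL; an "extra" entry means the registration has more permissions than the sync needs.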

This procedure syncs Entra ID to Secret Server via Directory Services.

  1. If you don't have one already, create a folder where the Secret will be stored in Secret Server.

  2. Click on the + button at the top right of Secret Server.

  3. Select New Secret.

  4. Click Change next to the folder name to choose the folder that you have created and select the proper folder.

  5. Choose the Azure Application Registration Secret Template.

  6. Provide the secret name.

  7. Provide the client ID:

    1. Navigate to the Microsoft Entra Admin Center.
    2. If you have access to multiple tenants, use the settings icon (a cog) in the top menu to switch to the correct tenant.
    3. On the left side of the page, click App Registrations.
    4. Select the All applications tab on the page to see the application that was created in the section above.
    5. Select that application.
    6. On the Overview page, in the Essentials section, look for and copy the Application (client) ID.
  8. Provide the client secret. This is the Value you copied in Task 2, Adding a Client Secret to the Entra Application Registration. If you did not copy it, delete that client secret and create a new one, because the value is never shown again after it is first created.

  9. Provide the tenant ID:

    1. Navigate to the Microsoft Entra Admin Center.
    2. The tenant ID should be visible on the home page in the first tile. It can also be found by clicking on the Overview page.
  10. Add notes as needed.

  11. Select a site if needed.

Configuring an Entra ID Directory Source in Secret Server

  1. Navigate to the Directory Services page.

  2. Click the Domains tab.

  3. Click Add domain.

  4. Select Microsoft Entra domain.

  5. Provide the following information:

    • Domain Name: This can be whatever you like; the name itself has no impact on synchronization.
    • Check the Active checkbox if you want to use the Entra ID directory source immediately after creation.
    • Synchronization Secret: Click No Secret Selected and choose the secret created in the "Creating an Application Registration Secret in Secret Server" section above.
    • Multifactor Authentication: If you want to force your users to perform multifactor authentication when logging into Secret Server, select the proper option here.
This is not the same as the multifactor for the Entra ID accounts themselves. This is specific to Secret Server. So, if this is enabled, and you also have multifactor enabled for your user in Entra ID, their sign in process will be: Sign into Entra > Enter Multifactor for Entra > Redirect to Secret Server > Enter additional Multifactor for Secret Server.
  6. Click Validate & Save. A popup appears that shows the groups within Entra ID that are available to sync to Secret Server.
  7. Select the groups you would like to sync.
  8. Click Save.
  9. If you want to sync those users right now, click Sync now.
  10. If you navigate to the Log tab, you should see the users from the groups you chose listed as being added. For instance: Domain.onmicrosoft.com: There are 3001 licensed users and user "euser0001@Domain.onmicrosoft.com" will be user #2375.