Preparations
If you have not yet used the "Authentication Administrator" role in your tenant, it must be activated first. Sadly, there is a reported bug in the Terraform Entra ID provider that prevents the provider from activating the role itself. For the time being you must activate the role manually using Microsoft Graph:
```powershell
Connect-MgGraph -Identity -NoWelcome
New-MgDirectoryRole -RoleTemplateId c4e39bd9-1100-46d3-8c65-fb160da0071f
```
If you want to allow your users to create a Temporary Access Pass (TAP), you must enable this authentication method in Entra ID:
- Open the Entra portal, select Protection, Authentication methods
- Select Temporary Access Pass and make sure it's enabled
MyWorkID uses Entra Conditional Access authentication context to protect the highly privileged actions users can execute. This allows you to enforce additional security measures, like phishing-resistant authentication methods or a compliant network location, before such an action is executed.
- Open the Entra portal and select Authentication contexts
- Create a new Authentication Context, or decide which existing one you want to enforce when a user accesses the MyWorkID website. You can even go so far as to require a different authentication context per action, but we recommend starting with a single authentication context for all three privileged actions.
Example name: RequirePhishingResistantAuthentication
- Reset password
- Create TAP
- Dismiss user risk
Note: This step is optional and only necessary if you don't want to create the groups automatically.
To map the created app roles to users, security groups in Entra ID are required. This way you can define which users can execute which action in MyWorkID.
The following groups are required:
- sec - MyWorkID - Password Reset
- sec - MyWorkID - Create TAP
- sec - MyWorkID - Dismiss User Risk
- sec - MyWorkID - Validate Identity
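As an added example that is not part of the MyWorkID wiki or project code, the following Microsoft Graph PowerShell script performs the two manual preparation steps idempotently: it activates the Authentication Administrator role only if it is not active yet, and creates the four security groups only if they do not already exist. It assumes the Microsoft.Graph PowerShell SDK and an interactive admin sign-in (instead of the managed identity used above); the mailNickname derivation and the group description are assumptions.

```powershell
# Added example (not from the MyWorkID project). Assumes an interactive admin
# sign-in with the Microsoft.Graph SDK; scopes cover role activation and groups.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'Group.ReadWrite.All' -NoWelcome

# Role template id of "Authentication Administrator" (same id as used on this page)
$templateId = 'c4e39bd9-1100-46d3-8c65-fb160da0071f'

# A role only appears in directoryRoles once it has been activated from its template,
# so an empty result means it still has to be activated.
$role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$templateId'"
if (-not $role) {
    Write-Host 'Activating the Authentication Administrator role'
    New-MgDirectoryRole -RoleTemplateId $templateId | Out-Null
} else {
    Write-Host 'Authentication Administrator role is already active'
}

# Security groups that MyWorkID maps to its app roles (names as listed above)
$groupNames = @(
    'sec - MyWorkID - Password Reset',
    'sec - MyWorkID - Create TAP',
    'sec - MyWorkID - Dismiss User Risk',
    'sec - MyWorkID - Validate Identity'
)

foreach ($name in $groupNames) {
    # Escape single quotes so the OData filter stays well-formed
    $escaped  = $name.Replace("'", "''")
    $existing = Get-MgGroup -Filter "displayName eq '$escaped'"
    if ($existing) {
        Write-Host "Group '$name' already exists, skipping"
        continue
    }
    # mailNickname is mandatory and may not contain spaces; derive it from the
    # display name (assumption: any unique, alphanumeric nickname is acceptable)
    $nick = ($name -replace '[^A-Za-z0-9]', '').ToLower()
    New-MgGroup -DisplayName $name -MailNickname $nick `
        -MailEnabled:$false -SecurityEnabled:$true `
        -Description 'Assignment group for a MyWorkID app role (assumed description)' | Out-Null
    Write-Host "Created security group '$name'"
}
```

Running the script a second time changes nothing, which makes it safe to re-run after a partially failed preparation.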
Next step: Installation