Add an Entra tenant to a Connect Organisation

Once you have registered Connect as an application in the Microsoft tenant, and you have set the correct API permissions in Entra, your next step is to add the tenant to your CyberHive Connect Organisation.

  1. In the Connect Control Service, browse to the Organisation that will use the Entra tenant.
  2. Open the Identity Providers tab.


    This tab is only accessible if you have sufficient permissions within the Organisation.

  3. Select the "Add Identity Provider" button.

    New Identity Provider

  4. Enter:

    • A name (used for referencing the tenant in the Organisation's IAM Policy)
    • "Application (client) ID" from the app registration you created in Entra previously
    • "Directory (tenant) ID" from the app registration you created in Entra previously

    New Identity Provider Form

  5. Select "Create" - the tenant will be added and a client certificate generated with an expiry date of one year from the present time. You may wish to make a note of this expiry date.

  6. Select "Download Certificate" to retrieve the certificate - this will download with a filename of [organisation-code]-[tenant-name]-idp-cert.pem.


    You will not be able to download the certificate again after this step.

    Client Certificate Download

  7. You will be prompted to upload the certificate to your Microsoft Entra ID tenant.


    Do not press "Continue" or close the modal dialog until you have activated the certificate in Entra.

    In your app registration in the Microsoft Entra admin center, go to Certificates & Secrets -> Certificates.


    If you have closed the page from the previous steps, go to Applications -> App registrations -> All applications -> (Registration Name) to find your app registration.

    Then select "Upload certificate".

    Azure Certificates

  8. Upload the certificate. You may wish to add a label for display in Azure at this point. Select "Add" and the certificate will be ready for use soon after.

    Upload Certificate

  9. Go back to the Connect Control Service and select "Continue".

    Client Certificate Continue

  10. Activate the certificate in Connect by selecting "Activate Certificate".

    Activate Certificate

  11. Select "OK" to dismiss the acknowledgement.

    Certificate Activated

  12. The Identity Providers list will show the new tenant as "Verifying tenant details" while Connect validates its details.

    Tenant Verifying

    This should then change to "The tenant exists in Entra. None of its Groups are referenced in this Organisation's IAM Policy". The expiry date of the client certificate is also displayed.


    There may be a delay before the certificate is used by Microsoft. This will be reflected in the tenant's status information, and should resolve itself within a few minutes.

    Tenant Exists

You are now ready to start adding groups to the IAM Policy in the next step.
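
As an added example (not part of the CyberHive documentation), the shell functions below use OpenSSL to record the SHA-1 thumbprint and expiry date of the certificate downloaded in step 6, so that the thumbprint can be compared with the Thumbprint value Entra lists for the certificate after the upload in step 8, and the one-year expiry can be tracked. The function names and the 30-day warning window are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: inspect the client certificate downloaded from Connect
# ([organisation-code]-[tenant-name]-idp-cert.pem) before uploading it to Entra.
# Function names and the default 30-day window are illustrative assumptions.

# Print the SHA-1 thumbprint as bare upper-case hex (no colons),
# which is the form used for certificate thumbprints in Entra.
cert_thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//' | tr -d ':'
}

# Print the certificate's notAfter (expiry) date.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Succeed only if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Summarise the certificate.
# Returns 2 if the file is not a PEM certificate,
# 1 if it expires within the warning window, 0 otherwise.
check_idp_cert() {
    cert=$1
    warn_days=${2:-30}
    openssl x509 -in "$cert" -noout 2>/dev/null || {
        echo "not a PEM certificate: $cert" >&2
        return 2
    }
    echo "thumbprint: $(cert_thumbprint "$cert")"
    echo "expires:    $(cert_not_after "$cert")"
    if cert_valid_for_days "$cert" "$warn_days"; then
        echo "status:     valid for more than $warn_days days"
    else
        echo "status:     expires within $warn_days days, or has already expired"
        return 1
    fi
}

# Usage: sh check-idp-cert.sh <path-to-downloaded-pem> [warn-days]
if [ "$#" -gt 0 ]; then
    check_idp_cert "$@"
fi
```

Running the same check on a schedule against a stored copy of the certificate gives advance warning of the expiry date noted in step 5.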
