Add an Entra tenant to a Connect Organisation
Once you have registered Connect as an application in the Microsoft tenant, and you have set the correct API permissions in Entra, your next step is to add the tenant to your CyberHive Connect Organisation.
1. In the Connect Control Service, browse to the Organisation that will use the Entra tenant.
2. Open the Identity Providers tab.
   Permissions: this tab is only accessible if you have sufficient permissions within the Organisation.
3. Select the "Add Identity Provider" button.
4. Enter:
   - A name (used for referencing the tenant in the Organisation's IAM Policy)
   - The "Application (client) ID" from the app registration you created in Entra previously
   - The "Directory (tenant) ID" from the app registration you created in Entra previously
5. Select "Create". The tenant will be added and a client certificate generated with an expiry date one year from the present time. You may wish to make a note of this expiry date.
6. Select "Download Certificate" to retrieve the certificate. It will download with a filename of [organisation-code]-[tenant-name]-idp-cert.pem.
   Warning: you will not be able to download the certificate again after this step.
7. You will be prompted to upload the certificate to your Microsoft Entra ID tenant.
   Warning: do not press "Continue" or close the modal dialog until you have activated the certificate in Entra.
   In your app registration in the Microsoft Entra admin center, go to Certificates & Secrets -> Certificates, then select "Upload certificate".
   Tip: if you have closed the page from the previous steps, go to Applications -> App registrations -> All applications -> (Registration Name) to find your app registration.
8. Upload the certificate. You may wish to add a label for display in Azure at this point. Select "Add"; the certificate will be ready for use soon after.
9. Go back to the Connect Control Service and select "Continue".
10. Activate the certificate in Connect by selecting "Activate Certificate".
11. Select "OK" to dismiss the acknowledgement.
12. The Identity Providers list will show the new tenant's name (in this case "Demo Tenant") followed by the type of provider (in this case Microsoft Entra ID). Underneath, a status of "Verifying tenant details" will be shown while Connect validates the tenant details. This should then change to "The tenant exists in Entra. None of its Groups are referenced in this Organisation's IAM Policy". The expiry date of the client certificate is also displayed.
    Note: there may be a delay before the certificate is used by Microsoft. This will be reflected in the tenant's status information and should resolve itself within a few minutes.
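As an added check around steps 6 to 12 (an example script written for this page, not part of the CyberHive documentation or the Connect product), the following PowerShell inspects the downloaded certificate locally and, after the upload, reads the app registration back through Microsoft Graph to confirm Entra holds a key credential with the same thumbprint and to show the expiry Entra recorded. It assumes the Microsoft Graph PowerShell SDK is installed, that the downloaded file is a PEM-encoded certificate, and that the file path and Application (client) ID placeholders are replaced with your own values.

```powershell
# Added example (not CyberHive's own tooling). Assumes the Microsoft Graph
# PowerShell SDK is installed and that the two placeholder values below are
# replaced with your own file path and Application (client) ID.
$CertPath = ".\ORGCODE-DemoTenant-idp-cert.pem"      # placeholder: your [organisation-code]-[tenant-name]-idp-cert.pem
$AppId    = "00000000-0000-0000-0000-000000000000"   # placeholder: Application (client) ID from the app registration

# 1. Inspect the downloaded certificate locally before uploading it.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
"Thumbprint : $($cert.Thumbprint)"
"Subject    : $($cert.Subject)"
"Valid from : $($cert.NotBefore.ToUniversalTime().ToString('u'))"
"Expires    : $($cert.NotAfter.ToUniversalTime().ToString('u'))"
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires within 30 days; plan a renewal."
}

# 2. After the upload in the admin center, confirm Entra holds a credential
#    whose thumbprint matches the file, and read back the expiry it recorded.
#    Application.Read.All is read-only; nothing here modifies the registration.
Connect-MgGraph -Scopes "Application.Read.All"
$app = Get-MgApplication -Filter "appId eq '$AppId'"
if (-not $app) { throw "No app registration found with Application (client) ID $AppId" }

# For X.509 key credentials, customKeyIdentifier holds the SHA-1 thumbprint bytes.
$match = $app.KeyCredentials | Where-Object {
    $_.Type -eq 'AsymmetricX509Cert' -and
    $null -ne $_.CustomKeyIdentifier -and
    (([System.BitConverter]::ToString($_.CustomKeyIdentifier)) -replace '-', '') -eq $cert.Thumbprint
}

if ($match) {
    "Entra has the certificate: '$($match.DisplayName)', expires $($match.EndDateTime.ToUniversalTime().ToString('u'))"
} else {
    Write-Warning "Thumbprint $($cert.Thumbprint) not found on app registration $AppId. Upload it under Certificates & Secrets before selecting Continue in Connect."
}
```

The script deliberately only reads the registration rather than scripting the upload: Update-MgApplication -KeyCredentials replaces the whole key credential collection, so an automated upload that omits existing credentials would silently remove them. Run the second half after step 8 and before step 9; if the thumbprint is not reported, the certificate has not been uploaded (or is still propagating), so do not select "Continue" yet.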
You are now ready to start adding groups to the IAM Policy in the next step.