Add a Microsoft Entra ID IDMS

The Microsoft Entra ID IDMS does not store any user passwords. On every login, Kion forwards an LDAP bind with the user's credentials to the directory for verification; if the bind succeeds, the user is logged in. Because each login sends the user's password to the LDAP server, use LDAPS (the SSL option described below) rather than plain LDAP.

Users and group memberships are synced from Microsoft Entra ID every 60 minutes.

Filter Examples

  • User LDAP Filter: (memberOf=cn=cloudtamer-users,ou=groups,ou=cloudtamer,dc=example,dc=com). Only users that are members of the cloudtamer-users LDAP group are imported into Kion.
  • Group LDAP Filter: (memberOf=cn=cloudtamer-groups,ou=groups,ou=cloudtamer,dc=example,dc=com). Only groups that are members of the cloudtamer-groups LDAP group are imported into Kion.
  • DN: dc=example,dc=com. This is the base DN (search base) for all LDAP requests; the groups named in the filters above must sit under it.

Note that a memberOf filter matches direct membership of the named group only: a user who belongs to cloudtamer-users through a nested group is not matched.

Adding a Microsoft Entra ID IDMS

  1. Navigate to Users > Identity Management Systems.
  2. Click Add New.
  3. Select Active Directory as the IDMS type.
  4. Enter a name to describe the IDMS. Users see this name when selecting the IDMS on the Kion login page.
  5. For the Username, enter the distinguished name (DN) of an account that can bind to LDAP to verify passwords and read users and groups. Use a dedicated, least-privilege service account for this bind rather than an administrator account.
  6. For the Password, enter the password for the account above.
  7. For the Hostname, enter the hostname or IP address of your LDAP server. You can enter more than one host by separating the entries with commas.
  8. For the Port, enter the port on which to communicate with your LDAP server. This is typically 389 for LDAP and 636 for LDAPS.
  9. Enable the SSL option to use LDAPS. Without it, the bind password and every user's login password are sent in clear text.
  10. For the User LDAP Filter, enter an LDAP filter that determines whether a user is imported into Kion.
  11. For the Group LDAP Filter, enter an LDAP filter that determines whether a group is imported into Kion.
  12. For the DN, enter the base DN for all LDAP requests. The groups referenced in the filters above must be under this base.
  13. (Optional) Enter a custom attribute to use as the username (for example, sAMAccountName or userPrincipalName).
  14. (Optional) Enter a custom attribute to use as the email address (for example, mail).
  15. Click Test Active Directory Connection to verify the bind and filters before saving.
  16. Click Create IDMS.
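The following script is an added example, not Kion's code or part of the original page. It models the form fields from the steps above as a dictionary and checks them offline for the mistakes a practitioner usually hits: an unbalanced filter, a memberOf group outside the base DN, LDAPS port without SSL, or a plain username where a bind DN is required. It also shows RFC 4515 escaping of the username before it is combined with the User LDAP Filter, and builds the equivalent OpenLDAP ldapsearch command for reproducing the Test Active Directory Connection step by hand. The bind DN and hostnames in EXAMPLE are constructed; the filters and base DN are the page's own examples.

```python
"""Offline sanity checks for a Kion LDAP IDMS form (added example, not Kion code)."""
import re
import shlex

# RFC 4515 requires these characters to be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot alter the structure of an LDAP filter.

    Without this, a username such as '*)(objectClass=*' would widen the
    lookup instead of matching exactly one account.
    """
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_lookup_filter(user_filter: str, username_attr: str, username: str) -> str:
    """AND the administrator's User LDAP Filter with an exact username match."""
    return f"(&{user_filter}({username_attr}={escape_filter_value(username)}))"


def balanced(filter_text: str) -> bool:
    """True when the filter is wrapped in parentheses and they all pair up."""
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and filter_text.startswith("(") and filter_text.endswith(")")


def normalize_dn(dn: str) -> str:
    """Lower-case and strip spaces around RDN separators so DNs compare reliably."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_under_base(dn: str, base_dn: str) -> bool:
    """True when dn equals base_dn or is somewhere beneath it in the tree."""
    dn_n, base_n = normalize_dn(dn), normalize_dn(base_dn)
    return dn_n == base_n or dn_n.endswith("," + base_n)


def member_of_dns(filter_text: str) -> list:
    """Pull every memberOf=<DN> assertion out of a filter."""
    return re.findall(r"\(memberOf=([^)]+)\)", filter_text, flags=re.IGNORECASE)


def check_idms(cfg: dict) -> list:
    """Return a list of findings; an empty list means the form values are consistent."""
    findings = []
    hosts = [h.strip() for h in cfg["hostname"].split(",") if h.strip()]
    if not hosts:
        findings.append("hostname: at least one host is required")
    if "=" not in cfg["bind_dn"]:
        findings.append("username: must be a distinguished name (cn=...,dc=...), not a plain username")
    if cfg["port"] == 636 and not cfg["ssl"]:
        findings.append("port 636 is the LDAPS port but SSL is disabled")
    if cfg["port"] == 389 and not cfg["ssl"]:
        findings.append("SSL disabled on 389: bind and login passwords travel in clear text")
    for name in ("user_filter", "group_filter"):
        if not balanced(cfg[name]):
            findings.append(f"{name}: unbalanced or unparenthesised filter")
        for dn in member_of_dns(cfg[name]):
            if not dn_under_base(dn, cfg["base_dn"]):
                findings.append(f"{name}: group {dn} is outside base DN {cfg['base_dn']}")
    return findings


def ldapsearch_command(cfg: dict, username_attr: str, username: str) -> str:
    """Manual equivalent of the Test Active Directory Connection step (OpenLDAP ldapsearch).

    -W prompts for the bind password so it never lands in shell history.
    """
    host = cfg["hostname"].split(",")[0].strip()
    scheme = "ldaps" if cfg["ssl"] else "ldap"
    filt = build_user_lookup_filter(cfg["user_filter"], username_attr, username)
    return " ".join([
        "ldapsearch", "-H", f"{scheme}://{host}:{cfg['port']}",
        "-D", shlex.quote(cfg["bind_dn"]), "-W",
        "-b", shlex.quote(cfg["base_dn"]), shlex.quote(filt), "dn", "mail",
    ])


# Constructed form values; filters and base DN are the page's examples, the rest is made up.
EXAMPLE = {
    "name": "Corporate Entra ID",
    "bind_dn": "cn=kion-svc,ou=service accounts,ou=cloudtamer,dc=example,dc=com",
    "hostname": "ldap.example.com, ldap2.example.com",
    "port": 636,
    "ssl": True,
    "user_filter": "(memberOf=cn=cloudtamer-users,ou=groups,ou=cloudtamer,dc=example,dc=com)",
    "group_filter": "(memberOf=cn=cloudtamer-groups,ou=groups,ou=cloudtamer,dc=example,dc=com)",
    "base_dn": "dc=example,dc=com",
}

if __name__ == "__main__":
    for finding in check_idms(EXAMPLE) or ["no findings"]:
        print(finding)
    print(ldapsearch_command(EXAMPLE, "sAMAccountName", "jdoe"))
```

Run it before filling in the form, or point check_idms at a copy of EXAMPLE with your own values; the findings map one-to-one onto the steps above.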

For information about enabling single sign-on with your Microsoft Entra ID account, see Microsoft Entra ID SSO Integration.

It is considered best practice to automatically assign permissions to users using group assertions. This helps ensure that appropriate permissions are always applied. For more information, see Microsoft Entra Group Assertions.