Microsoft Entra ID (v2)

P0 is excited to announce the latest version of our Entra Integration, featuring two essential enhancements:

  • Just-in-Time Access: Enables users to request just-in-time access to Entra Directory Roles.

  • Security Perimeter: A dedicated compute resource running in your environment, acting as a secure buffer. Only the Security Perimeter is authorized to write to Entra role and group assignments, increasing resilience. This ensures that, even if P0 is compromised, malicious assignments cannot be written to your environment.

Note: The Security Perimeter requires a cloud computing environment. This guide provides instructions for deploying with Microsoft Azure. For GCP or AWS integration, please contact [email protected].

Setting up Entra ID

  1. Navigate to Integrations on p0.app, then select Entra ID.

  2. Click IAM Management.

  3. Click Add tenant.

  4. Enter your Entra tenant ID and select either AzureCloud or AzureUSGovernment.

  5. Click Next.

Configuring through the Azure Console

You can configure the integration either through the Azure Console or through the shell. Below are the steps to configure through the Azure Console.

Azure App Registration & API Configuration

1. Create a New App Registration

  1. Navigate to Azure Portal → App registrations.

  2. Click New registration.

  3. Enter a name: p0-security-azure-integration-dev.

  4. Select Accounts in this organizational directory only.

2. Expose an API

  1. In your App Registration, go to Expose an API.

  2. Click Set next to Application ID URI and accept the default: api://<your-app-id>.

  3. Click Add a scope:

    • Scope name: user_impersonation

    • Admin consent display name: User Impersonation

    • Admin consent description: Allow the application to access the API on behalf of the signed-in user.

    • Enable the scope for both Admins and users.

3. Add Microsoft Graph API Permissions

  1. Navigate to API permissions in your App Registration.

  2. Add the following Microsoft Graph Application permissions:

    • Group.Read.All

    • GroupMember.Read.All

    • User.Read.All

    • RoleManagement.Read.All

    • Reports.Read.All

    • AuditLog.Read.All

  3. In the API permissions section, click Grant admin consent for your tenant.

4. Create a Federated Credential

  1. Go to Certificates & secrets → Federated credentials.

  2. Click Add credential.

  3. Choose Other issuer.

  4. Set the following fields:

    • Issuer: https://accounts.google.com

    • Subject identifier: 105871669516568908280

    • Description: P0 Security service account credential

Create Function App Infrastructure

1. Create a Resource Group

  1. Navigate to Resource groups.

  2. Click Create.

    • Name: p0-security-perimeter-rg

    • Region: West US 2 (or your preferred region)

2. Create a Storage Account

  1. Go to Storage accounts and click Create.

    • Resource group: p0-security-perimeter-rg

    • Storage account name: p0securitystorage

    • Region: Same as resource group

    • Performance: Standard

    • Redundancy: Locally-redundant storage (LRS)

3. Create an App Service Plan

  1. Navigate to App Service plans and click Create.

    • Resource group: p0-security-perimeter-rg

    • Name: p0-security-perimeter-plan

    • Operating System: Linux

    • Region: Same as resource group

    • Pricing Tier: EP1 (Elastic Premium—recommended to reduce cold starts)

4. Create a Function App

  1. Go to Function App and click Create.

    • Resource group: p0-security-perimeter-rg

    • Function App name: p0-security-perimeter-<tenant-id> (Contact P0 support if you need to use a different name.)

    • Publish: Container Image

    • Operating System: Linux

    • Plan: Select the App Service plan created above

    • Image and tag: docker.io/p0security/p0-security-perimeter-entra

    • Enable System assigned managed identity under the Monitoring tab

5. Configure Function App Settings

  1. In your Function App, go to Settings → Environment Variables.

  2. Add the following application settings:

    • MANAGED_IDENTITY_ID: Go to Settings → Identity and copy the Object (principal) ID from the System assigned managed identity section.

    • CALLER_APP_ID: Copy the Application (client) ID from your App Registration.

6. Grant Microsoft Graph Permissions to the Function App's Managed Identity

Note: This step requires the Azure CLI. Update any name arguments if you used custom values above.

Set environment variables (replace placeholders as needed):

# Object (principal) ID of the Function App's system-assigned managed identity
MANAGED_IDENTITY_ID=$(az functionapp show \
  --name p0-security-perimeter-<tenant-id> \
  --resource-group p0-security-perimeter-rg \
  --query identity.principalId \
  -o tsv)

# Application (client) ID of the App Registration created earlier
CALLER_APP_ID=$(az ad app list \
  --display-name "p0-security-azure-integration" \
  --query "[0].appId" \
  -o tsv)

Grant the required Microsoft Graph permissions:

# Object ID of the Microsoft Graph service principal in this tenant; the app roles are granted on this resource
GRAPH_SERVICE_PRINCIPAL_ID=$(az ad sp list --filter "displayName eq 'Microsoft Graph'" --query "[0].id" --output tsv)
# Graph token for the signed-in admin; creating appRoleAssignments requires an account allowed to grant application permissions
ACCESS_TOKEN=$(az account get-access-token --resource https://graph.microsoft.com --query accessToken --output tsv)
# Application permissions the Security Perimeter needs; the ReadWrite permissions are held only by the managed identity, never by P0
permissions=("User.Read.All" "RoleManagement.ReadWrite.Directory" "GroupMember.Read.All" "GroupMember.ReadWrite.All" "Group.Read.All")
for permission in "${permissions[@]}"; do
  echo "Granting permission: $permission"
  # Resolve the permission name to its appRoleId on Microsoft Graph (app ID 00000003-0000-0000-c000-000000000000),
  # keeping only Application-type roles so a delegated scope with the same name is never selected
  APP_ROLE_ID=$(az ad sp show \
    --id "00000003-0000-0000-c000-000000000000" \
    --query "appRoles[?value=='$permission' && allowedMemberTypes[0]=='Application'].id" \
    --output tsv)
  # appRoleAssignment body: which principal gets which role on which resource
  BODY=$(cat <<EOF
{
  "principalId": "$MANAGED_IDENTITY_ID",
  "resourceId": "$GRAPH_SERVICE_PRINCIPAL_ID",
  "appRoleId": "$APP_ROLE_ID"
}
EOF
)
  # Create the assignment; --fail makes curl exit non-zero on an HTTP error so a failed grant is visible
  curl --fail -X POST \
    -H "Authorization: Bearer $ACCESS_TOKEN" \
    -H "Content-Type: application/json" \
    -d "$BODY" \
    "https://graph.microsoft.com/v1.0/servicePrincipals/$GRAPH_SERVICE_PRINCIPAL_ID/appRoleAssignments"
  echo
done
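The script above resolves each permission name to an app role ID and posts one assignment per role. The following added example (not P0's code) reproduces that lookup offline in Python and extends it into a drift check: given the Graph service principal's appRoles and the managed identity's existing appRoleAssignments, it lists the assignments still to be created and flags any grant on Microsoft Graph that this guide does not call for. All JSON is constructed sample data shaped like Graph responses; the role IDs, principal ID and resource ID are placeholders.

```python
"""Offline drift check for the Security Perimeter's Graph app-role grants.

Added example, not P0's code. It mirrors the name -> appRoleId lookup that the
az/curl script performs and compares the result with the managed identity's
current assignments, so missing and unexpected grants are visible before any
write. Every ID below is a constructed placeholder.
"""
import json

# Permissions the guide grants to the Function App's managed identity.
REQUIRED_PERMISSIONS = [
    "User.Read.All",
    "RoleManagement.ReadWrite.Directory",
    "GroupMember.Read.All",
    "GroupMember.ReadWrite.All",
    "Group.Read.All",
]

# Constructed excerpt of GET /servicePrincipals/<graph-sp-id>?$select=appRoles
GRAPH_APP_ROLES = json.loads("""[
  {"id": "11111111-0000-0000-0000-000000000001", "value": "User.Read.All",
   "allowedMemberTypes": ["Application"]},
  {"id": "11111111-0000-0000-0000-000000000002", "value": "RoleManagement.ReadWrite.Directory",
   "allowedMemberTypes": ["Application"]},
  {"id": "11111111-0000-0000-0000-000000000003", "value": "GroupMember.Read.All",
   "allowedMemberTypes": ["Application"]},
  {"id": "11111111-0000-0000-0000-000000000004", "value": "GroupMember.ReadWrite.All",
   "allowedMemberTypes": ["Application"]},
  {"id": "11111111-0000-0000-0000-000000000005", "value": "Group.Read.All",
   "allowedMemberTypes": ["Application"]},
  {"id": "11111111-0000-0000-0000-000000000006", "value": "Directory.ReadWrite.All",
   "allowedMemberTypes": ["Application"]},
  {"id": "11111111-0000-0000-0000-000000000007", "value": "User.Read",
   "allowedMemberTypes": ["User"]}
]""")

# Constructed excerpt of GET /servicePrincipals/<managed-identity-id>/appRoleAssignments
EXISTING_ASSIGNMENTS = json.loads("""[
  {"appRoleId": "11111111-0000-0000-0000-000000000001", "resourceId": "GRAPH-SP"},
  {"appRoleId": "11111111-0000-0000-0000-000000000003", "resourceId": "GRAPH-SP"},
  {"appRoleId": "11111111-0000-0000-0000-000000000006", "resourceId": "GRAPH-SP"}
]""")


def application_role_ids(app_roles):
    """Map permission value -> appRoleId for Application-type roles only.

    Same selection as the script's JMESPath filter
    appRoles[?value=='X' && allowedMemberTypes[0]=='Application'].id;
    delegated (User) scopes are deliberately left out.
    """
    return {
        role["value"]: role["id"]
        for role in app_roles
        if "Application" in role.get("allowedMemberTypes", [])
    }


def plan_assignments(required, app_roles, existing, principal_id, resource_id):
    """Return (bodies_to_post, unexpected_role_values).

    bodies_to_post: appRoleAssignment bodies for required roles not yet held.
    unexpected_role_values: roles already held on the Graph resource that the
    guide does not require (least-privilege drift worth reviewing).
    """
    by_value = application_role_ids(app_roles)
    by_id = {role_id: value for value, role_id in by_value.items()}
    unknown = [p for p in required if p not in by_value]
    if unknown:
        raise ValueError(f"not Application permissions on Graph: {unknown}")
    required_ids = {by_value[p] for p in required}
    held_ids = {a["appRoleId"] for a in existing if a["resourceId"] == resource_id}
    to_post = [
        {"principalId": principal_id, "resourceId": resource_id, "appRoleId": by_value[p]}
        for p in required
        if by_value[p] not in held_ids
    ]
    unexpected = sorted(by_id.get(r, r) for r in held_ids if r not in required_ids)
    return to_post, unexpected


if __name__ == "__main__":
    bodies, drift = plan_assignments(REQUIRED_PERMISSIONS, GRAPH_APP_ROLES,
                                     EXISTING_ASSIGNMENTS, "MI-PRINCIPAL", "GRAPH-SP")
    for body in bodies:
        print("POST appRoleAssignments", json.dumps(body))
    for value in drift:
        print("review unexpected grant:", value)
```

In a real run the two JSON inputs come from the same Graph endpoints the guide's script already authenticates against; the point of separating planning from posting is that a reviewer can inspect the bodies, and any extra grant, before the POST loop writes anything.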

7. Enable App Service Authentication

  1. In your Function App, go to Settings → Authentication.

  2. Click Add identity provider.

  3. Select Microsoft.

  4. App registration type: Provide details of an existing app registration.

  5. Application (client) ID: Enter your App Registration's client ID.

  6. Client secret: Leave blank (uses federated credentials).

  7. Issuer URL: https://login.microsoftonline.com/<tenant-id>/v2.0

  8. Allowed token audiences: api://<your-caller-app-id>

  9. Restrict access: Require authentication

  10. Unauthenticated requests: HTTP 401 Unauthorized

  11. Token store: Enabled

  12. Client application requirement: Allow requests only from this application

  13. Tenant requirement: Allow requests only from the issuer tenant

  14. Click Save to apply these settings.
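Steps 7 through 13 each correspond to one claim constraint on the caller's token. The added example below (not P0's or Microsoft's code) expresses those constraints as a single policy function and runs it against constructed sample tokens, so the effect of each setting can be checked offline. App Service Authentication verifies the token signature against the issuer's published keys before any of these checks apply; the example assumes a payload that has already passed that step and does no signature verification itself. The tenant ID and caller app ID are placeholders, and the sample tokens are built here unsigned purely to exercise the parser.

```python
"""Claim-policy check mirroring the App Service Authentication settings.

Added example, not P0's or Microsoft's code. Signature verification is done by
App Service against the issuer's keys and is out of scope here; this module
only applies the claim constraints that the guide's settings express:
  Issuer URL               -> iss == https://login.microsoftonline.com/<tenant>/v2.0
  Allowed token audiences  -> aud contains api://<caller-app-id>
  Client application req.  -> azp (v2 tokens) or appid (v1 tokens) == caller app id
  Tenant requirement       -> tid == issuer tenant
"""
import base64
import json

# Constructed placeholders, not real identifiers.
TENANT_ID = "00000000-1111-2222-3333-444444444444"
CALLER_APP_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unsigned_sample_jwt(claims: dict) -> str:
    """Build a compact JWT with an empty signature segment (offline samples only)."""
    header = b64url(json.dumps({"typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT; no signature check is made here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))


def check_token_policy(claims: dict, tenant_id: str = TENANT_ID,
                       caller_app_id: str = CALLER_APP_ID) -> list:
    """Return the list of violated constraints; an empty list means the request passes."""
    problems = []
    expected_iss = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    if claims.get("iss") != expected_iss:                       # Issuer URL
        problems.append(f"issuer {claims.get('iss')!r} != {expected_iss!r}")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if f"api://{caller_app_id}" not in audiences:               # Allowed token audiences
        problems.append(f"audience {audiences!r} not allowed")
    caller = claims.get("azp") or claims.get("appid")
    if caller != caller_app_id:                                 # Client application requirement
        problems.append(f"caller app {caller!r} is not {caller_app_id!r}")
    if claims.get("tid") != tenant_id:                          # Tenant requirement
        problems.append(f"tenant {claims.get('tid')!r} is not the issuer tenant")
    return problems


# Constructed samples: one that satisfies every setting, and two that each break one.
SAMPLE_ACCEPTED = unsigned_sample_jwt({
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "aud": f"api://{CALLER_APP_ID}", "azp": CALLER_APP_ID, "tid": TENANT_ID,
})
OTHER_TENANT = "99999999-8888-7777-6666-555555555555"
SAMPLE_FOREIGN_TENANT = unsigned_sample_jwt({
    "iss": f"https://login.microsoftonline.com/{OTHER_TENANT}/v2.0",
    "aud": f"api://{CALLER_APP_ID}", "azp": CALLER_APP_ID, "tid": OTHER_TENANT,
})
SAMPLE_OTHER_CLIENT = unsigned_sample_jwt({
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "aud": f"api://{CALLER_APP_ID}", "azp": "bbbbbbbb-0000-0000-0000-000000000000",
    "tid": TENANT_ID,
})

if __name__ == "__main__":
    for name, token in [("accepted", SAMPLE_ACCEPTED),
                        ("foreign tenant", SAMPLE_FOREIGN_TENANT),
                        ("other client", SAMPLE_OTHER_CLIENT)]:
        print(name, "->", check_token_policy(jwt_claims(token)) or "pass")
```

The foreign-tenant sample fails twice (issuer and tid) because a token from another tenant carries that tenant in both claims; the other-client sample fails only the client application requirement, which is exactly the setting that stops a different app registration in the same tenant from reaching the perimeter.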

8. Save Application (client) ID

Copy the Application (client) ID from your App Registration. You will need this to complete the P0 integration setup.

✅ Completion

After completing the steps above, your P0 Security Perimeter for Entra ID is ready to handle privileged access requests via the containerized Function App.

If you have further questions or require support for AWS or GCP integration, please contact [email protected].
