Beyond Identity + Microsoft Entra ID: Step-by-Step to Passwordless Authentication

Beyond Identity Microsoft Entra ID Integration

Introduction

 Organizations in energy, finance, and government handle critical information that demands the strongest security. Traditional passwords are vulnerable to phishing attacks, putting this data at constant risk. Beyond Identity delivers unphishable, passwordless authentication solutions, significantly reducing the attack surface and safeguarding your most sensitive assets.

In this Blog, we will walk through the steps required to integrate Beyond Identity(IdP) as a passwordless authentication solution for an Entra ID Environment. This includes configuring Entra ID to use Beyond Identity as an Identity Provider, setting up the Beyond Identity Admin Console and User Console applications in Entra ID, and configuring SCIM-based provisioning from Entra ID to Beyond Identity Cloud.

Prerequisites

Before you begin, ensure you have the following:

         1. Admin Account: A Global Administrator account in Entra ID to set up the Beyond Identity applications and enable SCIM-based provisioning.

        2. Domain Name: A domain name at the highest level (e.g., abc.com) that you will use for testing. You will need to access the Public DNS settings to confirm the domain in Entra ID.

        3. Windows Machine: A machine that has Administrator rights and PowerShell\Graph modules for configuring federated authentication, Setting immutableId for Entra ID users, and creating users after federation.

Important: Once the Primary domain is federated, PowerShell is the only way to create users in that domain

        4.Intune License (if applicable):Needed for Entra ID Join-only, which allows modern authentication for desktops until Beyond Identity Web Device Login (WDL) is set up.

Setting Up Beyond Identity in Entra ID

Domain Configuration

An alternative domain is advised for testing by Beyond Identity.

You need to select a domain to use. You can use a domain that you have already, or buy a new one from any Domain Registrar.

Use the instructions on this page to set up this domain as a Custom Domain in M365.


 https://learn.microsoft.com/en-us/microsoft-365/admin/setup/add-domain?view=o365-worldwide 

 Entra ID User Configuration

To set up users in Entra ID ,Sign in to M365 Admin Portal with a Global Administrator account.

Go to admin.microsoft.com> Users >Active Users> Select Add user.

Enter the user information and create the user.
M365 Active UsersUse PowerShell commands to assign the immutableId for the user.
Install-Module MSOnline
(Install MSOnline Powershell Module, if it is not already installed)
Connect-MsolService
$upn = “user@abc.com”
$user = Get-MsolUser -UserPrincipalName $upn
$uuid = [system.convert]::ToBase64String(([GUID]$user.objectID.Guid).ToByteArray())
Set-Msoluser -UserPrincipalName $upn -ImmutableID $uuid
Update Immutable ID for Entra ID User

Entra ID Group Configuration (Optional)

Create groups for managing Beyond Identity service assignments: 

Create Groups

 Navigate to entra.microsoft.com > Groups >All groups> New Group.

Create Group Named BI_Admins , BI_Users, and BI_Push_Groups with appropriate settings.

Add members to these groups.

BI_Admins group can be used for Admin users

Create BI_Admins group

BI_Users group can be used for User Provisioning in Beyond Identity

Create BI_Users Group

BI_Push_Groups can be used for pushing Policies

Create BI_Push_Group

Setup Beyond Identity Admin Console Application in Entra ID

Setting Up an Enterprise Application

Sign in to Entra Portal, go to Enterprise Applications > New Application.

Create new Enterprise ApplicationFind and choose “Beyond Identity Admin Console” from the App Gallery and click Create.

Registering Beyond Identity Admin Console App
Create Beyond Identity Admin Console App

After creating the application, go to the application page and choose Users and Groups. Then, assign the BI_Admins group that we made before.

You can also choose an Application Owner if needed

Assigning BI-Admin Group
Login to Beyond Identity Admin Console by visiting https://admin-eu.byndid.com and click on “Log in with Beyond Identity”. (Currently we are using Europe Datacenter, Login URL May changed based on your Beyond Identity Datacenter)

Once Log in to Admin Console  go to Settings.On the Settings page, choose the Console Login tab.

Configure Beyond Identity Admin Console Settings
In the “Admin Console SSO Integrations” section, select “Edit SSO” for the Custom SAML SSO and record SAML Connection ID from Beyond Identity Admin Console

Copy Beyond Identity Admin Console settings ID

and return to Entra ID Portal perform following steps.In Entra ID Portal>Enterprise Applications>Select >Beyond Identity Admin Console>
Select “Single Sign-on” from the left side menu and then choose “SAML” as a single sign-on method.
On the “Set up Single Sign-on with SAML” page, click “Edit” on “Basic SAML Configuration” and update the following settings
Configure Beyond Identity SSO settings

Identifier (Entity ID): https://admin-eu.byndid.com/auth/saml/<connection-id>/sso/metadata.xml
Reply URL (ACS URL): https://admin-eu.byndid.com/auth/saml/<connection-id>/sso
Mark newly added “Entity ID” and “Reply URL” as default.
Delete “Sample Entity ID”.
Basic SAML Configuration

Click on the “Save” button. 
Exit the configuration dialog box. 
(The Europe Datacenter is our current location, but the Configuration URL might vary by your Beyond Identity Datacenter) 
 Return to the “Set up Single Sign-on with SAML” page in the “SAML Signing Certificate” section, and click on Federation Metadata XML Download & Certificate (Base64) Download.
Download SAML Federation Metadata

Setup Beyond identity Admin Console SSO in Beyon Identity Portal

To access Beyond Identity Admin Console, go to https://admin-eu.byndid.com and select “Log in with Beyond Identity”. (We are using Europe Datacenter right now, so the Login URL might be different depending on your Beyond Identity Datacenter)

After logging in to Admin Console, go to Settings.

On the Settings page, select the Console Login tab.


Configure Beyond Identity Admin Console settings
In the “Admin Console SSO Integrations” section, select “Edit SSO” for the Custom SAML SSO section and Upload the Federation Metadata XML file that you obtained from the Entra ID portal.

Import IDP Metadata File to Beyond Identity console
Name the Configuration in the Name Section and check that the URLs below are correct,

IDP Url: https://login.microsoftonline.com/<azure-tenant-id>/saml2

IDP Entity ID: https://sts.windows.net/<azure-tenant-id>/

You can find these Values in the Beyond Identity Admin Console session configuration of your enterprise applications in Entra ID portal

Remaining settings you can keep as below.· Name ID Format: emailAddress

· Subject User Attribute: UserName

· Request Binding: http redirect

The Federation Metadata XML will update the X509 Signing Certificate, or you can upload the certificate that you download from the Entra ID portal instead.

Once these values are set up, use SSO to access the Beyond Identity Admin Console and verify that the admin (user from the BI_Admins group) can enter the Beyond Identity Admin Console.
Beyond Identity SSO Testing

 Setup Beyond Identity User Console Application in Entra ID

Go to entra.microsoft.com
In Enterprise Applications, make a new non-gallery application called “Beyond Identity User Console”.
Beyond Identity User Console Application registration

Choose> Beyond Identity User Console -> Properties page and add the Beyond Identity logo. (Optional: This makes it easier to recognize BI Apps).

You can also assign the Application owner in the same Application Owner Tab
Configure Application owner
From the left menu, choose “Single Sign-on” and then “Linked”. 
Configure SSO for Beyond Identity User Console App
In the “Sign-On URL” field, enter:

Linked Sign-on URL Configuration
Enterprise Applications -> Beyond Identity User Console -> Provisioning page:
Beyond Identity User Console Provisioning
Provisioning Mode: Select “Automatic”
Beyond Identity User Console Provisioning Mode
On the “Admin Credentials” Tab:

Tenant URL: https://api-eu.byndid.com/scim/v2/

(The Europe Datacenter is our current location, but the Configuration URL might vary by your Beyond Identity Datacenter)

To get the token, go to Beyond Identity Admin Portal and select the Settings Tab and then API Access
Create Client Credentials from Beyond Identity Portal
On the API Access Page, choose Create Client Credentials. On the page for creating client credentials, enter a name and select the appropriate scope for SCIM as shown in the screenshot below
Create Client Credentials

Leave the Expires tab with the default settings and select Create Client Credentials
Beyond Identity API Permissions

To create a SCIM token, click on the name of the Client credentials you created, then go to the Tokens Tab and click on create Token. 

Beyond Identity SCIM Token Creation

Give it a name and copy the generated token. 

Beyond Identity SCIM Token Name

Copy Beyond Identity SCIM Token

You can paste this token in your Entra ID Application for user provisioning. Once Token and Tenant URL is pasted Click on “Test Connection”. After successful SCIM connection test, click on “Save”.
Updating Beyond Identity SCIM Token in Entra ID App

On the "Mappings" Tab
Make sure "Provisioning Azure Active Directory Groups" is turned on.
Make sure "Provisioning Azure Active Directory Users" is turned on.
Entra ID App Mapping settings
On the "Settings" Tab
Choose "Send an email notification when a failure occurs" and enter a valid email address for IT admin.
Choose Accidental deletion threshold and you can set the desired Value, we chose 10 in our case
Scope: "Sync only assigned users and groups"
Click on "Save".
Entra ID Provisioning settings configuration
Provisioning Status: On

Turn On Entra ID Provisioning
To change the Attribute Mappings, do this:
Click on Mappings
Click on “Entra ID Users”
Entra ID Attribute Mapping configuration
Enable “Create”, “Update” and “Delete” for “Target Object Actions”
Entra ID App Attribute Mapping Configuration
Select “Show Advanced Options” and click on “Edit Attribute list for customappsso”
Make sure these settings are correct:

Entra ID Provisioning Advanced Options
id: Primary key, Required Set
active: Required
displayName: Required
emails (work): Required, Multi-Value
username: Required
name.givenName: Required
name.familyName: Required
externalId: Required
Attribute list configuration

Attribute list configuration, Continued
Click on “Save”


Only keep these 7 attributes in the “Attribute Mappings” list, and remove the others. Also, if any of these attributes are not there, add them manually       
username,active,displayName,emails (work),name.givenName,name.familyName,externalIdValidate Entra ID Attribute Mappings
Go to the "Attribute Mappings" list and select Edit for the externalId. Change the following settings:Adding externalId Mapping
Mapping Type: Expression
Expression: Switch(IsPresent([immutableId]),[userPrincipalName], "True", [immutableId])

Keep the rest of the fields as default and click on "OK".Mapping Expression Configuration
On the "Provisioning" page, click on "Save".
Saving Provisioning settings
Return to the application and select “Users and groups” from the left menu. Then select “Add user/group” and choose the “BI_Users” and “BI_Push_Groups” group. Select “Assign”. If group creation is not allowed by the Entra ID license, then assign users to this application one by one.
Assigning BI_Users and BI_Push_Groups
In the search bar at the top, look for “App registrations”, then select “All Applications”, then pick “Beyond Identity User Console”.
On the “Overview” page, write down “Application (client) ID”. You will need it in future steps.
On the “Overview” page, write down “Directory (tenant) ID”. You will need it in future steps.
Beyond Identity User Console Client ID
On the “Authentication” page under Platform Configuration -> Add a platform and Choose “Web” and enter:

Redirect URI: https://user-eu.byndid.com/auth-user/callback
Configure Authentication settings
(We use the Europe Datacenter right now, but the Configuration URL may change depending on your Beyond Identity Datacenter)
Configuring web redirect URI
Implicit grant and hybrid flows: Select “ID Tokens”
Support Account Type: “Accounts in this organizational directory only (Single Tenant)”

Configure Authentication settings
Under “Advanced Settings” for “Allow public client flows” select “No”.
Click on “Save”.
Configure Advanced Settings
 select the “Beyond Identity User Console” App.
Click on “Certificates and Secrets” and choose “New client secret”.
Configure Application client secret
Enter “Beyond Identity User Console” in the “Description” field and choose “24 Months” for the “Expires” field.
Adding client secret
Copy the Client Secret from the “Value” column. You will need it later.
Copy Client Secret
No need to modify the “Token Configuration” page.
Go to the “Beyond Identity user Console” App page under App Registrations and click on “API permissions”.
Configure API Permissions
Click on “Add a Permission”.
Choose “Microsoft Graph APIs”.
Add Microsoft Graph APIs Permissions

Choose “Delegated Permissions”.
Select Delegated Permissions

Choose OpendID permissions and then choose “email”, “offline_access”, “openid”, and “profile”.
Click on “Add Permissions”
Choose OpendID permissions
Click on “Grant admin Consent for <Tenant Name>” and then click on “Yes” to give consent.Grant admin Consent for TenantNo need to change the “Expose an API” page.
No need to change the “App Roles” page.

Setup Beyond Identity User Console in Beyond Identity Portal

Go to Beyond Identity Admin UI and select Settings Tab. Select Console Login
Under User Console SSO Integrations" and "Edit SSO" for OIDC SSO.
Enter the SSO details like this and in the picture:
Beyond Identity User Console in Beyond Identity Portal
Name: <SSO name> e.g. Entra ID SSO
Client ID: <Value from previous step>
Client Secret: <Value from previous step>
Issuer: https://sts.windows.net/<Azure-AD-Tenant-ID>/ (Keep the slash)

Token Field: upn
Token Field Lookup: user name

Scope: All
Beyond Identity Console SSO Integrations
Note: 1. After SCIM User Provisioning, the user receives a Welcome email from Beyond Identity with instructions to Download the Application and set up the Credentials. We will demonstrate this at the end of this session.
            2. SCIM Provisioning runs every 40 minutes. You can also provision on-demand by going to the Beyond Identity user console application as needed.

Setup Beyond Identity Console for User Authentication (WS-FED federation)

Log in to Beyond Identity Admin Console UI and go to the “Integrations” tab. Click on “WS-FED” and then “Add WS-FED Connection”.
Setup Beyond Identity Console for User Authentication (WS-FED federation)
Fill in the fields as follows:
Name: Entra WS-FED(Any name you can choose)
SP Single Sign on URL: https://login.microsoftonline.com/login.srf
SP Audience URI: https://login.microsoftonline.com/<Azure-AD-Tenant-ID>/
Name ID Format: Unspecified
Subject User Attribute: ExternalID
Authentication Context Class: X509
Entra WS-FED configuration on Beyond Identity Portal
Attribute Claims: Name: ImmutableID, Name format: unspecified, Value: {{ExternalID}}, Name space: http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID
Attribute Claims: Name: emailaddress, Name format: unspecified, Value: {{Email}}, Name space: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Attribute Claims: Name: UPN, Name format: unspecified, Value: {{UserName}}, Name space: http://schemas.xmlsoap.org/claims
Attribute Claims: Name: authnmethodsreferences, Name format: unspecified,
Value (custom string): http://schemas.microsoft.com/claims/multipleauthn
Namespace: http://schemas.microsoft.com/claims
Configure Attribute Claims in Beyond Identity WS-FED
Click on “Save Changes”.
Record the following fields from the WSFED Connection you just created. You will need them in the next step.
IdP Id: (Beyond Identity Connection ID)
IdP Passive Logon URL: https://auth-eu.byndid.com/wsfed/v1/<BI-Connection-ID>/sso
IdP Issuer: https://auth-eu.byndid.com/wsfed/v1/<BI-Connection-ID>
IdP Metadata URL: https://auth-eu.byndid.com/wsfed/v1/<BI-Connection-ID>/sso/metadata.xml


Download IdP Signature Certificate.
Download IdP Signature Certificate

Configure Beyond Identity as the Identity Provider (WS-FED Federation)

Use the commands below to configure Beyond Identity as the Identity Provider
Login to any Windows machine and start a power shell as an administrator.
Issue following PowerShell commands.

Connect-MsolService (Login as Entra ID Global Administrator, you may be required to Install MSOnline PowerShell module using “install-module MSOnline” command)
$domain=”abc.com” (Replace with your actual domain )
$BrandName = "Beyond Identity WS-FED"
$Issuer = “https://auth.byndid.com/wsfed/v1/<BI-Connection-ID>
$LogOnUrl = “https://auth.byndid.com/wsfed/v1/<BI-Connection-ID/sso
$mex = “”
$LogOffUrl = “https://portal.azure.com” (or Company website)
$SigningCert = "[BI WSFED X.509 certificate in string format]”
$Protocol = "WSFED"
Set-MsolDomainAuthentication -DomainName $domain -Authentication “managed”
Set-MsolDomainAuthentication -DomainName $domain -Authentication federated -FederationBrandName $BrandName -IssuerUri $Issuer -PassiveLogOnUri $LogOnUrl -MetadataExchangeUri $mex -LogOffUri $LogOffUrl -PreferredAuthenticationProtocol $Protocol -SigningCertificate $SigningCert -SupportsMfa $True

Entra ID Domain Federation using PowerShellTo get Domain federation setting
Get-MsolDomainFederationSettings -domainname $domain | fl *


Note: After the Primary domain is federated, users in that domain can only be created via PowerShell

To revert domain back to Managed Mode.(Remove Domain Federation)

Set-MsolDomainAuthentication -DomainName $domain -Authentication “managed”

Setting up the User

We can use the Test User that we created earlier for testing.
To make a user part of the Beyond Identity experience, add the user to the “BI_Users” Group in Entra ID. (Optional: You need to do this step if you can create the “BI_Users” group in the Entra ID)
Open Entra ID Portal> Enterprise Applications -> Beyond Identity User Console -> Users and groups page:
Click on the “Add user/group”.
Click on “None Selected” under Users and Groups. 
On the search page, pick the user and click on “Select”. Click Assign.
Add users to BI_users Group
Users who are enrolled will get an email from Beyond Identity that welcomes them to the new Identity Provider.Beyond Identity End user Onboarding
To enroll, users should follow these two steps:
Step 1: Get the Beyond Identity Authenticator app on their device.
When the user clicks “View Download Options”, they should choose and install the app for their platform from the browser page that opens. If they already have the app, they can skip this step.
Downloading Beyond Identity Authenticator Application on WindowsStep 2: Create and register their Credential in the Beyond Identity IdP.
When the user clicks “Register New Credential”, their credential will be created and registered with the Beyond Identity service. The user will also see the credential creation and registration process in the app. When it is done, the user will see the credentials in the app.
See example image below:
Beyond Identity User Passkey Registration
If the User didn't get the Registration email, Admin can provide the the 9-Character code for the Passkey Registration.

To register a user for a Passkey, navigate to the Users section on the Beyond Identity Admin Page and select the desired user.

Beyond Identity Console User Status
Once User Profile section is opened, Click on Passkeys and then select Enroll a Passkey
Beyond Identity Passkey Registration using TokenIn the Enroll a Passkey menu under the Template section, choose the option to Generate a 9-character code and then click the generate 9-charcater code button
Create Passkey Registration Code
Once Code is Generated you can copy the code, the Code will expire with in 60 seconds.
Copy Registration Code

Now go to the Beyond Identity Application on your desktop and Add the Code to register your Passkey
Adding Registration code to Beyond Identity desktop app

Add Beyond Identity Registration code
Now you have Successfully registered your Passkey, Lets Login and test User Access.

User Authentication (Signing in)

To sign into their work apps, enrolled users can go to their myapps.microsoft.com (or myapps.company.com or portal.azure.com) site or any app that works with Entra ID SSO. They need to enter their username in the Microsoft app or SSO app.
Microsoft Entra Portal Sign-in
They will see a prompt to use or open the Beyond Identity app to sign in. They should click yes on the prompt and sign in without a password. The Beyond Identity app and a success message will show up.
Entra Portal Federated Sign-in
Note: For iOS devices, some apps may ask the user to go back to their app after signing in with Beyond Identity Authenticator.
Beyond Identity Authenticator verification
Beyond Identity Authenticator verification Process
Now you are successfully sign-in with Beyond Identity Passwordless Authentication Method
User Successfully Sign-in to M365 Portal Using Beyond Identity Passwordless option

Create Users in Entra ID with the help of PowerShell once Domain is Federated

To create Entra ID Users after the Primary domain is federated, use the following PowerShell Commands:

Connect-AzureAD

$domain = “contoso.com”

$First_name = "First"

$Last_name = "Last"

$Display_name = $First_name + " " + $Last_name

$UPN = $First_name + "." + $Last_name + "@" + $domain 

$Mail_nickname = $First_name + "." + $Last_name

$guid = [guid]::NewGuid() 

$immutableid = [system.convert]::ToBase64String(($guid).ToByteArray())

$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile

$countryCode = "US"

New-AzureADUser -DisplayName $Display_name -PasswordProfile $PasswordProfile -UserPrincipalName $UPN -AccountEnabled $true -ImmutableId $immutableid -GivenName $First_name -SurName $Last_name -mailnickname $Mail_nickname -usageLocation $countryCode

Create Entra ID Users after the Primary domain is federated

Note: To Revert Back the Domain to Managed Mode you can use the Below PowerShell command. 

Connect-MsolService
Set-MsolDomainAuthentication -DomainName "Federated Domain Name" -Authentication “managed”

 User Deprovisioning

To deprovision a user from the Beyond Identity experience, remove user from the “BI_Users” Group in Entra ID.
Right Click on the “BI_Users” group and click on the “Members” tab.
Select User and click on Remove.
In the confirmation dialog click “Yes”.
Click OK.

Conclusion.

Integrating Beyond Identity with Microsoft Entra ID strengthens your security posture even further. This powerful combination provides a comprehensive identity protection solution, ideal for organizations with high-security needs.Stay tuned for more updates on identity solutions.











Post a Comment

1 Comments

  1. Great guide. One thing I did not understand why you need BI for passwordless. This can be reached on native EntraID or did I miss a thing?

    ReplyDelete