# MS Entra ID Integration

Cloudbrink's Personal SASE has granular role-based access controls, enabling administrators to assign different users and groups to the public and private resources they need. Rather than requiring customers to manually define these users and groups, Cloudbrink integrates with the customer's existing identity provider. This enables organizations and their end-users to use existing single sign-on methods, simplifying onboarding and management. This document covers configuring Cloudbrink with Entra ID.

#### **Overview:**

Microsoft Entra Identity, commonly known as Entra ID, is a comprehensive identity and access management solution designed to enhance security and streamline user access across various platforms. Its key benefits include robust authentication mechanisms, centralized identity management, and simplified access controls. Entra ID facilitates secure and efficient user access, reducing the risk of unauthorized access and data breaches. By offering features like multi-factor authentication and single sign-on, it greatly improves the user experience while maintaining high security standards. This makes Entra ID an ideal choice for organizations looking to strengthen their cybersecurity infrastructure and optimize user access management with Cloudbrink.

**Prerequisites**

Administrative access to the Cloudbrink Administrators portal

Administrative access to the Microsoft Entra ID portal

Cloudbrink Entra ID signing certificate provided by <support@cloudbrink.com>

**Configure Authentication Policy**

1. Navigate to the Cloudbrink Admin portal at admin.cloudbrink.com
2. Navigate to **Configure > Policies > Authentication > Add New**

<figure><img src="/files/hmE2naysnta1d4OyXA6Z" alt=""><figcaption></figcaption></figure>


3. Under SAML SSO, input a unique Auth Policy Name, Email Domain, Login URL and Metadata URL. Note: ensure that the Metadata URL and Login URL values contain "microsoftonline.com" in the path.
4. Save the SAML auth policy
5. Open the newly created authentication policy by clicking "Update" in the menu on the right-hand side
6. Copy the ACS URL to a notepad
7. Download the IDP certificate. This certificate needs to be uploaded to the Entra ID app that will be created for the Cloudbrink login service. The download operation will prompt the admin to set the password for the PFX certificate.

<figure><img src="/files/HolMbJwO5mwiYkwZSdzP" alt=""><figcaption></figcaption></figure>

8. Navigate to the Entra ID portal.

<figure><img src="/files/UE19DdIgywOHgOAWQQrf" alt=""><figcaption></figcaption></figure>

9. Navigate to Enterprise Applications in the left-hand panel

<figure><img src="/files/QZ5RAaqZ09kVoXREQ6rh" alt=""><figcaption></figcaption></figure>

10. Click ![](/files/t5BaU1ft0INRMBsBveDd) to create a new Enterprise Application for Cloudbrink
11. Click ![](/files/ECBwS2jyB02N6oz8QWGJ) and fill out the name of the app, ensuring that "Integrate any other application you don't find in the gallery (Non-gallery)" is selected. Hit save.

<figure><img src="/files/Ab86MxROm1hpMtLhh7hQ" alt=""><figcaption></figcaption></figure>

12. On the next screen, select "1. Assign users and groups"

<figure><img src="/files/WHAr9M4M1KryGNgU2C5S" alt=""><figcaption></figcaption></figure>

Select ![](/files/4zVZqOc0xHBcJD5pDAcc) and select the group(s) you'd like to have access via Cloudbrink.

Note: While here, you should copy the group "Object ID" value(s) and put them in your notepad from earlier. These will be used to map groups to access levels in the Cloudbrink admin portal later.

<figure><img src="/files/nHAqaJtKS09WRs6cmXo8" alt=""><figcaption></figcaption></figure>

13. After you've added the required groups, from your Enterprise App menu, select "Single sign-on" and then "SAML" from the left-hand panel under Manage.

<figure><img src="/files/sVSRyprFAjj3Zx6NSWWO" alt=""><figcaption></figcaption></figure>

14. Copy the "Login URL" lower on the page under number 4 to your notepad.

<figure><img src="/files/dKM70tTUbOQuwqbvoLy1" alt=""><figcaption></figcaption></figure>

15. Click "Edit" on the Basic SAML Configuration

<figure><img src="/files/TKKfVH3vjYyzoaLk0sBf" alt=""><figcaption></figcaption></figure>

16. In the right-hand window, fill in the following fields:

   a) Identifier (Entity ID): `https://wren.cloudbrink.com/<example>/svc/auth/<example>` This is copied from step 4 above

   b) Reply URL: `https://wren.cloudbrink.com/<example>/svc/auth/<example>` Same as above

   c) Sign on URL: `https://login.microsoftonline.com/<example>/` Copied from step 12.

17. Once all of the above fields are filled in appropriately, hit save at the top left.

<figure><img src="/files/2X81k6Z6eR61MNKoMSVd" alt=""><figcaption></figcaption></figure>

18. Click Edit on the Attributes & Claims section

<figure><img src="/files/5eOGc9vw7Zq2LYRVnxzz" alt=""><figcaption></figcaption></figure>

19. Click "Add new claim", fill out the following fields (unspecified fields can be left at their defaults), and then click Save:

a) Name: Email

b) Source attribute: user.mail

<figure><img src="/files/Brty6krqxl0owV6SLgum" alt=""><figcaption></figcaption></figure>

20. Click "Add a group claim" and, in the pane that appears on the right, enter the following fields and click Save:

a) Which groups associated: Security groups

b) Source attribute: Group ID

c) Advanced options:

   i) Customize the name of the group claim: checkbox selected

   ii) Name (required): Groups

<figure><img src="/files/NmnPovRahhbscVhH7aZq" alt=""><figcaption></figcaption></figure>

21. Back within the Single sign-on section of the application, under the "3. SAML Signing Certificate" section, copy the App Federation Metadata URL to your notepad.
22. Click the three dots in the top right corner of the SAML Certificates window and click Edit.

<figure><img src="/files/0xqjF7Z9djPQ7zeuOFk6" alt=""><figcaption></figcaption></figure>

23. In the pane that appears on the right:

   a) Click Import Certificate and select the .PFX certificate downloaded from the admin portal

   b) While importing the file, enter the password specified when downloading the IDP cert

   c) Ensure the certificate is set as Active

   d) Change the Signing Option to "Sign SAML response and assertion"

   e) Optionally, input a Notification Email Address to receive certificate expiry reminders

<figure><img src="/files/RXvqU1Z8faltrX4gtLAv" alt=""><figcaption></figcaption></figure>


24. Navigate back to the Cloudbrink Admin Portal and to your Authentication Policy
25. Paste in the Metadata URL and Login URL as copied to your notepad in steps 12 and 19. Then click the checkmark in the top right corner to save

<figure><img src="/files/tL1iFUr3DwPCux3p0WJB" alt=""><figcaption></figcaption></figure>

26. Navigate to Device User Groups
27. For every group you want to use with Cloudbrink for login, create a corresponding Device User Group, with the Device User Group value set to the Entra ID group Object ID

<figure><img src="/files/oGIeBlshefmv5PrsPeBl" alt=""><figcaption></figcaption></figure>

28. Create a new Device User Group Policy and select the desired Resource Template. Optionally, select your desired DSPA Policy, Device Session Policy, and Mobile Access Policy

<figure><img src="/files/4uoOcmpxqEPDMLHWJ7Rx" alt=""><figcaption></figcaption></figure>

29. Users logging in to the BrinkAgent with the configured group will then have the desired policies applied
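The following is an added verification script, not Cloudbrink's or Microsoft's code, that checks two points from the procedure above: the "microsoftonline.com" requirement on the Login/Metadata URLs from step 3 (checked on the hostname, which is the stricter reading) and the Email and Groups claims from steps 19 and 20, mapping Group Object IDs to the Device User Groups from step 27. The assertion XML, Object IDs and group names are constructed sample data.

```python
"""Sanity checks for an Entra ID -> Cloudbrink SAML setup (constructed sample data)."""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample AttributeStatement as Entra would emit it with the
# "Email" claim (user.mail) and the customised "Groups" claim (Group IDs).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
      <saml:AttributeValue>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Device User Groups as created in step 27: value is the Entra group Object ID.
# Constructed placeholder IDs and names.
DEVICE_USER_GROUPS = {
    "11111111-2222-3333-4444-555555555555": "engineering",
    "99999999-9999-9999-9999-999999999999": "finance",
}


def is_entra_url(url: str) -> bool:
    """Step 3 check: Login/Metadata URL must be HTTPS and hosted on microsoftonline.com."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    on_entra = host == "microsoftonline.com" or host.endswith(".microsoftonline.com")
    return parsed.scheme == "https" and on_entra


def extract_claims(assertion_xml: str) -> dict:
    """Return {'email': str|None, 'groups': [Object IDs]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    claims = {"email": None, "groups": []}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text]
        if attr.get("Name") == "Email" and values:
            claims["email"] = values[0]
        elif attr.get("Name") == "Groups":
            claims["groups"] = values
    return claims


def matched_device_user_groups(assertion_xml: str, groups: dict = DEVICE_USER_GROUPS) -> list:
    """Device User Groups whose Object ID appears in the user's Groups claim."""
    return [groups[g] for g in extract_claims(assertion_xml)["groups"] if g in groups]
```

A Groups claim value with no matching Device User Group (the second ID in the sample) is simply ignored, which mirrors why step 27 requires one Device User Group per Entra group that should receive a policy.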

