Entra Authentication settings

Entra Authentication settings#

List of the Entra Authentication settings:

Configuration option

Description

Entra Authentication Enabled

Controls whether Entra ID (Azure Active Directory) authentication is enabled.

When set to True, all remaining fields in this section become required. When set to False, authentication is disabled and all other fields are ignored.

Default: False

Tenant ID

The unique identifier of your Microsoft Entra ID tenant (directory).

Example: 02990467-5131-4a63-9a88-b578f38d89ab

Client ID

The Application (client) ID of the app registration used to authenticate with Microsoft Graph and validate incoming tokens.

Example: 75ff0832-1cbe-4bf2-87b0-9b99cacbec68

Audience

The resource URI that incoming JWT tokens must be issued for. Tokens whose aud claim does not match this value will be rejected.

Typically matches the Application ID URI configured in the app registration manifest.

Default: https://database.windows.net/

Issuer

The expected issuer of incoming JWT tokens. Tokens whose iss claim does not match this value will be rejected.

Supports the {TenantId} placeholder, which is automatically replaced with the configured Tenant ID.

Recommended values:

  • v1 tokens (sts.windows.net endpoint): https://sts.windows.net/{TenantId}/

  • v2 tokens (login.microsoftonline.com endpoint): https://login.microsoftonline.com/{TenantId}/v2.0

Default: https://sts.windows.net/{TenantId}/

Authority

The full URL of the Microsoft identity platform authorization endpoint. Supports the {TenantId} placeholder.

Default: https://login.microsoftonline.com/{TenantId}/

Metadata Address

The URL of the OpenID Connect discovery document (openid-configuration endpoint). Used to retrieve the JWKS signing keys for token signature validation.

Supports the {TenantId} placeholder.

Default: https://login.microsoftonline.com/{TenantId}/v2.0/.well-known/openid-configuration

Required Claims

An optional semicolon-separated list of JWT claims that must be present in every incoming token. Tokens that do not satisfy all listed claims will be rejected.

Two validation modes are supported per entry:

  • Presence-only — the claim must exist in the token with any non-empty value.

    Format: <claimType>

    Example: roles

  • Value match — the claim must exist and its value must exactly match the expected value (case-sensitive).

    Format: <claimType>=<expectedValue>

    Example: tid=02990467-5131-4a63-9a88-b578f38d89ab

Supports the {TenantId} placeholder in expected values.

Example combining both modes: roles;tid={TenantId}

Default: tid={TenantId};

Clock Skew

The maximum allowed time difference between the token-issuing server and this server when validating the exp (expiration) and nbf (not before) claims.

Compensates for minor clock drift between hosts. A value of 00:00:00 disables tolerance entirely.

Expressed in hh:mm:ss format.

Default: 00:05:00

JWKS Keys Cache Duration

How long the signing keys fetched from the JWKS endpoint are cached before a fresh fetch is performed.

A longer value reduces network traffic to the Microsoft identity platform but may delay detection of key rotation. On token signature validation failure, a forced refresh is triggered automatically regardless of this setting.

A value of 00:00:00 disables cache entirely. Expressed in hh:mm:ss format.

Default: 01:00:00

Certificate Thumbprint

The SHA-1 or SHA-256 thumbprint of the certificate installed in the Local Machine certificate store, used to authenticate the application against Microsoft Entra ID via the client credentials flow.

Remediation steps if authentication fails:

  1. Verify the certificate exists in the Local Machine store (certlm.msc).

  2. If missing, import the .pfx file provided by your administrator.

  3. Grant the service account read access to the certificate’s private key (Manage private keys in certlm.msc).

  4. Ensure the thumbprint is copied without leading/trailing whitespace or invisible Unicode characters (common when copying from the Windows Certificate Manager UI).

Example (SHA-1): A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2

Entra Group Cache Duration

How long the list of Entra ID groups fetched from Microsoft Graph is cached before a fresh fetch is performed.

A longer value reduces calls to Microsoft Graph but may delay visibility of group membership changes.

A value of 00:00:00 disables cache entirely. Expressed in hh:mm:ss format.

Default: 00:30:00

Note

The {TenantId} placeholder in Issuer, Authority, Metadata Address, and Required Claims values is automatically replaced with the configured Tenant ID.

Note

Required claim values are compared using case-sensitive, ordinal string comparison in accordance with RFC 7519 (JSON Web Token), which defines all registered claim values as case-sensitive strings.

When configuring a value-match entry (<claimType>=<expectedValue>), ensure the expected value is provided exactly as it appears in the token. For example, Entra ID issues oid and tid claims as lowercase GUIDs — the configured value must match that casing exactly.

Warning

The certificate’s private key must be accessible to the service account running the application. If the certificate was imported from a .cer file (public key only), re-import using a .pfx file that contains the private key.