# Entra Authentication settings
List of the Entra Authentication settings:

| Configuration option | Description |
|---|---|
| Entra Authentication Enabled | Controls whether Entra ID (Azure Active Directory) authentication is enabled. When set to Default: |
| Tenant ID | The unique identifier of your Microsoft Entra ID tenant (directory). Example: |
| Client ID | The Application (client) ID of the app registration used to authenticate with Microsoft Graph and validate incoming tokens. Example: |
| Audience | The resource URI that incoming JWT tokens must be issued for. Tokens whose Typically matches the Application ID URI configured in the app registration manifest. Default: |
| Issuer | The expected issuer of incoming JWT tokens. Tokens whose Supports the `{TenantId}` placeholder. Recommended values: Default: |
| Authority | The full URL of the Microsoft identity platform authorization endpoint. Supports the `{TenantId}` placeholder. Default: |
| Metadata Address | The URL of the OpenID Connect discovery document. Supports the `{TenantId}` placeholder. Default: |
| Required Claims | An optional semicolon-separated list of JWT claims that must be present in every incoming token. Tokens that do not satisfy all listed claims are rejected. Two validation modes are supported per entry: presence only, and value match written as `<claimType>=<expectedValue>` (see the Note below on how values are compared). Supports the `{TenantId}` placeholder. Example combining both modes: Default: |
| Clock Skew | The maximum allowed time difference between the token-issuing server and this server when validating the Compensates for minor clock drift between hosts. A value of Expressed in Default: |
| JWKS Keys Cache Duration | How long the signing keys fetched from the JWKS endpoint are cached before a fresh fetch is performed. A longer value reduces network traffic to the Microsoft identity platform but may delay detection of key rotation. On token signature validation failure, a forced refresh is triggered automatically regardless of this setting. A value of Default: |
| Certificate Thumbprint | The SHA-1 or SHA-256 thumbprint of the certificate installed in the Local Machine certificate store, used to authenticate the application against Microsoft Entra ID via the client credentials flow. Remediation steps if authentication fails: Example (SHA-1): |
| Entra Group Cache Duration | How long the list of Entra ID groups fetched from Microsoft Graph is cached before a fresh fetch is performed. A longer value reduces calls to Microsoft Graph but may delay visibility of group membership changes. A value of Default: |
Note
The `{TenantId}` placeholder in Issuer, Authority, Metadata Address, and Required Claims values is automatically replaced with the configured Tenant ID.
Note
Required claim values are compared using case-sensitive, ordinal string comparison, in line with RFC 7519 (JSON Web Token), which defines the string-valued registered claims (`iss`, `sub`, `aud`, `jti`) as case-sensitive strings. When configuring a value-match entry (`<claimType>=<expectedValue>`), provide the expected value exactly as it appears in the token. For example, Entra ID issues the `oid` and `tid` claims as lowercase GUIDs, so the configured value must use that casing exactly; an upper-case GUID is a different string and the token is rejected.
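As an added example (not the product's own code), the following Python sketch applies the settings above to an incoming JWT the way the table and the Notes describe: `{TenantId}` substitution, required-claim parsing with presence and value-match entries compared ordinally, clock-skew handling of `exp`/`nbf`, and a JWKS cache whose TTL is bypassed by one forced refresh when a signature fails. Entra ID signs tokens with RS256 using keys published at the JWKS endpoint; so that the block runs offline it uses HMAC-SHA256 with constructed secrets as a stand-in, and the tenant ID, audience, key IDs, token payloads and the second-based durations are all constructed values. The issuer check accepts a single configured value; the page's recommended issuer values are not reproduced here.

```python
import base64, hashlib, hmac, json, time
from collections import namedtuple

TENANT = "abcdef12-3456-7890-abcd-ef1234567890"   # constructed placeholder Tenant ID, not a real tenant
# The subset of the settings above that this example applies; durations are in seconds here
# (the page does not state the unit the real Clock Skew and cache settings use).
Settings = namedtuple("Settings", "tenant_id audience issuer required_claims clock_skew jwks_cache_duration")
SETTINGS = Settings(TENANT, "api://example-app",   # constructed audience standing in for the Application ID URI
                    "https://login.microsoftonline.com/{TenantId}/v2.0", "oid;tid={TenantId}", 300, 3600)

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def expand_tenant(value: str, tenant_id: str) -> str:
    return value.replace("{TenantId}", tenant_id)   # the placeholder substitution described in the Note

def parse_required_claims(setting: str, tenant_id: str) -> list:
    """'oid; tid={TenantId}' -> [('oid', None), ('tid', '<tenant id>')]; None means presence only."""
    entries = []
    for raw in filter(None, (e.strip() for e in setting.split(";"))):
        claim, sep, expected = raw.partition("=")
        entries.append((claim.strip(), expand_tenant(expected.strip(), tenant_id) if sep else None))
    return entries

class JwksCache:   # holds the fetched key set for ttl seconds; force=True bypasses the TTL
    def __init__(self, fetch, ttl: int, clock=time.time):
        self._fetch, self._ttl, self._clock = fetch, ttl, clock
        self._keys, self._fetched_at, self.fetch_count = None, 0.0, 0

    def keys(self, force: bool = False) -> dict:
        now = self._clock()
        if force or self._keys is None or now - self._fetched_at >= self._ttl:
            self._keys, self._fetched_at, self.fetch_count = self._fetch(), now, self.fetch_count + 1
        return self._keys

def validate(token: str, s: Settings, cache: JwksCache, now: float) -> tuple:
    """Returns (accepted, reason): signature first, then issuer, audience, time window, required claims."""
    try:
        h, p, sig = token.split(".")
        header, signature = json.loads(b64url_decode(h)), b64url_decode(sig)
    except ValueError:                      # wrong segment count, bad base64 or bad JSON
        return False, "malformed token"
    signing_input = f"{h}.{p}".encode()

    def signature_ok(keys: dict) -> bool:   # HMAC stand-in for RS256 verification with the JWKS key for 'kid'
        key = keys.get(header.get("kid"))
        return key is not None and hmac.compare_digest(
            hmac.new(key, signing_input, hashlib.sha256).digest(), signature)

    # A failed signature forces a JWKS refresh regardless of the cache duration, then exactly one retry.
    if not signature_ok(cache.keys()) and not signature_ok(cache.keys(force=True)):
        return False, "invalid signature"
    payload = json.loads(b64url_decode(p))
    if payload.get("iss") != expand_tenant(s.issuer, s.tenant_id):
        return False, f"unexpected issuer {payload.get('iss')!r}"
    aud = payload.get("aud")
    if s.audience not in (aud if isinstance(aud, list) else [aud]):
        return False, f"token not issued for audience {s.audience!r}"
    # Clock skew only widens the exp/nbf window; a token well past exp is still rejected.
    if now > payload.get("exp", 0) + s.clock_skew:
        return False, "token expired"
    if now < payload.get("nbf", 0) - s.clock_skew:
        return False, "token not yet valid"
    for claim, expected in parse_required_claims(s.required_claims, s.tenant_id):
        if claim not in payload:
            return False, f"missing required claim {claim!r}"
        if expected is not None and payload[claim] != expected:   # ordinal, case-sensitive (RFC 7519)
            return False, f"claim {claim!r} is {payload[claim]!r}, expected {expected!r}"
    return True, "ok"

def make_token(payload: dict, key: bytes, kid: str) -> str:   # test-only minting with the HMAC stand-in
    h = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    p = b64url_encode(json.dumps(payload).encode())
    return f"{h}.{p}." + b64url_encode(hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest())

def run_scenarios() -> dict:
    """Runs the validator over constructed tokens; returns {case: (accepted, reason)} plus the fetch count."""
    now = 1_700_000_000.0
    keys = {"key-1": b"constructed-secret-one"}                  # stand-in for the published JWKS document
    cache = JwksCache(lambda: dict(keys), SETTINGS.jwks_cache_duration, clock=lambda: now)
    good = {"iss": expand_tenant(SETTINGS.issuer, TENANT), "aud": SETTINGS.audience, "tid": TENANT,
            "oid": "0f000000-0000-0000-0000-000000000001", "nbf": now - 60, "exp": now + 600}
    mint = lambda payload, kid="key-1": make_token(payload, keys[kid], kid)
    r = {"valid": validate(mint(good), SETTINGS, cache, now),
         "tid_upper": validate(mint({**good, "tid": TENANT.upper()}), SETTINGS, cache, now),
         "expired_in_skew": validate(mint({**good, "exp": now - 120}), SETTINGS, cache, now),
         "expired": validate(mint({**good, "exp": now - 600}), SETTINGS, cache, now),
         "no_oid": validate(mint({k: v for k, v in good.items() if k != "oid"}), SETTINGS, cache, now),
         "forged": validate(make_token(good, b"attacker-key", "key-1"), SETTINGS, cache, now)}
    keys["key-2"] = b"constructed-secret-two"                    # key rotation after the cache was filled
    r["rotated"] = validate(mint(good, "key-2"), SETTINGS, cache, now)
    r["jwks_fetches"] = cache.fetch_count
    return r

if __name__ == "__main__":
    print(json.dumps(run_scenarios(), indent=1))
```

Running the block prints one line per scenario. The `forged` and `rotated` cases together show the cost of the forced refresh: every token with a bad signature costs one extra JWKS fetch no matter what the cache duration is, so a real implementation should rate-limit forced refreshes, otherwise a stream of forged tokens becomes a stream of requests to the metadata endpoint.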
Warning
The certificate's private key must be accessible to the service account running the application. If the certificate was imported from a .cer file (public key only), re-import it from a .pfx file that contains the private key.