Microsoft EAM (External Authentication Method)

Created by Chris Canfield, Modified on Tue, 29 Oct at 10:18 AM by Chris Canfield

Overview


Microsoft EAM is one option to add TraitWare passwordless MFA to Microsoft logins to strengthen the security of those logins.  TraitWare MFA as an EAM provides a layer of security to guarantee your logins satisfy MFA requirements and security best practices.  It serves as an additional line of defense utilizing TraitWare's simple, low-friction, high-security login methods.


Use cases where the addition of TraitWare Passwordless MFA EAM is effective:

  • Web sign-ins
  • Windows Hello (PIN/Biometric)
  • OOBE
  • Desktop applications


This guide outlines the following steps to configure TraitWare EAM for your environments:

  1. Register an Application in Entra
  2. Create an EAM application in the TraitWare Console
  3. Add TraitWare as an EAM in Entra
  4. Create conditional access policies in Entra to use the TraitWare MFA EAM
  5. Test a TraitWare EAM login


Prerequisites

  • You must have the Graph API User Sync configured in the TraitWare console
  • Users must have a minimum of a Microsoft Entra ID P1 license



TABLE OF CONTENTS


Register an Application

The first step is to register an application in Entra ID and grant the needed permissions.

In your Entra ID console, navigate to Applications>App registrations. Select New registration.


  • Enter a name for your TraitWare EAM application.  This is something to help you identify this application in the future and will not be displayed anywhere else.
  • Select the first option for Supported account types (Single tenant)
  • In the Redirect URI section, select Web from the dropdown.  In the field beside it, enter: 
    https://api.traitware.com/oidc/authorization


  • Click Register.


  • Select Branding & properties and click Update domain.  Choose the domain you would like users to see on a consent screen (if applicable depending on policies).  Make sure this is a domain that is familiar to users.



  • In your registered application, navigate to the Authentication menu.
  • Select ID tokens from the token option and make sure it's checked.
  • Click Save.



  • Click the API permissions menu item.
  • Click Add a permission.




  • Select Microsoft Graph.




  • Select Delegated permissions.




  • In the OpenID permissions list select openid and profile.
  • Click Add permissions.




  • Click Grant admin consent for (your-domain).



  • You should now see a green check mark under the status for each permission.




  • Select Overview and note the Application (client) ID. You will need this value for the next step.




Create TraitWare EAM Application


In this step you will create an application in the TraitWare console to use with your EAM configuration.


  • Navigate to your TraitWare admin console and select Applications and click Add Application.



  • Select Microsoft Entra EAM.



  • Name your application.  This name will appear on the TraitWare login screen during the EAM login.


  • For Redirect URI enter:
    https://login.microsoftonline.com/common/federation/externalauthprovider


  • For the Service Provider Login Page URL enter:
    https://login.microsoftonline.com


  • For the Key Discovery URI enter: 

    https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration
  • For the App ID paste the Application (client) ID from your App Registration Overview screen (mentioned in the previous step).


  • Select Save changes.




  • In the EAM application you just saved, select the Provider Credentials tab.
  • Copy the Client ID.  We will be using this value when we add TraitWare as an EAM in Entra.




  • Add users to your EAM application either as a group or individually.  This is the same as adding users to any other web application protected by TraitWare.
  • Users must be added to the EAM Application to log in using TraitWare EAM.


Add users via a Group.  Add the EAM Application and users to a Group.


Add users individually by selecting Add/Remove Users for the EAM Application.




Add TraitWare as an EAM in Entra


  • In your Entra console, navigate to Protection>Authentication methods.
  • Select Add external method.




  • Create a Name for your TraitWare EAM.  This name will be displayed on the Microsoft login page when prompted for MFA.
  • Paste the Client ID from the previous step.  This is the Client ID from the application created in the TraitWare console.
  • For the Discovery Endpoint use: 
    https://api.traitware.com/.well-known/openid-configuration 
  • For the App ID paste the App ID from the application you registered in the first step (if a valid App ID is provided, a green check should appear indicating that Admin consent is granted).
  • Click the Enable switch to enable the EAM.
  • Click Add target to add the groups and users you would like to use the TraitWare EAM.
  • Click Save.




TraitWare is now added as an EAM Multifactor Authentication option for Microsoft logins.


Once you successfully test the TraitWare EAM login, we recommend you disable the other authentication methods to ensure users are using TraitWare Passwordless MFA to login.



In the next section you will learn how to configure Conditional Access Policies to require TraitWare Passwordless MFA EAM for various login cases.


Although TraitWare has been added as an EAM option, MFA requirements for Microsoft are handled through Conditional Access policies.



Configure Conditional Access Policies for EAM


You can create Conditional Access Policies to require TraitWare Passwordless EAM MFA for various login scenarios and users/groups.  This is done to satisfy security best practices of requiring MFA for all login endpoints in your environment.


This first example will walk through creating a policy to protect Cloud apps with TraitWare EAM.


Protecting Cloud Apps with TraitWare EAM


In your Entra console, navigate to Protection>Conditional Access>Policies.


You can choose to create a New policy or create a New policy from template.


We recommend creating a New policy to test TraitWare EAM on a subset of users before deploying it to large groups or your entire organization from the templates.




  • Select New policy and enter a Name for the policy.
  • Under Users click Specific users included and choose a group or individual users.  We recommend a test group or a subset of users to start.



  • Select the Target resources you want to protect.
  • Select Cloud apps from the dropdown.
  • Choose All cloud apps or Select apps.  With Select apps you can test on a subset of apps.
  • If you choose Select apps click on Select and choose the apps you would like to protect.




  • Select Grant.
  • In the right pane, check Require multifactor authentication.
  • Click Select at the bottom.




  • Toggle Enable policy at the bottom to On.
  • Click Create to create the policy.




  • The policy should now appear in the policy list.




Other EAM Policy Types

In addition to Cloud apps, EAM can be used to protect a number of different resources.


  • User actions
    • Register or join a device
    • Register security information
  • Global Secure Access
  • Authentication context


You can learn more about protecting other Target resources with conditional access EAM policies here: Microsoft Conditional Access: Target resources.



Other Conditional Access Settings

There are many other fine-grained conditional access policy settings that are beyond the scope of this documentation.  Please see Microsoft's official documentation (Microsoft Conditional Access Policies) for managing these settings. 




Test the TraitWare EAM


Now that you have configured TraitWare as an EAM it is recommended to test a login.


**Remember that users must be added to the EAM application in the TraitWare console via a group or individually to use EAM.**


Log in to Office 365 using Traitware EAM


Navigate to one of the web apps you chose to protect.  In this example we will show Office 365.


Enter your login name.



Enter your credential.



Select Approve with TraitWare Passwordless EAM



Authenticate to your TraitWare mobile app and scan the QR code.



You are logged into your Office 365 account using TraitWare Passwordess MFA.




Other Login Use Cases


The example above uses a legacy username and password login protected by TraitWare MFA.  TraitWare EAM supports other use cases where username and password are not the primary login methods and strong MFA is required.


Other login use cases where TraitWare EAM is needed for MFA security:

  • Windows Hello (PIN/Biometric)
  • FIDO Keys
  • OOBE (initial onboarding)










Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article