Configuring integration with Microsoft Entra ID
You have to configure integration with Microsoft Entra ID to allow the users in your organization to sign in to Kaspersky Security Center Cloud Console with their Microsoft Entra ID account credentials.
Integration with Microsoft Entra ID is available for the primary Administration Server only. You cannot configure the integration for secondary or virtual Administration Servers.
To configure integration with Microsoft Entra ID:
- In the main menu, click the settings icon next to the name of the Administration Server.
The Administration Server properties window opens.
- On the General tab, select the Microsoft Entra ID section.
- Turn on the Microsoft Entra ID integration toggle button.
- Copy the links from the following fields:
- Callback URL
- Front-channel logout URL
You will need these URLs to register Kaspersky Security Center Cloud Console in the Microsoft Entra ID tenant.
- Login URL
You will need this URL to allow users to sign in to the Kaspersky Security Center Cloud Console workspace with their Microsoft Entra ID credentials after the integration with Microsoft Entra ID is complete.
- Sign in to the Microsoft Entra admin center, and then select the tenant of your organization.
You must have the Global administrator or the Application administrator role in the tenant.
- In the main menu, go to Identity → Applications → App registrations, and then click the New registration button.
- In the window that opens, do the following:
- Specify a name for the Kaspersky Security Center Cloud Console application.
- In the Supported account types section, select the Accounts in this organizational directory only (<tenant_name> only - Single tenant) option.
- In the Redirect URI section, select Web from the drop-down list, and then enter the callback URL that you copied from Kaspersky Security Center Cloud Console at step 4.
- Click the Register button.
The Kaspersky Security Center Cloud Console application is registered in Microsoft Entra ID, and the application overview page opens.
- If necessary, add Kaspersky Security Center Cloud Console to the list of applications.
The users will be able to open Kaspersky Security Center Cloud Console by clicking its name in the list of applications in My Apps and Office 365 Launcher, without using the login URL.
- Copy the Application (client) ID and the Directory (tenant) ID, and save them in any convenient way.
You will need these IDs when filling in the mandatory fields in Kaspersky Security Center Cloud Console at step 14.
- In the menu of the Kaspersky Security Center Cloud Console application, go to the Authentication section, and then enter the URLs that you copied from Kaspersky Security Center Cloud Console at step 4:
- In the Web section, click the Add URI button, and then enter the login URL.
- In the Front-channel logout URL section, enter the front-channel logout URL.
- In the menu of the Kaspersky Security Center Cloud Console application, go to the Certificates & secrets section, and then do the following:
- Go to the Client secrets tab, and then click the New client secret button.
- In the window that opens, specify any description for the client secret, and then select the period after which the secret expires.
We recommend that you note the expiration date of the secret so that you can rotate it before it expires.
- Click the Add button.
The created secret is displayed on the Client secrets tab.
- Copy the information from the Value column.
We strongly recommend that you copy the value immediately after creating the client secret, because it is displayed only once.
- In the menu of the Kaspersky Security Center Cloud Console application, go to the Token configuration section, and then do the following:
- Add the onprem_sid optional claim:
- Click the Add optional claim button.
- In the window that opens, select the ID token type, and then in the Claim column, select the check box next to onprem_sid.
- Click the Add button.
The onprem_sid optional claim is displayed on the Optional claims page.
- Add the preferred_username optional claim:
- Click the Add optional claim button.
- In the window that opens, select the Access token type, and then in the Claim column, select the check box next to preferred_username.
- Click the Add button.
The preferred_username optional claim is displayed on the Optional claims page.
- In the menu of the Kaspersky Security Center Cloud Console application, go to the API permissions section, and then add the permissions:
- User.Read.All
- User.Export.All
- GroupMember.Read.All
- Directory.Read.All
To add a permission, do the following:
- Click the Add a permission button, and then select the Microsoft APIs tab.
- Select Microsoft Graph → Application permissions, and then select the permission you want to add.
- Click the Add permission button.
The four permissions are added and displayed on the Configured permissions page.
- Click the Grant admin consent for <tenant_name> button, and then in the window that opens, click Yes to confirm the granting of consent for the permissions you added.
- Go back to Kaspersky Security Center Cloud Console, and on the General tab, fill in the following mandatory fields:
- Tenant ID. The Directory (tenant) ID that you copied at step 10.
- Client ID. The Application (client) ID that you copied at step 10.
- Client secret. The value that you copied at step 12.
- Click the Check connection button to check if the settings are correct, and then after the Connected status is displayed, click the Save button.
The integration settings are saved, and the integration with Microsoft Entra ID is configured.
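The following script is an added example for checking the app registration produced by the steps above; it is not Kaspersky's or Microsoft's code. It reads an app manifest exported from Entra ID and reports every deviation from the required settings: single-tenant account type, the callback and login URLs as Web redirect URIs, the front-channel logout URL, the onprem_sid and preferred_username optional claims, the number of Microsoft Graph application permissions, and client secrets that are expired or due for rotation. It assumes the manifest uses the Microsoft Graph application format (signInAudience, web.redirectUris, web.logoutUrl, optionalClaims, requiredResourceAccess, passwordCredentials with endDateTime); the URLs, secret name and permission ids in the sample manifest are constructed placeholders.

```python
"""Check an exported Entra ID app registration against the settings the
procedure requires. Added example, not Kaspersky's or Microsoft's code.
Assumes the Microsoft Graph application manifest format; all URLs and ids
below are constructed placeholders."""
from datetime import datetime, timedelta, timezone

GRAPH_RESOURCE_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph
# User.Read.All, User.Export.All, GroupMember.Read.All, Directory.Read.All
EXPECTED_GRAPH_APP_PERMISSIONS = 4

# Constructed placeholders standing in for the URLs copied at step 4.
CALLBACK_URL = "https://console.example.invalid/entra/callback"
LOGIN_URL = "https://console.example.invalid/entra/login"
LOGOUT_URL = "https://console.example.invalid/entra/logout"


def parse_time(value):
    """Parse an ISO-8601 timestamp such as 2030-01-01T00:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_manifest(manifest, callback_url, login_url, logout_url, now=None, warn_days=30):
    """Return a list of findings; an empty list means every check passed.

    'now' may be an aware datetime or an ISO-8601 string (defaults to the current time).
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_time(now)
    findings = []

    # Supported account types: single tenant only.
    if manifest.get("signInAudience") != "AzureADMyOrg":
        findings.append("signInAudience is not AzureADMyOrg (single tenant)")

    # Authentication: callback URL and login URL must both be Web redirect URIs,
    # and the front-channel logout URL must be set.
    web = manifest.get("web") or {}
    redirect_uris = set(web.get("redirectUris") or [])
    for label, url in (("callback", callback_url), ("login", login_url)):
        if url not in redirect_uris:
            findings.append(f"{label} URL is missing from web.redirectUris: {url}")
    if web.get("logoutUrl") != logout_url:
        findings.append("web.logoutUrl does not match the front-channel logout URL")

    # Token configuration: onprem_sid in the ID token, preferred_username in the access token.
    claims = manifest.get("optionalClaims") or {}
    id_token_claims = {c.get("name") for c in claims.get("idToken") or []}
    access_token_claims = {c.get("name") for c in claims.get("accessToken") or []}
    if "onprem_sid" not in id_token_claims:
        findings.append("onprem_sid optional claim is not configured for the ID token")
    if "preferred_username" not in access_token_claims:
        findings.append("preferred_username optional claim is not configured for the access token")

    # API permissions: Microsoft Graph application permissions have type "Role".
    # The manifest carries only permission ids, so this checks the count; the names
    # and the admin consent grant are verified on the Configured permissions page.
    graph_roles = [
        access
        for resource in manifest.get("requiredResourceAccess") or []
        if resource.get("resourceAppId") == GRAPH_RESOURCE_APP_ID
        for access in resource.get("resourceAccess") or []
        if access.get("type") == "Role"
    ]
    if len(graph_roles) < EXPECTED_GRAPH_APP_PERMISSIONS:
        findings.append(
            f"expected {EXPECTED_GRAPH_APP_PERMISSIONS} Microsoft Graph application "
            f"permissions, found {len(graph_roles)}"
        )

    # Certificates & secrets: flag expired secrets and those due for rotation.
    for cred in manifest.get("passwordCredentials") or []:
        name = cred.get("displayName") or cred.get("keyId") or "<unnamed>"
        end = cred.get("endDateTime")
        if not end:
            continue
        end = parse_time(end)
        if end <= now:
            findings.append(f"client secret '{name}' has expired")
        elif end - now < timedelta(days=warn_days):
            findings.append(f"client secret '{name}' expires within {warn_days} days; rotate it")
    return findings


def sample_manifest():
    """Constructed manifest that satisfies every check (placeholder ids throughout)."""
    return {
        "signInAudience": "AzureADMyOrg",
        "web": {"redirectUris": [CALLBACK_URL, LOGIN_URL], "logoutUrl": LOGOUT_URL},
        "optionalClaims": {
            "idToken": [{"name": "onprem_sid", "essential": False}],
            "accessToken": [{"name": "preferred_username", "essential": False}],
            "saml2Token": [],
        },
        "requiredResourceAccess": [{
            "resourceAppId": GRAPH_RESOURCE_APP_ID,
            # Placeholder ids; a real manifest carries the Graph app-role GUIDs.
            "resourceAccess": [{"id": f"00000000-0000-0000-0000-00000000000{i}", "type": "Role"}
                               for i in range(1, 5)],
        }],
        "passwordCredentials": [{"displayName": "ksc-cloud-console",
                                 "endDateTime": "2030-01-01T00:00:00Z"}],
    }


if __name__ == "__main__":
    result = check_manifest(sample_manifest(), CALLBACK_URL, LOGIN_URL, LOGOUT_URL)
    for line in result or ["all checks passed"]:
        print(line)
```

Run it against a manifest exported from the app registration's Manifest page (after replacing the placeholder URLs with the ones copied at step 4) to catch a missing redirect URI or optional claim before the Check connection step, and schedule it to run periodically so a client secret is rotated before it expires rather than after sign-in breaks.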
After you configure the integration with Microsoft Entra ID, you have to do the following:
- In the Kaspersky Security Center Cloud Console main menu, go to Users & roles → Users & groups to make sure that the users and groups from Microsoft Entra ID are added to Kaspersky Security Center Cloud Console.
If the users and groups in your Microsoft Entra ID tenant are synchronized from the Active Directory of your organization, and Active Directory polling is configured, then the users and groups are already added to Kaspersky Security Center Cloud Console as a result of Active Directory polling.
Otherwise, you have to enable and run Microsoft Entra ID polling to add the users and groups from your Microsoft Entra ID tenant to Kaspersky Security Center Cloud Console.
- Assign necessary roles to the users and groups.
When assigning roles to a user on a virtual Administration Server, in the main menu, go to Users & roles → Users & groups, and then select the Users tab. If you select the Groups tab, and then assign roles to the group where the user is a member, the user will not be able to log in to Kaspersky Security Center Cloud Console.
- Send the login URL that you copied at step 4 to the users. They will enter this URL to sign in to the Kaspersky Security Center Cloud Console workspace by using their Microsoft Entra ID credentials.
To sign in to Kaspersky Security Center Cloud Console with Microsoft Entra ID account credentials, users must be able to sign in to their Microsoft Entra ID account.