Entra IDP Integration

Step-by-step instructions for Entra ID Integration





IDP Integration

The IDP Integration setup UI is available on the account page (#/profile) to all Enterprise plan users.

Setting up the IDP integration has two parts:

  • Configuring a SCIM integration that synchronizes users and groups from your Entra ID tenant to Ubiq
  • Configuring an Entra ID application registration that lets Ubiq validate and use the Entra ID tokens your applications present

Auto-provisioning

An Identity is provisioned for each SCIM-synced user account. Permissions for those Identities come from Access Groups: an Access Group whose name matches a SCIM-synced group grants the permissions on its Datasets to the Identities of that group's members.

| When | Provisioning logic |
| --- | --- |
| IDP user is created | Creates a new Identity for the IDP user. |
| IDP user field changes | Updates the corresponding values on that Identity. |
| IDP user is deleted | Deletes the Identity and removes it from any Access Groups it belonged to. |
| IDP group is created | Looks for an Access Group with the same name and links the two. Once linked, any IDP user added to the IDP group has their Identity added to the corresponding Access Group. |
| IDP group members change | If the IDP group is linked to an Access Group, the corresponding Identities' memberships in that Access Group are changed to match. |
| IDP group is deleted | For every IDP user in the group, finds the corresponding Identity and removes it from the corresponding Access Group. |
| Access Group is created (in the Ubiq UI) | Looks for an IDP group with the same name and provisions the Identities of its IDP users as members of the new Access Group. |

Note: Auto-provisioned Identities can only be edited to a limited extent in the Ubiq UI, since their attributes and Access Group memberships are driven by the SCIM sync; make changes in the IDP and let the sync propagate them.
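The event table above, as an added example in Go that is not part of Ubiq's product or of this page: a small in-memory model of the Ubiq-side state that applies each of the seven events. The type and method names (Directory, Identity, AccessGroup, GroupUpserted and so on), the sample users and the group name are invented for the illustration; where the table is silent (an IDP group member whose user has not been synced yet), the model skips that member, and that is an assumption.

```go
package main

import "fmt"

// Identity is the Ubiq-side record auto-provisioned for one SCIM-synced IDP user.
type Identity struct{ UserID, Email string }

// AccessGroup is created in the Ubiq UI. Once an IDP group with the same name has been
// seen, Linked is set and Members is kept in step with that IDP group.
type AccessGroup struct {
	Name    string
	Linked  bool
	Members map[string]bool // set of Identity.UserID
}

// Directory is the Ubiq-side state plus the last-seen IDP group memberships from SCIM.
type Directory struct {
	Identities   map[string]*Identity       // keyed by IDP (SCIM) user id
	AccessGroups map[string]*AccessGroup    // keyed by name
	IDPGroups    map[string]map[string]bool // IDP group name -> set of member user ids
}

func NewDirectory() *Directory {
	return &Directory{map[string]*Identity{}, map[string]*AccessGroup{}, map[string]map[string]bool{}}
}

// UserCreated: "IDP user is created" -> a new Identity.
func (d *Directory) UserCreated(userID, email string) {
	d.Identities[userID] = &Identity{UserID: userID, Email: email}
}

// UserChanged: "IDP user field changes" -> the corresponding Identity is updated.
func (d *Directory) UserChanged(userID, email string) {
	if id, ok := d.Identities[userID]; ok {
		id.Email = email
	}
}

// UserDeleted: "IDP user is deleted" -> Identity removed and dropped from every Access Group.
func (d *Directory) UserDeleted(userID string) {
	delete(d.Identities, userID)
	for _, ag := range d.AccessGroups {
		delete(ag.Members, userID)
	}
}

// GroupUpserted covers "IDP group is created" and "IDP group members change": record the
// membership, then link and sync an Access Group of the same name if one exists.
func (d *Directory) GroupUpserted(name string, memberIDs ...string) {
	members := make(map[string]bool, len(memberIDs))
	for _, m := range memberIDs {
		members[m] = true
	}
	d.IDPGroups[name] = members
	d.sync(name)
}

// GroupDeleted: "IDP group is deleted" -> its members leave the linked Access Group; the Access Group stays.
func (d *Directory) GroupDeleted(name string) {
	if ag, ok := d.AccessGroups[name]; ok {
		for userID := range d.IDPGroups[name] {
			delete(ag.Members, userID)
		}
		ag.Linked = false
	}
	delete(d.IDPGroups, name)
}

// AccessGroupCreated: "Access Group is created (in the Ubiq UI)" -> picks up an existing IDP group of the same name.
func (d *Directory) AccessGroupCreated(name string) {
	d.AccessGroups[name] = &AccessGroup{Name: name, Members: map[string]bool{}}
	d.sync(name)
}

// sync links an Access Group and an IDP group that share a name and makes the Access Group's
// membership match the IDP group. Members with no synced Identity yet are skipped (an assumption).
func (d *Directory) sync(name string) {
	ag, haveAG := d.AccessGroups[name]
	members, haveGroup := d.IDPGroups[name]
	if !haveAG || !haveGroup {
		return
	}
	ag.Linked = true
	ag.Members = map[string]bool{}
	for userID := range members {
		if _, known := d.Identities[userID]; known {
			ag.Members[userID] = true
		}
	}
}

func main() {
	d := NewDirectory() // sample users and group names are constructed for this example
	d.UserCreated("u-alice", "alice@example.com")
	d.GroupUpserted("finance-analysts", "u-alice") // no Access Group yet: nothing to link
	d.AccessGroupCreated("finance-analysts")        // created later in the Ubiq UI: membership provisioned now
	fmt.Println(d.AccessGroups["finance-analysts"].Linked, d.AccessGroups["finance-analysts"].Members)
}
```

The model makes two ordering points in the table explicit: an IDP group that is synced before an Access Group of that name exists does nothing until the Access Group is created in Ubiq, at which point its members are provisioned, and deleting the IDP group empties and unlinks the Access Group without deleting it.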

Ubiq IDP Integration Setup

When enabling IDP Integration, the OpenID Connect Discovery URL, IDP Token Issuer and IDP Token Audience settings on the Ubiq IDP Integration screen must be populated from values in Microsoft Entra ID (where to find each is listed at the end of this page). The Ubiq SCIM URL and Ubiq SCIM Secret Token flow the other way: Ubiq generates them and they are entered into the Entra provisioning configuration below.

Azure AD / Entra Integration

Create Enterprise Application

  1. Microsoft Entra ID Dashboard → “+ Add” → Enterprise Application
  2. Click “+ Create Your Own Application”
  3. Enter desired name of the Application
  4. Select “Integrate any other application you don’t find in the gallery (Non-gallery)”
  5. Click Create

Users / Groups

  1. Users & Groups → “+ Add user/group”
  2. Select users or groups that should be allowed to access Ubiq
  3. Click Assign

Provisioning

  1. Provisioning → Provisioning
  2. Change Provisioning Mode to Automatic
  3. Admin Credentials → Tenant URL = Ubiq SCIM URL from the Ubiq IDP Integration screen
  4. Admin Credentials → Secret Token = Ubiq SCIM Secret Token from the Ubiq IDP Integration screen
  5. Click Test Connection
  6. Click Save

Nothing is synchronized until Provisioning Status (under Settings) is set to On. Leave Scope at “Sync only assigned users and groups” so that only the users and groups assigned above are sent to Ubiq. The SCIM Secret Token is a bearer credential for your Ubiq tenant's SCIM endpoint and should be handled like any other secret.

Configure Application

  1. Microsoft Entra ID Dashboard → App registrations → All Applications → Your Application

Enable Access Tokens

  1. Authentication → check “Access tokens (used for implicit flows)” → Save

This setting is only needed if the client obtains its access token through the implicit grant (token returned in the URL fragment). The OAuth 2.0 Security Best Current Practice deprecates the implicit grant in favour of the authorization code flow with PKCE, so enable it only if your client library actually uses that flow, and untick it once it no longer does.

Client Secret

  1. Certificates & secrets → Client Secrets → “+ New client secret”
  2. Enter description of client secret (e.g. Ubiq Secret) and desired expiration
  3. Click Add
  4. Copy the new secret value immediately and store it in a secrets manager; Entra shows it only at creation time. The client library uses it later. Record the expiration you chose and plan the rotation, since token acquisition fails once the secret expires.

Token Claims

  1. Token configuration → “+ Add groups claim”
  2. Select the group types to emit; “Groups assigned to the application” is the usual choice, since it limits the claim to the groups assigned under Users / Groups above and keeps the token small
  3. Click Add

Entra caps the groups claim (200 group IDs in a JWT, and only 6 when the token is returned through the implicit flow). Past the cap it emits an overage indicator instead of the list, so selecting all security groups for users who belong to many groups can leave the token with no group information at all. The claim carries group object IDs, not display names.

API Scopes

  1. Expose an API → Application ID URI → “Add”, accepting the default api://<Application (client) ID> unless you need a custom URI (this value is the IDP Token Audience configured in Ubiq)
  2. Click Save
  3. Click “+ Add a scope”
    1. Scope name => Custom.Read
    2. Who can consent? => Admins Only
    3. Enter desired display names/descriptions
    4. Click Add scope

API Permissions

  1. API permissions → “+ Add a permission” → “APIs my organization uses”
    1. Select your application name
    2. Select Custom.Read permission
    3. Click “Add permissions”
  2. “+ Add a permission” → Microsoft Graph
    1. Select Delegated permissions
    2. Select offline_access, openid, and profile permissions
    3. Click “Add permissions”
  3. Click “Grant admin consent for YourAzureADTenantName”
    1. Click Yes to confirm

OpenID Connect Discovery URL

Microsoft Entra ID Dashboard → App registrations → All Applications → Your Application → Endpoints → OpenID Connect metadata document. Copy this URL into the OpenID Connect Discovery URL field in Ubiq; the document it serves names the issuer and the jwks_uri from which token signing keys are fetched.

IDP Token Issuer

The value is https://sts.windows.net/TENANT_ID/ (trailing slash included), where TENANT_ID is the Directory (tenant) ID shown at Microsoft Entra ID Dashboard → App registrations → All Applications → Your Application. This is the issuer of v1.0 access tokens, which is what a new registration issues by default; if the registration's manifest has been changed to request v2.0 access tokens, the issuer is https://login.microsoftonline.com/TENANT_ID/v2.0 instead. The configured value must match the token's iss claim exactly.

IDP Token Audience

Microsoft Entra ID Dashboard → App registrations → All Applications → Your Application → Application ID URI. This is the URI set under Expose an API (api://<Application (client) ID> by default) and is the value carried in the aud claim of v1.0 access tokens issued for the application; v2.0 access tokens carry the client ID instead.
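What a relying party such as Ubiq has to do with the three values above, as an added example in Go; this is not Ubiq's code or the client library. The network parts are stood in for: newKeyPair plays the key set published at the discovery document's jwks_uri, mintToken plays Entra's token endpoint, and the tenant and application IDs are placeholders. validate is the part that matters: it pins the algorithm, selects the key by kid, verifies the signature, and only then compares iss and aud exactly against the configured IDP Token Issuer and IDP Token Audience and checks the nbf/exp window.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// Values the Ubiq IDP Integration screen takes from Entra (placeholder IDs constructed for this example).
const (
	tenantID = "11111111-2222-3333-4444-555555555555"
	issuer   = "https://sts.windows.net/" + tenantID + "/"  // IDP Token Issuer (v1.0 access tokens)
	audience = "api://66666666-7777-8888-9999-000000000000" // IDP Token Audience (Application ID URI)
)

type jwk struct{ Kid, N, E string } // one entry of the "keys" array in the jwks_uri document
type claims struct {              // the subset of the access token checked here
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Nbf int64  `json:"nbf"`
	Exp int64  `json:"exp"`
}

var enc, dec = base64.RawURLEncoding.EncodeToString, base64.RawURLEncoding.DecodeString

// newKeyPair creates a signing key and publishes its public half the way Entra does at jwks_uri.
func newKeyPair(kid string) (*rsa.PrivateKey, []jwk) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key, []jwk{{Kid: kid, N: enc(key.N.Bytes()), E: enc(big.NewInt(int64(key.E)).Bytes())}}
}

// mintToken signs a compact JWT with RS256, standing in for Entra's token endpoint.
func mintToken(key *rsa.PrivateKey, kid string, c claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := enc(hdr) + "." + enc(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return input + "." + enc(sig)
}

// validate does what the relying party must do before trusting a token: pin the algorithm, select the
// key by kid, verify the signature, then compare iss and aud exactly and check the nbf/exp window.
func validate(token string, keys []jwk, now int64) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	rawHdr, errH := dec(parts[0])
	var hdr struct{ Alg, Kid string }
	if errH != nil || json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("header rejected (alg %q): the token does not get to pick the algorithm", hdr.Alg)
	}
	var pub *rsa.PublicKey // selected from the JWKS by kid; never taken from the token itself
	for _, k := range keys {
		if n, errN := dec(k.N); k.Kid == hdr.Kid && errN == nil {
			e, _ := dec(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	sig, errS := dec(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if pub == nil || errS != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature verification failed for kid %q", hdr.Kid)
	}
	rawBody, errB := dec(parts[1]) // claims are read only after the signature has been verified
	var c claims
	if errB != nil || json.Unmarshal(rawBody, &c) != nil {
		return nil, fmt.Errorf("claims are not valid JSON")
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("iss %q does not match the configured IDP Token Issuer", c.Iss)
	case c.Aud != audience:
		return nil, fmt.Errorf("aud %q does not match the configured IDP Token Audience", c.Aud)
	case now < c.Nbf || now >= c.Exp:
		return nil, fmt.Errorf("token is outside its nbf/exp window")
	}
	return &c, nil
}

func main() {
	key, keys := newKeyPair("demo-kid")
	now := int64(1_700_000_000) // fixed clock so the run is reproducible
	fmt.Println(validate(mintToken(key, "demo-kid", claims{Iss: issuer, Aud: audience, Nbf: now - 60, Exp: now + 600}), keys, now))
}
```

In production the key set is fetched from the jwks_uri named in the OpenID Connect metadata document and cached, with a refresh on an unknown kid to cope with Entra's key rollover. The ordering is deliberate: nothing in an unverified payload can be trusted, including the claims that would say which tenant it came from, so the signature is checked before iss or aud is read. A token from the same tenant whose iss uses the v2.0 format (https://login.microsoftonline.com/TENANT_ID/v2.0) is rejected because the configured issuer is the v1.0 one; that is the failure to look for if the registration has been switched to v2.0 access tokens.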


© 2026 Ubiq Security, Inc. All rights reserved.