Microsoft Entra ID Custom Controls - Relying Party Configuration Using OIDC - RSA Ready Implementation Guide
This article describes how to integrate RSA Cloud Authentication Service with Microsoft Entra ID Custom Controls using Relying Party.

Before You Begin

  • Install Microsoft Entra Connect and synchronize your on-premises AD. This must be the same on-premises AD that is configured in RSA as an identity source.
  • Configure at least one Entra cloud application.

Important Note

This configuration is not supported for customers in the GCC High Environment.
For more details, refer to: https://community.rsa.com/s/article/Microsoft-365-Government-Community-Cloud-Conditional-Access

Configure RSA Access Policies

Procedure
  1. Sign in to RSA Cloud Administration Console.
  2. Navigate to Access > Policies.
  3. Click Add a policy.
See the following figure for an example of a policy that allows specific users access to the application and denies all others.
[Figure: example access policy]

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service as Relying Party to Microsoft Entra ID Custom Controls.
Procedure
  1. Sign in to RSA Cloud Administration Console.
  2. Click Authentication Clients > Relying Parties.
  3. On the My Relying Parties page, click Add a Relying Party.
  4. On the Relying Party Catalog page, click Add for Microsoft Entra ID.
  5. On the Basic Information page, enter a name for the Microsoft Entra ID Relying Party instance in the Name field.
  6. Click Next Step.
  7. On the Authentication page, select the access policy that you configured, and click Next Step.
  8. On the Connection Profile page:
    a. Authorization Server Issuer URL: a generated value. Record it, because it is needed later to configure Entra ID.
    b. Relying Party Issuer URL: enter https://sts.windows.net/<AZURE-TENANT-ID>, replacing <AZURE-TENANT-ID> with your Entra tenant ID. To locate the tenant ID, log on to the Entra admin portal, navigate to Identity > Overview, and copy the Tenant ID.
    c. Client ID: any value, but it must match the ClientID configured in Entra.
    d. Azure Active Directory Application ID: enter bfda057e-d676-4c42-9742-6eea99bbedc1.
  9. Click Save and Finish.
  10. Click Publish Changes.

Configure Microsoft Entra ID

  1. Log on to the Entra admin portal (entra.microsoft.com) using your administrator credentials.
  2. In the left pane, scroll down to Protection > Conditional access.
  3. On the Conditional access page, click Custom controls.
  4. Click + New custom control. A window with a JSON script opens.
  5. Replace the default script with the metadata copied from the RSA Console: navigate to Authentication Clients > Relying Parties, click the Edit drop-down icon next to the relying party you created, and click Metadata. Paste the copied JSON into the window and check the following fields:
    a. Name: must be unique among all custom controls.
    b. AppID: enter bfda057e-d676-4c42-9742-6eea99bbedc1.
    c. ClientID: enter the Client ID value from step 8c of the Configure RSA Cloud Authentication Service section.
    d. DiscoveryUrl: enter the Authorization Server Issuer URL from step 8a with /.well-known/openid-configuration appended.
    e. Id: must be unique among all custom controls.
    f. Name: same as Id.
    g. Type: enter mfa-policy.
    h. Value: a single space between quotes. This is where the JSON for customized controls supplied by your claim provider would go. See the following example.
    [Figure: example custom control JSON]
  6. Click Create.
  7. On the Conditional access menu, click Policies > + New policy.
  8. Enter a name for the new policy; for example, Protect Sales Applications.
  9. Under Assignments, select Users and groups.
  10. Select the users who require additional authentication.
  11. On the Users and groups window, click Done.
    Note: To avoid locking out the administrator account, click the Exclude tab and exclude the administrator from this policy.
  12. Under Assignments, select Target resources.
  13. On the Cloud apps > Include window, select the apps this policy will apply to.
  14. On the Cloud apps window, click Select.
  15. Select Access controls.
  16. Click Grant.
  17. On the Grant window, select Grant access and select the custom control that you created.
  18. Click Select.
  19. Select On to enable the policy.
  20. Click Create.
The configuration is complete.
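Several values in this procedure must agree across the two consoles: the Client ID entered in RSA (step 8c) and the ClientID in the custom control, the RSA Authorization Server Issuer URL (step 8a) and the DiscoveryUrl, the fixed Entra application ID, and the Id/Name/Type/Value rules for the control itself. A mismatch typically surfaces only as a failed sign-in, so it is worth checking the JSON before clicking Create. The script below is an added example, not code from RSA or Microsoft: it builds the Relying Party Issuer URL from a tenant ID and validates a custom control document against the rules in steps 5a to 5h. It assumes the custom control JSON carries the top-level fields named above plus a "Controls" array holding Id, Name, Type and Value (an assumption based on the field order in the guide), matches key names case-insensitively (the guide writes AppID/ClientID), and uses constructed placeholder values for the tenant ID, issuer URL and Client ID.

```python
import re
from urllib.parse import urlparse

# Added example (not part of the guide). ASSUMPTION: the custom control JSON has
# the top-level fields named in the guide plus a "Controls" array whose entries
# carry Id, Name, Type and Value.

ENTRA_APP_ID = "bfda057e-d676-4c42-9742-6eea99bbedc1"   # fixed value from the guide
DISCOVERY_SUFFIX = "/.well-known/openid-configuration"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)


def relying_party_issuer_url(tenant_id: str) -> str:
    """Relying Party Issuer URL for step 8b, built from the Entra tenant ID."""
    if not GUID_RE.match(tenant_id):
        raise ValueError(f"tenant ID is not a GUID: {tenant_id!r}")
    return f"https://sts.windows.net/{tenant_id.lower()}"


def expected_discovery_url(authz_issuer_url: str) -> str:
    """DiscoveryUrl for step 5d: the RSA Authorization Server Issuer URL plus the OIDC suffix."""
    return authz_issuer_url.rstrip("/") + DISCOVERY_SUFFIX


def validate_custom_control(doc: dict, authz_issuer_url: str, rsa_client_id: str,
                            existing_names=()) -> list:
    """Return a list of problems; an empty list means the control follows the guide's rules.

    Keys are matched case-insensitively because the guide writes AppID/ClientID
    while the portal's template may use AppId/ClientId.
    """
    top = {k.lower(): v for k, v in doc.items()}
    problems = []

    if top.get("appid") != ENTRA_APP_ID:
        problems.append(f"AppId must be {ENTRA_APP_ID}")
    if top.get("clientid") != rsa_client_id:
        problems.append("ClientId does not match the Client ID entered in RSA (step 8c)")

    discovery = top.get("discoveryurl", "")
    if discovery != expected_discovery_url(authz_issuer_url):
        problems.append(f"DiscoveryUrl must be {expected_discovery_url(authz_issuer_url)}")
    if urlparse(discovery).scheme != "https":
        problems.append("DiscoveryUrl must use https")

    name = top.get("name")
    if not name:
        problems.append("Name is required")
    elif name in existing_names:
        problems.append(f"Name {name!r} is already used by another custom control")

    controls = top.get("controls")
    if not isinstance(controls, list) or not controls:
        problems.append("Controls must be a non-empty list")
        return problems
    for i, ctl in enumerate(controls):
        c = {k.lower(): v for k, v in ctl.items()}
        if not c.get("id"):
            problems.append(f"Controls[{i}].Id is required")
        if c.get("name") != c.get("id"):
            problems.append(f"Controls[{i}].Name must equal Id")
        if c.get("type") != "mfa-policy":
            problems.append(f"Controls[{i}].Type must be mfa-policy")
        if c.get("value") != " ":
            problems.append(f"Controls[{i}].Value must be a single space")
    return problems


# Constructed sample values (placeholders, not real tenant data).
SAMPLE_TENANT_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_AUTHZ_ISSUER = "https://rsa-authz.example.com/oauth/placeholder"  # stands in for the RSA-generated URL
SAMPLE_CLIENT_ID = "rsa-entra-custom-control"
SAMPLE_CONTROL = {
    "Name": "RSA-MFA",
    "AppId": ENTRA_APP_ID,
    "ClientId": SAMPLE_CLIENT_ID,
    "DiscoveryUrl": SAMPLE_AUTHZ_ISSUER + DISCOVERY_SUFFIX,
    "Controls": [
        {"Id": "RSA-MFA", "Name": "RSA-MFA", "Type": "mfa-policy", "Value": " "}
    ],
}

if __name__ == "__main__":
    print("Relying Party Issuer URL:", relying_party_issuer_url(SAMPLE_TENANT_ID))
    problems = validate_custom_control(SAMPLE_CONTROL, SAMPLE_AUTHZ_ISSUER, SAMPLE_CLIENT_ID)
    print("Problems:", problems or "none")
```

Pass the names of the custom controls that already exist in the tenant as existing_names so the uniqueness rule in steps 5a and 5e is checked as well; the function reports every rule that fails rather than stopping at the first one.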

User Experience

  1. Log on to the Microsoft Entra application portal.
  2. Select a protected application. You are redirected to RSA for additional authentication.
  3. Authenticate with the authentication method configured for you in RSA.
You have successfully logged on to your protected application's home page.
