This article describes how to add RSA as an external authenticator for Microsoft Entra ID.

Configure RSA Assurance Level

The access policy for an application or authentication client specifies an assurance level if the application requires additional authentication. To access the application or authentication client, users must successfully authenticate using an option from that assurance level or a higher assurance level.
A user can select another option at any time, as long as the assigned assurance level or a higher assurance level contains additional options that the user can complete.

  
Procedure

1. Sign into RSA Cloud Administration Console.
2. Navigate to Access > Assurance Levels.
3. Add the authenticators as per the requirement. Note that the authenticators selected for the selected assurance level or the higher assurance level must be part of the supported authenticators from the table in the Supported features section.
          

Configure RSA Access Policies 

Perform the following steps to configure access policies.

Procedure

1. Sign in to RSA Cloud Administration Console. 
2. Navigate to Access > Policies.

3. Click Add a policy.
4. On the Basic Information page, provide a name for your policy. 
                                                                                                                       

5. Click Next Step.
6. On the Identity Sources page, select the required identity sources and click Next Step.
7. Select the Primary Authentication as Disable and click Next Step.
8. In the Rule Sets tab perform the following actions:

1. 1. Select your Target Population. It can be a subset of users based on user attribute or All Users.
   2. In Access Details subsection ,if Access is selected as Allowed, skip this step.
      1. If Access is selected as conditional ,click on Add button to reach Authentication Condition form .
      2. Select any attribute with any value and set the Action as Authenticate and select the Assurance Level configured that conforms to the expectation as mentioned in the  Configure Assurance Level section.

Note: Selecting any attribute and setting up Action to Allow Access will fail the authentication from Microsoft. Authentication must happen with the Assurance Level configured that conforms to the expectation as mentioned in the  Configure Assurance Level section.

3. Select Additional Authentication as Required and select the Assurance Level configured that conforms to the expectation as mentioned in the  Configure Assurance Level section.

Note: Authentication must happen with the Assurance Level configured that conforms to the expectation as mentioned in the  Configure Assurance Level section.

9. Click Save and Finish.
10. Click Publish Changes.

Notes

• Customers need to make sure that the access policy assigned to the EAM connector makes the user authenticate with a method that satisfies the EAM MFA requirements. Customers cannot use the Allow Access action in their policy as this means users won't authenticate.
• Assurance Level used must have only those authenticators which conform to the expectation as mentioned in the  Configure Assurance Level section
• Some of the scenarios that will fail Microsoft authentication:
  • The below setup ,irrespective of the condition, will fail authentication from Microsoft as the user is not prompted to authenticate.

• • The below setup will fail authentication from Microsoft as the user is not prompted to authenticate.

• • The setup below will fail authentication from Microsoft as the Assurance Level does not conform to the  expectation as mentioned in the  Configure Assurance Level section. Emergency Access Code and Password are not supported  by Microsoft  and should not be added to the Assurance Level that will be used .

Configure RSA Cloud Authentication Service as Relying Party

Perform these steps to configure RSA Cloud Authentication Service as Relying Party to Microsoft Entra ID.

  
Procedure

1. Sign in to RSA Cloud Administration Console. 
2. Click Authentication Clients > Relying Parties. 
                                                                               
3. On the My Relying Parties page, click Add a Relying Party.
                                                                           
4. On the Relying Party Catalog page, click Add for Microsoft Entra ID.                                                                                         
5. On the Basic Information page, enter a name for the Microsoft Entra ID Relying Party instance in the Name field.
6. Click Next Step.
7. On the Authentication page, select the policy that you have configured, and click Next Step. Make sure the selected policy does not show Authentication Options of Password or Emergency Access Code.
   
8. On the Connection Profile page, provide the following details:
   1. For commercial customers:
      1. Client ID: Provide a name. The same name should be used while configuring Microsoft Entra ID. Copy and save this ID to be configured on the Entra ID side.
      2. Relying Party Issuer URL: https://login.microsoftonline.com/<ENTRA-TENANT-ID>/v2.0 
         Replace <ENTRA-TENANT-ID> with your Entra tenant ID
      3. Entra ID Application ID: c2da08c7-f3ba-4323-8b8f-3496a0e40c7e
                                                                                
   2. For GCC High customers:
      1. Client ID: Provide a name. The same name should be used while configuring Microsoft Entra ID. Copy and save this ID to be configured on the Entra ID side.
      2. Relying Party Issuer URL: https://login.microsoftonline.us  /<ENTRA-TENANT-ID>/v2.0 
         Replace <ENTRA-TENANT-ID> with your Entra tenant ID.
      3. Entra ID Application ID: b89e878f-b207-46aa-8973-ecbf60856dce
                                                                                                 
9. Note down the Authorization Server Issuer URL that will be used on the Entra side configurations.
10. Click Save and Finish. 
11. Click Publish Changes.

Notes

Make sure an identity source is added before creating an access policy. Any identity type can be added, but the users in RSA should have the same e-mail address as the users in Entra ID.
      

Configure Microsoft Entra ID   

Configure Authentication Method

1. Log in to Microsoft Entra Admin center.
   
2. Select Authentication methods.
   
3. Click Add external method.
   
4. Provide the following values.
   1. For commercial customers:
      1. Name: Provide a name.
      2. Client ID: Provide the same value used in the RSA configuration.
      3. Discovery endpoint URL: <Authorization Server Issuer URL> /. well-known/openid-configuration
      4. App ID: c2da08c7-f3ba-4323-8b8f-3496a0e40c7e
   2. For GCC High customers:
      1. Name: Provide a name.
      2. Client ID: Provide the same value used in the RSA configuration.
      3. Discovery endpoint URL: <Authorization Server Issuer URL> /. well-known/openid-configuration
      4. App ID: b89e878f-b207-46aa-8973-ecbf60856dce
5. Add the target, enable the External authentication method, and provide the consent.

Configure Conditional Access Policy 

Procedure 

1.  Log in to Microsoft Entra Admin center. 
   
2. Select Conditional Access.
   
3. Click Create new policy.
   
4.  On the resulting page, click Grant, choose Grant access, and select the Require multifactor authentication checkbox.
   
5. Verify the Target resources and create the policy

Notes

• Avoid multiple conditional policies with the same Target resource.
• Authorization Server Issuer URL can be obtained from the configuration done on the RSA side. Refer to the Configure RSA Cloud Authentication Service as Relying Party section.

The configuration is complete.

Return to Microsoft Entra ID External Authentication Methods (EAM) - RSA Ready Implementation Guide.