YubiEnroll with Microsoft Entra
The following describes how to set up YubiEnroll in the Microsoft Entra tenant and configure the required user permissions.
Configuration Steps
The configuration steps involve the following:
- Registering the YubiEnroll application in Microsoft Entra.
- Configuring the YubiEnroll permissions in Microsoft Entra.
- Adding the Microsoft Entra provider in YubiEnroll.
When you have successfully completed these steps, you are ready to enroll YubiKeys on behalf of end users in your organization.
Registering the YubiEnroll App
When configuring the Microsoft Entra provider in YubiEnroll, the following parameter values are needed:
- client_id
- tenant_id
- redirect_uri
These parameter values are created when registering the YubiEnroll (OAuth) application in Microsoft Entra. To register the YubiEnroll app, open the Entra admin center, go to Application > App registrations and select New registration.
When registering the YubiEnroll app, ensure the following:
- Select Public client/native (mobile & desktop) as the platform type.
- The Redirect URI must start with “http://localhost”, for example “http://localhost/yubienroll-redirect”. You do not need to specify the port as Microsoft Entra supports ephemeral ports.
For more details on how to register the YubiEnroll app, see Register an application with the Microsoft identity platform (Microsoft documentation).
Configuring Permissions
The YubiEnroll app requires the following two Microsoft Graph permissions in Microsoft Entra, both added as Delegated permissions:
- User.ReadBasic.All
- UserAuthenticationMethod.ReadWrite.All
To add these, open the YubiEnroll app in Microsoft Entra, select API permissions in the left menu, and click Add a permission.
Note
When registering an app in Entra ID, two types of Microsoft Graph permissions can be assigned: Application and Delegated. For YubiEnroll it is crucial to configure only Delegated permissions, so that the app’s access is limited to the permissions of the logged-in user.
When combined with the Entra ID feature “Administrative units”, this setup allows for fine-grained control of access based on groups, users, or specific properties such as location. An example where this can be leveraged is where an administrator could be allowed to manage YubiKey enrollments only for users in their administrative unit. To review permissions granted to a registered app, check the Type settings under API permissions for the app.
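The “check the Type settings under API permissions” review above can also be done against the application object that Microsoft Graph returns for the registration. The following Python is an added example and is not part of the YubiEnroll documentation or product: it audits a registration for the two rules this page sets out, a Public client/native redirect URI that starts with http://localhost, and exactly the two Microsoft Graph Delegated permissions with no Application permissions. The permission ids in GRAPH_SP_SAMPLE and both application objects are constructed placeholders; in a live tenant the ids would be read from the Microsoft Graph service principal and the application JSON from Graph itself.

```python
"""Offline audit of a YubiEnroll app registration (Microsoft Graph application object)."""
from __future__ import annotations

# Well-known appId of the Microsoft Graph resource; the same in every tenant.
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# The two Delegated permissions YubiEnroll needs, and nothing else.
REQUIRED_DELEGATED = {"User.ReadBasic.All", "UserAuthenticationMethod.ReadWrite.All"}
REDIRECT_PREFIX = "http://localhost"

# Constructed sample of the Graph service principal's permission catalogue.
# The ids are placeholders, not the real Graph permission ids.
GRAPH_SP_SAMPLE = {
    "oauth2PermissionScopes": [  # Delegated permissions (type "Scope")
        {"id": "11111111-0000-0000-0000-000000000001", "value": "User.ReadBasic.All"},
        {"id": "11111111-0000-0000-0000-000000000002", "value": "UserAuthenticationMethod.ReadWrite.All"},
        {"id": "11111111-0000-0000-0000-000000000003", "value": "Directory.ReadWrite.All"},
    ],
    "appRoles": [  # Application permissions (type "Role")
        {"id": "22222222-0000-0000-0000-000000000002", "value": "UserAuthenticationMethod.ReadWrite.All"},
    ],
}

# Constructed application objects as GET /applications/{id} would return them.
GOOD_APP = {
    "displayName": "YubiEnroll",
    "publicClient": {"redirectUris": ["http://localhost/yubienroll-redirect"]},
    "web": {"redirectUris": []},
    "requiredResourceAccess": [{
        "resourceAppId": MS_GRAPH_APP_ID,
        "resourceAccess": [
            {"id": "11111111-0000-0000-0000-000000000001", "type": "Scope"},
            {"id": "11111111-0000-0000-0000-000000000002", "type": "Scope"},
        ],
    }],
}
BAD_APP = {
    "displayName": "YubiEnroll (misconfigured)",
    "publicClient": {"redirectUris": ["https://enroll.example.invalid/callback"]},
    "web": {"redirectUris": ["http://localhost/web"]},
    "requiredResourceAccess": [{
        "resourceAppId": MS_GRAPH_APP_ID,
        "resourceAccess": [
            {"id": "11111111-0000-0000-0000-000000000001", "type": "Scope"},
            {"id": "22222222-0000-0000-0000-000000000002", "type": "Role"},   # Application permission
            {"id": "11111111-0000-0000-0000-000000000003", "type": "Scope"},  # not needed
        ],
    }],
}


def _name_table(graph_sp: dict) -> dict[tuple[str, str], str]:
    """Map (type, id) -> permission name using the Graph service principal's catalogue."""
    table: dict[tuple[str, str], str] = {}
    for scope in graph_sp.get("oauth2PermissionScopes", []):
        table[("Scope", scope["id"])] = scope["value"]
    for role in graph_sp.get("appRoles", []):
        table[("Role", role["id"])] = role["value"]
    return table


def audit_registration(app: dict, graph_sp: dict) -> list[str]:
    """Return a list of findings; an empty list means the registration matches the guidance."""
    findings: list[str] = []
    names = _name_table(graph_sp)

    # Platform and redirect URI: must be Public client/native and start with http://localhost.
    public_uris = app.get("publicClient", {}).get("redirectUris", [])
    if not public_uris:
        findings.append("no redirect URI under the Public client/native platform")
    for uri in public_uris:
        if not uri.startswith(REDIRECT_PREFIX):
            findings.append(f"redirect URI {uri!r} does not start with {REDIRECT_PREFIX}")
    for platform in ("web", "spa"):
        for uri in app.get(platform, {}).get("redirectUris", []):
            findings.append(f"redirect URI {uri!r} registered under the {platform} platform "
                            "instead of Public client/native")

    # Permissions: Delegated (Scope) only, exactly the required set, only on Microsoft Graph.
    delegated: set[str] = set()
    for resource in app.get("requiredResourceAccess", []):
        if resource["resourceAppId"] != MS_GRAPH_APP_ID:
            findings.append(f"permissions requested on unexpected resource {resource['resourceAppId']}")
            continue
        for access in resource.get("resourceAccess", []):
            name = names.get((access["type"], access["id"]), access["id"])
            if access["type"] == "Role":
                findings.append(f"Application permission {name} present; only Delegated permissions are allowed")
            elif access["type"] == "Scope":
                delegated.add(name)
            else:
                findings.append(f"unknown permission type {access['type']!r} for {name}")
    for missing in sorted(REQUIRED_DELEGATED - delegated):
        findings.append(f"required Delegated permission {missing} is missing")
    for extra in sorted(delegated - REQUIRED_DELEGATED):
        findings.append(f"Delegated permission {extra} is not needed by YubiEnroll")
    return findings


if __name__ == "__main__":
    for app in (GOOD_APP, BAD_APP):
        print(app["displayName"], "->", audit_registration(app, GRAPH_SP_SAMPLE) or ["OK"])
```

Resolving ids through the service principal catalogue rather than hard-coding them matters because the same permission name exists as both a Scope and a Role with different ids; only the (type, id) pair tells you which one the registration actually holds.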
For more information on how to configure app permissions, see Overview of Microsoft Graph permissions (Microsoft documentation).
For a user to be able to grant consent to these permissions when setting up the application in Entra ID, the user must be assigned the Global Administrator role.
For administrators running the YubiEnroll app, one of the following least privileged roles is required:
- Authentication Administrator, see Microsoft documentation
- Privileged Authentication Administrator, see Microsoft documentation
Adding the Microsoft Entra Provider
Before you can run YubiEnroll with Microsoft Entra, you must add the provider configuration in YubiEnroll.
When adding a provider configuration in YubiEnroll you will need the following values, which were created when the app was registered:
- Application (client) ID
- Directory (tenant) ID
- Redirect URI
To find these values in Microsoft Entra, locate the YubiEnroll app and select Overview. The values are displayed in the Essentials section for the app.
For information on how to add a provider configuration in YubiEnroll, see Adding Provider Configurations.