YubiEnroll with Microsoft Entra

The following describes how to set up YubiEnroll in the Microsoft Entra tenant and configure the required user permissions.

Registering the YubiEnroll App

When configuring the Microsoft Entra provider in YubiEnroll, the following parameter values are needed:

  • client_id
  • tenant_id
  • redirect_uri

These parameter values are created when registering the YubiEnroll (OAuth) application in Microsoft Entra. To register the YubiEnroll app, go to Application > App registrations and select New registration.

When registering the YubiEnroll app, ensure the following:

  • Select Public client/native (mobile & desktop) as the platform type.

  • The Redirect URI must start with “http://localhost”, for example “http://localhost/yubienroll-redirect”. You do not need to specify the port as Microsoft Entra supports ephemeral ports.

    (Screenshot: registering the YubiEnroll app in Microsoft Entra)

For more details on how to register the YubiEnroll app, see Register an application with the Microsoft identity platform (Microsoft documentation).

Configuring Permissions

The permissions required by YubiEnroll in Microsoft Entra are Microsoft Graph Delegated permissions “User.ReadBasic.All” and “UserAuthenticationMethod.ReadWrite”. To add these, open the YubiEnroll app in Microsoft Entra, select API permissions in the left menu, and click Add a permission.

(Screenshot: API permissions for the YubiEnroll app in Microsoft Entra)

For more information on how to configure app permissions, see Overview of Microsoft Graph permissions (Microsoft documentation).

For a user to be able to grant consent to these permissions, the user must be assigned a supported Microsoft Entra role. Either of the following least privileged roles is supported for this operation:

  • Authentication Administrator
  • Privileged Authentication Administrator

Adding the Microsoft Entra Provider

Before you can run YubiEnroll with Microsoft Entra, you must add the provider configuration in YubiEnroll.

When adding a provider configuration in YubiEnroll, you will need the following values, which were created when the app was registered:

  • Application (client) ID
  • Directory (tenant) ID
  • Redirect URI

To find these values in Microsoft Entra, locate the YubiEnroll app and select Overview. The values are displayed in the Essentials section for the app.
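The following Python example is added here and is not YubiEnroll's or Microsoft's code; it shows how a public client uses the three values above: it picks an ephemeral loopback port, checks that the runtime redirect URI is still covered by the registered one, and builds the Microsoft identity platform v2.0 authorization request with PKCE for the two delegated Graph permissions. The page only states that the port need not be registered; treating scheme, host and path as an exact match is an assumption of this example, and the tenant and client IDs in the usage are constructed placeholders.

```python
import base64
import hashlib
import secrets
import socket
from urllib.parse import urlencode, urlparse

# Delegated Microsoft Graph permissions named on this page.
GRAPH_SCOPES = ["User.ReadBasic.All", "UserAuthenticationMethod.ReadWrite"]

def loopback_redirect_matches(registered: str, actual: str) -> bool:
    """True when the runtime redirect differs from the registered URI only by its
    port. Assumption beyond the page: scheme, host and path must match exactly."""
    r, a = urlparse(registered), urlparse(actual)
    if r.scheme != "http" or r.hostname != "localhost":
        return False  # the page requires the registered URI to start with http://localhost
    return (r.scheme, r.hostname, r.path) == (a.scheme, a.hostname, a.path)

def pkce_pair() -> tuple[str, str]:
    """A public client has no secret, so PKCE (S256) binds the code to this run."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def pick_ephemeral_port() -> int:
    """Ask the OS for a free loopback port; the registered URI carries no port."""
    with socket.socket() as s:
        s.bind(("localhost", 0))
        return s.getsockname()[1]

def build_authorize_url(tenant_id, client_id, registered_redirect, port, challenge, state):
    """Authorization request to the v2.0 endpoint of the given tenant. Raises if
    the runtime redirect URI would not be covered by the registered one."""
    actual = f"http://localhost:{port}{urlparse(registered_redirect).path}"
    if not loopback_redirect_matches(registered_redirect, actual):
        raise ValueError(f"redirect {actual!r} not covered by {registered_redirect!r}")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": actual,
        "scope": " ".join(f"https://graph.microsoft.com/{s}" for s in GRAPH_SCOPES),
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,
    }
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize?" + urlencode(params)
```

Calling `build_authorize_url(tenant_id, client_id, "http://localhost/yubienroll-redirect", pick_ephemeral_port(), pkce_pair()[1], secrets.token_urlsafe(16))` yields the URL the browser is sent to; a listener on the chosen port then receives the code on the registered path.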

For information on how to add a provider configuration in YubiEnroll, see Adding Provider Configurations.