Microsoft Entra ID Authentication

8 minute read Last updated on January 25, 2026

Guide to Logging in with Microsoft Entra ID

On the Home Page, when you click the Login button at the top left corner, the system will display two login methods. To use Microsoft Entra ID, please select the “Login with Microsoft Entra ID” option. A pop-up window will then appear in the center of the screen.

Here, please enter your Microsoft Entra ID email address. After entering your email, the system will verify the validity of your account. If your information is valid, you will be automatically redirected to the Microsoft login page.

Next, log in using your Microsoft account as usual.

Once you have successfully logged in, the system will automatically return you to the Shield Guard page, and you can continue using all features as a regular account.

Note:

  • If you do not have a Microsoft Entra ID account, please contact your administrator for assistance.
  • Make sure your login information is accurate to avoid any interruption in accessing the service.

Reset Vault

When a user in the tenant resets the master key due to forgetting it, all security key data associated with that user and the tenant will be deleted. For tenant users who are Marketplace users, other users in the tenant will need to re-invite the user who reset the master key.

However, for tenant users who are Microsoft Entra ID users, this re-invite flow no longer applies as per the specification. Instead of re-inviting, the system immediately performs the add-new-from-Entra-ID function to grant tenant access to the user who reset the master key.

Note:

  • To use the [RE-ADD USER] button, a user in the tenant must first unlock the Vault-Protected Pages.
  • According to the current system functionality, if a tenant has only one user and that user performs a vault reset, the system will automatically grant tenant access when the user recreates the master key.
  • However, in the case where the tenant is configured with Entra ID authentication, if the user logs in with an Entra ID account and the user list contains only the tenant owner account that performs a vault key reset, the automatic access granting mechanism will no longer apply.
  • This is because the system still retains two tenant owner accounts with the same email address: one Marketplace account and one Entra ID account. Therefore, the user must log in with the Marketplace account to use the Re-Add feature to remove the vault block for the Entra ID login account. This feature also applies in the reverse scenario.

Microsoft Entra ID Authentication Method Setup Guide

Microsoft Entra ID Authentication Method configuration includes the following sections:

Configure the Enterprise Application on Microsoft Entra ID

Step 1: Go to Entra ID and select Enterprise applications.

Step 2: Click New application to create a new application.

Step 3: After creating the application, open the newly created application.

Step 4: Navigate to the Single sign-on section and click the SAML single sign-on method.

Step 5: Edit the Basic SAML Configuration and update it with the Shield Guard SSO configuration (Shield Guard Entity ID, Shield Guard ACS URL and Shield Guard Logout URL).

Step 6: Edit Attributes & Claims

  • Edit the Unique User Identifier (Name ID) claim by setting the Name identifier format to Default and the Source attribute to user.objectid. The object ID is immutable, so the mapping survives a mailbox or UPN rename, which an email-based NameID would not.
  • Edit the name claim by setting the Name to userPrincipalName.

Step 7: In the SAML Certificates section, download the Certificate (Base64) file and save it to your computer.

Step 8: In the Set up Enterprise Application name (Shield Guard) section, save the values of the Login URL and Microsoft Entra Identifier.

Step 9: Navigate to the Users and groups section in the Enterprise application menu.

  • Click Add user/group, then click the None Selected link under Users.
  • Select the users to grant authentication access to the Shield Guard tenant, click Select, and then click Assign to add them to the list of assigned users in the Enterprise application.
  • After assignment, the authorized users will appear in the Shield Guard tenant user list.
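After Steps 5 through 9, every SAML Response that Entra posts to the ACS URL should carry the Entity ID as its Audience, the ACS URL as its Recipient, the Microsoft Entra Identifier as its Issuer, the object ID as NameID and the userPrincipalName in the name claim. The following is an added example, not Shield Guard's code, showing the checks a service provider performs on such a response before trusting the identity in it. The Entity ID, ACS URL, tenant ID, object ID and UPN are constructed placeholders, and the sample response is unsigned; XML signature verification with the Certificate (Base64) from Step 7 is deliberately left out and must be done by a SAML library in real use.

```python
# Added example (not Shield Guard's code): validate a SAML Response against the
# values entered in Basic SAML Configuration (Entity ID, ACS URL) and the
# Microsoft Entra Identifier saved in Step 8, then extract NameID and the name
# claim. All URLs, IDs and the UPN below are constructed placeholders.
# Signature verification is intentionally not shown.
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Standard claim URI Entra uses for the "name" claim (source user.userprincipalname).
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

# Assumed SP configuration (Step 5) and IdP identifier (Step 8).
SP_ENTITY_ID = "https://shieldguard.example.com/saml/metadata"
SP_ACS_URL = "https://shieldguard.example.com/saml/acs"
ENTRA_IDENTIFIER = "https://sts.windows.net/11111111-2222-3333-4444-555555555555/"

# Constructed, unsigned SAML Response in the shape Entra posts to the ACS URL.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2026-01-25T10:00:00Z" Destination="{SP_ACS_URL}">
  <saml:Issuer>{ENTRA_IDENTIFIER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2026-01-25T10:00:00Z">
    <saml:Issuer>{ENTRA_IDENTIFIER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2026-01-25T10:05:00Z" Recipient="{SP_ACS_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2026-01-25T09:55:00Z" NotOnOrAfter="2026-01-25T11:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{NAME_CLAIM}"><saml:AttributeValue>alice@contoso.example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_time(value):
    """SAML timestamps are UTC ISO 8601 ending in Z; normalise for fromisoformat."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text, now, entity_id=SP_ENTITY_ID, acs_url=SP_ACS_URL, issuer=ENTRA_IDENTIFIER):
    """Return the identity carried by the assertion, or raise ValueError.
    `now` may be a datetime or an ISO 8601 string (handy for deterministic checks)."""
    if isinstance(now, str):
        now = parse_time(now)
    root = ET.fromstring(xml_text)  # in production parse with defusedxml to block entity attacks
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (an EncryptedAssertion must be decrypted first)")
    if assertion.findtext("saml:Issuer", namespaces=NS) != issuer:
        raise ValueError("Issuer is not the configured Microsoft Entra Identifier")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    not_before = cond.get("NotBefore")
    if (not_before and parse_time(not_before) > now) or now >= parse_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != entity_id:
        raise ValueError("Audience does not match the Shield Guard Entity ID")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url or parse_time(scd.get("NotOnOrAfter")) <= now:
        raise ValueError("bearer confirmation failed (Recipient is not the ACS URL, or it expired)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("missing NameID (Unique User Identifier)")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {
        "name_id": name_id.text,                       # user.objectid from Step 6
        "name_id_format": name_id.get("Format"),
        "upn": (attrs.get(NAME_CLAIM) or [None])[0],   # name claim = userPrincipalName
        "attributes": attrs,
    }


def account_matches(identity, configured_email):
    """The configured account and the signed-in UPN must agree; UPNs and e-mail
    addresses are case-insensitive, so compare them that way."""
    upn = identity.get("upn")
    return bool(upn) and upn.strip().lower() == configured_email.strip().lower()


if __name__ == "__main__":
    ident = validate_response(SAMPLE_RESPONSE, "2026-01-25T10:00:30Z")
    print(ident["name_id"], ident["upn"], account_matches(ident, "Alice@Contoso.Example"))
```

The Recipient and Audience checks are what stop an assertion issued for a different application, or replayed against a different ACS URL, from being accepted; the short `SubjectConfirmationData NotOnOrAfter` window limits replay of a captured response.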

Configure the Microsoft Entra ID Authentication Method Setting

After completing the Single Sign‑On configuration in the Microsoft Entra ID Enterprise application, return to the Shield Guard Settings Page to continue the configuration.

Step 1: Enter the required configuration values in the settings.

Step 2: Test the connection between the Shield Guard tenant and Microsoft Entra ID.

  • After all required setting fields are configured, the Test Connection button will be enabled, allowing the user to verify the connection.
  • When the user performs Test Connection, the system will redirect the user to the Microsoft sign-in page for authentication.
  • The user must sign in using an Entra ID account whose email address matches the configured Marketplace account. After successful Microsoft authentication, the system will display a notification.
  • If the user entered the correct configuration information and authenticated using an account whose email matches the configured account, the system will return a success message.
  • Conversely, if the user entered incorrect configuration information or authenticated using an account whose email does not match the configured account, the system will return a failure message.

Note: If the user attempts authentication but is not in the Users and groups list of the Enterprise Application created for Shield Guard authentication, Microsoft will display an error. In this case, please review and ensure that all steps in Configure the Enterprise Application on Microsoft Entra ID have been completed correctly.

Step 3: Save setting.

  • After a successful Test Connection, the Save button will be enabled, allowing the user to save the configuration and complete the setup of the Entra ID authentication method.

Sync Tenant With Microsoft Entra ID Setup Guide

Sync Tenant With Microsoft Entra ID configuration includes the following sections:

Configure the App Registration on Microsoft Entra ID

Step 1: In Entra ID, go to App registrations.

Step 2: Select the registered application that has the same name as the one you created in the previous steps.

Step 3: In the Certificates & secrets section, create a new client secret.

  • Click New client secret, enter a Description for the client secret, and select Expires (it is recommended to choose the longest expiration period; note that a longer lifetime means fewer rotations but a longer window of misuse if the secret leaks, so follow your organization's rotation policy).
  • After successfully creating the client secret, save the Secret Value and the Expires date for use in configuring the Tenant on Shield Guard. The Value is shown only once, immediately after creation; if it is not copied then, a new secret must be created.

Note: The client secret has an expiration period. When it is nearing expiration, the user must create a new client secret and update the new credentials. The Shield Guard Tenant system will notify the user one month before the client secret expires.

Step 4: Go to the API Permissions section and configure the API access permissions from Shield Guard to Microsoft Entra ID.

  • Since Shield Guard calls APIs to retrieve user and application information without a signed-in user, Microsoft Entra ID must be configured with Microsoft Graph Application permissions (not Delegated), including Application.Read.All and User.Read.All.

Note: Admin consent must be granted for all added permissions.

Step 5: In the Overview section, save the values of the Application (client) ID and Directory (tenant) ID.

These values are required for configuring the Sync Tenant With Microsoft Entra ID in Shield Guard.
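Steps 3 to 5 give Shield Guard a client secret, two application permissions and the two IDs it needs for an app-only (client credentials) token. The following is an added example, not Shield Guard's code, of the pre-flight checks an integration should run with those values: the exact token request to send, a check that the token returned actually carries both roles (which is what admin consent grants; a missing role means the consent step was skipped), and the 30-day secret-expiry warning described in the note above. The token and the Graph `application` document below are constructed stand-ins with the real field names; every ID in them is a placeholder.

```python
# Added example (not Shield Guard's code): pre-flight checks for the Sync
# Tenant app registration. (1) shape of the client-credentials token request,
# (2) confirming an app-only token carries the Graph application roles that
# admin consent should have granted, (3) flagging client secrets that expire
# within 30 days. SAMPLE_TOKEN and SAMPLE_APPLICATION are constructed.
import base64
import json
import re
from datetime import datetime

GRAPH_SCOPE = "https://graph.microsoft.com/.default"
REQUIRED_ROLES = {"Application.Read.All", "User.Read.All"}
WARN_DAYS = 30  # lead time Shield Guard uses for its expiry notification


def token_request(tenant_id, client_id, client_secret):
    """URL and form body for the Entra v2.0 token endpoint (client credentials).
    `.default` requests every application permission that admin consent granted."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    }
    return url, form


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def jwt_claims(token):
    """Decode a JWT payload WITHOUT signature verification. Acceptable only for
    a token you just received from the token endpoint over TLS; never use this
    to trust a token presented by a client."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def missing_roles(claims, required=REQUIRED_ROLES):
    """App-only tokens list the granted application permissions in `roles`."""
    return sorted(required - set(claims.get("roles", [])))


def parse_graph_time(value):
    """Graph returns ISO 8601 UTC with up to 7 fractional digits; trim to 6."""
    value = re.sub(r"\.(\d{6})\d+", r".\1", value)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def secret_expiry_report(application, now, warn_days=WARN_DAYS):
    """Classify each passwordCredential of a Graph `application` as ok/expiring/expired."""
    if isinstance(now, str):
        now = parse_graph_time(now)
    report = []
    for cred in application.get("passwordCredentials", []):
        days_left = (parse_graph_time(cred["endDateTime"]) - now).days
        status = "expired" if days_left < 0 else "expiring" if days_left <= warn_days else "ok"
        report.append({"displayName": cred.get("displayName"), "keyId": cred.get("keyId"),
                       "days_left": days_left, "status": status})
    return report


# --- constructed sample data (placeholder IDs) --------------------------------
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "66666666-7777-8888-9999-000000000000"


def make_unsigned_token(payload):
    """JWT-shaped string with a dummy signature, for offline demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.sig"


SAMPLE_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "appid": CLIENT_ID,
    "roles": ["Application.Read.All", "User.Read.All"],
    "exp": 1769335200,
})
SAMPLE_APPLICATION = {
    "appId": CLIENT_ID,
    "displayName": "Shield Guard",
    "passwordCredentials": [
        {"displayName": "shieldguard-sync-old", "keyId": "k1", "endDateTime": "2026-01-10T00:00:00Z"},
        {"displayName": "shieldguard-sync", "keyId": "k2", "endDateTime": "2026-02-20T00:00:00.0000000Z"},
        {"displayName": "shieldguard-sync-next", "keyId": "k3", "endDateTime": "2027-01-25T00:00:00Z"},
    ],
}

if __name__ == "__main__":
    print(token_request(TENANT_ID, CLIENT_ID, "<secret value>")[0])
    print("missing roles:", missing_roles(jwt_claims(SAMPLE_TOKEN)))
    print(secret_expiry_report(SAMPLE_APPLICATION, "2026-01-25T00:00:00Z"))
```

With a real registration, `SAMPLE_APPLICATION` is what `GET https://graph.microsoft.com/v1.0/applications?$filter=appId eq '<Application (client) ID>'` returns; keeping the old and new secret side by side during rotation, as the sample list shows, lets the new credential be saved in Shield Guard before the old one is deleted.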

Configure the Sync Tenant With Microsoft Entra ID Setting

After completing the API configurations in the Microsoft Entra ID App Registration, return to the Shield Guard Settings Page to continue the configuration.

Step 1: Enter the required configuration values in the settings.

  • Enter the Application (client) ID, Directory (tenant) ID, Client Secret value and Client Secret expiration date obtained from Steps 3 and 5 of Configure the App Registration on Microsoft Entra ID into the corresponding input fields in the Sync Tenant With Microsoft Entra ID settings.
  • In addition, the user must configure the permissions and frequency for the periodic automatic Entra ID user provisioning flow via the Assign Roles and Frequency sections in Settings.

Step 2: Test the connection of APIs between the Shield Guard tenant and Microsoft Entra ID.

  • After all required setting fields are configured, the Test Connection button will be enabled, allowing the user to verify the connection.
  • If the user enters the correct application information from Entra ID, and the Entra ID account’s email matches the Tenant Owner, and the user performing the setup is assigned to the Users list of the Enterprise Application, the system will return a success message.
  • Conversely, if the user performs the configuration steps incorrectly, the system will display a connection error message.

Step 3: Save setting.

  • After a successful Test Connection, the Save button will be enabled, allowing the user to save the configuration and complete the setup of the Sync Tenant With Microsoft Entra ID.
  • After the user successfully saves the settings, the system will synchronize the Tenant's user data with Microsoft Entra ID and disable access for Marketplace users who do not have a configured Entra ID account or are not assigned to the Users list of the Enterprise Application. (The list of users that fail to synchronize will be recorded in the Shield Guard Tenant logs and also displayed on the User Alert screen.)

  • The system will also synchronize Marketplace users whose email addresses match the users assigned in the Entra ID Enterprise Application. After synchronization is completed, all users (except the Tenant Owner) can log in to the Tenant only via Entra ID.

  • In addition, the system will store the configuration for the periodic automatic user provisioning flow from Entra ID to the Shield Guard Tenant.
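The three bullets above describe a reconciliation between the Marketplace user list and the users assigned to the Enterprise Application. The following is an added example, not Shield Guard's code, that writes that decision logic out over constructed input so the outcome for each kind of user is explicit: matched users are switched to Entra-only login, unmatched Marketplace users are disabled and listed for the log, Entra users with no Marketplace account are provisioned with the role chosen in Assign Roles, and the Tenant Owner is left able to log in either way. The Shield Guard-side field names and the default role value are assumptions; the Entra-side fields (`id`, `mail`, `userPrincipalName`) are those of a Graph `user` object.

```python
# Added example (not Shield Guard's code): the user reconciliation performed
# after saving the Sync Tenant settings, over constructed input. TENANT_USERS
# stands in for the Marketplace user list; ENTRA_USERS stands in for the users
# assigned to the Enterprise Application (Graph `user` field names). Shield
# Guard-side field names and the "member" default role are assumptions.


def _keys(user):
    """E-mail addresses and UPNs are case-insensitive; match on either."""
    return {v.strip().lower() for v in (user.get("mail"), user.get("userPrincipalName")) if v}


def reconcile(tenant_users, entra_users, owner_email, default_role="member"):
    owner = owner_email.strip().lower()
    by_key = {}
    for u in entra_users:
        for k in _keys(u):
            by_key.setdefault(k, u)

    result = {"owner": None, "synced": [], "disabled": [], "provisioned": []}
    matched_ids = set()

    for t in tenant_users:
        email = t["email"].strip().lower()
        match = by_key.get(email)
        if email == owner:
            # The Tenant Owner keeps Marketplace login so the tenant cannot lock itself out
            # if the Entra side is misconfigured or the secret expires.
            result["owner"] = {"email": email, "login": "marketplace_or_entra"}
            if match:
                matched_ids.add(match["id"])
            continue
        if match is None:
            result["disabled"].append({
                "email": email,
                "reason": "no Entra ID user with this e-mail/UPN is assigned to the Enterprise Application",
            })
        else:
            matched_ids.add(match["id"])
            result["synced"].append({"email": email, "objectId": match["id"], "login": "entra_only"})

    # Entra users with no Marketplace account yet: the periodic provisioning flow adds them.
    for u in entra_users:
        if u["id"] in matched_ids:
            continue
        keys = _keys(u)
        if owner in keys:
            continue
        if not keys:
            result["disabled"].append({"email": None, "objectId": u["id"],
                                       "reason": "Entra ID user has neither mail nor userPrincipalName"})
            continue
        result["provisioned"].append({
            "email": u.get("mail") or u["userPrincipalName"],
            "objectId": u["id"],
            "role": default_role,
            "login": "entra_only",
        })
    return result


def alert_lines(result):
    """Lines in the form the Tenant log / User Alert screen would need."""
    return [f"SYNC FAILED {d['email'] or d.get('objectId')}: {d['reason']}" for d in result["disabled"]]


# --- constructed sample data ---------------------------------------------------
TENANT_USERS = [
    {"email": "owner@contoso.example", "role": "owner"},
    {"email": "Alice@contoso.example", "role": "member"},   # differs only in case
    {"email": "bob@contoso.example", "role": "member"},     # not assigned in Entra
    {"email": "carol@partner.example", "role": "member"},   # external, no Entra account
]
ENTRA_USERS = [
    {"id": "o-1", "mail": "owner@contoso.example", "userPrincipalName": "owner@contoso.example"},
    {"id": "a-1", "mail": "alice@contoso.example", "userPrincipalName": "alice@contoso.example"},
    {"id": "d-1", "mail": None, "userPrincipalName": "dave@contoso.example"},  # UPN only
]

if __name__ == "__main__":
    outcome = reconcile(TENANT_USERS, ENTRA_USERS, "owner@contoso.example")
    for line in alert_lines(outcome):
        print(line)
    print(outcome)
```

Matching on both `mail` and `userPrincipalName` matters in practice: cloud-only accounts without a mailbox have no `mail` value, and hybrid tenants often have a UPN that differs from the primary SMTP address, so matching on one field alone silently disables valid users.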