This guide applies to Mac computers
Note: Microsoft Entra ID is the new name for Azure AD (Azure Active Directory)

About Passport in Federated Microsoft Entra ID Environments

Passport in a federated Microsoft Entra ID environment applies when Entra ID is the service provider (SP) for an external identity provider. Both Mac Login and Web Login need extra configuration so authentication and password validation can complete against Entra ID correctly.

How It Works

Passport still uses Entra ID as the OIDC authority even when users federate through another IdP. Passport submits the user's username and password directly to Entra ID (an ROPC-style sign-in), so it cannot follow the browser redirect to the federated IdP that a federated domain normally requires. For Mac Login and Web Login, create a Home Realm Discovery (HRD) policy in Entra ID with PowerShell and assign it to the Passport application so Entra ID validates the password itself in a federated environment.

Prerequisites

Confirm everything below before you create the HRD policy. This article applies when you use Passport with Entra ID for Mac Login or Web Login in a federated tenant.

Azure and Microsoft Entra ID

  • An active Azure subscription (create a free account if needed).
  • A user who can manage directory apps and policies: Global Administrator, Cloud Application Administrator, Application Administrator, or service principal owner.

Windows and PowerShell

  • A Windows computer with PowerShell and the AzureAD PowerShell module installed (Install-Module AzureAD). The steps below use its Connect-AzureAD, New-AzureADPolicy, Get-AzureADServicePrincipal and Add-AzureADServicePrincipalPolicy cmdlets. Microsoft has deprecated this module in favor of Microsoft Graph PowerShell, so confirm it is still available in your environment before you begin.

Identity sync for Passport

  • Users who sign in with Passport must be represented in Entra ID in a way that lets Entra ID validate their password itself, because Passport submits the username and password directly (ROPC-style) rather than following a redirect to the federated IdP.
  • Hybrid Active Directory: use Microsoft Entra Connect with password hash synchronization enabled. The HRD setting used below (AllowCloudPasswordValidation) validates the password against the hash stored in Entra ID, so it does not work for users whose password hash has not been synchronized.
  • Cloud federated IdP: confirm that the federated IdP synchronizes users and their passwords into Entra ID, so that an ROPC-style sign-in with the user's username and password can be validated by Entra ID.

Passport already in place

  • Passport is already configured with Entra ID for Mac Login or Web Login, so the Passport Enterprise Application (service principal) exists in the tenant. The steps below attach the HRD policy to that service principal.

Authentication Flow in a Federated Environment

The diagram below depicts the Passport authentication flow when Entra ID acts as a service provider (SP) federated with another identity provider (IdP).
[Figure: Passport authentication flow when Entra ID is federated with another identity provider]
When a user attempts to authenticate via Passport, the request looks like this:
1. Passport sends authentication request
   Passport sends an authentication request, carrying the user's username and password, to Entra ID.
2. Entra ID forwards request
   Because the user's domain is federated, Entra ID forwards the authentication request to the federated IdP.
3. IdP validates request
   The federated IdP validates the authentication request and sends it back to Entra ID.
4. Authentication fails
   Entra ID receives the validation but cannot use it to complete Passport's non-interactive username-and-password request, so the user's authentication attempt fails and an error is delivered to Passport.

Authentication Flow with HRD Configured

The diagram below depicts the Passport authentication flow with an Entra ID Home Realm Discovery policy assigned to the Passport application. When a user attempts to authenticate via Passport, the request looks like this:
[Figure: Passport authentication flow with Home Realm Discovery policy]
1. Passport sends authentication request
   Passport sends an authentication request, carrying the user's username and password, to Entra ID.
2. Entra ID validates with HRD policy
   The HRD policy assigned to the Passport application (AllowCloudPasswordValidation) tells Entra ID to validate the password against the synchronized password hash instead of redirecting to the federated IdP. Entra ID responds to Passport with a successful user authentication response.

Create an HRD Policy

You need an HRD policy when you use Passport with Microsoft Entra ID and your tenant is federated with an external IdP. That requirement applies to both Mac Login and Web Login.
1. Access Windows computer
   Go to the Windows computer that has the AzureAD PowerShell module installed.
2. Open PowerShell as administrator
   Open PowerShell as an administrator.
3. Connect to Entra ID
   Connect to your Entra ID tenant with the command Connect-AzureAD. A web view opens and prompts you for your Entra ID credentials; sign in with an account that holds one of the roles listed under Prerequisites.
4. Create HRD policy
   Create a new policy with the command below. It allows users to authenticate to a specific application directly against Entra ID with their username and password in a federated environment. The DisplayName is arbitrary; if the tenant already has other HRD policies, choose a distinctive name such as IruHRDPolicy so you can tell them apart. Do not add -IsOrganizationDefault $true: that would enable cloud password validation for every application in the tenant rather than only for Passport.
   New-AzureADPolicy -Definition @("{`"HomeRealmDiscoveryPolicy`":{`"AllowCloudPasswordValidation`":true}}") -DisplayName IruHRDPolicy -Type HomeRealmDiscoveryPolicy
5. Get policy ObjectID
   Run Get-AzureADPolicy to list the policy you just created and copy the ObjectID string shown in the Id column of the output.
6. Get Service Principal ObjectID
   Run Get-AzureADServicePrincipal to get the ObjectID of the Service Principal (the Azure Enterprise Application).
   If you know the name of the Enterprise Application, add -SearchString your_app_name_here to narrow the results. Example: Get-AzureADServicePrincipal -SearchString "Iru Passport"
   -SearchString can match more than one application, so check that the entry you copy is the Passport application before you use its ObjectID.
7. Add application to HRD policy
   Run the following command to assign the HRD policy to the Iru Passport Enterprise Application. Replace <ObjectID of the Service Principal> with the Iru Enterprise App ObjectID copied earlier and <ObjectId of the Policy> with the HRD policy ObjectID copied earlier.
   Add-AzureADServicePrincipalPolicy -Id <ObjectID of the Service Principal> -RefObjectId <ObjectId of the Policy>
   If you attached the wrong policy or the wrong service principal, remove the assignment with the command below and try again. This removes only the assignment; to delete the policy object itself, use Remove-AzureADPolicy -Id <ObjectId of the Policy>.
   Remove-AzureADServicePrincipalPolicy -Id <ObjectId of the Service Principal> -PolicyId <ObjectId of the Policy>
8. Verify policy assignment
   Check which objects the policy is applied to with Get-AzureADPolicyAppliedObject -Id <ObjectId of the Policy>. The output should include the Iru Passport service principal; if it lists other applications you did not intend, remove those assignments.
9. Disconnect from Azure
   To disconnect the PowerShell session from Azure, run Disconnect-AzureAD.
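The steps above as one idempotent script. This is an added example, not Iru's own code or documentation; it assumes the AzureAD PowerShell module is installed, that the signed-in account holds one of the roles listed under Prerequisites, and that the Enterprise Application's display name is exactly "Iru Passport" (change $AppName if yours differs). It resolves the service principal by exact name so the policy cannot land on a similarly named application, reuses an existing policy of the same name instead of creating duplicates, assigns the policy to that single service principal only, and fails if the verification step does not show the assignment.

```powershell
# Added example (not Iru's own code): create the HRD policy and assign it to the
# Passport service principal end to end, using the AzureAD PowerShell module.
# Assumptions: module installed, caller has an app/policy admin role, and the
# Enterprise Application is named "Iru Passport" ($AppName). Policy name is arbitrary.
param(
    [string]$AppName    = 'Iru Passport',   # assumed display name of the Enterprise App
    [string]$PolicyName = 'IruHRDPolicy'    # distinctive name so it is easy to find later
)

$ErrorActionPreference = 'Stop'
Connect-AzureAD | Out-Null

# The policy only matters when at least one domain in the tenant is federated.
$federated = Get-AzureADDomain | Where-Object { $_.AuthenticationType -eq 'Federated' }
if (-not $federated) {
    Write-Warning 'No federated domains found; AllowCloudPasswordValidation is not needed here.'
}

# Resolve the service principal by exact display name. -SearchString can match
# several apps, so refuse to continue unless exactly one matches.
$sp = @(Get-AzureADServicePrincipal -SearchString $AppName |
        Where-Object { $_.DisplayName -eq $AppName })
if ($sp.Count -ne 1) {
    throw "Expected exactly one service principal named '$AppName', found $($sp.Count)."
}
$sp = $sp[0]

# Reuse an existing HRD policy with this name rather than creating a duplicate.
$policy = Get-AzureADPolicy |
    Where-Object { $_.Type -eq 'HomeRealmDiscoveryPolicy' -and $_.DisplayName -eq $PolicyName }
if (-not $policy) {
    # Same definition as the manual step. -IsOrganizationDefault is deliberately
    # left unset so cloud password validation applies only where it is assigned.
    $definition = '{"HomeRealmDiscoveryPolicy":{"AllowCloudPasswordValidation":true}}'
    $policy = New-AzureADPolicy -Definition @($definition) -DisplayName $PolicyName `
                                -Type HomeRealmDiscoveryPolicy
}

# Assign the policy to the Passport service principal only, skipping if already present.
$assigned = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
    Where-Object { $_.Id -eq $policy.Id }
if (-not $assigned) {
    Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
}

# Verify: the policy's applied objects must include our service principal.
$applied = @(Get-AzureADPolicyAppliedObject -Id $policy.Id)
if ($applied.ObjectId -notcontains $sp.ObjectId) {
    throw "Policy $($policy.Id) is not applied to service principal $($sp.ObjectId)."
}
# Anything else listed here got cloud password validation too; review it.
$applied | Select-Object DisplayName, ObjectId

Disconnect-AzureAD
```

Run it from an elevated PowerShell session on the Windows computer. If the final listing shows applications other than Iru Passport, detach them with Remove-AzureADServicePrincipalPolicy before leaving, since every application the policy is applied to can validate federated users' passwords directly in Entra ID without the federated IdP seeing the sign-in.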