Forum Discussion

ChernWei
Copper Contributor
Nov 10, 2024

Can I configure authentication to be application specific?

Hi Community,

I've been searching but could not get an answer. Here's my scenario; I hope someone can point me in the right direction or to documentation.

The organisation's Microsoft Office 365 uses an external IdP (let's say Okta) for federated login. Now I have a separate application registered via Entra admin centre using App registration and the requirement is to have it use Microsoft passwordless authentication method for login.

After I did all the necessary OIDC config for this new app, testing the application login led me to the external IdP for authentication. I guess that's because the Microsoft tenant is configured to use the external IdP as default.

Is there any way I can configure application specific authentication?

e.g. O365 uses the external IdP for authentication while my custom app uses Microsoft passwordless login, and other apps may use some other login mechanisms. Users for all apps are the company's employees.

Any guidance is much appreciated. Thank you.

  • Alikoc
    Iron Contributor


    Hello,

    In this scenario, you're looking to have different authentication methods for different applications within the same Microsoft tenant.

    I may have some suggestions in this regard.

    Conditional Access Policies:

      • You can use Conditional Access policies in Entra ID (Azure AD) to specify different authentication methods for different applications. For your custom app, create a Conditional Access policy that targets the specific app registration and requires Microsoft passwordless authentication.
      • Ensure that this Conditional Access policy does not affect other applications, like Office 365, which should continue to use the external IdP for authentication.

    Custom Authentication Method Policy:

      • In some cases, you can configure Entra ID with custom authentication method policies to allow specific authentication methods per application. Check if the custom app allows you to enforce passwordless authentication as an option.

    Application Registration Redirects:

      • When registering the application, make sure the app's redirect URI and configuration are set to bypass the external IdP for authentication, directing it to Microsoft’s authentication directly. For example, configure the custom app’s OpenID Connect (OIDC) setup to prioritize Microsoft as the IdP.

    Enforce IdP-initiated Authentication for Office 365 Only:

      • By configuring Office 365 to rely on the external IdP exclusively (with SAML or OIDC), it may help in having Office 365 use the external IdP while allowing the custom application to use Microsoft passwordless.

    Scoped Authentication Contexts (if available in your setup):

      • Microsoft Entra ID supports scoped authentication contexts in some environments, where you can assign specific authentication requirements for each application. This would allow you to set the custom app to requir

    Separate Entra ID Tenants (as a Last Resort):

      • If none of the above methods work as required, creating a separate tenant specifically for applications that need Microsoft passwordless authentication might be necessary. However, this is more complex and would require cross-tenant access setup.

    Best Regards,

    Ali Koc
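The Conditional Access suggestion in the reply above, as an added example that is not part of the original thread and not code from Microsoft: it uses the Microsoft Graph PowerShell SDK to create a report-only Conditional Access policy scoped to a single app registration that requires the built-in "Passwordless MFA" authentication strength, leaving Office 365 and every other app out of scope. The app (client) ID, pilot group ID and emergency-access account ID are placeholders you would replace; the authentication strength is looked up by display name rather than hard-coded.

```powershell
# Added example (not from the thread): scope a Conditional Access policy to one
# app registration and require the built-in "Passwordless MFA" authentication
# strength. Requires the Microsoft.Graph PowerShell SDK and a role allowed to
# manage Conditional Access. The three IDs below are placeholders (assumptions).

$AppClientId      = '00000000-0000-0000-0000-00000000aaaa'  # placeholder: custom app's Application (client) ID
$PilotGroupId     = '00000000-0000-0000-0000-00000000bbbb'  # placeholder: pilot group of employees
$BreakGlassUserId = '00000000-0000-0000-0000-00000000cccc'  # placeholder: emergency-access account to exclude

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Resolve the built-in "Passwordless MFA" strength by name so the policy does
# not depend on a hard-coded identifier.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq 'Passwordless MFA' }
if (-not $strength) {
    throw 'Built-in "Passwordless MFA" authentication strength not found.'
}

$policy = @{
    displayName = 'CA - Custom app requires passwordless MFA'
    # Report-only first: the policy is evaluated and logged but not enforced,
    # so its effect can be checked in the sign-in logs before turning it on.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        # Only this app registration is in scope; Office 365 and other apps are untouched.
        applications   = @{ includeApplications = @($AppClientId) }
        users          = @{
            includeGroups = @($PilotGroupId)
            excludeUsers  = @($BreakGlassUserId)   # never lock out the emergency-access account
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $strength.Id }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy '$($created.DisplayName)' (id $($created.Id)) in state $($created.State)"
```

Review the report-only results for the pilot group in the Entra sign-in logs before changing `state` to `enabled`. Conditional Access governs what Entra ID requires before it issues a token for the app; for users in a federated domain the primary sign-in is still routed to the federated IdP, so whether the federated IdP's MFA claim satisfies the strength depends on that domain's federation settings, which is exactly what the report-only run will show.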
