Forum Discussion
ChernWei
Nov 10, 2024, Copper Contributor
Can I configure authentication to be application specific?
Hi Community, I've been searching but could not get an answer. Here's my scenario; I hope someone can point me in the right direction or to documentation. The organisation's Microsoft Office 365 ...
Alikoc
Nov 10, 2024, MCT
Hello,
In this scenario, you're looking to have different authentication methods for different applications within the same Microsoft tenant.
I may have some suggestions in this regard.
Conditional Access Policies:
- You can use Conditional Access policies in Entra ID (Azure AD) to specify different authentication methods for different applications. For your custom app, create a Conditional Access policy that targets the specific app registration and requires Microsoft passwordless authentication.
- Ensure that this Conditional Access policy does not affect other applications, like Office 365, which should continue to use the external IdP for authentication.
Custom Authentication Method Policy:
- In some cases, you can configure Entra ID with custom authentication method policies to allow specific authentication methods per application. Check if the custom app allows you to enforce passwordless authentication as an option.
Application Registration Redirects:
- When registering the application, make sure the app's redirect URI and configuration are set to bypass the external IdP for authentication, directing it to Microsoft’s authentication directly. For example, configure the custom app’s OpenID Connect (OIDC) setup to prioritize Microsoft as the IdP.
Enforce IdP-initiated Authentication for Office 365 Only:
- By configuring Office 365 to rely on the external IdP exclusively (with SAML or OIDC), it may help in having Office 365 use the external IdP while allowing the custom application to use Microsoft passwordless.
Scoped Authentication Contexts (if available in your setup):
- Microsoft Entra ID supports scoped authentication contexts in some environments, where you can assign specific authentication requirements for each application. This would allow you to set the custom app to requir
Separate Entra ID Tenants (as a Last Resort):
- If none of the above methods work as required, creating a separate tenant specifically for applications that need Microsoft passwordless authentication might be necessary. However, this is more complex and would require cross-tenant access setup.
Best Regards,
Ali Koc
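The first suggestion above (a Conditional Access policy scoped to the custom app only, requiring passwordless authentication, without touching Office 365) can be expressed as a Microsoft Graph policy body. The following is an added example written for this thread, not code from either poster or from Microsoft: it builds the JSON that would be sent to `POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies` and checks its scoping before anyone enables it. The app id and break-glass group id are constructed placeholders, the policy starts in report-only mode, and the "Passwordless MFA" authentication strength id is an assumption to verify against your own tenant.

```python
"""Build and sanity-check a Conditional Access policy body that requires passwordless MFA
for ONE app registration only, leaving Office 365 (external IdP) unaffected."""
import json

# Constructed placeholder ids (not from the thread): replace with values from your tenant.
CUSTOM_APP_ID = "11111111-2222-3333-4444-555555555555"        # client id of the custom app
BREAK_GLASS_GROUP_ID = "66666666-7777-8888-9999-000000000000"  # emergency-access group to exclude
# Assumed id of the built-in "Passwordless MFA" authentication strength. Confirm it with
# GET /identity/conditionalAccess/authenticationStrength/policies before relying on it.
PASSWORDLESS_MFA_STRENGTH_ID = "00000000-0000-0000-0000-000000000003"

# Well-known includeApplications values that cover more than one app; a single-app policy
# must not contain them, or it will also apply to Office 365 sign-ins.
BROAD_APP_TARGETS = {"All", "Office365"}


def build_policy(app_id, strength_id=PASSWORDLESS_MFA_STRENGTH_ID,
                 excluded_group_ids=(BREAK_GLASS_GROUP_ID,),
                 state="enabledForReportingButNotEnforced"):
    """Return the request body for POST /identity/conditionalAccess/policies.

    Report-only is the default state so sign-in logs show the impact before enforcement."""
    return {
        "displayName": "Require passwordless MFA - custom app only",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(excluded_group_ids)},
            "applications": {"includeApplications": [app_id]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [],
            "authenticationStrength": {"id": strength_id},
        },
    }


def targeted_apps(policy):
    """The set of application targets the policy applies to."""
    return set(policy["conditions"]["applications"].get("includeApplications", []))


def is_scoped_to_single_app(policy, app_id):
    """True only if the policy targets exactly this one app."""
    return targeted_apps(policy) == {app_id}


def affects_office365(policy):
    """True if the policy would also apply to Office 365 sign-ins."""
    return bool(targeted_apps(policy) & BROAD_APP_TARGETS)


def validate(policy, app_id):
    """Collect the scoping problems a reviewer would raise before enabling the policy."""
    problems = []
    if not is_scoped_to_single_app(policy, app_id):
        problems.append("includeApplications is not exactly the custom app")
    if affects_office365(policy):
        problems.append("policy would also apply to Office 365")
    if not policy["conditions"]["users"].get("excludeGroups"):
        problems.append("no emergency-access group excluded (lockout risk)")
    return problems


if __name__ == "__main__":
    policy = build_policy(CUSTOM_APP_ID)
    print(json.dumps(policy, indent=2))
    print("problems:", validate(policy, CUSTOM_APP_ID) or "none")
```

Once the report-only policy shows only the custom app's sign-ins in the "Report-only" column of the Entra sign-in logs, and Office 365 sign-ins are untouched, switch `state` to `enabled`. Excluding a break-glass group is the standard precaution against locking administrators out if the passwordless method is not yet registered for them.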