Link Microsoft Entra ID with Relution

Introduction

By linking Microsoft Entra ID with Relution, you create the foundation for Microsoft-based integrations in your organization. This includes, for example, connecting Windows devices and using other Microsoft services together with Relution.

As a result, users and groups from Microsoft Entra ID can be synchronized with Relution. This allows user accounts to be managed centrally in Microsoft and automatically provisioned in Relution.

To allow synchronized users to sign in to Relution, OIDC authentication must also be configured. If access is to be secured using Conditional Access, both the link to Microsoft Entra ID and the configuration of OIDC are required.

The required settings are configured partly in Relution and partly in the Microsoft Entra admin center.

Requirements

If you only want to synchronize users and groups from Microsoft Entra ID to Relution, the following requirements must be met:

  • an existing Microsoft Entra ID environment
  • sufficient permissions in Microsoft Entra: creating the app registration needs less, but granting tenant-wide admin consent for the Microsoft Graph application permissions (required below) needs the Global Administrator or Privileged Role Administrator role
  • an accessible Relution Server
  • an app registration in Microsoft Entra

If Windows Autopilot or Entra Join is also to be used, the following additional requirements must be met:

  • the server URL of the Relution Server, which will later be stored in Microsoft Entra
  • a created MDM application

In the Relution portal, you can find the setup area under Settings > User management > Entra ID.

There, a guide supports you in configuring and linking Microsoft Entra.

Open Entra ID link settings in Relution under User management

If you only want to synchronize users and groups from Microsoft Entra with Relution, a standard app registration is sufficient. You can create it using the following link:

Create new app registration in Entra

Configure the MDM application settings

After the new MDM application has been created, the local MDM application settings can be configured in Microsoft Entra. The following information from Microsoft Entra must be transferred to the Relution guide:

  1. Application (client) ID
  2. Directory (tenant) ID
  3. the value of the Client secret

Copy the application ID and directory ID of the Microsoft Entra MDM application for Relution

Then click Application ID URI in the local MDM application settings to edit it.

Edit the application ID URI of the Microsoft Entra MDM application

In the following view, enter the corresponding server URL as the Application ID URI.

Enter the server URL as the application ID URI in the Microsoft Entra MDM application

Next, add a Client secret under Certificates & secrets:

  1. In the Client secrets tab, click New client secret.
  2. In the Add a client secret dialog, enter a description and the validity period.
  3. Click Add.

If the validity period expires, the connection breaks: Relution can no longer obtain tokens and therefore can no longer communicate with Microsoft Entra. In this case, a new Client secret must be created for the application in Microsoft Entra and stored again in Relution. Note the expiry date (the admin center offers at most 24 months) and rotate the secret before it lapses: create the new secret, store it in Relution, then delete the old one. Treat the secret value like a privileged password; together with the Application (client) ID and Directory (tenant) ID it lets anyone holding it call Microsoft Graph with every application permission granted below.

Add a client secret under Certificates & secrets in Microsoft Entra

The new entry is then displayed in the overview under the Client secrets tab.

The corresponding Value is shown only once and must therefore be copied immediately and transferred to Relution.
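The following script is an added example and not part of Relution or Microsoft; it is one way to keep track of the secret lifetime described above. It evaluates the passwordCredentials array in the shape Microsoft Graph returns for GET /applications/{object-id} and reports how long each secret on the app registration is still valid, so the secret can be rotated before Relution loses its connection. The JSON is a constructed sample; every GUID, name and date in it is a placeholder. The acquire_graph_token helper at the end performs the real client-credentials request with the three values this guide tells you to copy into Relution; it needs network access and is only defined, not called.

```python
"""Monitor the client secret(s) on the Relution app registration.

Added example, not Relution's or Microsoft's own code. Reads an application
object as returned by Microsoft Graph (GET /applications/{object-id}) and
classifies each client secret as expired, expiring or ok.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

# Constructed sample in the shape of a Microsoft Graph application object.
# All IDs, names and dates are placeholders.
SAMPLE_APP_JSON = """
{
  "id": "00000000-0000-0000-0000-000000000000",
  "appId": "11111111-1111-1111-1111-111111111111",
  "displayName": "Relution MDM",
  "passwordCredentials": [
    {"displayName": "relution-old", "keyId": "aaaaaaaa-0000-0000-0000-000000000001",
     "endDateTime": "2024-06-01T00:00:00Z"},
    {"displayName": "relution-current", "keyId": "bbbbbbbb-0000-0000-0000-000000000002",
     "endDateTime": "2026-03-15T12:00:00.1234567Z"}
  ]
}
"""


def load_sample() -> dict:
    """Parse the constructed sample above (stands in for the Graph response)."""
    return json.loads(SAMPLE_APP_JSON)


def parse_graph_datetime(value: str) -> datetime:
    """Parse Graph's ISO-8601 UTC timestamps, which may carry 7 fractional digits."""
    value = value.rstrip("Z")
    if "." in value:
        whole, frac = value.split(".", 1)
        value = f"{whole}.{frac[:6]}"  # datetime accepts at most microseconds
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def secret_status(app: dict, now: datetime, warn_days: int = 30) -> list:
    """Classify each client secret as 'expired', 'expiring' or 'ok' relative to now."""
    results = []
    for cred in app.get("passwordCredentials", []):
        end = parse_graph_datetime(cred["endDateTime"])
        days_left = (end - now).days
        if end <= now:
            state = "expired"
        elif days_left < warn_days:
            state = "expiring"
        else:
            state = "ok"
        results.append({"name": cred.get("displayName"), "keyId": cred["keyId"],
                        "days_left": days_left, "state": state})
    return results


def has_usable_secret(app: dict, now: datetime) -> bool:
    """True if at least one secret has not expired yet (Relution can still connect)."""
    return any(s["state"] != "expired" for s in secret_status(app, now))


def acquire_graph_token(tenant_id: str, client_id: str, client_secret: str) -> dict:
    """Client-credentials request with the three values copied into Relution.

    Needs network access, so it is not called here. A 200 response containing
    an access_token proves that the stored secret is still valid.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for s in secret_status(load_sample(), datetime.now(timezone.utc)):
        print(f"{s['name']:<18} {s['state']:<9} {s['days_left']:>5} days")
```

Run it on a schedule against the live application object (for example via the Microsoft Graph PowerShell SDK or the token helper above) and alert on "expiring" well before the date, so the rotation happens while the old secret still works.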

Configure the API permissions

In the next step, the API permissions are configured:

Configure API permissions for the Microsoft Entra Autopilot MDM application in Relution

Depending on which Microsoft features are used in the future, additional permissions may need to be added later.

The following settings must be configured in Microsoft Entra:

  1. Under API permissions > Configured permissions, click Add a permission.
  2. In the Request API permissions dialog, select Microsoft Graph under Microsoft APIs.

Select Microsoft Graph under Microsoft APIs for API permissions in Microsoft Entra

  3. In the next step, select the Application permissions tile.

Select application permissions for Microsoft Graph in Microsoft Entra

  4. Select the User.Read.All permission for User.

Enable the User.Read.All permission for Microsoft Graph in Microsoft Entra

  5. Select the Group.Read.All permission for Group.

Enable the Group.Read.All permission for Microsoft Graph in Microsoft Entra

  6. Select the Device.ReadWrite.All permission for Device and confirm the selection with Add permissions.

Add the Device.ReadWrite.All permission for Microsoft Graph in Microsoft Entra

For newly added API permissions, the status column initially shows an exclamation mark (not granted for your tenant). Application permissions always require tenant-wide admin consent, so an administrator must click Grant admin consent once; only then does the app registration actually hold these permissions and receive them in the roles claim of its tokens. The status is then shown as Granted with a green check mark. Because these are application permissions rather than delegated ones, they apply to the whole tenant regardless of which user is signed in, so grant only the ones listed here.

Show API permissions in Microsoft Entra as granted after administrator consent
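To confirm that consent actually took effect, look at a token the app obtains with its client secret: after admin consent the granted application permissions appear in the "roles" claim; before consent the claim is missing and Microsoft Graph answers with 403. The script below is an added example, not Relution's or Microsoft's own code, that decodes such a token and compares its roles with the three permissions this guide asks for. It does not verify the signature, which is acceptable for an administrator inspecting a token they just obtained themselves and never for a service accepting tokens from others. The tokens it checks are constructed with a dummy signature, and the tenant and application IDs are placeholders.

```python
"""Check which application permissions an access token actually carries.

Added example, not Relution's or Microsoft's own code. Decodes the payload of a
client-credentials token (no signature check) and compares the "roles" claim
with the permissions required by the Relution guide.
"""
import base64
import json

EXPECTED_ROLES = {"User.Read.All", "Group.Read.All", "Device.ReadWrite.All"}
# Graph tokens carry one of these audiences depending on the token version.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

TENANT = "22222222-2222-2222-2222-222222222222"  # placeholder Directory (tenant) ID
APP = "11111111-1111-1111-1111-111111111111"     # placeholder Application (client) ID


def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_payload(token: str) -> dict:
    """Return the JWT payload claims WITHOUT checking the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))


def check_permissions(claims: dict, tenant_id: str, expected=EXPECTED_ROLES) -> dict:
    """Compare the token's roles with the expected application permissions."""
    roles = set(claims.get("roles", []))
    return {
        "consent_granted": "roles" in claims,      # claim is absent before admin consent
        "missing": sorted(expected - roles),
        "unexpected": sorted(roles - expected),    # over-privilege that should be removed
        "audience_ok": claims.get("aud") in GRAPH_AUDIENCES,
        "tenant_ok": claims.get("tid") == tenant_id,
    }


def make_demo_token(claims: dict) -> str:
    """Build a constructed token with a dummy signature for offline illustration."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "demo"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.ZHVtbXk"  # "dummy", not a real signature


def base_claims(**extra) -> dict:
    claims = {"aud": "https://graph.microsoft.com", "tid": TENANT, "appid": APP,
              "iss": f"https://sts.windows.net/{TENANT}/"}
    claims.update(extra)
    return claims


# Constructed tokens for the three situations an administrator will encounter.
TOKEN_AFTER_CONSENT = make_demo_token(base_claims(roles=sorted(EXPECTED_ROLES)))
TOKEN_BEFORE_CONSENT = make_demo_token(base_claims())
TOKEN_OVERPRIVILEGED = make_demo_token(
    base_claims(roles=sorted(EXPECTED_ROLES | {"Directory.ReadWrite.All"})))


def verdict(token: str, tenant_id: str = TENANT) -> str:
    """One-line assessment of a token against the guide's permission set."""
    r = check_permissions(decode_payload(token), tenant_id)
    if not r["consent_granted"]:
        return "no roles claim: admin consent not granted yet"
    if r["missing"]:
        return "missing permissions: " + ", ".join(r["missing"])
    if r["unexpected"]:
        return "remove unneeded permissions: " + ", ".join(r["unexpected"])
    if not (r["audience_ok"] and r["tenant_ok"]):
        return "token is for the wrong audience or tenant"
    return "ok"


if __name__ == "__main__":
    for name, tok in [("after consent", TOKEN_AFTER_CONSENT),
                      ("before consent", TOKEN_BEFORE_CONSENT),
                      ("over-privileged", TOKEN_OVERPRIVILEGED)]:
        print(f"{name:<16} {verdict(tok)}")
```

With a real token, paste the access_token value from the client-credentials response into verdict(); "no roles claim" means the consent click is still missing, while "remove unneeded permissions" flags roles that were added beyond the three this guide requires.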

Define the redirect URI

In the Relution guide, the Redirect URI is then configured in Microsoft Entra:

Add the authentication platform for the redirect URI in Microsoft Entra

  1. Under Authentication, click Add a platform.
  2. In the Configure platforms dialog, select the Web tile.

Select Web as the platform type for the redirect URI in the Microsoft Entra app registration

  3. In the Web section, enter the server URL under Add a Redirect URI.
  4. Disable the ID tokens checkbox.
  5. Click Save.

Store the server URL as the redirect URI in Microsoft Entra and disable ID tokens

This completes the configuration in Microsoft Entra.

Select the Relution service options and complete the setup

In the Relution guide, you can optionally define whether Microsoft Entra ID users and Microsoft Entra ID groups should be synchronized with Relution.

Enable synchronization of Microsoft Entra ID users and groups with Relution

Click Save to complete the setup and linking of Microsoft Entra ID in Relution.

Summary

After completing these steps, Microsoft Entra ID is linked with Relution. This allows users and groups from Microsoft Entra ID to be synchronized with Relution and enables the use of additional Microsoft-related features.

To allow synchronized users to sign in to Relution, OIDC authentication must also be configured. This also applies when using Conditional Access.