Microsoft Entra ID Authentication

10 minute read Last updated on March 21, 2026

Guide to Logging in with Microsoft Entra ID

On the Home Page, when you click on the LOGIN button on the Title bar, a dropdown menu will appear showing two authentication methods (Marketplace and Microsoft Entra ID). Select Microsoft Entra ID to proceed with logging in using your Microsoft account.

The system will display a pop‑up asking you to enter the Microsoft Entra ID domain configured for your tenant.

  • Enter your Microsoft Entra ID domain (example: example.com)
  • Click the LOGIN button

After the system verifies that the domain you entered is valid, the login process will follow the status of your Microsoft session in the browser. One of the following occurs:

  • If you are not signed in to Microsoft, you will be redirected to the Microsoft Sign‑In page.
  • If you are already signed in with one Microsoft account, the system automatically uses that account to log you into Shield Guard.

Once you have successfully logged in, the system will automatically return you to the Shield Guard page, and you can continue using all features as a regular account.

Notes:

If you have previously logged into Shield Guard using Microsoft Entra ID on the same browser, you will not need to enter the domain again on subsequent logins. The system will automatically proceed with the next login step based on the status of your current Microsoft session.

  • Automatically signs you in if there is one active Microsoft account.
  • Redirects to the Microsoft Sign‑In page if no account is signed in.
  • Users must sign in with only one Microsoft Entra ID account (authentication with multiple accounts is not supported).
  • Users must log in using their personal PC (shared PCs are not supported).

Microsoft Entra ID Authentication Settings Overview

The integration process between Microsoft Entra ID and Shield Guard consists of two sections and four main phases:

Section 1: Microsoft Entra ID Authentication Method Setup Guide

Section 2: Sync Tenant With Microsoft Entra ID Setup Guide

Microsoft Entra ID Authentication Method Setup Guide

Microsoft Entra ID Authentication Method configuration includes the following sections:

Configure the Enterprise Application on Microsoft Entra ID

Sign in to the Microsoft Entra admin center to continue with the configuration process.

Step 1: Go to Entra ID and select Enterprise applications.

Step 2: Click New application to create a new application.

Step 3: After creating the application, open the newly created application.

Step 4: Navigate to the Single sign-on section and select the SAML single sign-on method.

Step 5: Edit the Basic SAML Configuration and update it with the Shield Guard SSO configuration (Shield Guard Entity ID, Shield Guard ACS URL and Shield Guard Logout URL).

Click the Edit button in the Basic SAML Configuration section.

To complete the Microsoft Entra ID authentication method setting, please retrieve the Shield Guard SSO configuration from the Microsoft Entra ID Authentication Method page (Shield Guard Entity ID, Shield Guard ACS URL and Shield Guard Logout URL).

After obtaining the required information from the Shield Guard configuration screen, enter the Shield Guard Entity ID, Shield Guard ACS URL, and Shield Guard Logout URL into their corresponding fields: Identifier (Entity ID), Reply URL (Assertion Consumer Service URL), and Logout URL.

Step 6: Edit Attributes & Claims

  • Edit the Unique User Identifier (Name ID) claim by setting the Name identifier format to Default and the Source attribute to user.objectid.
  • Edit the name claim by setting the Name to userPrincipalName.

Step 7: In the SAML Certificates section, download the Certificate (Base64) file and save it to your computer.

Step 8: In the Set up Enterprise Application name (Shield Guard) section, save the values of the Login URL and Microsoft Entra Identifier.

Step 9: Navigate to the Users and groups section in the Enterprise application menu.

  • Click Add user/group and choose none
  • Select the users to grant authentication access to the Shield Guard tenant, click Select, and then click Assign to add them to the list of assigned users in the Enterprise application.
  • After assignment, the authorized users will appear in the Shield Guard tenant user list.
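Steps 5 to 7 hand the service provider three things it must hold onto: its own Entity ID and ACS URL, and the Entra signing certificate. The following Python is an added example, not Shield Guard's code, that shows the checks a service provider runs on an incoming assertion once the XML signature has been verified with that certificate (signature verification itself needs an XML-DSig library and is outside this snippet): Audience must equal the Entity ID, Recipient must equal the ACS URL, the validity window must contain the current time, and the two Step 6 claims (NameID carrying the object id, the name claim carrying the UPN) must be present. The SP URLs, the claim URI and the assertion are constructed sample values, and the .cer text is a placeholder blob rather than a real certificate; the fingerprint helper shows how the downloaded file can be pinned so a wrong or swapped certificate is noticed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Hypothetical service-provider values of the kind the Shield Guard
# "Microsoft Entra ID Authentication Method" page shows (Step 5).
SP_ENTITY_ID = "https://shieldguard.example/saml/metadata"
SP_ACS_URL = "https://shieldguard.example/saml/acs"
# Assumed claim URI for the Step 6 "name" claim (Entra's default name claim
# URI, with userPrincipalName as its source attribute).
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

# Constructed sample (not a real Entra response): an unsigned assertion with
# NameID = object id and the name claim = UPN, as configured in Step 6.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">11111111-2222-3333-4444-555555555555</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" NotOnOrAfter="2026-03-21T10:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2026-03-21T09:55:00Z" NotOnOrAfter="2026-03-21T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{NAME_CLAIM}">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed placeholder standing in for the Certificate (Base64) file of
# Step 7; the body is NOT a real certificate, only base64-encoded bytes.
SAMPLE_CER = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"placeholder-not-a-real-certificate").decode()
              + "\n-----END CERTIFICATE-----\n")


def parse_saml_time(value):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in SAML assertions."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, entity_id, acs_url, now, name_claim=NAME_CLAIM):
    """Service-provider checks that run AFTER XML-signature verification.
    Returns (ok, problems, identity); identity maps the two Step 6 claims,
    'object_id' from NameID and 'upn' from the name claim."""
    problems = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return False, ["no Assertion element"], {}

    # Audience must be exactly our Entity ID and Recipient exactly our ACS URL;
    # anything else is an assertion minted for a different service provider.
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != entity_id:
        problems.append(f"audience {audience!r} does not match entity id")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != acs_url:
        problems.append(f"recipient {recipient!r} does not match ACS URL")

    # Validity window: reject expired (possibly replayed) or not-yet-valid assertions.
    conditions = assertion.find("saml:Conditions", NS)
    not_before = conditions.get("NotBefore") if conditions is not None else None
    not_on_or_after = conditions.get("NotOnOrAfter") if conditions is not None else None
    if not_before and now < parse_saml_time(not_before):
        problems.append("assertion not yet valid")
    if not_on_or_after and now >= parse_saml_time(not_on_or_after):
        problems.append("assertion expired")

    # Identity: NameID (object id) is the stable key; the UPN is the e-mail-like name.
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        problems.append("missing NameID")
    upn = None
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name_claim:
            upn = attr.findtext("saml:AttributeValue", namespaces=NS)
    if not upn:
        problems.append("missing name (UPN) claim")
    return not problems, problems, {"object_id": name_id or None, "upn": upn}


def cert_fingerprint(cer_text):
    """SHA-256 fingerprint of a Base64 (.cer) file as colon-separated hex.
    Record it when the settings are saved; if the file is replaced or the
    IdP rotates its signing certificate, the fingerprint changes."""
    body = "".join(line.strip() for line in cer_text.splitlines() if not line.startswith("-----"))
    digest = hashlib.sha256(base64.b64decode(body)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_sample(now_iso="2026-03-21T10:00:00Z"):
    """Run the constructed sample through the checks at the given instant."""
    return check_assertion(SAMPLE_RESPONSE, SP_ENTITY_ID, SP_ACS_URL, parse_saml_time(now_iso))


if __name__ == "__main__":
    print(check_sample())
    print(check_sample("2026-03-21T10:10:00Z"))  # past NotOnOrAfter
    print(cert_fingerprint(SAMPLE_CER))
```

The Audience and Recipient comparisons are exact string matches on purpose: a trailing slash or a different scheme on either side is a mismatch, which is also why the Entity ID and ACS URL entered in Step 5 must be copied from the Shield Guard page rather than retyped.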

Configure the Microsoft Entra ID Authentication Method Setting

After completing the Single Sign‑On configuration in the Microsoft Entra ID Enterprise application, return to the Shield Guard Settings Page to continue the configuration.

Step 1: Choose Authentication Method.

  • By default, the method is Marketplace. Please switch it to Microsoft Entra ID.

Step 2: Enter the required configuration values in the settings.

  • Enter the Login URL and Microsoft Entra Identifier values, and upload the Certificate file obtained from Steps 7 and 8 of Configure the Enterprise Application on Microsoft Entra ID into the corresponding input fields in the Microsoft Entra ID Authentication Method settings.

  • Download the certificate file (.cer file) and make sure to delete the file after completing the Shield Guard configuration.

Step 3: Test the connection between the Shield Guard tenant and Microsoft Entra ID.

  • After all required setting fields are configured, the Test Connection button will be enabled, allowing the user to verify the connection.
  • When the user performs Test Connection, the system will redirect the user to the Microsoft sign-in page for authentication.
  • The user must sign in using an Entra ID account whose email address matches the configured Marketplace account. After successful Microsoft authentication, the system will display a notification.

  • If the user enters the correct configuration information and authenticates using an account whose email matches the configured account, the system will return a success message.

Conversely, if the user enters incorrect configuration information or authenticates using an account whose email does not match the configured account, the system will return a failure message.

Note: If the user attempts authentication but is not assigned to the Users group of the Enterprise Application created for Shield Guard authentication, Microsoft will display an error. In this case, please review and ensure that all configuration steps in the Configure the Enterprise Application on Microsoft Entra ID section have been completed correctly.

Step 4: Save setting.

  • After a successful Test Connection, the Save button will be enabled, allowing the user to save the configuration and complete the setup of the Entra ID authentication method.

Sync Tenant With Microsoft Entra ID Setup Guide

Sync Tenant With Microsoft Entra ID configuration includes the following sections:

Configure the App Registration on Microsoft Entra ID

Step 1: In Entra ID, go to App registrations.

Step 2: Select the registered application that has the same name as the one you created in the previous steps.

Step 3: In the Certificates & secrets section, create a new client secret.

  • Click New client secret, enter a Description for the client secret, and select Expires (it is recommended to choose the longest expiration period).
  • After successfully creating the client secret, the user must save the information, including the Secret Value and Expires, for use in configuring the Tenant on Shield Guard.

Note: The client secret has an expiration period. When it is nearing expiration, the user must create a new client secret and update the new credentials. The Shield Guard Tenant system will notify the user one month before the client secret expires.

Step 4: Go to the API Permissions section and configure the API access permissions from Shield Guard to Microsoft Entra ID.

  • Since Shield Guard calls APIs to retrieve user and application information, Microsoft Entra ID must be configured with Microsoft Graph API permissions, including Application.Read.All and User.Read.All.

Note: Admin consent must be granted for all added permissions.

Step 5: In the Overview section, save the values of the Application (client) ID and Directory (tenant) ID.

These values are required for configuring the Sync Tenant With Microsoft Entra ID in Shield Guard.
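Steps 3 to 5 produce the three inputs of an OAuth 2.0 client-credentials flow (Directory (tenant) ID, Application (client) ID, client secret), and Step 4 plus its note decide whether the resulting token is actually usable. The Python below is an added example, not Shield Guard's sync code, showing how a sync service would use those values: it builds the token request against the Entra v2.0 token endpoint, inspects the `roles` claim of the returned app-only token to confirm that Application.Read.All and User.Read.All were admin-consented (a missing role is the usual reason Graph answers 403 after a seemingly successful token call), and applies the one-month-before-expiry warning the page describes to the secret's Expires date. The tenant and client values are placeholders, the token used offline is a constructed unsigned JWT-shaped string, and `fetch_users` is the only function that needs network and is not executed.

```python
import base64
import json
import urllib.parse
import urllib.request
from datetime import date

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_USERS_URL = "https://graph.microsoft.com/v1.0/users?$select=id,userPrincipalName,mail,accountEnabled"
# The two application permissions the page's Step 4 requires.
REQUIRED_ROLES = ("Application.Read.All", "User.Read.All")


def build_token_request(tenant_id, client_id, client_secret):
    """Client-credentials grant (OAuth 2.0, RFC 6749 section 4.4) against the
    Entra v2.0 token endpoint. The secret goes only in the POST body, never
    in a query string where it would end up in proxy and server logs."""
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",  # all consented app permissions
    }
    return urllib.request.Request(
        TOKEN_URL.format(tenant=tenant_id),
        data=urllib.parse.urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def decode_jwt_payload(token):
    """Decode a JWT payload WITHOUT verifying the signature. Acceptable here
    only because the token was issued to this app and is being inspected for
    its granted roles; it is never used to authorize anything on that basis."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(payload, required=REQUIRED_ROLES):
    """App-only Graph tokens list consented application permissions in the
    'roles' claim. A required role absent there means admin consent was not
    granted (or the permission was never added), and Graph calls will fail."""
    granted = set(payload.get("roles", []))
    return [role for role in required if role not in granted]


def secret_expiry_status(expires_iso, today_iso, warn_days=30):
    """The page says the tenant warns one month before the client secret
    expires; this mirrors that rule on ISO dates.
    Returns 'ok', 'rotate-soon' or 'expired'."""
    remaining = (date.fromisoformat(expires_iso) - date.fromisoformat(today_iso)).days
    if remaining < 0:
        return "expired"
    if remaining <= warn_days:
        return "rotate-soon"
    return "ok"


def fetch_users(access_token):
    """Live Graph call (needs network; not exercised by the sample below)."""
    req = urllib.request.Request(GRAPH_USERS_URL, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["value"]


def constructed_token(roles):
    """Constructed, unsigned JWT-shaped string for offline demonstration only;
    the third segment is a placeholder, not a real signature."""
    def b64url(raw):
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = b64url(b'{"alg":"RS256","typ":"JWT"}')
    body = b64url(json.dumps({"aud": "https://graph.microsoft.com", "roles": roles}).encode())
    return f"{header}.{body}.{b64url(b'placeholder-signature')}"


def consent_report(token, expires_iso, today_iso):
    """Summary a sync service could log before its first Graph call."""
    return {
        "missing_roles": missing_roles(decode_jwt_payload(token)),
        "secret": secret_expiry_status(expires_iso, today_iso),
    }


if __name__ == "__main__":
    # Placeholders, not real tenant values.
    req = build_token_request("TENANT-ID-PLACEHOLDER", "CLIENT-ID-PLACEHOLDER", "CLIENT-SECRET-PLACEHOLDER")
    print(req.full_url, req.data)
    # Only User.Read.All consented: the report names the missing role.
    print(consent_report(constructed_token(["User.Read.All"]), "2026-04-15", "2026-03-21"))
```

In production the token returned by the live endpoint would be passed to `decode_jwt_payload` in place of the constructed one; if `missing_roles` is non-empty, the fix is the admin consent step in the page's Step 4 note, not a new secret.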

Configure the Sync Tenant With Microsoft Entra ID Setting

After completing the API configurations in the Microsoft Entra ID App Registration, return to the Shield Guard Settings Page to continue the configuration.

Step 1: Enter the required configuration values in the settings.

  • Enter the Application (client) ID, Directory (tenant) ID, Client Secret value, and the Client Secret expiration date obtained from Steps 3 and 5 of Configure the App Registration on Microsoft Entra ID into the corresponding input fields in the Sync Tenant With Microsoft Entra ID settings.
  • In addition, the user must configure the permissions and frequency for the periodic automatic Entra ID user provisioning flow via the Assign Roles and Frequency sections in Settings.

Step 2: Test the connection of APIs between the Shield Guard tenant and Microsoft Entra ID.

  • After all required setting fields are configured, the Test Connection button will be enabled, allowing the user to verify the connection.
  • If the user enters the correct application information from Entra ID, and the Entra ID account’s email matches the Tenant Owner, and the user performing the setup is assigned to the Users list of the Enterprise Application, the system will return a success message.
  • Conversely, if the user performs the configuration steps incorrectly, the system will display a connection error message.

Step 3: Save setting.

  • After a successful Test Connection, the Save button will be enabled, allowing the user to save the configuration and complete the setup of the Sync Tenant With Microsoft Entra ID.
  • After the user successfully saves the settings, the system will synchronize the Tenant’s user data with Microsoft Entra ID and disable access for Marketplace users who do not have a configured Entra ID account or are not assigned to the Users list of the Enterprise Application. (The list of users that fail to synchronize will be recorded in the Shield Guard Tenant logs and also displayed on the User Alert screen.)

  • The system will also synchronize Marketplace users whose email addresses match the users assigned in the Entra ID Enterprise Application. After synchronization is completed, all users (except the Tenant Owner) can log in to the Tenant only via Entra ID.

  • In addition, the system will store the configuration for the periodic automatic user provisioning flow from Entra ID to the Shield Guard Tenant.
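The bullets above describe the outcome of the first synchronization as a set comparison: Marketplace users are matched to the Entra Enterprise Application's assigned users by e-mail, unmatched Marketplace users are disabled and logged, and the Tenant Owner is exempt. The Python below is an added model of that decision, not Shield Guard's implementation; it assumes a minimal user record, matches e-mail addresses case-insensitively (Entra UPNs are not case-sensitive), and additionally lists assigned Entra users that have no Marketplace account yet, on the assumption that these are what the periodic provisioning flow picks up. The sample tenant is constructed data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MarketplaceUser:
    email: str
    is_tenant_owner: bool = False


def normalize(address):
    """Entra UPNs are matched case-insensitively, and the page matches
    Marketplace users to Entra users by e-mail, so compare case-folded."""
    return address.strip().casefold()


def reconcile(marketplace_users, entra_assigned_upns):
    """Model of the post-save sync the page describes:
      synced    - Marketplace users whose e-mail matches an assigned Entra UPN
      disabled  - Marketplace users with no matching assigned Entra user
      kept      - the Tenant Owner, who keeps Marketplace login (page's exception)
      provision - assigned Entra users with no Marketplace account yet (assumed
                  to feed the periodic provisioning flow the page mentions)
    """
    assigned = {normalize(upn): upn for upn in entra_assigned_upns}
    known = {normalize(u.email) for u in marketplace_users}
    result = {"synced": [], "disabled": [], "kept": [], "provision": []}
    for user in marketplace_users:
        matched = normalize(user.email) in assigned
        if user.is_tenant_owner:
            result["kept"].append(user.email)
        if matched:
            result["synced"].append(user.email)
        elif not user.is_tenant_owner:
            result["disabled"].append(user.email)
    result["provision"] = [upn for key, upn in assigned.items() if key not in known]
    return result


def alert_lines(result):
    """Lines of the kind the page says go to the tenant logs and User Alert screen."""
    return [f"sync-failed user={email} reason=no-assigned-entra-account" for email in result["disabled"]]


# Constructed sample tenant (not real data): note the mixed-case Alice address.
SAMPLE_MARKETPLACE = [
    MarketplaceUser("owner@example.com", is_tenant_owner=True),
    MarketplaceUser("Alice@Example.com"),
    MarketplaceUser("bob@example.com"),
]
SAMPLE_ENTRA_ASSIGNED = ["owner@example.com", "alice@example.com", "carol@example.com"]


def sample_sync():
    """Run the constructed tenant through the reconciliation."""
    return reconcile(SAMPLE_MARKETPLACE, SAMPLE_ENTRA_ASSIGNED)


if __name__ == "__main__":
    outcome = sample_sync()
    print(outcome)
    print("\n".join(alert_lines(outcome)))
```

Running the sample disables only bob (no assigned Entra account), keeps the owner's Marketplace login, and flags carol as assigned in Entra but not yet present in the tenant; a user in the disabled list is exactly the case the Test Connection note in Step 2 of Section 1 warns about.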

Reset Vault

When a user in the tenant resets the master key due to forgetting it, all security key data associated with that user and the tenant will be deleted. For tenant users who are Marketplace users, other users in the tenant will need to re-invite the user who reset the master key.

However, for tenant users who are Microsoft Entra ID users, this re-invite flow is no longer applicable as per the specification. Therefore, we will modify the workflow so that instead of re-inviting, the system will immediately perform the add-new-from-Entra-ID function to grant tenant access to the user who reset the master key.

Note:

  • To use the [RE-ADD USER] button, the user in the tenant must first unlock the Vault-Protected Pages.
  • According to the current system functionality, if a tenant has only one user and that user performs a vault reset, the system will automatically grant tenant access when the user recreates the master key.
  • However, in the case where the tenant is configured with Entra ID authentication, if the user logs in with an Entra ID account and the user list contains only the tenant owner account that performs a vault key reset, the automatic access granting mechanism will no longer apply.
  • This is because the system still retains two tenant owner accounts with the same email address: one Marketplace account and one Entra ID account. Therefore, the user must log in with the Marketplace account to use the Re-Add feature to remove the vault block for the Entra ID login account. This feature also applies in the reverse scenario.