Entra ID Authentication

Ivanti Neurons currently offer the option of selecting Entra ID as the external authentication provider for your tenant. This is a good choice if you want to centralize the end user log on experience, reduce the occurrence of password related calls to the help desk, and have granular controls over policies and audit trails.

To use Entra ID all members must accept the request for Ivanti to access their basic Azure profile data.

Configure & Enable External Authentication

  1. In Ivanti Neurons Platform navigate to Admin > Authentication.
    The Authentication page appears.
  2. In the External Authentication (SSO) section, click Configure & Enable.
    The Enable External Authentication (SSO) page appears.
  3. From the Provider drop-down select Entra ID.
    The Entra ID Configuration Settings appear.

Before you can continue with the Ivanti Neurons configuration you must first carry out some steps in Microsoft Azure Portal.

Before you can continue with the Ivanti Neurons configuration you must first carry out the following steps in Microsoft Azure Portal.

Step A - Create your Entra ID application

  1. Login to Entra ID Admin Center as Office 365 Administrator.
  1. In the sidebar menu click All Services > App Registrations.
    The App registrations dashboard appears.
  2. Click New registration.
  3. Enter an appropriate name for the application, and accept the default supported account types: Accounts in this organizational directory only.
    Microsoft Azure Register an Application screen
  4. Enter the Redirect URI, as displayed in the Neurons Platform Entra ID Configuration Settings.
  5. Click Register at the bottom of the dialog.
  6. An application (client) ID is generated and displayed.

You need to record the application (client) ID and Directory (tenant) ID as it is required for the next stage of the setup in Ivanti Neurons.

Step B - Configure Authentication Settings

  1. Select Authentication from the App Registration menu.
  2. Navigate to Advanced Settings.
  3. Enter the Logout URL, as displayed in the Neurons Platform Entra ID Configuration Settings.
  4. In the Implicit grant section, make sure the ID tokens check box is selected.
    Implicit grant and hybrid flows screen showing ID tokens selected
  5. Click Save.

Step C - Create a Secret

  1. From within the created App navigate to App Registration > Certificates & Secrets.
  2. Create New Client Secret.
  3. Add a description.
  4. Select the expiry duration in-line with your company standards.
  5. Click Add.
  6. A value is created, you must copy it somewhere safe because this is the only time it can be viewed.

Make sure you copy the Secret Value and not the Secret ID.

Entra ID setup is now complete and you can return to Ivanti Neurons Platform.

The Secret lifetime is finite, so your company should take measures to ensure this is replaced prior to expiry to avoid any outages to Ivanti Neurons. Learn how to Update Client Secret.

Step D - Token Configuration

Set up token configuration so you can use auto provisioning.

  1. Select Token Configuration from the App Registration menu.
  2. Select Add Optional Claim to open the side panel.
  3. For the Token type, select ID.
  4. From the Claims list, select email, family_name and given_name. This allows the email, last name, and first name, to be obtained for new Ivanti Neurons members, which is a requirement when using auto provisioning.
  5. Click Add.

Step E - Grant Permissions

If the user setting up SSO is not an Azure administrator, then the Azure administrator needs to log in to Azure and approve the Apps request for User-read/Signin permissions.

  1. Select Manage > API permissions for the EntraID application. You must be logged in as an Azure administrator.
  2. If User.Read is not listed as a delegated permission, you need to add the permission. To do this:
    • Select Add a permission.
    • Select Microsoft Graph > Delegated permissions.
    • Select the User.Read permission.
  3. Select Grant Admin Consent for <entraid_tenant>.

Once you have created the Entra ID application (client), directory (tenant), and secret, you can continue with the Ivanti Neurons Platform configuration.

  1. Return to the Entra ID Configuration Settings page (Ivanti Neurons Platform > Authentication > External Authentication (SSO) > Configure and Enable.

  2. Enter the Directory (Tenant) ID from Entra ID app registration.
  3. Enter the Application (Client) ID from Entra ID app registration.
  4. Enter the Client secret value that was generated and saved.
  5. Enter the Client secret expiry date, this should match the expiry date specified when creating the client secret. See Update Client Secret for further details.
  6. Click Continue to display the Validate Connection Settings page.

You need to connect with your Entra ID credentials to validate your connection settings.

  1. On the Validate Connection Settings page, click Validate Settings to access your organization's sign-in page via a new tab, enter your Entra ID credentials and proceed to sign-in. If you are already signed in credentials are not required and the validation takes place automatically, so make sure you are signed in to the account you want to authenticate.
    You will receive a confirmation screen if login is successful.

    2. The Azure username must exactly match your Ivanti Neurons username.

  2. Return to this tab (Validate Connection Settings).
  3. Select the check box I confirm I have successfully validated my connection settings to confirm you have logged in successfully.
  4. Click Continue to move on to convert Ivanti Neurons Platform accounts.
    The Enable Ivanti Neurons Platform accounts page appears.
  • E2018 Authentication failed: User failed to authenticate with Entra ID. Check the username and password are correct and that the user has permissions on the Entra ID Application Registration.
  • E2019 Missing optional claims: Validation step failed because the additional optional claims were not present in the token returned to Ivanti Neurons Platform from Entra ID.
  • E2020 Unable to link to Neurons Platform user account: The Entra ID user login, does not match with the Ivanti Neurons Platform user. The Ivanti Neurons Platform user account email address must match the email address used to login into Entra ID.

Entra ID is now configured, but it is not enabled.

To enable, you need to convert your Ivanti Neurons Platform accounts to use Entra ID instead.

  1. On the Enable Ivanti Neurons Platform accounts page, click Sign Out & Enable.
    The Ivanti Neurons Sign In page appears.
  2. Select to Sign In with Entra ID and enter your Entra ID credentials, the conversion will then be complete.

    3. The same user must configure Entra ID authentication and Sign in and validate the credentials in Ivanti Neurons, to avoid an Access Denied error.

All members will receive an email to confirm the account has been converted and that they must access the tenant with Entra ID credentials going forward. If the member does not have Entra ID credentials, they will not be able to access Ivanti Neurons.

External Authentication (SSO) will now display with an Enabled status.

Configure Auto Provisioning

Enabling auto provisioning will automatically grant access to Ivanti Neurons for all members within the Entra ID App Registration without having to go through the manual invite process. When a new member logs in for the first time, a new Ivanti Neurons Platform account will be provisioned in Ivanti Neurons > Members. All new auto provisioned members will be granted the access control roles defined in the set up.

  1. In Ivanti Neurons Platform navigate to Setup > Authentication.
    The Authentication Method page appears.
  2. In the External Authentication (SSO) section, click Actions and select Enable auto provisioning.
  3. From the Default roles drop-down, select the access control role that you want to be assigned to all new members.
    To setup Roles go to Ivanti Neurons > Admin> Roles.
  4. Click Enable Auto Provisioning to confirm the role selection and enable auto provisioning for all new members.

Once enabled, the options: Edit the default access control roles, and Disable auto provisioning, become available. Any roles edits, or disabling, of auto provisioning will not affect any existing auto provisioned members, it will only apply to those who are provisioned after the changes have been made.

You must configure the Optional Claims from Step D - Token Configuration for auto provisioning to work.

Important: Once auto-provisioning has been enabled, everyone who has access to the Entra ID App Registration will have access to Ivanti Neurons. You can restrict access to certain users or groups from within the Entra ID Portal. Refer to the Microsoft Azure documentation for further details.

Update Client Secret

If the Entra ID client secret is due to expire, you need to set a new one to continue using this authentication method.

  1. In Ivanti Neurons Platform navigate to Setup > Authentication.
  2. Click Actions and select Update client secret.
    The Update Client Secret page appears.
  3. Enter the new Client Secret from your Entra ID application.
  4. Enter the date to receive a reminder of when the client secret is due to expire. A reminder banner will display in the UI and an email reminder will be sent to users with the Admin role, 28 days before expiry. Further reminder emails will be sent 7 days before and a day before expiry.
    If the client secret is allowed to expire and a new one is not set, access to the service will be interrupted and you will need to contact Ivanti Support to regain access.
  5. Click Continue.
    The Validate Client Secret page appears.
  6. Click Validate Client Secret, this opens your Entra ID sign in page.
    Enter your username and password, this will be the same as the sign-in credentials for the Ivanti Neurons Platform. When you sign-in the new client secret is validated. If successful, return to this wizard and continue to update the client secret. If it is unsuccessful, go back and check if the new client secret you entered is accurate. For other failure reasons see Validation Troubleshooting
  7. Once you have successfully validated the new client secret, select the confirmation check box I confirm I have successfully validated my new client secret and click Continue.
  8. Click Save Changes to complete the process. This updates the client secret and the expiry reminder with immediate effect, you are not required to do anything further.