
Microsoft Entra ID Integration

Tip: Looking for WPA-Enterprise RADIUS authentication with Microsoft Entra ID? See Microsoft Entra ID Connector.

Connect IronWiFi to Microsoft Entra ID (formerly Azure Active Directory) to authenticate WiFi users with their corporate credentials, sync users and groups, and apply Conditional Access policies to your wireless network.

Features

  • SAML Authentication - Enterprise SSO for captive portals
  • OAuth Authentication - Simpler social login for captive portals
  • User Synchronization - Import users from Entra ID for RADIUS
  • Group Synchronization - Sync security groups
  • PEAP-MSCHAPv2 - WPA-Enterprise with Azure credentials
  • Conditional Access - Enforce MFA and compliance policies

Prerequisites

  • Microsoft Entra ID administrator account
  • IronWiFi account with Connector access
  • Azure subscription (free tier works)

SAML Single Sign-On

Use SAML for captive portal authentication, allowing users to sign in with their Microsoft Entra ID credentials.

Step 1: Create Azure Enterprise Application

  1. Log into Azure Portal
  2. Navigate to Microsoft Entra ID > Enterprise applications
  3. Click New application
  4. Select Create your own application
  5. Name: "IronWiFi Captive Portal"
  6. Select Integrate any other application you don't find in the gallery (Non-gallery)
  7. Click Create

[Screenshot: Azure Active Directory Overview page showing Tenant Information]

Step 2: Configure User Assignment

  1. In the application, go to Properties
  2. Set User assignment required? to No
  3. Click Save

This allows all users in your directory to authenticate without manual assignment.

[Screenshot: Azure Enterprise Application Properties page]

[Screenshot: Azure Enterprise Application Properties with User assignment required set to No]

Step 3: Configure SAML

  1. Click Single sign-on in the left menu
  2. Select SAML

[Screenshot: Azure Single sign-on method selection showing SAML option highlighted]

  3. Click Edit on Basic SAML Configuration
  4. Enter these values (get exact URLs from IronWiFi Console > Captive Portals > Authentication Providers):

     Field                  | Example Value
     -----------------------|----------------------------------------------------
     Identifier (Entity ID) | https://us-west1.ironwifi.com/api/signin/saml2
     Reply URL (ACS URL)    | https://us-west1.ironwifi.com/api/signin/saml2?acs
     Sign on URL            | Your splash page URL

     Region-specific URLs:

       • US West: us-west1.ironwifi.com
       • Europe West: europe-west2.ironwifi.com
       • Global/Default: splash.ironwifi.com

  5. Click Save

Step 4: Configure User Identifier (Critical)

  1. Click Edit on Attributes & Claims
  2. Click on the Unique User Identifier (Name ID) claim
  3. Change Source attribute to user.mail
  4. Click Save

This ensures Azure sends the user's email address as the identifier, which IronWiFi requires.

Step 5: Configure Additional Claims

Add or verify these attribute claims:

  Claim Name   | Source Attribute
  -------------|-----------------
  emailaddress | user.mail
  givenname    | user.givenname
  surname      | user.surname

Step 6: Download SAML Configuration

From the SAML Signing Certificate section, collect these three values:

  1. Login URL - Copy the URL (e.g., https://login.microsoftonline.com/.../saml2)
  2. Microsoft Entra Identifier - Copy the Entity ID
  3. Certificate (Base64) - Click Download and copy the certificate content

[Screenshot: Azure SAML-based Sign-on page showing Login URL, Azure AD Identifier, and Certificate download]

Step 7: Configure IronWiFi

  1. Log into IronWiFi Console
  2. Navigate to Networks > Captive Portals
  3. Select your captive portal or create a new one
  4. Expand Authentication Providers
  5. Click Add Provider > SAML2 Single Sign-on
  6. Enter the values from Azure:

     IronWiFi Field | Azure Value
     ---------------|-------------------------------------------------------
     SSO URL        | Login URL
     IDP Entity ID  | Microsoft Entra Identifier
     Certificate    | Certificate (Base64) content
     NameID Format  | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

  7. Click Save

[Screenshot: IronWiFi SAML Authentication Provider configuration dialog with SSO URL, Entity ID, Certificate, and NameIDFormat fields]

Step 8: Configure Walled Garden

Add these domains to your access point's walled garden:

Step 9: Test Authentication

  1. Connect to your WiFi network
  2. The captive portal should redirect to Microsoft login
  3. Sign in with Entra ID credentials
  4. Verify successful authentication and internet access

OAuth Authentication (Captive Portal)

Use OAuth for simpler captive portal authentication without SAML complexity.

Step 1: Register Azure Application

  1. Log into Azure Portal
  2. Navigate to Microsoft Entra ID > App registrations

[Screenshot: Azure Active Directory Overview page]

[Screenshot: Azure App registrations page showing registered applications]

  3. Click New registration
  4. Configure:
     • Name: IronWiFi OAuth
     • Supported account types: Accounts in this organizational directory only
     • Redirect URI: Select Web and enter your region URL:
       • US West: https://us-west1.ironwifi.com/api/signin/azure
       • Europe West: https://europe-west2.ironwifi.com/api/signin/azure
       • Global: https://splash.ironwifi.com/api/signin/azure
  5. Click Register

[Screenshot: Azure Register an application form with name, account type, and redirect URI fields]

Step 2: Copy Application ID

After registration, copy the Application (client) ID from the Overview page.

[Screenshot: Azure App registration Overview showing Application (client) ID]

Step 3: Create Client Secret

  1. Go to Certificates & secrets
  2. Click New client secret
  3. Set description: "IronWiFi OAuth"
  4. Set expiration (recommended: 24 months)
  5. Click Add
  6. Immediately copy the secret value (it won't be shown again)

[Screenshot: Azure Certificates and secrets page with Add a client secret dialog]

Step 4: Configure API Permissions

  1. Go to API permissions
  2. Click Add a permission > Microsoft Graph > Delegated permissions
  3. Add these permissions:
    • openid
    • profile
    • email
    • User.Read
  4. Click Add permissions
  5. Click Grant admin consent (if you have admin rights)

Step 5: Configure IronWiFi

  1. Log into IronWiFi Console
  2. Navigate to Networks > Captive Portals
  3. Select your captive portal

[Screenshot: IronWiFi Captive Portals list page]

  4. Expand Authentication Providers
  5. Click Add New

[Screenshot: IronWiFi Captive Portal settings page showing Authentication Providers section with Add New button]

  6. Click Add Provider > Social Login - OAuth 2.0
  7. Select Azure as the provider
  8. Enter:
     • Client ID: Application (client) ID from Azure
     • Client Secret: Secret value from Step 3
  9. Click Create

[Screenshot: IronWiFi Authentication Providers dialog configured for Azure OAuth with Client ID and Client Secret fields]

Step 6: Configure Walled Garden

Add the same domains as SAML to your walled garden:

Step 7: Test OAuth Login

  1. Connect to your WiFi network
  2. Click the Microsoft/Azure login button on the captive portal
  3. Sign in with Entra ID credentials
  4. Verify successful authentication

User Synchronization (Connector)

Import users from Microsoft Entra ID for RADIUS authentication (WPA-Enterprise).

Step 1: Get Tenant ID

  1. Log into Azure Portal
  2. Navigate to Microsoft Entra ID > Overview (or Properties)
  3. Copy the Tenant ID

[Screenshot: Azure AD Properties page showing Tenant ID]

Step 2: Register Application

  1. Go to Microsoft Entra ID > App registrations
  2. Click New registration
  3. Configure:
     • Name: IronWiFi RADIUS Connector
     • Supported account types: Accounts in this organizational directory only
     • Redirect URI: Select Web and enter:
       • https://console.ironwifi.com/api/oauth2callback
       • (For EU region: https://console-eu.ironwifi.com/api/oauth2callback)
  4. Click Register
  5. Copy the Application (client) ID

[Screenshot: Azure App registration Authentication page with redirect URIs configured]

Step 3: Configure API Permissions

  1. Go to API permissions
  2. Click Add a permission > Microsoft Graph > Application permissions

[Screenshot: Azure API permissions page showing configured permissions]

  3. Search for and select Directory.Read.All

[Screenshot: Request API permissions - selecting Directory.Read.All under Application permissions]

  4. Click Add permissions

[Screenshot: Request API permissions with Directory.Read.All selected]

  5. Click Grant admin consent for [your organization]

Step 4: Create Client Secret

  1. Go to Certificates & secrets
  2. Click New client secret
  3. Set description and expiration (recommended: 24 months or longer)
  4. Click Add
  5. Immediately copy the secret value

[Screenshot: Azure Certificates and secrets page with client secret created]

Step 5: Configure IronWiFi Connector

  1. Log into IronWiFi Console
  2. Navigate to Users > Connectors
  3. Click New Connector
  4. Select Microsoft Entra ID (Azure AD)
  5. Enter:
    • Name: Microsoft Entra ID (or your preferred name)
    • Tenant ID: From Step 1
    • Application ID: From Step 2
    • Client Secret: From Step 4

[Screenshot: IronWiFi Create Connector dialog for Azure AD with Tenant ID, Application ID, and Client Secret fields]

Step 6: Authorize Connection

  1. Click Authorize or Connect
  2. You'll be redirected to Microsoft login
  3. Sign in with an admin account
  4. Grant the requested permissions
  5. You'll be redirected back to IronWiFi

Step 7: Select Groups to Sync

  1. After authorization, select which groups to import
  2. Choose sync options:
    • All users or specific groups
    • Include disabled accounts (optional)
    • Sync frequency
  3. Click Save

Authentication Methods

After syncing users, configure how they authenticate:

  Method                       | Description                          | Requirements
  -----------------------------|--------------------------------------|--------------------------------
  Generated Passwords          | IronWiFi generates unique passwords  | PEAP-MSCHAPv2
  Client Certificates          | Certificate-based auth               | EAP-TLS, requires SCEP/Intune
  Azure Credentials (TTLS-PAP) | Users use their Entra ID password    | TTLS-PAP, IronWiFi AD Bridge
  PEAP-MSCHAPv2 with AD Bridge | Native Azure password auth           | IronWiFi AD Bridge agent

AD Bridge

AD Bridge is an IronWiFi agent for real-time password verification against Entra ID. Contact IronWiFi support for setup.

Sync Settings

Configure what to synchronize:

  • All users or filtered by group
  • Include/exclude disabled accounts
  • Group membership mapping
  • Custom attribute mapping
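To make concrete what the connector configured in Steps 2 to 7 is allowed to do with the Directory.Read.All application permission, here is an added Python example (not IronWiFi's connector code) that requests an app-only Microsoft Graph token with the client-credentials grant and then pages through a group's members, dropping disabled accounts unless "Include disabled accounts" is chosen. The tenant, client and group IDs are placeholders, the `$select` query on the members endpoint is an assumption about Graph, and the two-page Graph response is constructed so the script runs offline.

```python
"""Client-credentials token request plus paged group-member sync.
Added example, not IronWiFi code; Graph responses below are constructed."""
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials POST for an app-only Graph token (v2.0 endpoint).
    The .default scope asks for the application permissions an admin consented to."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def fetch_json_http(url, token):
    """Real Graph GET with a bearer token; not used by the offline demo below."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def sync_group_members(group_id, fetch_json, include_disabled=False):
    """Follow @odata.nextLink until all pages are read and return the user
    principal names that would become RADIUS identities. fetch_json(url)
    returns one decoded page; pass lambda u: fetch_json_http(u, token) for real use."""
    # $select on the members collection is an assumption about Graph, not taken from the guide
    url = f"{GRAPH}/groups/{group_id}/members?$select=userPrincipalName,accountEnabled"
    users = []
    while url:
        page = fetch_json(url)
        for member in page.get("value", []):
            if member.get("@odata.type") != "#microsoft.graph.user":
                continue  # nested groups, devices and service principals are not RADIUS users
            if not include_disabled and not member.get("accountEnabled", False):
                continue  # honour the "Include disabled accounts" sync option
            users.append(member["userPrincipalName"])
        url = page.get("@odata.nextLink")  # None on the last page ends the loop
    return users


# Constructed two-page Graph response for one group (placeholder IDs, not real directory data).
FAKE_PAGES = {
    f"{GRAPH}/groups/GROUP-ID-PLACEHOLDER/members?$select=userPrincipalName,accountEnabled": {
        "value": [
            {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "alice@example.com", "accountEnabled": True},
            {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "bob@example.com", "accountEnabled": False},
            {"@odata.type": "#microsoft.graph.group", "displayName": "Nested group"},
        ],
        "@odata.nextLink": f"{GRAPH}/groups/GROUP-ID-PLACEHOLDER/members?$skiptoken=PAGE2",
    },
    f"{GRAPH}/groups/GROUP-ID-PLACEHOLDER/members?$skiptoken=PAGE2": {
        "value": [
            {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "carol@example.com", "accountEnabled": True},
        ],
    },
}


def fake_fetch_json(url, token=None):
    """Offline stand-in for fetch_json_http that serves the constructed pages."""
    return FAKE_PAGES[url]


if __name__ == "__main__":
    print(sync_group_members("GROUP-ID-PLACEHOLDER", fake_fetch_json))
    print(sync_group_members("GROUP-ID-PLACEHOLDER", fake_fetch_json, include_disabled=True))
```

The point to notice is that the connector never sees a password: Directory.Read.All only lets it enumerate users and groups, which is why the table above needs Generated Passwords, certificates or the AD Bridge for the actual WPA-Enterprise credential check.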

WPA-Enterprise with Azure AD

PEAP-MSCHAPv2

For WPA-Enterprise authentication using Azure credentials:

Warning: This requires Microsoft Entra ID P1/P2 or Microsoft 365 licensing that includes Microsoft Entra ID Premium features.

  1. Enable Password Hash Synchronization in Microsoft Entra Connect
  2. Configure IronWiFi connector for RADIUS authentication
  3. Set user authentication source to Microsoft Entra ID

Certificate-Based (EAP-TLS)

For certificate authentication:

  1. Deploy certificates via Intune or MDM
  2. Configure IronWiFi for EAP-TLS
  3. Map certificate attributes to users

Conditional Access and MFA

Integrate with Microsoft Entra Conditional Access to require MFA or enforce other policies.

Prerequisites

  • Complete SAML or OAuth setup first (see sections above)
  • Microsoft Entra ID P1 or P2 license (for Conditional Access)

Step 1: Access Conditional Access

  1. Log into Azure Portal
  2. Navigate to Microsoft Entra ID > Enterprise applications
  3. Select your IronWiFi application
  4. Click Conditional Access in the left menu

[Screenshot: Azure Conditional Access page for the IronWiFi enterprise application]

Step 2: Create New Policy

  1. Click New policy
  2. Name the policy: "IronWiFi MFA Policy"

Step 3: Configure Assignments

Users:

  1. Under Users, click All users (or select specific groups)

[Screenshot: New Conditional Access policy - Users assignment set to All users]

Cloud apps:

  1. Under Target resources > Cloud apps
  2. Select Select apps
  3. Search for and select your IronWiFi application

[Screenshot: New Conditional Access policy - Cloud apps with IronWiFi selected]

Step 4: Configure Access Controls

  1. Under Grant, click 0 controls selected
  2. Select Grant access
  3. Check Require multifactor authentication
  4. Click Select

[Screenshot: New Conditional Access policy - Grant controls with Require multi-factor authentication checked]

Step 5: Enable the Policy

  1. Under Enable policy, select On
  2. Click Create

[Screenshot: New Conditional Access policy - Enable policy set to On with Create button]

How It Works

  • User connects to WiFi and reaches captive portal
  • User clicks Microsoft login (SAML or OAuth)
  • Microsoft Entra ID checks Conditional Access policies
  • If MFA is required, user completes MFA challenge
  • Upon success, user is granted network access

Considerations

  • MFA prompts appear during captive portal login
  • Location-based policies apply (user's IP during auth)
  • Device compliance can be enforced (if device is Entra-joined)
  • Sign-in frequency policies may require re-authentication

Hybrid Environments

For organizations with on-premises AD:

Microsoft Entra Connect

Sync on-premises users to Microsoft Entra ID:

  1. Deploy Microsoft Entra Connect
  2. Configure sync options
  3. Enable password hash sync or pass-through auth
  4. IronWiFi authenticates via Microsoft Entra ID

Pass-Through Authentication

Use on-premises credentials:

  1. Enable Pass-Through Authentication
  2. Deploy authentication agents
  3. Users authenticate against on-premises AD via Azure

Troubleshooting

SAML Errors

Invalid Signature:

  • Re-download certificate from Azure
  • Verify certificate hasn't expired
  • Check for correct encoding (Base64)

User Not Found:

  • Verify User Identifier is set to user.mail in Azure
  • Check NameID Format is urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  • Confirm user exists in Microsoft Entra ID

SAML Response Error:

  • Verify Entity ID matches exactly between Azure and IronWiFi
  • Check Reply URL (ACS URL) is correct for your region
  • Ensure certificate hasn't been rotated in Azure
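The User Not Found and SAML Response Error items above all come down to whether the assertion Azure sends carries what Steps 4, 5 and 7 configure: an email-format NameID, the three claims, and an Audience equal to the IronWiFi Entity ID. The following added Python script (not IronWiFi or Microsoft code) decodes a Base64 SAMLResponse and checks exactly those settings, so a captured assertion can be compared against the guide before changing anything in the portal. The sample assertion is constructed; signature verification is deliberately not part of this check, since IronWiFi does that with the uploaded certificate.

```python
"""Check a SAML assertion for the NameID format, claims and Audience this guide requires.
Added example, not IronWiFi code; the sample assertion is constructed and unsigned."""
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
CLAIM_BASE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED_CLAIMS = ("emailaddress", "givenname", "surname")

# Constructed sample assertion with the placeholder tenant ID and a fictitious user.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://us-west1.ironwifi.com/api/signin/saml2</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def decode_saml_response(b64_text):
    """Decode the Base64 SAMLResponse form field as it is POSTed to the ACS URL."""
    try:
        return base64.b64decode(b64_text, validate=True).decode("utf-8")
    except ValueError as exc:  # binascii.Error and UnicodeDecodeError are ValueErrors
        raise ValueError(f"SAMLResponse is not valid Base64-encoded XML: {exc}") from exc


def check_assertion(xml_text, expected_entity_id):
    """Return a list of problems; an empty list means the assertion matches the guide."""
    root = ET.fromstring(xml_text)
    problems = []

    # Step 4: the Unique User Identifier must be the email address (user.mail).
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no NameID in Subject")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append(f"NameID Format is {name_id.get('Format')!r}, expected {EMAIL_FORMAT}")
        if "@" not in (name_id.text or ""):
            problems.append("NameID is not an email address (set Source attribute to user.mail)")

    # Step 3 / Step 7: Audience must equal the Entity ID entered on both sides.
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_entity_id not in audiences:
        problems.append(f"Audience {audiences} does not contain Entity ID {expected_entity_id}")

    # Step 5: the three attribute claims must be present.
    names = {a.get("Name") for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for claim in REQUIRED_CLAIMS:
        if CLAIM_BASE + claim not in names:
            problems.append(f"missing claim {CLAIM_BASE}{claim}")
    return problems


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, "https://us-west1.ironwifi.com/api/signin/saml2"))
```

Running it with the Entity ID of a different region reports the Audience mismatch, which is the same condition that produces the SAML Response Error above when the Identifier in Azure and the IronWiFi provider do not match exactly.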

OAuth Errors

Redirect URI Mismatch:

  • Verify the redirect URI in Azure matches your IronWiFi region exactly
  • Common URIs: https://us-west1.ironwifi.com/api/signin/azure
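The mismatch error is about an exact string comparison on the authorization server, not a "close enough" match. The added Python example below (not IronWiFi or Microsoft code) builds the authorization request the captive portal starts with the delegated scopes from Step 4 of the OAuth section, and then explains why a candidate redirect URI would be rejected against the three region URIs registered in Step 1. Tenant and client IDs are placeholders; the function names are this example's own.

```python
"""Authorization request construction and exact redirect-URI matching.
Added example, not IronWiFi code; IDs are placeholders."""
import secrets
from urllib.parse import urlencode, urlsplit

# Redirect URIs from the OAuth setup, keyed by IronWiFi region.
REDIRECT_URIS = {
    "us-west1": "https://us-west1.ironwifi.com/api/signin/azure",
    "europe-west2": "https://europe-west2.ironwifi.com/api/signin/azure",
    "global": "https://splash.ironwifi.com/api/signin/azure",
}
# Delegated Microsoft Graph permissions from Step 4.
SCOPES = ("openid", "profile", "email", "User.Read")


def build_authorize_url(tenant_id, client_id, region, state=None):
    """Authorization-code request against the tenant's v2.0 authorize endpoint.
    state is a random value the portal must compare on the callback (CSRF protection)."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": REDIRECT_URIS[region],
        "scope": " ".join(SCOPES),
        "state": state or secrets.token_urlsafe(16),
    }
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize?" + urlencode(params)


def diagnose_redirect_uri(candidate, registered=tuple(REDIRECT_URIS.values())):
    """Return 'ok' on an exact, case-sensitive match with a registered URI,
    otherwise the first reason the authorization server would reject it."""
    if candidate in registered:
        return "ok"
    parts = urlsplit(candidate)
    hosts = {urlsplit(r).netloc for r in registered}
    if parts.scheme != "https":
        return f"scheme {parts.scheme!r} is not https"
    if parts.netloc not in hosts:
        return f"host {parts.netloc!r} is not a registered IronWiFi region host"
    if parts.path != "/api/signin/azure":
        return f"path {parts.path!r} differs (check for a trailing slash or typo)"
    return "query string or fragment differs from the registered URI"


if __name__ == "__main__":
    print(build_authorize_url("TENANT-ID-PLACEHOLDER", "CLIENT-ID-PLACEHOLDER", "us-west1"))
    for uri in ("https://us-west1.ironwifi.com/api/signin/azure",
                "https://us-west1.ironwifi.com/api/signin/azure/",
                "http://us-west1.ironwifi.com/api/signin/azure"):
        print(uri, "->", diagnose_redirect_uri(uri))
```

The trailing-slash and http cases are the ones that most often look correct in the portal and still fail; comparing the literal string, as the diagnosis does, is the quickest way to spot them.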

Invalid Client Secret:

  • Client secrets expire - check expiration date in Azure
  • Create a new secret and update IronWiFi configuration

Permission Denied:

  • Ensure User.Read permission is granted
  • Click "Grant admin consent" in Azure if required

Connector/Sync Issues

Authorization Failed:

  • Verify redirect URI is set to https://console.ironwifi.com/api/oauth2callback
  • Check you're signing in with an admin account
  • Try removing and re-adding the connector

Permission Denied:

  • Verify Directory.Read.All permission is granted
  • Ensure admin consent was granted (green checkmark in Azure)
  • Re-consent by clicking "Grant admin consent"

No Users Syncing:

  • Verify group selection in connector settings
  • Check that selected groups have members
  • Review connector logs in IronWiFi Console

Client Secret Expired:

  • Create a new client secret in Azure
  • Update the secret in IronWiFi connector settings
  • Set a calendar reminder for future expiration
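Both the OAuth provider and the connector depend on a client secret with a fixed expiry, so a calendar reminder is the minimum; a periodic check is better. The added Python example below (not IronWiFi code) flags secrets that are expired or close to expiry from the passwordCredentials list that Microsoft Graph returns for app registrations. The payload is constructed in that shape and the clock is fixed so the output is deterministic; in real use the list would come from an authenticated Graph query for the applications of interest.

```python
"""Flag client secrets that are expired or expire within a warning window.
Added example, not IronWiFi code; the applications list is constructed."""
from datetime import datetime, timezone

WARN_DAYS = 30


def expiring_secrets(applications, now, warn_days=WARN_DAYS):
    """Return (app name, secret description, days left) for every secret that has
    expired or expires within warn_days; days left is negative once expired."""
    hits = []
    for app in applications:
        for cred in app.get("passwordCredentials", []):
            # Graph returns ISO 8601 with a trailing Z; make it an aware datetime.
            end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
            days_left = (end - now).days
            if days_left <= warn_days:
                hits.append((app["displayName"], cred.get("displayName", "(unnamed)"), days_left))
    return sorted(hits, key=lambda hit: hit[2])  # most urgent first


# Constructed sample in the shape of the Graph applications resource (displayName, passwordCredentials).
SAMPLE_APPS = [
    {"displayName": "IronWiFi OAuth", "passwordCredentials": [
        {"displayName": "IronWiFi OAuth", "endDateTime": "2025-01-15T00:00:00Z"}]},
    {"displayName": "IronWiFi RADIUS Connector", "passwordCredentials": [
        {"displayName": "connector 2023", "endDateTime": "2024-12-01T00:00:00Z"},
        {"displayName": "connector 2024", "endDateTime": "2026-12-01T00:00:00Z"}]},
]
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock for a reproducible demo

if __name__ == "__main__":
    for app_name, secret_name, days in expiring_secrets(SAMPLE_APPS, NOW):
        status = "EXPIRED" if days < 0 else f"{days} days left"
        print(f"{app_name}: {secret_name}: {status}")
```

An expired secret shows up in IronWiFi as the Invalid Client Secret and Authorization Failed symptoms above, so running this check ahead of the expiry date avoids an outage of captive-portal login or user sync.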

Best Practices

  1. Use groups - Manage access via Entra ID security groups
  2. Enable auto-sync - Keep users current with scheduled sync
  3. Monitor sign-ins - Review Entra ID sign-in logs regularly
  4. Test thoroughly - Verify with test users before rollout
  5. Track secret expiration - Set calendar reminders for client secret renewal
  6. Use OAuth for simplicity - SAML for enterprise features, OAuth for quick setup
  7. Enable Conditional Access - Add MFA for sensitive networks
  8. Document configuration - Record settings for compliance and disaster recovery
