Microsoft Entra ID Connector
Looking for captive portal integration with Microsoft Entra ID? See Microsoft Entra ID Integration.
Authenticate WPA-Enterprise WiFi users against Microsoft Entra ID (formerly Azure Active Directory) using PEAP-MSCHAPv2 or EAP-TLS, with support for MFA, Conditional Access, and directory synchronization.
Overview
The Microsoft Entra ID Connector enables:
- Single Sign-On - Users authenticate with Entra ID credentials
- Directory Sync - Import users and groups from Entra ID
- Conditional Access - Apply Entra ID policies to WiFi
- MFA Integration - Multi-factor authentication support
Authentication Methods
PEAP-MSCHAPv2
Password-based authentication:
- Users enter Entra ID username/password
- Compatible with all devices
- Requires password hash sync or pass-through auth
EAP-TLS
Certificate-based authentication:
- Uses certificates provisioned via Intune
- Highest security
- No password required
Prerequisites
- Microsoft Entra ID tenant
- IronWiFi account
- Entra ID Premium for advanced features (optional)
Entra ID Configuration
Step 1: Get Tenant ID
- Sign in to Azure Portal
- Navigate to Microsoft Entra ID > Overview
- Copy the Tenant ID (also called Directory ID)
Step 2: Register Application
- Go to Microsoft Entra ID > App registrations
- Click New registration
- Configure:
- Name: IronWiFi RADIUS Connector
- Supported account types: Accounts in this organizational directory only (Single tenant)
- Redirect URI: Select Web and enter:
https://console.ironwifi.com/api/oauth2callback (for the EU region: https://console-eu.ironwifi.com/api/oauth2callback)
- Click Register
- Copy the Application (client) ID from the Overview page
Step 3: API Permissions
- Go to API permissions
- Click Add a permission
- Select Microsoft Graph > Application permissions
- Add permission: Directory.Read.All
- Click Add permissions
- Click Grant admin consent for [your organization]
- Verify the status shows "Granted"
Step 4: Create Client Secret
- Go to Certificates & secrets
- Click New client secret
- Set description: "IronWiFi Connector"
- Set expiry: 24 months (recommended) or longer
- Click Add
- Immediately copy the secret value (it won't be shown again)
Step 5: Record Configuration Details
You should now have these three values:
- Tenant ID: From Step 1
- Application (client) ID: From Step 2
- Client Secret: From Step 4
IronWiFi Configuration
Step 1: Create Connector
- Log in to IronWiFi Console
- Navigate to Users > Connectors
- Click New Connector
- Select Microsoft Entra ID (Azure AD)
Step 2: Enter Configuration
Enter the values from Azure:
- Name: Microsoft Entra ID (or your preferred name)
- Tenant ID: Your Tenant ID
- Application ID: Your Application (client) ID
- Client Secret: Your secret value
Step 3: Authorize Connection
- Click Authorize or Connect
- You'll be redirected to Microsoft login
- Sign in with a Microsoft Entra ID admin account
- Review and accept the permission request
- You'll be redirected back to IronWiFi Console
- Verify the connector shows "Connected" status
Step 4: Select Groups to Sync
- After successful authorization, click Configure or Edit
- Select which groups to import users from
- Configure sync options:
- Sync all users or specific groups only
- Include/exclude disabled accounts
- Set sync frequency (hourly, daily, etc.)
- Click Save
Step 5: Configure Authentication Method
Select how synced users will authenticate:
| Method | Use Case | Requirements |
|---|---|---|
| Generated Passwords | IronWiFi creates unique passwords per user | PEAP-MSCHAPv2 on clients |
| Client Certificates | Certificate-based authentication | EAP-TLS, SCEP/Intune integration |
| Azure Credentials (TTLS-PAP) | Users enter their Entra ID password | TTLS-PAP support, IronWiFi AD Bridge |
| PEAP-MSCHAPv2 with AD Bridge | Native password authentication | IronWiFi AD Bridge agent deployed |
AD Bridge is an IronWiFi agent that enables real-time password verification against Microsoft Entra ID without storing password hashes. Contact IronWiFi support for AD Bridge setup instructions.
Step 6: User Mapping
Configure how Microsoft Entra ID users map to IronWiFi:
- Username format: user@domain.com (UPN) or domain\user (legacy)
- Group mapping: Map Entra ID security groups to IronWiFi groups
- Attribute mapping: Map custom attributes for RADIUS responses
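To make the sync options from Step 4 (group filter, disabled accounts) and the username formats from Step 6 concrete, here is an added Python example that is not IronWiFi's or Microsoft's code. It builds the client-credentials token request the app registration and secret would be used for, and runs a filter-and-map pass over constructed Graph user and group objects. The placeholder tenant/client/secret values, the way the legacy short domain is derived from the UPN, and the sample data are all assumptions.

```python
"""Added example (not IronWiFi's or Microsoft's code): a minimal directory-sync
pass of the kind a connector with Directory.Read.All performs.
Graph responses below are constructed samples, not real tenant data."""
import json
from urllib.parse import urlencode

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def build_token_request(tenant_id, client_id, client_secret):
    """Client-credentials request for an app-only Graph token (the app
    registration from Step 2 plus the secret from Step 4).
    Returns (url, form_body) without sending anything."""
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
        "grant_type": "client_credentials",
    })
    return TOKEN_URL.format(tenant=tenant_id), body


def format_username(upn, style="upn"):
    """Step 6 username formats: UPN (user@domain.com) or legacy domain\\user."""
    local, _, domain = upn.partition("@")
    if style == "upn":
        return upn
    if style == "legacy":
        # Assumption: the legacy short domain is the first label of the UPN domain
        return f"{domain.split('.')[0].upper()}\\{local}"
    raise ValueError(f"unknown username style: {style}")


def sync_users(users, group_members, selected_groups, include_disabled=False, style="upn"):
    """Filter Graph user objects by selected groups and accountEnabled, then map
    them to IronWiFi-style records. `users` is the value[] of GET /users
    (id, userPrincipalName, accountEnabled); `group_members` maps a group id
    to the set of member user ids (from GET /groups/{id}/members)."""
    allowed_ids = set()
    for gid in selected_groups:
        allowed_ids |= group_members.get(gid, set())
    records = []
    for u in users:
        if u["id"] not in allowed_ids:
            continue  # not in any selected group
        if not u.get("accountEnabled", False) and not include_disabled:
            continue  # "exclude disabled accounts" sync option
        records.append({
            "username": format_username(u["userPrincipalName"], style),
            "enabled": u["accountEnabled"],
            "groups": sorted(g for g in selected_groups
                             if u["id"] in group_members.get(g, set())),
        })
    return records


# Constructed sample data shaped like Graph responses (not real tenant data)
SAMPLE_USERS = [
    {"id": "u1", "userPrincipalName": "alice@contoso.onmicrosoft.com", "accountEnabled": True},
    {"id": "u2", "userPrincipalName": "bob@contoso.onmicrosoft.com", "accountEnabled": False},
    {"id": "u3", "userPrincipalName": "carol@contoso.onmicrosoft.com", "accountEnabled": True},
]
SAMPLE_GROUP_MEMBERS = {
    "g-wifi-staff": {"u1", "u2"},
    "g-wifi-contractors": {"u3"},
}

if __name__ == "__main__":
    url, body = build_token_request("TENANT-ID-PLACEHOLDER", "CLIENT-ID-PLACEHOLDER",
                                    "CLIENT-SECRET-PLACEHOLDER")
    print(url)
    print(json.dumps(sync_users(SAMPLE_USERS, SAMPLE_GROUP_MEMBERS, ["g-wifi-staff"]), indent=2))
```

The secret only ever travels in the token request body; nothing in the sync pass stores or derives password material, which is the property the Generated Passwords and AD Bridge methods in Step 5 preserve in different ways.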
PEAP-MSCHAPv2 Setup
Prerequisites
- Password hash synchronization enabled in Microsoft Entra Connect
- Or pass-through authentication configured
Enable in IronWiFi
- In your Network settings, enable PEAP-MSCHAPv2
- Select Microsoft Entra ID Connector as identity source
- Configure RADIUS attributes
Client Configuration
Configure clients to use:
- EAP Method: PEAP
- Inner Method: MSCHAPv2
- Identity: user@yourdomain.onmicrosoft.com
See Windows - EAP-PEAP for detailed setup.
EAP-TLS Setup
Prerequisites
- Microsoft Intune
- SCEP configured in IronWiFi
- Microsoft Entra ID P1/P2 (for Intune)
Certificate Deployment
- Configure SCEP with Intune
- Deploy certificates via Intune
- Clients authenticate using certificates
Conditional Access Integration
Configure Conditional Access
In Microsoft Entra ID:
- Go to Security > Conditional Access
- Create new policy
- Assign to users/groups
- Configure conditions (location, device, risk)
- Set grant controls (MFA, compliant device)
IronWiFi Integration
Conditional Access applies when:
- User authenticates to WiFi
- Microsoft Entra ID evaluates policies
- Access granted or denied based on policy
Multi-Factor Authentication
Enable MFA
- In Microsoft Entra ID, configure MFA settings
- Enable for users/groups
- Choose verification methods
WiFi with MFA
For PEAP-MSCHAPv2:
- MFA is checked during initial auth
- App-based MFA (Microsoft Authenticator recommended)
For EAP-TLS:
- Certificate serves as strong authentication
- Additional MFA may be policy-dependent
User Provisioning
Automatic Sync
IronWiFi can sync users from Microsoft Entra ID:
- Enable User Provisioning in connector settings
- Select groups to sync
- Configure sync schedule
- Users appear in IronWiFi automatically
Group Sync
Map Microsoft Entra ID groups to IronWiFi:
- Security groups
- Microsoft 365 groups
- Dynamic groups
Troubleshooting
Authentication Fails
- Verify user exists in Microsoft Entra ID
- Check password is correct
- Confirm password hash sync is working
- Review Microsoft Entra sign-in logs
"User Not Found"
- Check username format matches Entra ID UPN
- Verify user is synced to IronWiFi
- Check group membership if filtered
MFA Prompts Not Working
- Verify MFA is enabled for user
- Check Conditional Access policies
- Some EAP methods don't support interactive MFA
Sync Errors
- Verify Microsoft Entra ID permissions
- Check client secret hasn't expired
- Review connector logs in IronWiFi
Client Secret Expired
If sync stops working after the secret expires:
- Go to Azure > App registrations > Your app > Certificates & secrets
- Create a new client secret
- In IronWiFi Console, update the connector with the new secret
- Set a calendar reminder for future expiration
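A calendar reminder is the manual version of this check; as an added example (not IronWiFi's code), the Python below reads the passwordCredentials list of a Graph application object (the shape returned by GET /applications/{id}) and flags secrets that are expired or about to expire, so the rotation in the steps above can happen before sync stops. The application object, the 30-day warning window and the function names are assumptions.

```python
"""Added example (not IronWiFi's or Microsoft's code): flag client secrets on the
connector's app registration before they expire. Operates on the
passwordCredentials list of a Graph application object; the object below is a
constructed sample, not a real app registration."""
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like a Graph application object (not a real app)
SAMPLE_APP = {
    "displayName": "IronWiFi RADIUS Connector",
    "passwordCredentials": [
        {"displayName": "IronWiFi Connector", "endDateTime": "2024-01-15T00:00:00Z"},
        {"displayName": "IronWiFi Connector (rotated)", "endDateTime": "2026-01-15T00:00:00Z"},
    ],
}


def parse_graph_time(value):
    """Graph returns ISO 8601 timestamps with a trailing Z; make them timezone-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def secret_status(app, now, warn_days=30):
    """Classify each client secret as 'expired', 'expiring' (within warn_days)
    or 'ok' and report the days remaining. Returns a list of dicts."""
    out = []
    for cred in app.get("passwordCredentials", []):
        end = parse_graph_time(cred["endDateTime"])
        remaining = (end - now).days
        if end <= now:
            state = "expired"
        elif end - now <= timedelta(days=warn_days):
            state = "expiring"
        else:
            state = "ok"
        out.append({"name": cred.get("displayName", ""), "days_left": remaining, "state": state})
    return out


def needs_rotation(app, now, warn_days=30):
    """True when no secret is comfortably valid, i.e. authorization and sync
    will fail (or soon will) until a new secret is created and entered in the
    IronWiFi Console."""
    return all(s["state"] != "ok" for s in secret_status(app, now, warn_days))


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for s in secret_status(SAMPLE_APP, now):
        print(f"{s['name']:<35} {s['state']:<9} {s['days_left']:>5} days")
    print("rotate now:", needs_rotation(SAMPLE_APP, now))
```

Leaving the old, expired credential in place after rotation is harmless to the connector but clutters future checks; removing it once the new secret is confirmed working keeps the status report meaningful.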
Authorization Failed
- Verify redirect URI is https://console.ironwifi.com/api/oauth2callback
- Check you're signing in with an Entra ID admin account
- Ensure admin consent was granted for Directory.Read.All
- Try removing and re-creating the connector
Microsoft Entra Sign-In Logs
Monitor authentications in Azure:
- Go to Microsoft Entra ID > Sign-in logs
- Filter by application (IronWiFi)
- Review success/failure details
- Check Conditional Access results
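The portal filter above is interactive; for scheduled review, here is an added Python example (not IronWiFi's or Microsoft's code) that triages sign-in entries shaped like Graph auditLogs/signIns records (userPrincipalName, appDisplayName, status.errorCode, conditionalAccessStatus). It filters to the connector app, counts failures per user and Conditional Access blocks, and lists users with repeated failures, which is the signal worth checking before "Authentication Fails" tickets arrive. The app display name, the threshold and the log entries are constructed assumptions.

```python
"""Added example (not IronWiFi's or Microsoft's code): triage Entra sign-in log
entries for the connector app. Entries mirror the Graph auditLogs/signIns
shape; the lines below are constructed, not real log data."""
from collections import Counter

APP_NAME = "IronWiFi RADIUS Connector"  # assumption: the app registration name from Step 2


def _entry(upn, code, reason, ca_status, app=APP_NAME):
    """Build a constructed sign-in record with the fields this example reads."""
    return {"userPrincipalName": upn, "appDisplayName": app,
            "status": {"errorCode": code, "failureReason": reason},
            "conditionalAccessStatus": ca_status}


# Constructed sample: errorCode 0 is success; the non-zero codes are the values
# Entra reports for bad credentials (50126) and a Conditional Access block (53003)
SAMPLE_SIGNINS = [
    _entry("alice@contoso.onmicrosoft.com", 0, "Other.", "success"),
    _entry("bob@contoso.onmicrosoft.com", 50126, "Invalid username or password", "notApplied"),
    _entry("bob@contoso.onmicrosoft.com", 50126, "Invalid username or password", "notApplied"),
    _entry("bob@contoso.onmicrosoft.com", 50126, "Invalid username or password", "notApplied"),
    _entry("carol@contoso.onmicrosoft.com", 53003, "Blocked by Conditional Access", "failure"),
    _entry("dave@contoso.onmicrosoft.com", 50126, "Invalid username or password", "notApplied",
           app="Some Other App"),  # different application; must be excluded
]


def for_app(entries, app_name=APP_NAME):
    """Keep only sign-ins against the connector application."""
    return [e for e in entries if e.get("appDisplayName") == app_name]


def summarize(entries, app_name=APP_NAME):
    """Counts a reviewer wants at a glance: totals, failures by user and reason,
    and how many attempts Conditional Access blocked."""
    app = for_app(entries, app_name)
    failures = [e for e in app if e["status"]["errorCode"] != 0]
    return {
        "total": len(app),
        "failures": len(failures),
        "ca_blocked": sum(1 for e in app if e.get("conditionalAccessStatus") == "failure"),
        "failures_by_user": Counter(e["userPrincipalName"] for e in failures),
        "reasons": Counter(e["status"]["failureReason"] for e in failures),
    }


def repeated_failures(entries, threshold=3, app_name=APP_NAME):
    """Users with at least `threshold` failed sign-ins to the app: candidates for
    a wrong saved WiFi password, a stale synced account, or an attempt worth
    investigating. Returns sorted UPNs."""
    counts = summarize(entries, app_name)["failures_by_user"]
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    s = summarize(SAMPLE_SIGNINS)
    print(f"total={s['total']} failures={s['failures']} ca_blocked={s['ca_blocked']}")
    for reason, n in s["reasons"].most_common():
        print(f"  {n:>3}  {reason}")
    print("repeated failures:", repeated_failures(SAMPLE_SIGNINS))
```

Pulling real entries is a GET against the Graph sign-in log with Directory.Read.All plus AuditLog.Read.All; the connector's own registration only has the former, so use a separate reporting identity rather than widening the connector's permissions.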
Best Practices
- Use certificate-based auth when possible (EAP-TLS)
- Enable password hash sync for PEAP fallback
- Implement Conditional Access for security
- Monitor sign-in logs regularly
- Track secret expiration - Set calendar reminders before client secrets expire
- Test with pilot group - Sync a small group first before full deployment
- Document group mappings - Record which Entra ID groups map to which IronWiFi groups
Related Topics
- SCEP with Intune - Certificate provisioning
- Azure Integration - General Azure setup
- EAP-PEAP Configuration
- EAP-TLS Configuration