Microsoft Entra

Overview

This integration is designed to manage named locations in Microsoft Azure Conditional Access policies via the Microsoft Graph API. It allows users to add, delete, or flush named locations related to specific IP addresses. This integration with knocknoc enables IP whitelisting within Microsoft 365. An example of a user's experience can be found below:

1. User attempts to access Microsoft 365 services:

   

2. User must authenticate with knocknoc and will see their granted ACL on the right hand side:
   

   

    

3. User can now access Microsoft 365 services:
   

   

Prerequisites

Before running this script, ensure that you have the following prerequisites installed and configured:

• Powershell - Install PowerShell on your system. For Debian, follow these steps:

  # Update the list of packages
  sudo apt-get update
  
  # Install pre-requisite packages.
  sudo apt-get install -y wget
  
  # Download the PowerShell package file
  wget https://github.com/PowerShell/PowerShell/releases/download/v7.4.3/powershell_7.4.3-1.deb_amd64.deb
  
  ###################################
  # Install the PowerShell package
  sudo dpkg -i powershell_7.4.3-1.deb_amd64.deb
  
  # Resolve missing dependencies and finish the install (if necessary)
  sudo apt-get install -f
  
  # Delete the downloaded package file
  rm powershell_7.4.3-1.deb_amd64.deb

• Azure Enterprise Application: An enterprise application must be created to allow knocknoc to authenticate and change conditional access policies and named locations. Create an enterprise application, create a client secret, and copy the application's client id, azure tenant id and secret. You'll need these later.
  
  

• Microsoft Graph API Permissions: Ensure that the application has the necessary permissions to access the Microsoft Graph API, particularly for managing conditional access policies and named locations. These can be found below:
  

  
  

  
  

  API Name	Claim value	Permission	Type	Granted through	Granted by

  Microsoft Graph
  Microsoft Graph	User.Read	Sign in and read user profile	Delegated	Admin consent	An administrator
  Microsoft Graph	Policy.ReadWrite.IdentityProtection	Read and write your organization’s identity protection policy	Application	Admin consent	An administrator
  Microsoft Graph	Policy.ReadWrite.FedTokenValidation	Read and write your organization's federated token validation policy	Application	Admin consent	An administrator
  Microsoft Graph	Policy.Read.ConditionalAccess	Read your organization's conditional access policies	Application	Admin consent	An administrator
  Microsoft Graph	Policy.ReadWrite.PermissionGrant	Manage consent and permission grant policies	Application	Admin consent	An administrator
  Microsoft Graph	Policy.ReadWrite.ConditionalAccess	Read and write your organization's conditional access policies	Application	Admin consent	An administrator
  Microsoft Graph	Policy.ReadWrite.AuthenticationMethod	Read and write all authentication method policies	Application	Admin consent	An administrator
  Microsoft Graph	Policy.Read.PermissionGrant	Read consent and permission grant policies	Application	Admin consent	An administrator
  Microsoft Graph	Policy.ReadWrite.AuthenticationFlows	Read and write authentication flow policies	Application	Admin consent	An administrator
  Microsoft Graph	Policy.ReadWrite.ApplicationConfiguration	Read and write your organization's application configuration policies	Application	Admin consent	An administrator
  Microsoft Graph	Application.ReadWrite.All	Read and write all applications	Application	Admin consent	An administrator
  Microsoft Graph	Policy.ReadWrite.ConsentRequest	Read and write your organization's consent request policy	Application	Admin consent	An administrator
  Microsoft Graph	Policy.ReadWrite.ExternalIdentities	Read and write your organization's external identities policy	Application	Admin consent	An administrator
  Microsoft Graph	Policy.ReadWrite.SecurityDefaults	Read and write your organization's security defaults policy	Application	Admin consent	An administrator
  Microsoft Graph	Policy.Read.All	Read your organization's policies	Application	Admin consent	An administrator
  Microsoft Graph	Policy.ReadWrite.CrossTenantAccess	Read and write your organization's cross tenant access policies	Application	Admin consent	An administrator
  Microsoft Graph	Application.Read.All	Read all applications	Application	Admin consent	An administrator
  Microsoft Graph	Policy.ReadWrite.Authorization	Read and write your organization's authorization policy	Application	Admin consent	An administrator
  Microsoft Graph	Policy.ReadWrite.FeatureRollout	Read and write feature rollout policies	Application	Admin consent	An administrator
  Microsoft Graph	Policy.Read.IdentityProtection	Read your organization’s identity protection policy	Application	Admin consent	An administrator
  Microsoft Graph	Policy.ReadWrite.TrustFramework	Read and write your organization's trust framework policies	Application	Admin consent	An administrator
  Microsoft Graph	Policy.ReadWrite.AccessReview	Read and write your organization's directory access review default policy	Application	A	An administrator

• Conditional Access Policy/Policies: Knocknoc needs to be able to distinguish between policies it can amend and policies it cannot. Therefore, knocknoc looks for a prepending "knocknoc_" ahead of the name of the ACL.  For example, a conditional access policy might be named "knocknoc_financedepartment" with specific rules around applications and services that group can access. These must be created PRIOR to configuring anything in the knocknoc admin portal. 
  
  

• Credentials File: Ensure that a credentials file is present at /opt/knocknoc-agent/etc/entra-credentials.sh with the following content:

   

  entra_clientid=""
  entra_tenantid=""
  entra_clientsecret=""

  You will need to input the necessary ClientID for your  Azure Enterprise Application, your Azure Tenant ID and your application's client secret. 

Admin Portal Configuration