
Getting Started with the Illumio Console

Using MS Entra ID to Add External Groups

You can use Microsoft Entra ID as an OIDC-compliant Identity Provider (IdP) for external groups in your Illumio Console instance. (Note that Azure Active Directory (AD) is now named Microsoft Entra ID.) You can then add the group and its members to Illumio Console. What Illumio Console calls the users of a group, Entra ID calls the members of a group.

First create a new group in the Entra ID application that you have previously created for your Illumio Console instance, add owners and members (users) for the group, and then set some basic configuration values.

Prerequisite: You have an Entra ID account, and have set up an Enterprise application on it to serve as the IdP for your Illumio Console instance.

Add Roles and Groups to an Entra ID Application

Create a role for your Entra ID Enterprise application that maps to a user role in Illumio Console:

  1. Log in to the Entra ID (Azure) account for your Enterprise application.

  2. From Home on the left navigation pane, go to the application page of your enterprise application for Illumio Console.

  3. Under Manage, click App roles.

  4. At the App roles page, click the Create app role link (near the plus sign).

  5. At the Create app role pane, enter:

    1. Display name

    2. For Allowed member types, select Users/Groups

    3. Value

      Remember this value, because this is also entered as the Claim value when adding the external group in Illumio Console.

    4. Description

    Also enable the checkbox for Do you want to enable this app role?

Adding a New External Group and Users in Entra ID

  1. Log in to the Entra ID (Azure) account for your Enterprise application.

  2. Go to the All Groups page: either, in the left navigation pane, follow Access > Users and Groups > Groups > All Groups, or search for "groups" using the search bar and click the "Groups" result with the icon next to it.

  3. Click New Group.

  4. At the New Group page, enter the following:

    1. Group type - Use Security.

    2. Group name

    3. Optional Group description

    4. Owners of the new group by clicking the link:

      1. At the Add Owners page, use Search to find Entra ID users.

      2. Select the checkbox for one or more users to be assigned as an owner of this group.

      3. Click Select when satisfied with the users listed on the far right panel as group owners.

    5. Members of the new group by clicking the link:

      1. At the Add members page, use Search to find Entra ID users.

      2. Select the checkbox for one or more users to be assigned as members of this group.

      3. Click Select when satisfied with the users listed on the far right panel as group members.

    After selecting Owners and selecting Members, click Create.

  5. Go to your Enterprise application for Illumio Console.

  6. In the left navigation pane, under Manage, click Users and groups.

  7. At the Users and groups page, click Add user/group.

  8. At Add Assignment, click Users and groups.

  9. At Users and Groups page, click the Groups tab to see all groups, or use Search to find a specific group, like the one you just added.

  10. Select the checkbox for each group to be assigned to your organization application.

  11. Click Select when satisfied with the group or groups listed on the far right panel.

  12. Click Assign.

    The Users and groups page lists the group or groups you assigned (that is, added) to your application.

  13. At the Users and groups page, click Add user/group.

  14. Search for your group name, and select it.

  15. At the Edit Assignment page, click Select a role.

  16. In the Select a role pane, click the app role you created earlier, and click Select.

    At the Users and groups page for your application, the new group is listed as a Group object type, and has the role you just assigned to it. Users in this group will inherit access to this OIDC application.

  17. In the left navigation pane, under Manage click Single sign-on.

  18. In the Attributes & Claims section, click Edit.

  19. On the Manage claim page, add a new claim by entering:

    1. Name: groupNames

    2. Source: Attribute

    3. Source attribute: user.assignedroles
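The groupNames claim is what ties the two halves of this procedure together: its values are the app-role Value strings (from the Create app role pane) assigned to the user's group, and each must match, character for character, the Claim value you later enter in Illumio Console. The following is an added example, not Illumio or Microsoft code, for inspecting an ID token's payload from your own test login and confirming that mapping before you rely on it. It assumes the claim is emitted as a list of role values (a single string is also handled) and uses placeholder role names; the token it builds is constructed locally and unsigned, so this is a configuration check, not signature verification.

```python
import base64
import json

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_unsigned_token(payload: dict) -> str:
    """Build a JWT-shaped string with an empty signature (constructed sample only)."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(payload).encode()), ""])

def payload_of(token: str) -> dict:
    """Decode the payload segment; does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT-shaped token")
    return json.loads(b64url_decode(parts[1]))

def claim_values(token: str, claim_name: str = "groupNames") -> list:
    """Return the app-role Values carried by the claim; missing claim -> []."""
    values = payload_of(token).get(claim_name, [])
    return [values] if isinstance(values, str) else list(values)

def resolve_console_roles(token: str, claim_map: dict) -> list:
    """Map each claim value to the Console role bound to that Claim value.
    Only exact matches count, mirroring the page's 'Value == Claim value' rule."""
    return [claim_map[v] for v in claim_values(token) if v in claim_map]

def unmapped_values(token: str, claim_map: dict) -> list:
    """Claim values present in the token but configured nowhere in the Console:
    the usual cause of a user who logs in but receives no role."""
    return [v for v in claim_values(token) if v not in claim_map]

# Hypothetical mapping of app-role Value -> Console role (placeholder names).
CLAIM_MAP = {"ilo-viewer": "Viewer", "ilo-manager": "Manager"}

if __name__ == "__main__":
    # Constructed payload standing in for a real ID token from a test login.
    tok = make_unsigned_token({"sub": "user1", "groupNames": ["ilo-viewer", "ilo-vewer"]})
    print("roles:", resolve_console_roles(tok, CLAIM_MAP))   # ['Viewer']
    print("unmapped:", unmapped_values(tok, CLAIM_MAP))      # ['ilo-vewer']
```

A non-empty unmapped list points at a typo between the app-role Value and the Claim value; an empty claim usually means the user is not a member of the assigned group or the claim was not added under Attributes & Claims.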

Add Permissions to an Entra ID External Group

  1. Log in to the Entra ID (Azure) account for your Enterprise application.

  2. Click Security > Permissions in the left navigation pane.

  3. At the Permissions page, click Grant admin consent for <your_ilo_org>, where <your_ilo_org> is the name of your Illumio Console organization.

  4. At the sign in prompt, enter your login credentials.

  5. At the Permissions page, click the Application registration link.

  6. At the API permissions page, under the Configured permissions heading you should see a green checkmark next to "Grant admin consent for <your_ilo_org>," which confirms the admin consent was activated.