User group mapping in Microsoft Entra ID

Written by
Yandex Cloud
Updated at April 16, 2025

You can use Microsoft Entra ID (formerly Azure Active Directory) to authenticate users in an organization.

To configure user group mapping in Entra ID and in an identity federation:

  1. Start configuring an application in Azure.
  2. Create a federation in Yandex Cloud Organization.
  3. Add the application's SAML certificate to the federation.
  4. Complete configuring the application.
  5. Configure group mapping on the application side.
  6. Configure group mapping on the federation side.
  7. Test authentication.

Getting started

Make sure you have access to the following services on the Azure portal:

  • Enterprise applications.
  • Microsoft Entra ID.

Start configuring an application in Azure

Microsoft Entra ID, with SAML single sign-on (SSO) configured for the application, acts as the identity provider (IdP). To create an application and begin configuring it:

  1. Go to the Azure portal.

  2. Under Azure services, select Enterprise applications.

  3. On the left-hand panel, select Enterprise applications → All applications.

  4. Click New application.

  5. On the Browse Microsoft Entra gallery page, click Create your own application.

  6. In the window that opens:

    1. Name your app, e.g., yandex-cloud-saml.
    2. Select Integrate any other application you don't find in the gallery.
    3. Click Create.

    You will be taken to your new app's page.

  7. In the left-hand panel, select Single sign-on.

  8. Select SAML.

    The SAML-based sign-on page will open.

  9. Download the certificate Entra ID uses to sign SAML assertions for this application:

    1. Find SAML certificates → Assertion signing certificate.
    2. Use the link in the Certificate (Base64) field to download the certificate.
  10. Save the values you will need later to configure your identity federation:

    1. Find the yandex-cloud-saml configuration section.

      If you chose a different application name, the section has that name instead.

    2. Save the following values:

      • Login URL, in the following format:

        https://login.microsoftonline.com/<tenant_ID>/saml2
        
      • Microsoft Entra Identifier, in the following format:

        https://sts.windows.net/<tenant_ID>/

        Copy it exactly as shown, including the trailing slash: it must match the Issuer value Entra ID places in its SAML messages.
        

Note

You will finish configuring SAML-based sign-on for the application after creating the identity federation.

Do not close the configuration tab in your browser.

Create a Yandex Cloud Organization federation

Cloud Center interface
  1. Go to Yandex Cloud Organization.

  2. In the left-hand panel, select Federations.

  3. Click Create federation in the top-right corner of the page. In the window that opens:

    1. Enter a name for the federation, e.g., demo-federation. It must be unique within the organization.

    2. You can also add a description, if required.

    3. In the Cookie lifetime field, specify how long a user's Yandex Cloud session lasts before the browser asks them to re-authenticate.

    4. In the IdP Issuer field, paste the Microsoft Entra Identifier you saved when configuring the Azure app.

    5. In the Link to the IdP login page field, paste the Login URL you saved when configuring the Azure app.

    6. Enable Automatically create users to automatically add a new user to your organization after authentication. Otherwise, you will need to manually add your federated users.

      A federated user is created automatically only when they log in to a cloud for the first time. If you removed a user from the federation, you can only add them back manually.

    7. (Optional) To make sure that all authentication requests from Yandex Cloud contain a digital signature, enable Sign authentication requests. You will need to install a Yandex Cloud SAML certificate on the IdP side.

      In the SAML certificates block that appears, you will see the information about the current Yandex Cloud SAML certificate.

      Click Download and save the certificate file. You will need to upload it to your IdP later.

      Tip

      Track certificate expiration dates and always install a new certificate before the current one expires. Download the re-issued Yandex Cloud SAML certificate and install it on the IdP side and in your federation well in advance.

      You can download and install a Yandex Cloud certificate even after creating a federation.

      You will need this certificate later when configuring SAML-based sign-on for the Azure app.

    8. Enable Mandatory re-authentication (ForceAuthn) in IdP to set ForceAuthn to true in the SAML authentication request. With it enabled, the IdP asks the user to authenticate again once the Yandex Cloud session expires, instead of silently issuing a fresh assertion from its own still-valid session.

    9. Click Create federation.

Add the Azure app's SAML certificate to the federation

To let Cloud Organization verify the signature Entra ID puts on its SAML messages during authentication, add the application's assertion signing certificate to the federation:

Cloud Center interface
  1. Log in to Yandex Cloud Organization.

  2. In the left-hand panel, select Federations.

  3. Click the row of demo-federation, the federation you want to add the certificate to.

  4. At the bottom of the page, under Certificates, click Add certificate.

  5. Enter a name and a description for the certificate.

  6. In the Method field, select Text and paste the contents of the certificate you downloaded from the Azure app earlier.

  7. Click Add.
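Before pasting the certificate into the federation, it is worth confirming that you have the right file and that it is not about to expire: the Tip above about tracking expiration dates applies to the Entra ID assertion signing certificate just as much as to the Yandex Cloud one. The following Python script is an added example, not code from the Yandex Cloud page or product. It generates a throwaway self-signed certificate with the openssl command-line tool as a stand-in for the Certificate (Base64) download, computes the SHA-256 fingerprint in pure Python so it can be compared with what openssl prints and with the certificate listed on the federation page, and flags a certificate that expires within a chosen number of days. The subject name, validity period and threshold are assumptions.

```python
"""Added example: sanity checks on the Entra ID assertion signing certificate
before it is added to the federation. Uses the openssl CLI for a stand-in cert
and for the expiry date; not code from the Yandex Cloud page."""
import hashlib
import ssl
import subprocess
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def make_stand_in_cert(days=30):
    """Throwaway self-signed PEM certificate valid for `days` days, standing in
    for the Certificate (Base64) file downloaded from the Azure app."""
    with tempfile.TemporaryDirectory() as tmp:
        key, crt = Path(tmp, "key.pem"), Path(tmp, "cert.pem")
        subprocess.run(
            ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
             "-keyout", str(key), "-out", str(crt), "-days", str(days),
             "-subj", "/CN=yandex-cloud-saml stand-in"],   # subject is an assumption
            check=True, capture_output=True)
        return crt.read_text()


def not_after(pem):
    """Expiry time of a PEM certificate, as printed by `openssl x509 -enddate`."""
    out = subprocess.run(["openssl", "x509", "-noout", "-enddate"],
                         input=pem, text=True, check=True, capture_output=True).stdout
    value = out.strip().split("=", 1)[1]          # e.g. "Jun 10 12:00:00 2025 GMT"
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def days_until_expiry(pem, now=None):
    """Whole days left before the certificate stops validating signatures."""
    now = now or datetime.now(timezone.utc)
    return (not_after(pem) - now).days


def sha256_fingerprint(pem):
    """Colon-separated SHA-256 fingerprint of the DER encoding, the same value
    `openssl x509 -fingerprint -sha256` prints. Compare it with the certificate
    listed on the federation page to confirm you pasted the right file."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def openssl_fingerprint(pem):
    """The fingerprint as openssl computes it, for cross-checking the above."""
    out = subprocess.run(["openssl", "x509", "-noout", "-fingerprint", "-sha256"],
                         input=pem, text=True, check=True, capture_output=True).stdout
    return out.strip().split("=", 1)[1]


def check_certificate(pem, min_days=30):
    """Findings for one certificate: `ok` is False when it expires within
    `min_days`, i.e. when a replacement should already be installed."""
    days = days_until_expiry(pem)
    return {"days_left": days, "ok": days >= min_days, "sha256": sha256_fingerprint(pem)}


if __name__ == "__main__":
    pem = make_stand_in_cert(days=30)   # replace with the downloaded file's contents
    print(check_certificate(pem, min_days=60))   # ok is False: 30-day cert, 60-day threshold
```

To check a real download, read the downloaded file into `pem` instead of calling `make_stand_in_cert` and pick a `min_days` that matches how far ahead you rotate certificates; the fingerprint is the quickest way to tell two certificates with the same subject apart.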

Complete the Azure app configuration

  1. Return to the browser tab where you were configuring SAML-based sign-on for the yandex-cloud-saml application.

  2. Specify the redirect URL:

    1. Find the Basic SAML configuration section.

    2. In the section, click Edit.

    3. Enter the same redirect URL in both the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) fields.

      The redirect URL must have the following format:

      https://console.cloud.yandex.ru/federations/<federation_ID>
      
      Entra ID posts assertions only to a Reply URL registered here, so keep this value in sync with the console domain your users sign in to.

      To get the federation ID:
      1. Log in to Yandex Cloud Organization.
      2. In the left-hand panel, select Federations.
      3. Select the required federation and copy the Identifier field value on the federation info page.
    4. Click Save in the right-hand panel.

  3. (Optional) If you enabled Sign authentication requests when creating the federation in Yandex Cloud Organization, add the previously downloaded Yandex Cloud SAML certificate to the application:

    1. Find SAML certificates → Verification certificates (optional) and click Edit.

    2. Enable Require verification certificates.

    3. Click Upload certificate.

    4. Upload the certificate in PEM format.

      If you did not download a SAML certificate when creating the federation, you can download it on the Yandex Cloud Organization federation info page by clicking Download certificate in the Sign authentication requests field.

    5. Click Save in the right-hand panel.

  4. Click Save.

Configure group mapping on the Azure app side

Create a user

  1. Go to the Azure portal.

  2. Under Azure services, select Microsoft Entra ID.

  3. In the left-hand panel, select Users → All users.

  4. Click New user. Select Create new user from the drop-down menu.

  5. Go to the Basics tab.

  6. In the User principal name field, enter a name for the user (e.g., az_demo_user) in combination with the domain (e.g., example.com).

  7. In the Mail nickname field, specify the mail alias. By default, it is derived from the user principal name.

    You may specify a different nickname:

    1. Uncheck Derive from user principal name.
    2. Enter the mail nickname you prefer.

    For example, you can use ivan_ivanov for the az_demo_user@example.com user.

  8. In the Display name field, enter a display name for the user that will appear in the interface, e.g., Ivan Ivanov.

  9. In the Password field, provide the password the user will use for the first login. By default, the password is generated automatically.

    You can specify the password manually:

    1. Uncheck Auto-generate password.
    2. Enter the password you prefer.
  10. Make sure the Account enabled option is checked on the Basics tab.

  11. Click Review + create, then Create.

Create a group and add a user to it

  1. Go to the Azure portal.

  2. Under Azure services, select Microsoft Entra ID.

  3. Create a group:

    1. In the left-hand panel, select Groups → All groups.
    2. Click Create group.
    3. From the Group type drop-down list, select Security group.
    4. In the Group name field, enter a name for your group, e.g., az_demo_group.
    5. Under Members, click the No members selected link.
    6. In the window that opens, check the az_demo_user@example.com user and click Select.
    7. Click Create.
  4. Get the ID of the group you created:

    1. In the left-hand panel, select Groups → All groups.

    2. Find az_demo_group in the list and copy its ID from the Object ID column.

      The ID has the following format: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.

Configure access permissions for your group

Assign the application to the new group so that its members are allowed to sign in through it:

  1. Go to the Azure portal.
  2. Under Azure services, select Enterprise applications.
  3. On the left-hand panel, select Enterprise applications → All applications.
  4. Select the yandex-cloud-saml application you created earlier.
  5. On the left-hand panel, select Users and groups.
  6. Click Add user or group.
  7. In the Groups field, click None selected.
  8. In the window that opens, check the az_demo_group group and click Select.
  9. Click Assign.
  10. Click Save.

Configure group mapping

  1. Go to the Azure portal.

  2. Under Azure services, select Enterprise applications.

  3. On the left-hand panel, select Enterprise applications → All applications.

  4. Select the yandex-cloud-saml application you created earlier.

  5. In the left-hand panel, select Single sign-on.

  6. Find the Attributes and claims section and click Edit. Here you configure the claims the application receives.

  7. Click Add a group claim.

  8. Under Which groups associated with the user should be returned in the claim?, select Security groups.

  9. Select Group ID from the Source attribute drop-down list.

  10. Expand the Advanced options section and make the following changes:

    1. Enable Change the name of the group claim.
    2. In the Name (optional) field, enter member.
  11. Click Save in the right-hand panel.

  12. Click Save.

Configure group mapping on the federation side

Cloud Center interface

  1. Log in to Yandex Cloud Organization.

  2. Create a user group named yc-demo-group in Cloud Organization and assign it the viewer role for the cloud or for a separate folder, so that its members can view resources there.

  3. In the left-hand panel, select Federations.

  4. Select the demo-federation federation you created earlier and open the IdP group tab.

  5. Enable Mapping group in IdP.

  6. Click Add group.

  7. In the Group name field, enter the az_demo_group ID you got in Entra ID earlier.

    Warning

    You selected Group ID as the source attribute when configuring group mapping on the Azure side, so enter the group's object ID here, not its display name. Mapping by object ID is also the safer choice: the ID is immutable and unique, whereas display names are not unique and can be changed.

  8. In the IAM group field, select the yc-demo-group group you created in Yandex Cloud Organization from the list.

  9. Click Save.

Terraform

  1. Describe the properties of the new resources in the Terraform configuration file:

    # Creating a user group in the organization
    resource "yandex_organizationmanager_group" "my-group" {
      name            = "yc-demo-group"
      organization_id = "<organization_ID>"
    }
    
    # Assigning the viewer role for a folder to the group
    resource "yandex_resourcemanager_folder_iam_member" "viewers" {
      folder_id = "<folder_ID>"
      role      = "viewer"
      member    = "group:${yandex_organizationmanager_group.my-group.id}"
    }
    
    # Enabling federated user group mapping for the federation
    resource "yandex_organizationmanager_group_mapping" "my_group_map" {
      federation_id = "<federation_ID>"
      enabled       = true
    }
    
    # Mapping the Entra ID group (by object ID) to the IAM group
    resource "yandex_organizationmanager_group_mapping_item" "group_mapping_item" {
      federation_id     = "<federation_ID>"
      internal_group_id = yandex_organizationmanager_group.my-group.id
      external_group_id = "<az_demo_group_ID>"
    
      # Mapping must be enabled before items can be added
      depends_on = [yandex_organizationmanager_group_mapping.my_group_map]
    }
    

    Where:

    • organization_id: ID of the organization to create the group in.

    • folder_id: Folder the role is assigned for.

    • federation_id: ID of demo-federation (the Identifier field on the federation info page), not its name.

    • external_group_id: az_demo_group ID you got in Entra ID earlier.

      Warning

      You selected Group ID as the source attribute when configuring group mapping on the Azure side.

      Therefore, enter the group's object ID, not its display name.

    For more information, see yandex_organizationmanager_group_mapping and yandex_organizationmanager_group_mapping_item in the Terraform provider documentation.

  2. Create the resources:

    1. In the terminal, change to the directory containing the configuration file.

    2. Make sure the configuration file is correct using the command:

      terraform validate
      

      If the configuration is correct, the following message is returned:

      Success! The configuration is valid.
      
    3. Run the command:

      terraform plan
      

      The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

    4. Apply the configuration changes:

      terraform apply
      
    5. Confirm the changes: type yes in the terminal and press Enter.
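To see what the two halves of the mapping configured above (the `member` group claim on the Azure side and the group mapping items on the federation side) amount to at login time, here is an added Python example. It is not code from the Yandex Cloud page and not how the Yandex Cloud service is implemented. It builds a constructed SAML response in the shape Entra ID emits once the group claim is renamed to `member` with Group ID as the source attribute, applies the checks a service provider derives from the values you configured (IdP Issuer, assertion consumer URL and audience, validity window) and then translates the group object IDs into IAM groups through a mapping table; group IDs with no mapping item are ignored. The tenant ID, federation ID, group IDs, user and timestamps are placeholders. The XML signature check, which must succeed against the certificate added to the federation before any of this is trusted, is left out.

```python
"""Added example: service-provider-side checks and group mapping for the
`member` claim Entra ID emits. Constructed sample data; not Yandex Cloud code."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values copied from the app and federation configuration (placeholders).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
IDP_ISSUER = f"https://sts.windows.net/{TENANT_ID}/"                      # IdP Issuer field
FEDERATION_ID = "bpfexample0000000000"
ACS_URL = f"https://console.cloud.yandex.ru/federations/{FEDERATION_ID}"  # Entity ID and Reply URL

# Federation-side mapping items: Entra group object ID -> IAM group name.
GROUP_MAPPING = {
    "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee": "yc-demo-group",   # az_demo_group
}

# Constructed response in the shape Entra ID posts to the Reply URL after the
# group claim is renamed to `member` with Group ID as the source attribute.
# The XML signature is omitted; verify it against the federation certificate first.
SAMPLE_RESPONSE = f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}" xmlns:saml2="{NS['saml2']}"
    Destination="{ACS_URL}" Version="2.0">
  <saml2:Issuer>{IDP_ISSUER}</saml2:Issuer>
  <saml2:Assertion Version="2.0">
    <saml2:Issuer>{IDP_ISSUER}</saml2:Issuer>
    <saml2:Subject><saml2:NameID>az_demo_user@example.com</saml2:NameID></saml2:Subject>
    <saml2:Conditions NotBefore="2025-04-16T10:00:00Z" NotOnOrAfter="2025-04-16T11:00:00Z">
      <saml2:AudienceRestriction><saml2:Audience>{ACS_URL}</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="member">
        <saml2:AttributeValue>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</saml2:AttributeValue>
        <saml2:AttributeValue>ffffffff-0000-1111-2222-333333333333</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""

DEMO_NOW = datetime(2025, 4, 16, 10, 30, tzinfo=timezone.utc)    # inside the validity window
DEMO_LATER = datetime(2025, 4, 16, 11, 0, tzinfo=timezone.utc)   # NotOnOrAfter reached


def _ts(value):
    """SAML timestamps are UTC ISO 8601 with a Z suffix."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text, now, idp_issuer=IDP_ISSUER, acs_url=ACS_URL):
    """Return (name_id, group_ids) or raise ValueError.

    These are the checks a federation derives from its IdP Issuer and
    federation ID settings: issuer, destination, audience and validity window."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    for elem in (root, assertion):
        issuer = elem.findtext("saml2:Issuer", namespaces=NS)
        if issuer != idp_issuer:
            raise ValueError(f"unexpected issuer {issuer!r}")
    if root.get("Destination") != acs_url:
        raise ValueError("Destination does not match the assertion consumer URL")
    cond = assertion.find("saml2:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion has no Conditions or is outside its validity window")
    audiences = [a.text for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
    if acs_url not in audiences:
        raise ValueError("federation is not in the AudienceRestriction")
    name_id = assertion.findtext("saml2:Subject/saml2:NameID", namespaces=NS)
    groups = [v.text.strip() for v in assertion.findall(
        "saml2:AttributeStatement/saml2:Attribute[@Name='member']/saml2:AttributeValue", NS)]
    return name_id, groups


def map_groups(group_ids, mapping=GROUP_MAPPING):
    """Translate Entra object IDs into IAM groups. IDs with no mapping item are
    dropped: they grant nothing, but they do not fail the login."""
    return sorted({mapping[g] for g in group_ids if g in mapping})


if __name__ == "__main__":
    user, ids = validate_assertion(SAMPLE_RESPONSE, DEMO_NOW)
    print(user, "->", map_groups(ids))   # az_demo_user@example.com -> ['yc-demo-group']
```

The same shape applies to any SAML IdP in this tutorial series: only the issuer format and the claim name change. The second group ID in the sample has no mapping item, which is how an Entra group that is not meant to confer Yandex Cloud access stays inert even though Entra ID sends it.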

Test authentication

  1. Open your browser in guest or private browsing mode.

  2. Use this URL to log in to the management console:

    https://console.cloud.yandex.com/federations/<federation_ID>
    
    How to get the federation ID
    1. Log in to Yandex Cloud Organization.
    2. In the left-hand panel, select Federations.
    3. Select the required federation and copy the Identifier field value on the federation info page.

    If you have set up everything correctly, the browser will redirect you to the authentication page in Entra ID.

  3. Enter the credentials of the az_demo_user@example.com user you created earlier in Entra ID and click Sign in.

    On successful authentication, the IdP server will redirect you to the https://console.cloud.yandex.ru/federations/<federation_ID> URL you specified in the SAML settings for the Azure app and then to the management console home page.

  4. Make sure the signed-in user belongs to yc-demo-group and has viewer permissions for the resources, according to the role assigned to the group.

Yandex project
© 2025 Yandex.Cloud LLC