Entra connection
EntryPoint can use Microsoft Entra ID as the backend identity store for 802.1X. The connection lets EntryPoint resolve a user’s group membership and identity on every authentication, and — where Microsoft Intune is in use — check the device’s compliance state before granting access.
The Entra connection is required for the EAP-TLS variants and optional for EAP-PEAP, where it allows PEAP groups to be backed by Entra membership rather than managed entirely by hand.
Application registration
Section titled “Application registration”EntryPoint authenticates to Microsoft Graph through an application registration created in the organization’s Entra tenant. Three values from that registration are held on the context:
| Value | Source |
|---|---|
| Directory (tenant) ID | The Entra tenant |
| Application (client) ID | The app registration |
| Client secret | Generated during the app registration |
The context shows the connection’s health in a status panel, so administrators can confirm that identity synchronisation is working.
API permissions
Section titled “API permissions”The registered application is granted the Microsoft Graph permissions EntryPoint needs to read identities and group membership, with administrator consent:
- Group.Read.All — to retrieve group memberships.
- User.Read.All — to read user identity information.
Device compliance (Intune)
Section titled “Device compliance (Intune)”Device compliance is an optional layer on top of the Entra connection. When Device Compliance Check is enabled on the context, every EAP-TLS authentication — whether it uses a user or a device certificate — triggers an additional Entra lookup after the certificate and group match succeed:
- Compliant → the authentication proceeds and the group’s network policy is returned.
- Not compliant → the authentication is rejected, even when everything else would have allowed it.
Compliance state comes from Microsoft Intune, so devices must meet the organization’s Intune policy (for example OS version, patch level, and encryption) to pass.
Related sections
Section titled “Related sections”- Certificates & PKI: the certificates EAP-TLS validates.
- EAP-TLS with Entra: the variant built on this connection.
- EAP-TLS — Device certificate: device-named certificates, optionally with Entra and Intune.