This article explains how to configure Microsoft Entra ID as a NAC (Network Access Control) provider for authenticating your employees in Cloudi-Fi Cloud NAC.
1. Create an Application in Microsoft Entra ID
In the Azure portal, navigate to: Azure Services > App registrations > New registration.
Name the application (e.g., Cloudi-Fi 802.1X).
Under “Who can use this application”, choose the option that matches your environment. (In this example: “Accounts in this organizational directory only (Default Directory only – Single tenant)”).
Then click Register.
2. Configure API permissions
Go to Manage > API permissions and add the required permissions.
Delegated permissions
Click Add a permission > Microsoft APIs > Microsoft Graph > Delegated permissions.
Select the following permissions:
Device.Read.All
Directory.Read.All
email
Group.Read.All
GroupMember.Read.All
offline_access
openid
profile
User.Read
Application permissions
Click Add a permission > Microsoft APIs > Microsoft Graph > Application permissions.
Select the following permissions:
AccessReview.Read.All
AccessReview.ReadWrite.All
AccessReview.ReadWrite.Membership
Device.Read.All
Directory.Read.All
Group.Read.All
User.Read.All
3. Create a client secret
Go to Manage > Certificates & secrets > Client secrets.
Click New client secret.
Add a description and set an expiration (e.g., 180 days (6 months)).
Click Add.
Copy the Value and Secret ID immediately — they won’t be shown again.
4. Collect required parameters
From Overview, copy:
Application (client) ID
From Overview > Endpoints, copy:
OAuth 2.0 token endpoint (v2)
You should now have:
Client Secret Value (see 3. Create a client secret)
Secret ID (if needed) (see 3. Create a client secret)
OAuth 2.0 token endpoint (v2) (see 4. Collect required parameters)
Application (client) ID (see 4. Collect required parameters)
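Before entering these values in Cloudi-Fi, you can confirm that the application permissions from step 2 are actually present in an app-only token: Microsoft Entra ID lists them in the token's roles claim only after admin consent has been granted. The following is an added example, not code from Cloudi-Fi or Microsoft. The function names and the global Microsoft Graph scope are assumptions, and the sample token is constructed and unsigned so the audit runs offline.

```python
import base64, json
import urllib.parse, urllib.request

# Application permissions listed in step 2 of this article.
REQUIRED_ROLES = {
    "AccessReview.Read.All", "AccessReview.ReadWrite.All",
    "AccessReview.ReadWrite.Membership", "Device.Read.All",
    "Directory.Read.All", "Group.Read.All", "User.Read.All",
}

def check_endpoint(token_endpoint):
    """Reject anything that is not an HTTPS v2 token endpoint; return the tenant segment."""
    url = urllib.parse.urlparse(token_endpoint)
    parts = url.path.strip("/").split("/")
    if url.scheme != "https" or parts[1:] != ["oauth2", "v2.0", "token"]:
        raise ValueError("expected https://<host>/<tenant>/oauth2/v2.0/token")
    return parts[0]

def fetch_app_token(token_endpoint, client_id, client_secret):
    """Client-credentials request for an app-only Graph token (needs network access)."""
    check_endpoint(token_endpoint)
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # the secret Value from step 3, not the Secret ID
        "scope": "https://graph.microsoft.com/.default",  # assumption: global Graph cloud
    }).encode()
    with urllib.request.urlopen(token_endpoint, data=form, timeout=15) as resp:
        return json.load(resp)["access_token"]

def jwt_claims(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def audit_roles(token, required=REQUIRED_ROLES):
    """Compare the consented application permissions (roles claim) with step 2."""
    granted = set(jwt_claims(token).get("roles", []))
    return {"missing": sorted(required - granted), "unexpected": sorted(granted - required)}

def constructed_token(roles):
    """Build an unsigned sample token so the audit can be shown offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"roles": roles}), ""])

if __name__ == "__main__":
    sample = constructed_token(["Device.Read.All", "Directory.Read.All", "Mail.Read"])
    print(audit_roles(sample))
```

Against a real tenant, pass the result of fetch_app_token() to audit_roles(): a non-empty "missing" list means a permission was not added or not consented, and "unexpected" shows permissions the app holds beyond the ones this article lists.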
5. Set up a new NAC Provider in Cloudi-Fi
In Cloudi-Fi Admin UI, go to Network > NAC Providers > Add NAC Provider.
Select Entra ID and click Next.
Enter:
Name: e.g., EntraID 802.1X
OAuth authorization endpoint: (OAuth 2.0 token endpoint (v2) from 4. Collect required parameters)
Client secret: (Client Secret Value from 3. Create a client secret)
Click Test. If successful, you will see “Test successful”.
Click Next.
6. Configure attribute mapping
In the Mapping section, define which Entra ID attributes will be used by Cloudi-Fi.
Example:
User login: displayName
Full name: givenName
Group name: group.displayName
Click Test. A successful connection will return “Status: success”.
Click Next.
7. Test authentication
Use a valid Entra ID user’s login and password to verify authentication.
If successful, you will see “Status: success”.
Click Save and Done to complete the configuration.
You have now successfully configured Microsoft Entra ID as a NAC provider for Cloudi-Fi Cloud NAC.
8. Activate your provider
Go to Cloudi-Fi Admin UI > Policies > NAC and edit the default rule.
If you want to assign the same Identity Provider to all of your locations, simply select the Identity Provider you previously activated and click Save.
However, if you want to assign different Identity Providers based on locations, you can leave the selection disabled on the default rule and create a dedicated policy.
In this policy, you can set the desired Identity Provider for authentication and specify criteria such as the target location.