Overview

This guide provides instructions for:

• Setting up Beyond Identity as a passwordless authentication solution for a Hybrid Microsoft Entra ID environment

• Configuring Active Directory and Microsoft Entra ID to use Beyond Identity as the Identity Provider

• Setting up the Beyond Identity Admin Console and User Console applications in Microsoft Entra ID

• Configuring SCIM-based provisioning from Microsoft Entra ID to the Beyond Identity Cloud

Prerequisites

Before you begin, ensure you have the following:

1. Active Directory Admin account with Enterprise Administrator privileges to:

   • Configure groups

   • Configure an alternative domain name

2. Microsoft Entra ID Connect Administrator account to:

   • Configure Microsoft Entra ID Connect

3. Entra ID Active Directory Admin account with Entra Global Administrator privileges to:

   • Configure Beyond Identity Admin Console and User Console applications

   • Set up SCIM-based provisioning from Microsoft Entra ID to the Beyond Identity Cloud

4. Hybrid Identity deployment with Active Directory, Microsoft Entra ID Connect, and Microsoft Entra ID

5. Alternative domain name for the Beyond Identity test phase:

   • Must be a top-level domain (not a subdomain).

   • Example: If the primary domain is contoso.com, use contoso.org as the alternative.

   • You must have access to the domain’s DNS settings to verify it in Microsoft Entra ID.

6. Windows machine with administrator privileges and the MSOnline PowerShell module to:

   • Set up the domain for federated authentication

7. Office 365 Administrator account to:

   • Set up Office 365 mailbox accounts

 

Beyond Identity Configuration Information

Provide the following information to the Beyond Identity Field Team:

Field	Value to Provide
Company Name	Your company name
Microsoft Entra ID Instance ID	Your Microsoft Entra ID instance ID
Admin Console SAML SSO Credentials	SSO URLSSO Entity IDSSO X.509 Signing Certificate
User Console Credentials	SSO Client IDSSO Client Secret
(Optional) Company Logo	300 × 150 pixels or smallerFile size: 10 KB or lessFormats: SVG, PNG, JPG, or GIF

 

Information you will receive from the Beyond Identity Field Team

Field	Value Provided
Admin Console SAML URLs	Identifier/Entity ID: https://admin.byndid.com/auth/saml/<Conn-ID>/sso/metadata.xml Reply/ACS URL: https://admin.byndid.com/auth/saml/<Conn-ID>/sso
SCIM / Event Hook API Bearer Token	From Beyond Identity SE
Beyond Identity Org ID	From Beyond Identity SE
SCIM API Endpoints	https://api.byndid.com/scim/v2/Usershttps://api.byndid.com/scim/v2/Groups

 

Alternative Domain Configuration

Beyond Identity recommends using an alternative domain during the test phase.

• If you already own a spare domain, you can use that.

• If not, purchase a new domain from any domain registrar.

Once you have selected a domain, add it as a Custom Domain in the Entra ID Portal by following Microsoft’s instructions: Add a custom domain in Entra ID Active Directory

 

Section 1-A: Use Entra ID Portal for Group Creation

Beyond Identity service assignment is required for IT Admin and End Users. The following steps describe how to create the BI_Admins, BI_Users, and BI_Push_Groups groups, and assign users to those groups, if groups are synced from AD to AAD.

1. Log in to Microsoft Entra ID admin center as a Entra Global Administrator.

2. In the left navigation pane, click Groups. 
   
   

3. Click New group. 
   
   

4. In the Group type drop-down, select Security.

5. Enter the following for the Admins group:

   • Group Name: BI_Admins

   • Group Description: Beyond Identity Admins

   • Membership Type: Assigned

   • Click Create.
     
     

6. To add members to the new group, click All groups in the left navigation panel. Then, click the new group name (e.i. BI_Admins group).
7. Click Members from the left navigation panel, then click Add members and add the appropriate administrator accounts (by UPN). 
   
   
   
   

8. Return to Groups.
   
   

9. Click New group and create the Users group with the following:

   • Group name: BI_Users
   • Group description: Beyond Identity Users
   • Membership type: Assigned
   • Click Create. 

    

10. Open the BI_Users group. Under Members, click Add members, and add the appropriate user accounts accounts (by UPN). 

11. Return to Groups and click New group. 
    
    
    

12. Create a group called Push Groups with the following:

• Group type: Security

• Group Name: BI_Push_Groups

• Group Description: Groups used for Beyond Identity policy enforcement

• Membership Type: Assigned

• Click Create.
  
  

12. Return to Groups and open the BI_Push_Groups group.
    
    

13. Click Members on the left navigation panel, click Add members, and add any groups you want to use for policy assignment.
    
    

14. Confirm that all group members have a First Name, Last Name, Display Name, and email address configured in Entra ID. When you are done click, Select. 
    
    Note: If syncing from on-prem AD with Microsoft Entra ID Connect, run a delta sync to push these new groups and memberships into Entra ID.

 

 

Section 2: Set up an Alternative Domain Name for Testing

The following steps show an example configuration using contoso.com as the primary domain and contoso.org as the alternative domain.

1. Log in to Active Directory or another domain server as an Enterprise Administrator.

2. Start Server Manager, then click Tools in the top-right corner.
   
   
   
   

3. From the Tools drop-down menu, select Active Directory Domains and Trusts.
   
   
   
   

4. In the Active Directory Domains and Trusts window, right-click Active Directory Domains and Trusts, then select Properties.
   
   
   
   

5. In the UPN Suffixes tab, add the alternative UPN suffix (for example, contoso.org).
   
   
   

6. Click Apply, then click OK.

7. Run the following PowerShell command to synchronize the newly created alternative UPN:
   Start-ADSyncSyncCycle -PolicyType Delta
   
   

Section 3: Set up Beyond Identity Admin Console in Microsoft Entra ID

1. Log in to the Microsoft Entra admin center (https://entra.microsoft.com) as a Entra Global Administrator

2. From the Home screen, click Enterprise applications on the left navigation panel. 
   
   

3. At the top of the Enterprise applications screen, click New application.
   
   

4. In the search bar, type Beyond Identity, then select and click Beyond Identity Admin Console from the gallery.
   
   

5. From Enterprise applications, open the Beyond Identity Admin Console application.

   • In the left menu, click Owners, then click Add.
     
     

   • Search for users by UPN, select them, and click Select to assign them as Owners.

    

6. In the Beyond Identity Admin Console application, click Users and groups → Add user/group.
   
   

   • Select the BI_Admins group, then click Assign.

7. Open the Beyond Identity Admin Console application again.

   • In the left menu, click Single sign-on.
     
     

   • Click Change single sign-on modes.
     
     

   • Click the SAML tile.
     
     
     
     

8. On the Set up Single Sign-on with SAML page, click Edit for the Basic SAML Configuration section. 
   
   

9. Enter the values provided by Beyond Identity SE. 
   Note: Replace <connection-id> in the URL with your actual connection ID. For instructions on locating your connection ID, see Section 4, Step 4.

   • Identifier (Entity ID): https://admin.byndid.com/auth/saml/<connection-id>/sso/metadata.xml

   • Reply URL (ACS URL): https://admin.byndid.com/auth/saml/<connection-id>/sso

   • Mark the new Entity ID and Reply URL as default.

   • Remove the sample Entity ID entry.

   • Click Save.
     
     

10. Still on the Set up Single Sign-on with SAML page:
    a. In the SAML Certificates section, download the Certificate (Base64).
    
    
    b. If no certificate is available, click Edit → New Certificate → Save, then download the Base64 certificate.

11. Copy and save the following URLs from the Set up Single Sign-on with SAML page (under Set up Beyond Identity Admin Console). These will be used in the next section:
    a. Login URL
    b. Microsoft Entra Identifier
    
    

 

Section 4: Set up Admin Portal Access Authentication using SSO

1. Log in to the Beyond Identity Admin Console at https://admin.byndid.com, then click Log in with Beyond Identity.

2. In the Admin Console, click Settings.

3. On the Settings page, click the Console Login tab.

4. In the Admin Console SSO Integrations section, click Edit SSO for the Custom SAML SSO integration.

   • Copy the ID value. This serves as the Connection ID required in the previous section.

5. In the same Admin Console SSO Integrations section, click Edit SSO again for the Custom SAML SSO integration, then configure the following parameters:

   • Name: Admin Console SSO – Entra ID

   • IDP URL: https://login.microsoftonline.com//saml2 (use the value recorded in the previous step)

   • IDP Entity ID: https://sts.windows.net// (use the value recorded in the previous step)

   • Name ID Format: emailAddress

   • Subject User Attribute: UserName

   • Request Binding: HTTP Redirect

   • X.509 Signing Certificate: Upload the certificate file downloaded in the previous step

6. After these values are provisioned, log in to the Beyond Identity Admin Console using SSO. Confirm that an admin (a user from the BI_Admins group) has access to the Beyond Identity Admin Console.

 

Step 5: Set up Beyond Identity User Console in Microsoft Entra ID

1. Log in to the Entra ID Portal as a Entra Global Administrator.

2. From the Home screen, click Microsoft Entra ID (or search for it).

3. In the left menu, click Manage > Enterprise Applications.
   
   

4. At the top of the screen, click New Application.
   
   

5. At the top of the screen, click Create your own application.
   
   

6. On the Create your own application page, enter the following:

   • Name: Beyond Identity User Console

   • What are you looking to do with your application? Select Integrate any other application you don’t find in the gallery (Non-gallery)

   • Click Create

   • (Optional) From Home → Tenant Name → Enterprise Applications → Beyond Identity User Console → Properties, upload the Beyond Identity logo.
     
     

7. In the Beyond Identity User Console application, click Owners from the left navigation panel, then click Add.
   
   

   • Search for users by UPN, select them, then click Select to assign them as Owners.

8. In the Beyond Identity User Console application, click Single Sign-on.

   • Select Linked.
     
     

   • In Sign-On URL, enter the URL below. Note: Make sure you replace BI_Tenant_Name with the actual name of your BI tenant.
     https://user.byndid.com/auth-user/?org_id=<BI_Tenant_Name>


9. In the Provisioning blade, for the Map attributes tile, click Edit Attributes.
   
   

   • Under Provisioning Mode, select Automatic.

   • On the Admin Credentials tab:

     • Tenant URL: https://api.byndid.com/scim/v2

     • Secret Token: Enter the Tenant API token provided by Beyond Identity SE

     • Click Test Connection

     • After a successful SCIM connection test, click Save
       
       
       

   • On the Mappings tab:

     • Ensure Provisioning Entra ID Active Directory Groups is enabled

     • Ensure Provisioning Entra ID Active Directory Users is enabled
       
       

   • On the Settings tab:

     • Select Send an email notification when a failure occurs and provide a valid IT admin email

     • Select Prevent accidental deletion 

     • Set Scope to Sync only assigned users and groups

     • Click Save

   • Set Provisioning Status to On
     
     
     

10. In the Provisioning blade, click Mappings, then select Provision Microsoft Entra ID Users to edit the attribute mappings.
11. Click Add New Mapping.
    
12. Add the following values to the new attribute:
    • Mapping Type: Direct
    • Source attribute: mail
    • Default value if null (optional): leave blank
    • Target attribute: emails
    • Match object using this attribute: no
    • Apply this mapping: Always
    • Click OK to save

13. In the Provisioning blade, click Mappings, then select Provision Microsoft Entra ID Users to edit the attribute mappings.

    • Ensure Target Object Actions has Create, Update, and Delete enabled

    • Select Show Advanced Options, then click Edit Attribute List for customappssso (Note: "customappssso" is a name we've given the app for these walk-through. Ensure you select the name of your own app). 
      
      
      

    • Ensure the following attributes are set:

      • active: Required

      • displayName: Required

      • username: Required

      • name.givenName: Required

      • name.familyName: Required

      • externalId: Required

      • emails (type eq "work"): Multi-value
      • Click on an empty field at the bottom to add this attribute:
        urn:ietf:params:scim:schemas:extension:beyondidentitymsft:2.0:User:msAdObjectSid
        (No need to check a box.)
        Note: Adding this attribute will also allow Admins to use the Beyond Identity Windows Desktop Login feature.

      • Click Save
        
        The image below shows how the attributes should be set.

12. Next, click to edit the emails (type eq "work") attribute. 
13. Change the value for the Match objects using this attribute field to:
    Only during object creation
    
    
14. To save, click OK.

15. In Attribute Mappings, click the entry for externalId (click the left side of the row), then update:

    • Mapping type: Expression

    • Expression: Switch(IsPresent([immutableId]), [userPrincipalName], "True", [immutableId])

    • Default value if null (optional): leave blank
    • Target attribute: externalid
    • Match objects using this attribute: No

    • Leave other fields as default

    • Click OK

    • On the Provisioning page, click Save.
      
      

16.  From Home → Tenant Name → Enterprise Applications → Beyond Identity User Console:
    

    • Click Users and groups → Add user/group.

    • Select the BI_Users and BI_Push_Groups groups.

    • Click Assign.
      
      

17. Open App registrations (top search) → All applications → Beyond Identity User Console, then:

    • From Overview, note the Application (client) ID. (You’ll use this later.)
    • From Overview, note the Directory (tenant) ID. (You’ll use this later.)
    • Open Authentication → Platform configurations → Add a platform → Web, then enter:
      • Redirect URL: https://user.byndid.com/auth-user/callback
      • Implicit grant and hybrid flows: select ID tokens
      • Supported account types: Accounts in this organizational directory only (Single tenant)
      • Advanced settings → Allow public client flows: No
      • Click Save.
18. Navigate to App registrations → Beyond Identity User Console → Certificates & secrets:

• Under Client secrets, click New client secret.
• Description: Beyond Identity User Console; Expires: 24 months.
• Copy the Client secret value. (You’ll use this later.)
• Token configuration: No changes required. 

19. Navigate to App registrations → Beyond Identity User Console → API permissions:

• Click Add a permission.
• Select Microsoft Graph.
• Select Delegated permissions.
• Under OpenID permissions, select: email, offline_access, openid, profile.
• Click Add permissions.
• Click Grant admin consent for <Tenant Name> → Yes.
• App roles: No changes required.

Optional - Enabling Windows Desktop Login with Beyond Identity

If you are an administrator who wants to enable Windows Desktop Login with Beyond Identity, complete the following additional steps.

Steps

1. Verify that the attribute mappings defined in Section 5, item 13 (above) have been correctly applied.

2. In the Provisioning blade, click Mappings, then select Provision Microsoft Entra ID Users to edit the attribute mappings.

3. Click Add New Mapping.

4. In the Edit Attribute window, add the following: 

• Mapping Type: Direct
• Source attribute: onPremisesSecurityIdentifier
• Default value if null (optional): leave blank
• Target attribute: urn:ietf:params:scim:schemas:extension:beyondidentitymsft:2.0:User:msAdObjectSid
• Match object using this attribute: no
• Matching precedence: leave blank
• Apply this mapping: Always
• Click OK to save

The new attribute should display as shown in the screenshot below.

5. In the Provisioning blade, click Mappings, then select Provision Microsoft Entra ID Users to edit the attribute mappings. Then, select Show Advanced Options, then click Edit Attribute List for customappssso (Note: "customappssso" is a name we've given the app for these walk-through. Ensure you select the name of your own app). 

6. Scroll to the bottom to the empty row, and enter into the first column: urn:ietf:params:scim:schemas:extension:beyondidentitymsft:2.0:User:msAdObjectSid

7. Leave the all boxes for this attribute unchecked, then click Save.

 

Provisioning Configuration Recommendations

Before turning on Provisioning, we recommend using Provision on Demand to verify that both a single user and a single group can successfully SCIM from Entra to Beyond Identity. Follow these steps:

1. In the new application you created in Entra, click Provision on Demand.

2. In the selection box, find a user that should be SCIMed.

3. Click Provision.

   • Entra should display only green success messages if everything is working correctly.

4. In the Beyond Identity directory, confirm that the user is now available.

   • The user entry should show Source = scim.

5. Provision the same user a second time to validate that updates to existing users are also processed successfully.

6. Repeat steps 2–5 for a group:

   • Select a group that should be SCIMed.

   • Click Provision, and confirm successful results in both Entra and Beyond Identity.

7. Once you are satisfied that Provision on Demand works for both users and groups, turn on Provisioning for the application.

   • This will automatically SCIM all users and groups approximately every 40 minutes.

8. After the initial setup, return to Entra a few hours (or a day) later and review your Provisioning Logs.

   • There should be no errors. If errors appear, revisit these steps or contact Beyond Identity Support.

Update the default Group settings for External ID

Overview
If you haven’t already, make sure to update the externalID attribute (automatically created for you) so that its mapping applies only during object creation.

1. Navigate to the objectId attribute and click to edit it.

2. In the Edit Attribute window, go to the Apply this mapping only during object creation field, and choose Only during object creation. Then, click OK (or Save). 

 

Section 6: Configure Beyond Identity User Console

1. Log into the Beyond Identity admin console.
2. Click Settings on the left-hand navigation.
3. Click the Console Login tab, then in the User Console SSO Integrations tile, click Add OIDC SSO.
   
4. Edit SSO fields according to following steps and as explained diagram:
   • Name: <Name of the SSO>
   • Client ID: <Use the value recorded in the previous step>
   • Client Secret: <Use the value recorded in the previous step>
   • Issuer: https://sts.windows.net/<Azure-AD-Tenant-ID>/ (Remember to add the name of your Entra tenant and a trailing slash at the end)
   • Token Field: upn
   • Token Field Lookup: user name
   • Scopes: select the ones that apply to your organization
   • Click Save Changes.
     
     
     
     5. After these values are provisioned, login and confirm that the user has access to the Beyond Identity User Console. (If this step fails, use “provision on demand” steps to provision the user in Beyond Identity first)

Section 7: Setup Beyond Identity Console for User Authentication (WS-FED federation):

1. Log in to the Beyond Identity admin console, then click Integrations.
2. Click the WS-FED tab.
3. Click Add WS-FED Configuration and update the fields as following:
   • Name: Entra ID WS-FED
   • SP Single Sign on URL: https://login.microsoftonline.com/login.srf
   • SP Audience URI: https://login.microsoftonline.com/<Azure-AD-Tenant-ID>/
   • Name ID Format: Unspecified
   • Subject User Attribute: ExternalID
   • Authentication Context Class: X509
   • Add the the first Attribute Statement:
     • Name: ImmutableID, Name format: unspecified, Value: {{ExternalID}}, Name space: http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID 
   • Add a secondAttribute Statement:
     • Name: emailaddress, Name format: unspecified, Value: {{Email}}, Name space: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress 
   • Add a third Attribute Statement:
     
     • Name: UPN, Name format: unspecified, Value: {{UserName}}, Name space: http://schemas.xmlsoap.org/claims
   • And, add a final fourth Attribute Statement:
     • Name: authnmethodsreferences, Name format: unspecified, Value (custom string): http://schemas.microsoft.com/claims/multipleauthn, Namespace: http://schemas.microsoft.com/claims

4. Click Save Changes.

5. Note the following fields from the recently created WS-FED Connection. This will be required in the next step.

1. • IdP Id (Beyond Identity Connection ID)
   • IdP Passive Logon URL: https://auth.byndid.com/wsfed/v1/<BI-Connection-ID>/sso
   • IdP Issuer: https://auth.byndid.com/wsfed/v1/<BI-Connection-ID>
   • IdP Metadata URL: https://auth.byndid.com/wsfed/v1/<BI-Connection-ID>/sso/metadata.xml
   • Download IdP Signature Certificate.

 

Section 8: Configure Beyond Identity as the Identity Provider (WS-FED Federation)

Use the commands below to configure Beyond Identity as the Identity Provider. Alternatively, refer to the Appendix to run a batch script provided by the Beyond Identity field team.

1. Login to any Windows machine and run Powershell as an administrator.
2. Issue following PowerShell commands.

• Connect-MsolService (Login as Entra Global Administrator you may be required to Install MSOnline PowerShell module using “install-module MSOnline” command)
• $domain=”contoso.org” (Replace with customer’s alternative domain configured in Section 2)
• $BrandName = "Beyond Identity WS-FED"
• $Issuer = “https://auth.byndid.com/wsfed/v1/<BI-Connection-ID>”
• $LogOnUrl = “https://auth.byndid.com/wsfed/v1/<BI-Connection-ID/sso”
• $mex = “”
• $LogOffUrl = “https://portal.azure.com” (or Company website)
• $SigningCert = "[BI WSFED X.509 certificate in string format]”

(Make sure the customer downloads the certificate from BI Admin Console or SE should share the certificate by email. Do not send BI certificate via zoom/slack chat).

• $Protocol = "WSFED"
• Set-MsolDomainAuthentication -DomainName $domain -Authentication “managed”
• Set-MsolDomainAuthentication -DomainName $domain -Authentication federated -FederationBrandName $BrandName -IssuerUri $Issuer -PassiveLogOnUri  $LogOnUrl -MetadataExchangeUri $mex -LogOffUri $LogOffUrl  -PreferredAuthenticationProtocol $Protocol -SigningCertificate $SigningCert -SupportsMfa $True

 

Setting Up Test Users

User Enrollment

1. To enroll a user in the Beyond Identity experience, assign the user to the BI_Users Group in Active Directory. (Note: BI_Users is the name we are using for this walk-through, use the name you used in the original configuration). 

1. • Right Click BI_Users group and click Members tab. 
   • Click Add.
   • In the Enter the Object names to select, enter UPN for the user.
   • Click OK.

The newly enrolled user will receive an email from Beyond Identity welcoming them to the new Identity Provider. 
2. Each enrolled user will be asked to follow the two steps below:

Step 1: Download the Beyond Identity Authenticator to their device.

1. 1. 1. 1. When the user clicks “View Download Options”, the Beyond Identity Authenticator downloads page will open in a browser with all supported platforms displayed. The user should download and install the Beyond Identity Authenticator on their device if they have not already.
         2. Now that the user has the Authenticator installed on their device, they should proceed to Step 2 as there is not yet a user credential associated with the Authenticator on that device.

Step 2: Register their Credential in the Beyond Identity IdP.

1. 1. 1. 1. 1. By clicking on Step 2 Register New Credential, the user’s credential will get enrolled in the Beyond Identity service on the back end. On the front end, users who click Step 2 will be taken to the Beyond Identity Authenticator where they will see the progress of their credential registration. Once completed, the user will see a credentials in the Authenticator. 
            2. See example image below:
               
               

 

User Authentication (Signing in)

1. Each enrolled user can visit their myapps.microsoft.com (or myapps.company.com or portal.azure.com) site or any application supported by Microsoft Entra ID SSO to sign into their corporate applications. 
2. The Microsoft applications or SSO-supported application will ask the user to enter their username. (Remember to use Alternate Username during PoC for the passwordless experience)
3. Once the username is submitted, a prompt to use or open the Beyond Identity app for authentication will display for the user.
4. The user should click affirmatively on the prompt to be signed into their application, without the use of a password. The Beyond Identity app along with a success notification will display.
   1. Note: For iOS devices, some application sign-in processes will ask the user to exit out of the Beyond Identity Authenticator to return to their app after successful authentication.

User De-provisioning

1. To de-provision a user from the Beyond Identity experience, remove user from the “BI_Users” Group in Active Directory. (Note: BI_Users is the name we are using for this walk-through, use the name you used in the original configuration). 
   
   
   • Right Click BI_Users and click the Members tab.
   • Select the user and click Remove.
   • In the confirmation dialog click Yes.
   • Click OK.

 

Appendix A: PowerShell Command example to set up Domain for Federated Mode or Managed Mode (WS-FED Specific)

 

Step / Purpose	PowerShell Command
Connect to Microsoft Entra ID as Entra Global Administrator	Connect-MsolService
Set domain name you want to configure for authentication	$domain = "contoso.org"
Define Identity IdP name	$BrandName = "Beyond Identity WS-FED"
Set Logon URL (mandatory)	$LogOnUrl = "https://auth.byndid.com/wsfed/v1/<connection-identifier>/sso"
Set Logoff URL (mandatory)	$LogOffUrl = "https://portal.azure.com" (or your company website)
Define the Beyond Identity WSFED IdP X509 Certificate	$SigningCert = "[BI WSFED X509 certificate in string format]"
Set Beyond Identity issuer URI	$issueruri = "https://auth.byndid.com/wsfed/v1/<connection-identifier>"
Set Beyond Identity Metadata URI	$mex = ""
Set authentication protocol	$Protocol = "WSFED"
Set domain for “Federated” Authentication (first set to “Managed”)	Set-MsolDomainAuthentication -DomainName $domain -Authentication "managed"
Configure domain for Federated Authentication	Set-MsolDomainAuthentication -DomainName $domain -FederationBrandName $BrandName -Authentication federated -IssuerUri $issueruri -PassiveLogOnUri $LogOnUrl -MetadataExchangeUri $mex -SigningCertificate $SigningCert -LogOffUri $LogOffUrl -PreferredAuthenticationProtocol $Protocol -SupportsMfa $True
Get domain federation settings	Get-MsolDomainFederationSettings -domainname $domain | fl *
Revert domain back to Managed Mode	Set-MsolDomainAuthentication -DomainName $domain -Authentication "managed"

 

Appendix B: PowerShell Command to help debug

Step / Purpose	Command
Install MSOnline PowerShell module	Install-Module MSOnline
Check if device is Hybrid joined	dsregcmd /status
Support Microsoft Entra ID–created users (single user)	powershell<br />Connect-MsolService<br />$upn = "user@contoso.com"<br />$user = Get-MsolUser -UserPrincipalName $upn<br />$uuid = [system.convert]::ToBase64String(([GUID]$user.objectID.Guid).ToByteArray())<br />Set-Msoluser -UserPrincipalName $upn -ImmutableID $uuid
Support Microsoft Entra ID–created users (bulk)	Command will be updated soon.
Check if domain is Managed or Federated	powershell<br />Connect-AzureAD<br />Get-AzureADDomain
Perform delta sync from AD Connect	powershell<br /># Run PowerShell as Administrator<br /># If ADSync PowerShell Module is not installed:<br />Install-Module ADSync<br /><br />Start-ADSyncSyncCycle -PolicyType Delta
Convert Immutable ID to GUID	powershell<br />$immutableId = "ZY721Mo4Q0+vLVO9I/1MsQ=="<br />Write-Host "Convert $immutableId to guid" -NoNewline ([GUID][System.Convert]::FromBase64String($immutableId)).Guid
Convert GUID to Immutable ID (base64 hash)	powershell<br />$objectid = "e35a9b14-12fc-4f9d-9002-05e53ea2bda5"<br />[Convert]::ToBase64String([guid]::New($objectid).ToByteArray())

 

Appendix C: PowerShell Script to automate Commands

Step / Purpose	Command / Action
Start PowerShell as Administrator	Login to any Windows machine and open PowerShell as an administrator.
Install MSOnline PowerShell module	Install-Module MSOnline
Set execution policy to allow script execution	Set-ExecutionPolicy Unrestricted
Run the Beyond Identity setup script (interactive mode)	Setup_Beyond_Identity_Auth.ps1
Steps to run in interactive mode	- Right-click on the file name.- Select Edit.- PowerShell ISE opens.- Review all parameters.- Click the Green button to run the script.
Authenticate as an Entra Global Administrator	Log in when prompted.
Verify certificate upload	Review the output of the final command to confirm successful certificate upload.
Confirm domain status	In the Azure Portal, ensure that the domain shows as Federated.

 

Appendix D: Entra ID B2B Integration

To enable B2B Integration in Microsoft Entra ID with Beyond Identity, use following steps.

1. Configure Beyond Identity to receive inbound SAML request from Partner’s Microsoft Entra ID.
2. Set up Beyond Identity as the external identity Provider in Partner’s Microsoft Entra ID tenant.
3. Invite External Users to Collaborate.
4. Access partner Apps.

Beyond Identity SAML Connection Configuration for B2B Connections

11. Log in to the Beyond Identity admin console.
12. Click on the Integrations tab, then click SAML Connections.
13. Click Add SAML Connection and update the fields as follows:
    1. Name: Beyond Identity IdP
    2. SP Single on URL: https://login.microsoftonline.com/login.srf 
    3. SP Audience URI: urn:federation: MicrosoftOnline
    4. Name ID Format: Persistent
    5. Subject User Attribute: ExternalID
    6. Request Binding: http-redirect
    7. Signed Response: Signed
    8. X509 (Request) Signing Certificate: Not required
    9. Optional Attributes: Name: IDPEmail, Nameformat: uri, Value: {{UserName}}
    10. Optional Attributes:
        1. Name: http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod
        2. Nameformat: unspecified
        3. Value (custom string): http://schemas.microsoft.com/claims/multipleauthn
14. Click Save Changes.
    
    
15. Note down the following fields from the recently created SAML Connection. This will be required in the next step.
    1. IdP Id (Beyond Identity Connection ID)
    2. IdP Single Sign-On URL: https://auth.byndid.com/saml/v0/<BI-Connection-ID>/sso
    3. IdP Issuer: https://auth.byndid.com/saml/v0/<BI-Connection-ID>/sso/metadata.xml
    4. Download IdP Signature Certificate
    5. Download Metadata file.

 

External Identity Provider Configuration

1. Log in to Azure Portal as an Administrator.
2. Click the Entra ID logo or search Entra ID.
3. Click External Identities from the left menu bar.
4. Click All Identity Providers from the left menu bar.
5. Click New SAML/WS-Fed IdP from the top menu bar.
6. Select following Parameters for the new external IdP.
   1. Identity Provider Protocol: SAML
   2. Domain name of federating IdP: <fabrikam.com> (Enter your partner’s domain name.)
   3. Select a method for populating metadata: Parse Metadata file (Pull down menu)
   4. Upload metadata file and click Parse.
   5. Click Save.
      
      
      

Create and Invite External Users to Collaborate

1. Log in to Entra ID Portal as an Administrator.
2. Click the Entra ID logo or search Entra ID. 
3. Click Users from the left side menu.
4. Click New guest user from the top menu.
5. Update following fields before sending invite.
   1. Name: <John Doe>
   2. Email address: john.doe@fabrikam.com
   3. First Name: <John>
   4. Last name: <Doe>
   5. Personal Message: “Message to invite them to collaborate”.
   6. Groups: Add the user to appropriate groups.
   7. Usage Location: <United States>
   8. Click Invite.
6. After accepting invite, user should be able to access applications by going to one of the following URLs.
   • https://myapps.microsoft.com/?tenantid=<Azure-AD-Tenant-ID>
   • https://myapps.microsoft.com/<your verified domain>.onmicrosoft.com
   • https://portal.azure.com/<Azure-AD-Tenant-ID>

Appendix E: Entra ID Staged Rollout

To enable Beyond Identity passwordless login to only a subset of users without using an alternative domain follow the information below.

Caveats

1. This configuration applies only to Hybrid Microsoft Entra ID deployments.

2. In a Hybrid Microsoft Entra ID environment, if some users are Microsoft Entra ID–only:

   • Those users must use Beyond Identity federation.

   • New Microsoft Entra ID users must be created using a special PowerShell script.

   • If those users join a domain, they should be set up with Windows Hello for Business (WHfB) or Windows Desktop Login (WDL).

   • Note: Domain join has unique prerequisites and considerations (TAP, Intune, etc.).

3. This configuration is recommended for final production deployment only and should not be used during a proof-of-concept (POC) stage.

4. Perform this configuration during a maintenance window and notify users in advance, as authentication errors may occur during the change.

For additional details on supported and unsupported scenarios, see: Microsoft Docs – Staged Rollout

Prerequisites

The customer must already be using one of the following authentication options:

• Password Hash Synchronization (PHS)

• Pass-through Authentication (PTA)

• Microsoft Entra ID Certificate-Based Authentication (CBA)

Create the Password_Authenticated_Users Group

To manage users who should be excluded from Beyond Identity, you must first create a security group. Initially, this group should contain all users in the Entra ID tenant. Over time, you can remove users from the group to allow them to authenticate with Beyond Identity.

Steps

1. Sign in to the Entra ID Portal (https://portal.azure.com) as an Administrator.
2. In the left navigation menu, select Entra ID.
3. Select Groups.
4. At the top of the page, click New group and configure the following parameters:
- Group type: Security
- Group name: Password_Authenticated_Users
- Group description: Password Authenticated Users
- Membership type: Assigned
5. Click Create.
6. Open the newly created Password_Authenticated_Users group.
7. In the group menu, select Members.
8. Click Add members.
9. Select all users in the tenant (one by one).
10. Click Select to confirm.

 

Notes:

For tenants with many users, use a script instead to export all users and add them to this group.

If you have more than 200 users, the next step (Enable Staged Rollout) will error. As a workaround, don’t add any members to this group (leave it with 0 members), complete the next step first and then run the script to add all users to this group.

 

Enable Staged Rollout

1. Log in to Entra ID Portal as Administrator.
2. Click the Entra ID logo or search for Entra ID.
3. Click Microsoft Entra ID Connect from the left menu bar.
4. Click Enable staged rollout for managed user sign-in.
   
   
   
   
   
5. Turn on Password Hash Sync and click Manage groups.
6. Click Add Groups.
7. Select Password_Authenticated_Users.
8. Click Select.
   
   
   

 

Federate the Primary Domain

Configure Beyond Identity as the federated identity provider for your primary domain by following the steps outlined in the main section of this guide.

Test Federation with Beyond Identity

1. Remove a few users from the Password_Authenticated_Users group.

   • These users will be federated to Beyond Identity and will sign in without a password.

2. All remaining users will continue to authenticate using their passwords.

Notes

• After deployment, be sure to add every new user to the Password_Authenticated_Users group unless you specifically want them to start with passwordless authentication.

• Any user not in the group becomes eligible for Beyond Identity rollout.

• When moving users into or out of this group, allow time for changes to take effect. Delays may occur due to Entra ID caching.