To set up Multi-Pass, ensure you meet the following requirements

- An Active MPAS subscription with admin rights to a realm
- Global Admin or Application administrator role on Azure

- metadata to configure an EAM
- Privileged Role Administrator on Azure

- Entra P1 or P2 License

Important: Custom elements in URLs (like realm names) are case sensitive. Make sure to match the exact casing from your environment.

 Azure EAM - MPAS integration

Configure EAM App Registration in portal

1. From the Azure portal, search for App Registrations
   

1. Click on New Registration
   

1. Enter a name for your registration (for example Multi-Pass EAM)
   
2. For the Redirect URI:
   
1. Open the dropdown menu labeled "Select a platform" and choose Web.
   
2. Enter the following Redirect URI: https://ca.auth.kzero.com/realms/<TENANT_NAME>/protocol/openid-connect/auth
   
3. Click Register to complete the process

From the App Registration Overview page, take note of the Application (client) ID and Directory (tenant) ID of the newly created App Registration. You will need this for the next step

1. In azure, click authentication preview on the left menu, click on settings, ensure that in "Implicit grant and hybrid flows ID tokens" (used for implicit and hybrid flows) click SAVE

Configure the EAM client in MPAS

Create Authenticator Flow

1. Open Multi-Pass Dashboard
   
2. Select the appropriate tenant and click on "Advanced Console", on the bottom left of your page.

1. On the left-hand side of your screen, click on "Authentication," then select "MPAS - Passwordless Selector."
   

1. Click "Duplicate" as the action on the top right

1. Set the name "MPAS - Passwordless Selector - EAM"
   

1. Click on Add steps and create the step called "Microsoft Entra ID EAM enabler
   
2. Click on "Add a sub flow", name it "MPAS - Passwordless Sub Flow"
   

1. A new line appear, click on the "+" sign, Add step, select "Cookie"
   
2. Click "add"
   

1. As you will see under the sub flow you have created, you can see "cookie" you can delete the line with the same name and start draging the other steps like the screenshot below.
   
1. Make sure MPAS - Passwordlesss Sub flow is "required" and the others are "Alternative"
   

1. Select the gear icon on "Micorsoft Entra ID EAM Enabler"
2. Assign "Azure Tenant ID" it is corresponding to the Directory (tenant) ID and the Azure App registration ID it is corresponding to application (Client) ID.

Edit Authentication Method AMR claim in MPAS

Microsoft requires JWT tokens to contain an AMR claim to confirm a valid FIDO authentication method was used in the verification process. More information about required AMR claims can be found here: Microsoft Entra multifactor authentication external method provider reference (Preview) - Microsoft Entra ID | Microsoft Learn

1. Ensure WebAuthn Passwordless Authenticator is configure too, click on the gear
   

1. Complete the fields
   
1. Alias = fpt
   
2. Authenticator Reference = fpt
   
2. then move to MPAS App Mobile (Digital) and complete the fields with : 
   
1. Alias = face
   
2. Authenticator Reference = face

1. Click Save
   

1. Click on Clients in the navigation menu.
2. Click on Create client
   

1. Assign a unique Client ID and Name to your client. For example:
   
1. Client ID: azure-mfa
   
2. Name: azure-mfa
   
3. Description: (optional – can be left blank or used for internal reference)
   
2. Once completed, click Next to proceed.
   

1. On the next page, make sure you toggled the right parameters :
   
1. Keep Client Authentication disabled.
   
2. Enable Implicit Flow.
   
3. Disable Standard Flow
   
2. Click Next
   

1. On the next screen please add Valid redirect URIs (https://login.microsoftonline.com/common/federation/externalauthprovider)
2. Click Save.
   
3. On the Client Details page of the client you just created, click on Client Scopes.
   
4. Select the dedicated assigned client scope.
   
5. Click on configure a new mapper
   
6. choose Authentication Method Reference (AMR)
   

1. Name = AMR
   

1. To configure the ACR claim, follow these steps:
   
2. Click on Add Mapper
   
3. Select By Configuration > Authentication Context Class Reference (ACR)
   

1. Add possessionorinherence as the claim value
   

1. Finally click on "Add mapper", by configuration
   
2. Scroll down and select User session note
   

1. Complete the form :
   
1. Name = sub
   
2. User Session Note = MS_EAM_SUBJECT
   
3. Token Claim Name = sub
   

1. Go to advanced tabs, scroll down to "Authentication flow overrides" for the browser flow,  select the "MPAS - Passwordless Selector - EAM"
   
2. Click Save
   

1. Scroll down to the ACR to LoA Mapping section.
   
2. Click Add ACR to LoA Mapping
   

1. Enter the following mappings:
   

Key	Value
possessionorinherence	0
knowledgeorpossessionorinherence	1

1. Click Save
   

Configuring the Azure External Authentication Method with Multi-Pass

Configure Azure as an External Authentication Method

1. Return to your Azure External Authentication Method session in the browser.
   
2. Add the Client ID:
   
1. Enter the Client ID that you created in MPAS into the Client ID field (e.g azure-mfa)
   
3. Add the OIDC Discovery Endpoint:
   
1. In MPAS, go to the Realm Settings page.
   
2. Scroll down and click on OpenID Endpoint Configuration.
   
3. A new window opens and copy the URL
   
1. Copy the following format: https://ca.auth.kzero.com/realms/<TENANT_NAME>/.well-known/openid-configuration
   

1. Add the App ID:
   
1. Enter the Application (client) ID from the Azure App Registration, which enables Entra to act as an Identity Provider for MPAS
   

1. Once the App ID is added, Azure will inspect the value and determine if admin consent is required.
   

1. If prompted, click on Request Permission to complete the process.
   
2. In the Enable and Target tab: 
1. Make sure in the enable and target tab "enable" is toggled to ON
   

1. Click Save

Configure EAM in Entra

In this procedure, you let MPAS know which app user to authenticate when an EAM request is made for the associated user in Microsoft Entra ID. This ensures that the same end user is authenticated in both Microsoft Entra ID and MPAS. Map the user account with the Microsoft Entra ID admin center and the MPAS  Admin Console

1. Sign in to https://entra.microsoft.com/.
   
2. Navigate to Authentication methods.
3. Click on Add external method (Preview)
   

1. Click Users.
   
2. Search for and select the MPAS user.
   
3. Click the Copy to clipboard icon beside the Object ID. Paste this ID in a secure location.
   
4. In MPAS, open  the user tab and select the user and copy the Entra ID Object ID in the field "Microsoft User Object ID"