Azure EAM - MPAS integration

Idea
This documentation has been tested and approved by Kelvin Zero's team
Quote
This document will outline the steps required to enable MPAS as an external authentication method in Microsoft Entra ID.
Warning
To set up Multi-Pass, ensure you meet the following requirements:
- An active MPAS subscription with admin rights to a realm
- Global Administrator or Application Administrator role on Azure
- The metadata needed to configure an EAM
- Privileged Role Administrator role on Azure
- Users must exist and be synced in both MPAS and Azure, using either SCIM or OIDC Force Sync
- Entra P1 or P2 license
Important: Custom elements in URLs (like realm names) are case sensitive. Make sure to match the exact casing from your environment.

Create MPAS EAM for Entra


Edit Authentication Method AMR claim in MPAS

Info
Microsoft requires the JWT returned by an external method to contain an AMR claim confirming that a valid FIDO authentication method was used during verification. More information about the required AMR claims can be found here: Microsoft Entra multifactor authentication external method provider reference (Preview) - Microsoft Entra ID | Microsoft Learn
We will ensure that the MPAS authentication methods include an AMR claim.
  1. First, log in to your dashboard by following this link: https://dashboard.kzero.com/
  2. Select the appropriate deployment and click on "Admin Console."
  3. On the left-hand side of your screen, click on "Authentication," then select "MPAS - Passwordless Selector."
  4. Ensure that the Digital and Card steps include an AMR claim.

Info
If they do not have one, click on the gear icon, provide the required details and click Save. The list of allowed claim values is available here -> Microsoft Entra multifactor authentication external method provider reference (Preview) - Microsoft Entra ID | Microsoft Learn


Create EAM App Registration

  1. From the Azure portal, search for App Registrations.
  2. Click on New Registration.
  3. Enter a name for your registration.
  4. For the Redirect URI:
    1. Open the dropdown menu labeled "Select a platform" and choose Web.
    2. Enter the following Redirect URI: https://ca.auth.kzero.com/realms/<realmname>/protocol/openid-connect/auth
  5. Click Register to complete the process.
Notes
From the App Registration Overview page, take note of the Client ID of the newly created App Registration. You will need this for the next step.


Create EAM and Client

Create an EAM in the Entra Admin Center

  1. Sign in to https://entra.microsoft.com/.
  2. Navigate to Protection > Authentication methods.
  3. Click on Add external method (Preview)
Notes
You will need to provide the following information, which you will obtain from MPAS in the next section. Keep this browser session open while you create the MPAS client.

Create a client on MPAS

  1. Sign in to your realm's admin console on MPAS at: https://ca.auth.kzero.com/admin/<realm>/console.
  2. Click on Clients in the navigation menu.
  3. Click on Create client.
  4. Assign a unique Client ID and Name to your client.
  5. Click Next to proceed.
  6. Keep Client Authentication disabled.
  7. Enable Implicit Flow.
  8. Disable Standard Flow.
  9. Click Save on the next screen to confirm your settings.
  10. On the Client Details page of the client you just created, click on Client Scopes.
  11. Select the dedicated client scope assigned to this client.
  12. From this page, create the following Mappers.

Notes
Ensure that all claims are included in the JWT by selecting both Add to ID Token and Add to Access Token on each mapper.
To configure the AMR claim, follow these steps:
  1. Click on Add Mapper
  2. Select By Configuration > Authentication Method Reference (AMR)
  3. Apply the following settings


To configure the tid claim, follow these steps:
  1. Click on Add Mapper
  2. Select By Configuration > Hardcoded Claim
  3. Set the Claim Name to tid
  4. Enter your Tenant ID from your Azure tenancy as the Claim Value

To configure the AUD claim, follow these steps:
  1. Click on Add Mapper
  2. Select By Configuration > Audience
  3. Add the Client ID (App ID) from the Azure App Registration created earlier


To configure the ACR claim, follow these steps:
  1. Click on Add Mapper
  2. Select By Configuration > Authentication Context Class Reference (ACR)
  3. Add possessionorinherence as the claim value
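The four mappers above (Audience, Hardcoded Claim for tid, ACR, and AMR) only help if the token MPAS issues actually carries the expected values. The following script is an added example, not part of this article or of Kelvin Zero's product, that decodes a token payload and reports which of those claims is missing or wrong, so you can confirm the mapper configuration before pointing Entra at the realm. The tenant ID, App ID and realm name are constructed placeholders, the accepted amr values are an assumption to be checked against the Microsoft reference linked earlier, and the fixture token is deliberately unsigned because the script only inspects claims; signature verification is performed by Entra against the realm's JWKS and is out of scope here.

```python
import base64
import json
from typing import Any, Dict, List

# Constructed placeholder values: substitute your Entra tenant ID and the
# Client ID (App ID) of the Azure App Registration created for the EAM.
EXPECTED_TENANT_ID = "00000000-0000-0000-0000-000000000000"
EXPECTED_APP_ID = "11111111-1111-1111-1111-111111111111"
# The acr value the article tells you to map.
EXPECTED_ACR = "possessionorinherence"
# amr values that indicate a FIDO / hardware-backed factor. This set is an
# assumption for the example; the authoritative list is in the Microsoft
# EAM provider reference linked from the article.
ACCEPTED_AMR = {"fido", "hwk", "swk"}


def discovery_url(realm: str) -> str:
    """OIDC discovery endpoint of an MPAS realm (format given in the article).
    The realm segment is case sensitive, so it is used exactly as supplied."""
    return f"https://ca.auth.kzero.com/realms/{realm}/.well-known/openid-configuration"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_fixture_token(claims: Dict[str, Any]) -> str:
    """Build an unsigned (alg=none) JWT purely as a local test fixture.
    Real MPAS tokens are signed and Entra verifies them against the realm's
    JWKS; this helper exists only so the claim checks below can be exercised."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> Dict[str, Any]:
    """Return the payload of a JWT without verifying it (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT has exactly three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_eam_claims(claims: Dict[str, Any], tenant_id: str, app_id: str) -> List[str]:
    """List every way the claim set fails the aud/tid/acr/amr mapper setup.
    An empty list means all four mappers produce what the article expects."""
    problems: List[str] = []

    # Audience mapper: aud may be a string or a list; the App ID must be in it.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if app_id not in audiences:
        problems.append(f"aud {aud!r} does not include the App ID {app_id} (Audience mapper)")

    # Hardcoded Claim mapper: tid must equal the Entra tenant ID.
    if claims.get("tid") != tenant_id:
        problems.append(f"tid {claims.get('tid')!r} != tenant {tenant_id} (Hardcoded Claim mapper)")

    # ACR mapper: the article maps the fixed value possessionorinherence.
    if claims.get("acr") != EXPECTED_ACR:
        problems.append(f"acr {claims.get('acr')!r} != {EXPECTED_ACR} (ACR mapper)")

    # AMR mapper: a non-empty list containing at least one FIDO-style value.
    amr = claims.get("amr")
    if not isinstance(amr, list) or not amr:
        problems.append("amr missing or empty (AMR mapper / authentication step claim)")
    elif not ACCEPTED_AMR.intersection(amr):
        problems.append(f"amr {amr!r} contains no accepted value from {sorted(ACCEPTED_AMR)}")

    return problems


if __name__ == "__main__":
    # Constructed sample token with all four claims populated as the article describes.
    sample = make_fixture_token({
        "sub": "user-1", "aud": EXPECTED_APP_ID, "tid": EXPECTED_TENANT_ID,
        "acr": EXPECTED_ACR, "amr": ["fido"],
    })
    issues = check_eam_claims(decode_claims(sample), EXPECTED_TENANT_ID, EXPECTED_APP_ID)
    print("claim problems:", issues or "none")
    print("discovery endpoint:", discovery_url("ExampleRealm"))  # constructed realm name
```

To use it against a real token, paste the id_token MPAS returned for a test login in place of the fixture and pass your actual tenant ID and App ID; any line printed under "claim problems" names the mapper that still needs attention. Note that `aud` is accepted as either a single string or a list, since the Audience mapper can add to an existing list of audiences.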

Configuring the Azure External Authentication Method
  1. Return to the Azure External Authentication Method browser session
  2. Add the Client ID you just created:
    1. Enter the Client ID from MPAS into the Client ID field.
  3. Add the MPAS OIDC Discovery Endpoint:
    1. This URL can be copied from the Realm Settings page in MPAS.
    2. It will always follow this format: https://ca.auth.kzero.com/realms/<REALMNAME>/.well-known/openid-configuration
  4. Add the App ID:
    1. Enter the Application ID from the Azure App Registration, which enables Entra to act as an Identity Provider for MPAS.
    2. Once the App ID is added, Azure will inspect the value and determine if admin consent is required.
  5. If prompted, click on Request Permission to complete the process.