Configuring integration with Microsoft Entra ID
You have to configure integration with Microsoft Entra ID to allow the users in your organization to sign in to Kaspersky Security Center Cloud Console with their Microsoft Entra ID account credentials.
Integration with Microsoft Entra ID is available for the primary Administration Server only. You cannot configure the integration for secondary or virtual Administration Servers.
To configure integration with Microsoft Entra ID:
- In the main menu, click the settings icon next to the name of the Administration Server.
The Administration Server properties window opens.
- On the General tab, select the Microsoft Entra ID section.
- Turn on the Microsoft Entra ID integration toggle button.
- Copy the links from the following fields:
- Callback URL
- Front-channel logout URL
You will need these URLs to register Kaspersky Security Center Cloud Console in the Microsoft Entra ID tenant.
- Login URL
You will need this URL to allow users to sign in to the Kaspersky Security Center Cloud Console workspace with their Microsoft Entra ID credentials after the integration with Microsoft Entra ID is complete.
- Sign in to the Microsoft Entra admin center, and then select the tenant of your organization.
You must have the Global administrator or the Application administrator role in the tenant.
- In the main menu, go to Identity → Applications → App registrations, and then click the New registration button.
- In the window that opens, do the following:
- Specify a name for the Kaspersky Security Center Cloud Console application.
- In the Supported account types section, select the Accounts in this organizational directory only (<tenant_name> only - Single tenant) option.
- In the Redirect URI section, select Web from the drop-down list, and then enter the callback URL that you copied from Kaspersky Security Center Cloud Console at step 4.
- Click the Register button.
The Kaspersky Security Center Cloud Console application is registered in Microsoft Entra ID, and the application overview page opens.
- If necessary, add Kaspersky Security Center Cloud Console to the list of applications.
The users will be able to open Kaspersky Security Center Cloud Console by clicking its name in the list of applications in My Apps and Office 365 Launcher, without using the login URL.
- Copy the Application (client) ID and the Directory (tenant) ID, and save them in any convenient way.
You will need these IDs when filling in the mandatory fields in Kaspersky Security Center Cloud Console at step 14.
- In the menu of the Kaspersky Security Center Cloud Console application, go to the Authentication section, and then enter the URLs that you copied from Kaspersky Security Center Cloud Console at step 4:
- In the Web section, click the Add URI button, and then enter the login URL.
- In the Front-channel logout URL section, enter the front-channel logout URL.
- In the menu of the Kaspersky Security Center Cloud Console application, go to the Certificates & secrets section, and then do the following:
- Go to the Client secrets tab, and then click the New client secret button.
- In the window that opens, specify any description for the client secret, and then select the period after which the secret expires.
We recommend that you record the date after which the secret expires, in any convenient way, so that you can rotate the secret in a timely manner.
- Click the Add button.
The created secret is displayed on the Client secrets tab.
- Copy the information from the Value column.
We strongly recommend that you copy the information immediately after creating the client secret.
- In the menu of the Kaspersky Security Center Cloud Console application, go to the Token configuration section, and then do the following:
- Add the onprem_sid optional claim:
- Click the Add optional claim button.
- In the window that opens, select the ID token type, and then in the Claim column, select the check box next to the onprem_sid.
- Click the Add button.
The onprem_sid optional claim is displayed on the Optional claims page.
- Add the preferred_username optional claim:
- Click the Add optional claim button.
- In the window that opens, select the Access token type, and then in the Claim column, select the check box next to the preferred_username.
- Click the Add button.
The preferred_username optional claim is displayed on the Optional claims page.
- In the menu of the Kaspersky Security Center Cloud Console application, go to the API permissions section, and then add the permissions:
- User.Read.All
- User.Export.All
- GroupMember.Read.All
- Directory.Read.All
To add a permission, do the following:
- Click the Add a permission button, and then select the Microsoft APIs tab.
- Select Microsoft Graph → Application permissions, and then select the permission you want to add.
- Click the Add permission button.
The four permissions are added and displayed on the Configured permissions page.
- Click the Grant admin consent for <tenant_name> button, and then in the window that opens, click Yes to confirm the granting of consent for the permissions you added.
- Go back to Kaspersky Security Center Cloud Console, and on the General tab, fill in the following mandatory fields:
- Tenant ID. The Directory (tenant) ID that you copied at step 10.
- Client ID. The Application (client) ID that you copied at step 10.
- Client secret. The value that you copied at step 12.
- Click the Check connection button to check if the settings are correct, and then after the Connected status is displayed, click the Save button.
The integration settings are saved, and the integration with Microsoft Entra ID is configured.
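The following check is an added example, not part of the Kaspersky documentation: it compares an exported app registration against the settings that the procedure above asks for (single tenant, callback and login URLs, front-channel logout URL, the two optional claims, and client secret expiration). It assumes the registration is available as an object in the Microsoft Graph application resource shape; the function name, the placeholder URLs, and the 30-day warning window are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the Microsoft Graph "application" resource shape.
# The URLs are placeholders, not real Kaspersky endpoints.
BASE = "https://ksc.example.invalid"
SAMPLE_APP = {
    "signInAudience": "AzureADMyOrg",  # single tenant
    "web": {"redirectUris": [BASE + "/callback", BASE + "/login"],
            "logoutUrl": BASE + "/logout"},
    "optionalClaims": {"idToken": [{"name": "onprem_sid"}], "accessToken": []},
    "passwordCredentials": [{"displayName": "ksc-secret",
                             "endDateTime": "2025-03-01T00:00:00Z"}],
}

def audit_registration(app, callback, login, logout, now, warn_days=30):
    """Hypothetical helper: return findings; an empty list means all checks passed."""
    findings = []
    if app.get("signInAudience") != "AzureADMyOrg":
        findings.append("not restricted to a single tenant")
    web = app.get("web") or {}
    for label, url in (("callback", callback), ("login", login)):
        if url not in (web.get("redirectUris") or []):
            findings.append(f"{label} URL missing from redirect URIs")
    if web.get("logoutUrl") != logout:
        findings.append("front-channel logout URL mismatch")
    claims = app.get("optionalClaims") or {}
    for token, claim in (("idToken", "onprem_sid"),
                         ("accessToken", "preferred_username")):
        if claim not in {c.get("name") for c in claims.get(token) or []}:
            findings.append(f"{claim} missing from {token} optional claims")
    secrets = app.get("passwordCredentials") or []
    if not secrets:
        findings.append("no client secret")
    for s in secrets:
        # Graph returns UTC timestamps; keep only the seconds-resolution part.
        end = datetime.strptime(s["endDateTime"][:19], "%Y-%m-%dT%H:%M:%S")
        end = end.replace(tzinfo=timezone.utc)
        if end <= now:
            findings.append(f"secret '{s.get('displayName')}' expired")
        elif end - now <= timedelta(days=warn_days):
            findings.append(f"secret '{s.get('displayName')}' expires within {warn_days} days")
    return findings

if __name__ == "__main__":
    now = datetime(2025, 2, 15, tzinfo=timezone.utc)  # fixed date for a repeatable run
    for f in audit_registration(SAMPLE_APP, BASE + "/callback", BASE + "/login",
                                BASE + "/logout", now):
        print("FINDING:", f)
```

Run on the constructed sample, the check reports the missing preferred_username claim and the secret that is close to expiration.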
After you configure the integration with Microsoft Entra ID, you have to do the following:
- In the Kaspersky Security Center Cloud Console main menu, go to Users & roles → Users & groups to make sure that the users and groups from Microsoft Entra ID are added to Kaspersky Security Center Cloud Console.
If the users and groups in your Microsoft Entra ID tenant are synchronized from the Active Directory of your organization, and Active Directory polling is configured, then the users and groups are already added to Kaspersky Security Center Cloud Console as a result of Active Directory polling.
Otherwise, you have to enable and run Microsoft Entra ID polling to add the users and groups from your Microsoft Entra ID tenant to Kaspersky Security Center Cloud Console.
- Assign necessary roles to the users and groups.
When assigning roles to a user on a virtual Administration Server, in the main menu, go to Users & roles → Users & groups, and then select the Users tab. If you select the Groups tab, and then assign roles to the group where the user is a member, the user will not be able to log in to Kaspersky Security Center Cloud Console.
- Send the login URL that you copied at step 4 to the users. They will enter this URL to sign in to the Kaspersky Security Center Cloud Console workspace by using their Microsoft Entra ID credentials.
To sign in to Kaspersky Security Center Cloud Console with Microsoft Entra ID account credentials, users must be able to sign in to their Microsoft Entra ID account.
Enabling Microsoft Entra ID polling
You have to enable Microsoft Entra ID polling to add the users from your Microsoft Entra ID to Kaspersky Security Center Cloud Console.
To enable Microsoft Entra ID polling:
- In the main menu, click the settings icon next to the name of the Administration Server.
The Administration Server properties window opens.
- On the General tab, select the Microsoft Entra ID section.
- In the User discovery section, turn on the Microsoft Entra ID polling toggle button.
- If you want to change the default polling schedule, click the Schedule settings button, specify the polling frequency and time in the window that opens, and then click the Save button.
Microsoft Entra ID polling will run according to the schedule that you configure.
- If you want to run Microsoft Entra ID polling immediately, click the Run now button.
The users are loading. When the users are loaded, the Microsoft Entra ID polling is finished.
- Click the Save button.
The Microsoft Entra ID polling is complete, and the users from your Microsoft Entra ID are added to Kaspersky Security Center Cloud Console.
Adding Kaspersky Security Center Cloud Console to the list of applications
You can allow users to open Kaspersky Security Center Cloud Console by clicking its name in the list of applications, without entering the login URL. The application list is available in My Apps and Office 365 Launcher.
To add Kaspersky Security Center Cloud Console to the list of applications:
- In the Microsoft Entra admin center main menu, go to Identity → Applications → App registrations, and then on the All applications tab, select the Kaspersky Security Center Cloud Console application that you have previously registered in Microsoft Entra ID.
- In the menu of Kaspersky Security Center Cloud Console, select the Branding & properties section, and then do the following:
- In the Home page URL field, enter the login URL.
- If necessary, in the Upload new logo field, add an image that will be used as the application icon in the list of applications.
- Click the Save button.
- In the Microsoft Entra admin center main menu, go to Identity → Applications → Enterprise applications, and then select Kaspersky Security Center Cloud Console.
The application overview page opens.
- In the menu of Kaspersky Security Center Cloud Console, select the Properties section, and then do the following:
- Set the following options to Yes:
- Enabled for users to sign-in?
This action is necessary only if the option is not set to Yes by default.
- Visible to users?
- Click the Save button.
- In the menu of Kaspersky Security Center Cloud Console, select the Users and groups section, and then do the following:
- Click the Add user/group button, and then click the link below Users and groups.
- In the window that opens, select users and groups, and then click the Save button.
The window is closed.
- Click the Assign button.
Kaspersky Security Center Cloud Console is available in My Apps and Office 365 Launcher for the selected users. The users can open Kaspersky Security Center Cloud Console by clicking its name in the list, without entering the login URL.