Context
Follow these steps to configure OAuth credentials that the Zip Console will use to manage your AzureAD users, groups, and sessions. Then, grant permissions for the Zip application to reset Entra account passwords.
Zip now supports connecting AzureAD using OAuth! If you previously connected AzureAD by creating an app registration, it’s easy to migrate to the new setup by going to the provider in Zip, clicking ‘edit’, and proceeding with the new Quick connect option. If you’d prefer to follow the original steps, they are still included below for reference.
[New] Connect AzureAD from the Zip Console
Prerequisites
- An account with the
Global Administratorrole in Azure AD
- Navigate to the Zip Console > Providers. Click Add > AzureAD > Quick connect.
- Fill in the provider’s name, then click “Sign in with Microsoft”. You’ll be redirected to log in with Microsoft and consent to all of the application permissions that Zip needs to manage AzureAD. Note that only admins will be able to consent.
- After consenting, you’ll be redirected back to the Zip Console
For organizations connecting to a GCC High Tenant
- Expand the “Advanced Configuration” toggle at the bottom of the form
- Change the Address field to
https://graph.microsoft.us
- Change the Authority Host field to
https://login.microsoftonline.us
Otherwise, leave these fields as the default values.
Grant Permission to Reset Account Passwords
Complete the following steps to grant the Zip Security application permission to reset user account passwords. Passwords will only be reset when someone in your organization clicks to do so from the Zip console, and when Entra synced accounts get created for the first time.
- Go to the Microsoft Entra admin center
- Click on “Groups” → “New group”
- Configure the group as follows:
- Group type: Security
- Group name: Zip Security: User Password Reset
- Group description: blank
- Microsoft Entra roles can be assigned: YES
- Membership type: Assigned
- Owners: No owners selected
- Members: Select “Zip Security: Entra Integration” if you used OAuth to connect to Entra, or “Zip Security: AzureAD” for the legacy set up.
- Roles: User Administrator
- Click “Create” to create the group
[Legacy] Create an Application Registration for the Zip Console
Prerequisites
- An account with at least the
Application Administratorroles assignment in Azure AD
- Someone from the customer with the
Global Administratorrole assignment in Azure AD
We use separate credentials for AzureAD and Intune to allow for maximum flexibility and security.
Create the Application Registration
- Navigate to the App registrations in Azure
- Select “New registration” from the page menu and fill out the form as follows:
- Name: “Zip Security: AzureAD”
- Supported account types: “Accounts in this organizational directory only (Zip Security only - Single tenant)”
- Redirect URI: leave blank
- Select “Register” at the bottom of the page
- From the following page, record the following values (they are not sensitive):
- Application (client) ID
- Directory (tenant) ID
- From the left hand menu, select “Certificates & secrets”
- Select “New client secret” and fill out the form as follows:
- Description: “Zip Security Service Account Secret”
- Expires: “730 days (24 months)”
- Select “Add”
- Be sure to record the Secret “Value” from the next page in a secure place, as it will never be displayed again. It is sensitive!
- From the left hand menu, select “API permissions”.
- Select “Add a permission”
- Search for and select “Microsoft Graph”
- Select “Application Permissions”
- Select “expand all”
- Select the following permissions:
- Application.ReadWrite.All
- AuditLog.Read.All
- Directory.ReadWrite.All
- Group.ReadWrite.All
- GroupMember.ReadWrite.All
- LicenseAssignment.ReadWrite.All
- RoleManagement.ReadWrite.Directory
- User.EnableDisableAccount.All
- User.ManageIdentities.All
- User.ReadWrite.All
- Select “Add permissions”
- Make sure you approve the permissions you’ve set by clicking ‘grant admin consent for Zip Security’:
- And then confirming the permissions can be granted:
Some times this can fail the first time. If it does, wait for 5-10 minutes then log out and log back into the Microsoft partner portal, and attempt to grant permissions again - that usually fixes the problem!
- You should see the green check mark that each permission has been granted for Zip Security, and you’re all set!
- Once you have added the permissions, navigate back to the Zip Console > Providers. Add a new AzureAD Provider with the ClientID (”Application (client) ID”), Client Secret (”Value”), and Tenant ID you jotted down in steps 3 and 4.
- Expand the “Advanced Configuration” toggle at the bottom of the form
- Change the Address field to
https://graph.microsoft.us - Change the Authority Host field to
https://login.microsoftonline.us
For organizations connecting to a GCC High Tenant
Otherwise, leave these fields as the default values.
Click Save to finish.
- To check that you’ve got all the right permissions, you can click into the new Provider you’ve created in the Providers Table (clicking on the name) to make sure all the health checks pass!
If all goes well, you should see a green check mark under health like here:
Please contact info@zipsecinc.cc if you experience issues.