Entra ID authentication
Last updated
Entra ID authentication is ideal for DeployR servers deployed in the cloud, i.e. those that are accessible from anywhere on the internet. All task sequences and content are protected; only those who properly authenticate are able to access the DeployR server. An audit trail is available showing who logged in.
In order to authenticate using Entra ID, it is necessary to:
Create an Entra ID application that allows authentication of users in your Entra ID tenant.
Configure DeployR with the details for your Entra ID tenant and application.
See the Microsoft documentation for more information on this authentication mechanism.
To create an Entra ID application, log into Entra ID as a global administrator or other user with sufficient permissions, then click "New registration" from the "App registrations" page.
On the subsequent page, specify the user-facing name (e.g. "Contoso DeployR authentication") which will be shown to the user when they attempt to log in; the remaining settings can be left as defaults.
Click "Register" to create the application. On the application's "Authentication (preview)" page, click the link to "switch to the old experience" (the new experience does not presently enable you to save changes). Set the "Allow public client flows" setting to "Yes" and save the changes.
On the "API permissions" page, add "User.ReadBasic.All" to the permissions for this app, then grant admin consent.
On the "Expose an API" page, click the "Add" link next to the "Application ID URL" text. Keep the default value, then click "Save".
On the "App roles" page, click to "Create an app role". Fill in the values as indicated and then click "Apply" to create the role:
Switch to the "Enterprise applications" node in the Entra portal and find the application that you just created and configured. Click on the "Users and Groups" node, then click to "Add user/group" and specify the user or group that should be granted access. (Since there is only one role defined, that will be pre-selected.)
With the Entra app created and configured, you can now configure DeployR to use it. Open the "Configure DeployR" shortcut from the Start menu, then select "Show advanced." Scroll down to the "Security Settings" section. You can copy the "Entra ID authentication tenant ID" and "Entra ID authentication application ID" values from the app registration in Entra:
Once configured, click "Verify" and then "Save" to save the configuration, then ensure that the DeployR service starts as expected.
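The following script, added here as an example and not part of 2Pint's product or documentation, checks the app registration against the steps above using the Microsoft Graph PowerShell SDK: public client flows enabled, an Application ID URI set, an app role defined, the User.ReadBasic.All delegated permission requested and consented, and at least one user or group assigned. It assumes the Microsoft.Graph module is installed and that $AppId is the application (client) ID you copied into DeployR.

```powershell
# Added verification example (not from the DeployR documentation).
# Assumes Microsoft.Graph is installed; $AppId is a placeholder for your own app ID.
param([Parameter(Mandatory)][string]$AppId)

Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" -NoWelcome

$app = Get-MgApplication -Filter "appId eq '$AppId'"
if (-not $app) { throw "No app registration found with appId $AppId" }
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"

# 1. Device code sign-in from WinPE requires "Allow public client flows" = Yes
$publicClient = ($app.IsFallbackPublicClient -eq $true)

# 2. "Expose an API" > "Add" sets an Application ID URI on the registration
$hasIdUri = ($app.IdentifierUris.Count -gt 0)

# 3. At least one enabled app role that users/groups can be assigned to
$userRoles = @($app.AppRoles | Where-Object { $_.IsEnabled -and ($_.AllowedMemberTypes -contains 'User') })

# 4a. Delegated Microsoft Graph scope User.ReadBasic.All is requested by the app.
#     The scope ID is resolved from the Graph service principal rather than hard-coded.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$scopeId = ($graphSp.Oauth2PermissionScopes | Where-Object Value -eq 'User.ReadBasic.All').Id
$graphAccess = $app.RequiredResourceAccess | Where-Object ResourceAppId -eq $graphSp.AppId
$scopeRequested = @($graphAccess.ResourceAccess |
    Where-Object { $_.Id -eq $scopeId -and $_.Type -eq 'Scope' }).Count -gt 0

# 4b. Admin consent shows up as a tenant-wide OAuth2 permission grant for that scope
$consented = @(Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id -and $_.ConsentType -eq 'AllPrincipals' -and
                   ($_.Scope -split ' ') -contains 'User.ReadBasic.All' }).Count -gt 0

# 5. "Enterprise applications" > "Users and groups": someone must hold the role
$assignments = @(Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id)

[pscustomobject]@{
    TenantId             = (Get-MgContext).TenantId   # value DeployR needs
    ApplicationId        = $app.AppId                 # value DeployR needs
    PublicClientFlows    = $publicClient
    ApplicationIdUriSet  = $hasIdUri
    AppRoleDefined       = $userRoles.Count -gt 0
    UserReadBasicAllRequested = $scopeRequested
    AdminConsentGranted  = $consented
    RoleAssignments      = $assignments.Count
}
```

Any property reporting False, or a RoleAssignments count of 0, points at the corresponding portal step above that still needs to be completed before the WinPE sign-in prompt will succeed.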
To ensure everything is configured and working, boot into Windows PE (using an ISO, PXE, etc.). You should be challenged to complete the sign-in process:
From a browser, you should see a generic prompt asking for the code specified:
Once you type in the code (it cannot be automatically populated), you should see a company-branded page to either sign in or to select an already signed-in account:
After a final confirmation, the sign-in is completed:
And the DeployR client will then continue automatically.