On the Entra ID side
You need to create and configure an application through which the SecureAnyBox5 and KeyShield SSO connectors will connect.

- Go to Microsoft Entra Admin Center.
- Navigate to: Identities > Applications > App registrations
- Click New registration.
- Fill in:
  - Name – e.g., SecureAnyBox5 / KeyShieldSSO (both products can share the same application in Entra ID for their connectors).
  - Supported account types – choose as needed (typically “Accounts in this organizational directory only”).
  - Redirect URI (optional).
- Click Register.

- In the registered application's details, go to Certificates & secrets.
- In the Client secrets section, click New client secret.
- Enter a description and expiration period, then click Add.
- Immediately copy the generated value – it must be entered into the connector settings in both SecureAnyBox5 and KeyShield. It will not be possible to view it later! However, client secrets can be recreated at any time, so you can generate separate ones for SecureAnyBox5 and KeyShield SSO if desired.

- In the application details, go to API permissions.
- Click Add a permission.
- Select Microsoft Graph API.
- Choose the type of permission:
  - Delegated – for apps acting on behalf of a signed-in user.
  - Application – for apps running without a signed-in user.
- Add all permissions of the corresponding type from the following list:
  - Application.ReadWrite.All (Delegated)
  - Application.ReadWrite.All (Application)
  - Directory.ReadWrite.All (Delegated)
  - Directory.ReadWrite.All (Application)
  - Group.Read.All (Application)
  - User.Read (Delegated)
  - User.Read.All (Application)
  - User.ReadWrite.All (Delegated)
  - User.ReadWrite.All (Application)
- Click Add permissions.
- Click Grant admin consent to approve the permissions.

SecureAnyBox5 Configuration
In the SecureAnyBox5 admin section, go to Configuration → Connectors.
Click Add Entra ID (Azure AD) Connector.
Fill in:
- Connector ID – e.g., EntraID.
- Tenant ID – copy the value from the Entra ID app: Directory (tenant) ID.
- Domain – enter the domain name (primary or verified custom domain in Entra ID).
  This domain defines which users are synchronized. For example, if Entra ID has keyshield.com and secureanybox5.com, only users from the configured domain will be synchronized. So if you set keyshield.com, a user jdoe@keyshield.com will be synchronized, but msmith@secureanybox5.com will not.
- Client ID – copy the value from Entra ID: Application (client) ID.
- Client secret – paste the secret value created earlier in Entra ID.
- UUID attribute – keep the default value id, or optionally customize attribute mapping (see SecureAnyBox5 documentation).
- Target Domain – choose the target domain for synchronized Entra ID users and adjust the synchronization interval if needed.

Confirm the configuration by clicking OK, then Apply to load the new configuration and start user synchronization from Entra ID.

KeyShield SSO Configuration
In the KeyShield SSO interface, go to Configuration → Connectors.
Click Add Microsoft Entra ID Connector.
Fill in:
- Connector ID – e.g., EntraID. Optionally, set Display Name and Description for easier identification (Display Name can include spaces and special characters not allowed in ID).
- Tenant ID – copy the value from Entra ID: Directory (tenant) ID.
- Domain – enter the domain name (primary or verified custom domain). This domain is used to build the userPrincipalName of logging-in users.
  For example, if a user signs in as jdoe and the domain is keyshield.com, the Entra ID username will be jdoe@keyshield.com.
- Client ID – copy the value from Entra ID: Application (client) ID.
- Client secret – paste the value created earlier in Entra ID.
- Authentication section – keep the default Manual authentication option enabled.
- Azure Attributes section – set:
  - User ID attribute → userPrincipalName
  - GUID attribute → id

Confirm the configuration by clicking OK, then Apply to activate and apply the new connector configuration.



