Appearance

Public Cloud Integration

This chapter covers a few Mobile ID integration scenario examples with popular public cloud services.

Microsoft Entra ID

MobileID integrates with Microsoft Entra ID as an external authentication method, enabling Multi-Factor-Authentication (MFA) for Entra ID logon. MobileID provides seamless inline user enrolment, self-service device management, and supports a range of authentication methods, including highly secure crypto-SIM tokens and app-based push authentication for iOS and Android, with advanced options such as Number Matching and Geofencing.

In 2020, Microsoft announced plans to replace custom controls with a new method for integrating third-party authentication. MobileID has been working closely with Microsoft to deliver an authentication solution for their new Microsoft External Authentication Methods (EAM) framework, available from May 2024.

MobileID via EAM is fully recognized as a multifactor authentication method within Entra ID, meeting MFA policy requirements. Once MobileID is defined as an EAM provider, you can create Entra ID conditional access policies with MFA using MobileID and assign these to specific users, groups, or applications.

INFO

For more information, check out the EAM public preview on the Microsoft blog. Mobile ID for Entra ID External Authentication Methods is a Microsoft Early Access feature.

Sign-in Flow

entraid-sign-in-flow

Known Limitations

  • Users must specifically select the MobileID EAM option during authentication. If they have other MFA methods configured besides MobileID, they may need to click "Other options" on the Microsoft "Verify your identity" prompt in order to choose MobileID. Microsoft plans to introduce system-preferred defaults for EAM in the future, which will automatically prioritize the default method displayed during authentication.
  • EAM currently does not support logins for external guest users.
  • Cross-tenant user authentication with the MobileID EAM has limitations. It will only work if:
    • The external Microsoft Entra organization trusts MFA claims from the user's home tenant.
    • The user has already established a valid MFA claim by authenticating to an application within their home tenant before accessing the cross-tenant application.
  • Azure Government does not yet support Entra ID external authentication methods. Be sure to review Microsoft Entra feature availability for Azure Government. The "Microsoft Entra ID: External Authentication Methods" application is not accessible under MobileID Federal plans.

Prerequisites

To use MobileID MFA with Microsoft Entra ID, you'll need the following:

  • Before you can integrate and use MobileID EAM, the client onboarding process must have been completed by Swisscom. You will need the following information from Swisscom to be able to create an EAM:
    • An Application ID is generally a multitenant application from your provider, which is used as part of the integration. You need to provide admin consent for this application in your tenant.
    • A Client ID is an identifier from your provider used as part of the authentication integration to identify Microsoft Entra ID requesting authentication.
    • A Discovery URL is the OpenID Connect (OIDC) discovery endpoint for the external authentication provider.

TIP

If you did not receive this information, it means that your onboarding process is not finished yet. Please check the state with your commercial contact or via Backoffice.Security@swisscom.com.

  • An active Entra ID P1 or P2 subscription with Conditional Access enabled, and P1/P2 licenses assigned to each user who will log in using MobileID MFA. Plans like Microsoft 365 E3, E5, and F3, as well as Enterprise Mobility + Security E3 and E5, and Microsoft Business Premium, all include Entra ID Premium.
  • A designated Entra ID admin service account to authorize the MobileID application access. This account requires the Entra ID Global Administrator or Privileged Role Administrator role during the MobileID setup process, though you can reduce the service account's role privileges afterward.

Configure Entra ID

Follow these steps to configure MobileID as an external authentication method in Microsoft Entra ID:

StepDescription
1Log in to Entra ID

Go to the Microsoft Entra admin center and log in to your Entra ID tenant as a global administrator.

If you're using the Azure portal, the navigation will differ slightly.
2Navigate to Policies

In the Entra Admin Center, go to Protection → Authentication Methods → Policies.

If you're logged into the Azure portal instead, first select Microsoft Entra ID, then go to Security → Authentication Methods → Policies.
3Add External Method

Click + Add External Method.

entraid-add-external-method
4Configure the External Method

On the "Add external method" page, enter a descriptive name for the MobileID method. The default name might be "Mobile ID" but you can choose a name that will make sense to your users since they'll see this during authentication.

Note: You cannot change the name after creation.

Enter the information you have received from Swisscom in the corresponding field: Client ID, Discovery Endpoint, App ID.

entraid-configure-external-method
5Enable the Method

If you want to enable MobileID MFA right away, toggle Enable from "Off" to "On".
6Specify Users

Before saving the new MobileID external method, decide which users should have access to it.

By default, it will apply to all users, meaning any Entra ID user with a Conditional Access Policy requiring multifactor authentication (MFA) will see MobileID as an option.

To apply it to specific users, click + Add Target under the "Include" tab and choose Select Targets. On the "Add directory members" page, select one or more Entra ID directory groups that contain the users you want to target for MobileID authentication, then click Select.
7Save the Configuration

After entering all the required details, click Save to create the new MobileID external method.
8Grant Admin Consent

If the "Request admin consent" information shows a Request permission button instead of saying "Admin consent granted", click the Request permission button to authorize the MobileID Authentication Method application, making sure to check the box next to Consent on behalf of your organization before clicking Accept.

entraid-grant-admin-consent

You can verify the permissions if you go to Identity → Applications → Enterprise applications and select the MobileID Application, then select Permissions. The list of permissions that have been granted for your organization should be shown and it should look similar to this example below:

entraid-admin-consent-permissions

Create and Apply a Conditional Access Policy

StepDescription
1Log in to Entra ID

Go to the Microsoft Entra admin center and log in to your Entra ID tenant as a global administrator.

If you're using the Azure portal, the navigation will differ slightly.
2Navigate to Conditional Access

Click on Conditional Access in the left-hand menu, then click + Create New Policy.

If you are in the Azure portal, navigate to Security → Conditional Access → Policies.

entraid-conditional-access
3Name the Policy

Enter a descriptive name for the new policy, such as "MobileID MFA for Acme Users".
4Assign the Policy

You can assign this policy to specific users or groups, Entra ID cloud apps, or other conditions like client platforms or networks.

Example for assigning to users: Click Users under "Assignments", then select Users and groups on the "Include" tab. Choose Users and groups and click 0 users and groups selected to locate the users or Entra ID security groups for whom you want to enforce MobileID MFA. Select the users or groups, then click Select to apply your choices.

If you targeted specific groups when creating the MobileID external method, ensure that you apply this new policy to the same groups.

Example for assigning to resources: Click Target resources. On the "Include" tab, select Apps, and choose the Entra ID applications where you want MobileID MFA to be applied.
5Configure Access Controls

Click Grant under "Access controls", select Grant access, and check the box for Require multifactor authentication. Click Select when done.

entraid-access-controls
6Enable the Policy

The final step is to enable the new MobileID conditional access policy. Click the "On" toggle switch under "Enable policy", then click Create. The policy will be created and applied to your selected groups or users, enforcing MFA via MobileID.

WARNING

Avoid assigning the MobileID policy to all users or all cloud apps at the start, especially for tenant administrators, to prevent potential admin lockouts. Always test the policy with selected users first. Additionally, ensure you create a fail-safe Entra ID administrator account that is excluded from MobileID MFA policies to maintain uninterrupted access. Secure this account with a strong password and a different access condition, such as one based on a trusted network.

Additional Configuration to Prioritize MobileID MFA

If you want users to exclusively use MobileID instead of the Microsoft Authenticator app, follow these steps:

StepDescription
1Disable the Microsoft Authenticator Registration Campaign

In the Entra ID admin center, go to Protection → Authentication Methods → Registration Campaign.

Click Edit, change the State to Disabled, and click Save.

Alternatively, you can leave the registration campaign enabled and exclude the groups of users who are covered by the MobileID conditional access policy.
2Disable System Preferred MFA for Microsoft Authenticator

Go to Protection → Authentication Methods → Settings → System Preferred Multifactor Authentication.

Click Edit, change the State to Disabled, and click Save.
3Turn Off Microsoft Authenticator

Navigate to Protection → Policies, click Microsoft Authenticator.

On the "Enable and Target" tab, toggle the Enable switch to Off and click Save.

Test Your Setup

Log in to Entra ID using a user account that has been assigned the Conditional Access policy requiring MFA and is a target for the newly created MobileID external method.

If you applied the MobileID Conditional Access policy to "All cloud apps", when you log into the Office portal (e.g., https://office.com) and submit your primary Entra ID credentials, you'll see your MobileID external authentication method as an option for identity verification. The name displayed will be the one you entered when setting up the MobileID external method in Entra ID.

entraid-verify-identity

Choose the "Mobile ID" method to begin MobileID MFA authentication.

If you have multiple Entra ID authentication methods enabled, you may need to click "Other options" to view and select the MobileID method.

entraid-other-options

You will be redirected to the MobileID prompt or user enrolment, depending on your configuration.

Once you complete the MobileID authentication, you'll return to Entra ID to finish logging in to the application.

entraid-authentication-complete

If your Conditional Access policy requiring MFA is only applied to specific applications, the initial login to the Office portal will not prompt for MobileID MFA. However, accessing the protected application within the Office portal or directly will trigger the MobileID MFA prompt.

WARNING

If you encounter the "Looks like something went wrong" error from Microsoft, the new EAM settings might need additional time to propagate. If the error persists, you may request support from Swisscom.

Troubleshooting

Need some help? Please ask your commercial contact or get in touch with Backoffice.Security@swisscom.com to ask for support.

Microsoft Azure AD B2C

Azure Active Directory B2C is a Single-Sign-On (SSO) solution for any API, web, or mobile application. It enables any organization to provide their users with access using identities they already have, such as Mobile ID.

INFO

Mobile ID is officially supported by Microsoft Azure and the setup is described on their official article.

Microsoft will act as the secure front door to any of these applications and they will worry about the safety and scalability of the authentication platform. Azure will handle things like denial of service or brute force attacks, so that organizations can focus on their core business and stay out of the identity business.

Amazon Cognito

Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily. Amazon Cognito scales to millions of users and supports sign-in with social identity providers, such as Apple, Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0 and OpenID Connect.

TIP

This article explains how to integrate user sign-in with an OpenID Connect IdP such as Mobile ID.

amazon-cognito-config