How-To: Register the EZRADIUS App in Your Azure Tenant

Register the EZRADIUS application in your Azure tenant to modernize your networking infrastructure and get easy EAP-TLS authentication with EZRADIUS.

How to Register the Keytos Applications for EZRADIUS

EZRADIUS uses a set of Entra ID Applications to authenticate you to our services and manage your RADIUS infrastructure. To register these applications in your tenant, use your Global Administrator account and follow these steps:

Register the Keytos Applications in Your Entra Tenant

The Keytos and Keytos Client Entra ID applications are used by Keytos services, including EZRADIUS, to sign you in and manage your EZRADIUS, EZCA, and other Keytos services. This step must be completed before registering the EZRADIUS applications.

The easiest way to register the applications is to click the button below while logged in with your Global Administrator account:

Register Keytos Applications

Alternatively, you can copy and paste the following URL into your browser. Make sure you are logged in with your Global Administrator account before accessing the link.

https://login.microsoftonline.com/common/oauth2/authorize?client_id=eddb4ead-89dd-4da8-9196-09c7ea82d724&prompt=admin_consent&response_type=code&redirect_uri=https%3A%2F%2Fportal.ezca.io%2FWelcome

Register the EZRADIUS Applications in Your Entra Tenant

After registering the Keytos applications, you can now register the EZRADIUS and EZRADIUS Client applications in your tenant. These applications are used by EZRADIUS to manage your RADIUS infrastructure.

The easiest way to register the applications is to click the button below while logged in with your Global Administrator account:

Register EZRADIUS Applications

Alternatively, you can copy and paste the following URL into your browser:

https://login.microsoftonline.com/common/oauth2/authorize?client_id=d212033b-7fb6-43ee-ac3a-2dcd606a5797&prompt=admin_consent&response_type=code&redirect_uri=https%3A%2F%2Fportal.ezradius.io%2FWelcome


Next Step - Select an EZRADIUS Plan

Once you have registered the Keytos and EZRADIUS applications, you are ready to select an EZRADIUS Plan and start using EZRADIUS!

Select an EZRADIUS Plan →

Additional Information

If you would like to learn more about the Keytos and EZRADIUS applications and the permissions they require, please read the sections below.

How Do I Verify that the Applications are Registered?

If you are having issues with EZRADIUS and it says that your application is not registered, you can validate that the 4 applications are registered in your tenant by going to the Azure Portal -> Entra ID -> Enterprise Applications. Search for EZRADIUS and you should see 2 applications (EZRADIUS and EZRADIUS Client), then search for Keytos and you should see 2 applications (Keytos and Keytos Client).

What Permissions Am I Granting the Keytos Applications?

When you register the Keytos application in your tenant you are granting it the following permissions:

Permissions Granted to the Keytos Client Application

The Keytos Client application (Application ID eddb4ead-89dd-4da8-9196-09c7ea82d724) is the front-end application that runs in your browser when you access the EZCA Portal. It requires the following permissions:

| Description | Name | Type | Why is this needed? |
|---|---|---|---|
| Sign in and read user profile | User.Read | Delegated | This permission allows EZCA to read your basic profile information such as your name and email address to create your account in our system. |
| Read directory data | Directory.Read.All | Delegated | This permission allows EZCA to read information about your organization’s directory, such as users and groups, which is necessary for managing access to your domains and certificates. |
| Access Azure Resource Manager as organization users | user_impersonation | Delegated | This permission allows EZCA to manage Azure resources on behalf of the signed-in user, which is used for creating and rotating certificates stored in Azure Key Vault and Azure IoT Hub. Can optionally be removed/revoked if you are not using these features. |

Keytos Client also has the API.Access permission on the Keytos application to allow it to call the back-end APIs using delegated permissions.

Permissions Granted to the Keytos Application

The Keytos application (Application ID 68554b48-233f-42b4-9aa7-2eadca4d7727) is the back-end application that runs the EZCA services. It requires the following permissions:

| Description | Name | Type | Why is this needed? |
|---|---|---|---|
| Sign in and read user profile | Directory.Read.All | Application | This permission allows EZCA to read information about your organization’s directory, such as users and groups. This is used to check group permissions for users when providing access to your domains and certificates. |

Permissions Granted to the EZRADIUS Client Application

The EZRADIUS Client application (Application ID d212033b-7fb6-43ee-ac3a-2dcd606a5797) is the front-end application that runs in your browser when you access the EZRADIUS Portal. It requires the following permissions:

| Description | Name | Type | Why is this needed? |
|---|---|---|---|
| Read directory data | Directory.Read.All | Delegated | This permission allows EZRADIUS to read information about your organization’s directory, such as users and groups, which is necessary for signing you in and managing access to your RADIUS infrastructure. |

EZRADIUS Client also has the API.Access permission on the EZRADIUS and Keytos applications to allow it to call the back-end APIs using delegated permissions.

Permissions Granted to the EZRADIUS Application

The EZRADIUS application (Application ID 5c0e7b30-d0aa-456a-befb-df8c75e8467b) is the back-end application that runs the EZRADIUS services. It requires the following permissions:

| Description | Name | Type | Why is this needed? |
|---|---|---|---|
| Read directory data | Directory.Read.All | Application | This permission allows EZRADIUS to read information about your organization’s directory, such as users and groups. This is used to check group permissions for users when providing access to your RADIUS infrastructure. |
| Manage apps that this app creates or owns | Application.ReadWrite.OwnedBy | Application | Allows EZRADIUS to rotate secrets for the EZRADIUS Entra application. Does not give access to any other applications in your tenant. |
| Read Microsoft Intune devices | DeviceManagementManagedDevices.Read.All | Application | Allows EZRADIUS to read device information from Intune when checking device compliance or other device-based policies. |
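
To check a tenant against the tables above, this added example (not Keytos code) compares an export of granted permissions with the documented baseline and reports anything granted beyond it. The export shape, an application ID mapped to (name, type) pairs, and the sample data are assumptions constructed for illustration.

```python
# Baseline transcribed from the tables above: appId -> {(permission, type)}.
# Resource APIs are not tracked, so API.Access is listed once per client app.
DOCUMENTED = {
    "eddb4ead-89dd-4da8-9196-09c7ea82d724": {  # Keytos Client
        ("User.Read", "Delegated"), ("Directory.Read.All", "Delegated"),
        ("user_impersonation", "Delegated"), ("API.Access", "Delegated")},
    "68554b48-233f-42b4-9aa7-2eadca4d7727": {  # Keytos
        ("Directory.Read.All", "Application")},
    "d212033b-7fb6-43ee-ac3a-2dcd606a5797": {  # EZRADIUS Client
        ("Directory.Read.All", "Delegated"), ("API.Access", "Delegated")},
    "5c0e7b30-d0aa-456a-befb-df8c75e8467b": {  # EZRADIUS
        ("Directory.Read.All", "Application"),
        ("Application.ReadWrite.OwnedBy", "Application"),
        ("DeviceManagementManagedDevices.Read.All", "Application")},
}
# The page says the Azure Resource Manager grant can be revoked.
OPTIONAL = {("user_impersonation", "Delegated")}


def audit(granted):
    """granted maps appId -> iterable of (name, type) pairs (assumed shape)."""
    report = {}
    for app_id, expected in DOCUMENTED.items():
        if app_id not in granted:
            report[app_id] = {"registered": False, "extra": [], "missing": []}
            continue
        actual = {tuple(pair) for pair in granted[app_id]}
        report[app_id] = {
            "registered": True,
            "extra": sorted(actual - expected),  # granted but not documented
            "missing": sorted(expected - actual - OPTIONAL),
        }
    return report


# Constructed sample, not real tenant data: ARM access revoked on Keytos
# Client, Keytos back end absent, one undocumented grant on EZRADIUS.
SAMPLE = {
    "eddb4ead-89dd-4da8-9196-09c7ea82d724": [
        ("User.Read", "Delegated"), ("Directory.Read.All", "Delegated"),
        ("API.Access", "Delegated")],
    "d212033b-7fb6-43ee-ac3a-2dcd606a5797": [
        ("Directory.Read.All", "Delegated"), ("API.Access", "Delegated")],
    "5c0e7b30-d0aa-456a-befb-df8c75e8467b":
        DOCUMENTED["5c0e7b30-d0aa-456a-befb-df8c75e8467b"]
        | {("Mail.Read", "Application")},
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A permission granted with the wrong type, for example Directory.Read.All as Application where the table lists Delegated, shows up under both `extra` and `missing`.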

Do I Need to Grant Access to My Azure Resources?

The Azure Resource Manager delegated permission is included by default so that Azure Key Vault and IoT Hub integration works out of the box within EZCA. While it only has access to the resources accessible by the signed-in user, you can choose to remove or revoke this permission if you do not plan to use EZCA or any of the EZCA features which interact with your Azure resources. Other EZRADIUS and Keytos features will continue to work without this permission, but you will no longer be able to create or rotate certificates stored in Azure Key Vault or Azure IoT Hub within EZCA.

To remove or revoke access to your Azure resources, follow these steps:

  1. Navigate to the Azure Portal and sign in with your Global Administrator account.
  2. Go to Entra ID -> Enterprise Applications.
  3. Search for and select the Keytos Client application.
  4. Go to the Permissions section.
  5. Find the Azure Resource Manager permission and click on and then Revoke permission.
  6. Done. The Keytos Client application will no longer have access to Azure Resource Manager.

Registering the EZRADIUS Application if You are Using Your Account in Multiple Tenants

If you use your account in multiple tenants and Azure is not selecting the correct tenant to register the application under, you can use the following links (where $yourorganization$ is the name of your organization) to register the application in the correct tenant:

  • Keytos:
    https://login.microsoftonline.com/$yourorganization$.onmicrosoft.com/oauth2/v2.0/authorize?client_id=eddb4ead-89dd-4da8-9196-09c7ea82d724&response_type=code&redirect_uri=https%3A%2F%2Fportal.ezca.io%2FWelcome&scope=openid
    
  • EZRADIUS:
    https://login.microsoftonline.com/$yourorganization$.onmicrosoft.com/oauth2/v2.0/authorize?client_id=d212033b-7fb6-43ee-ac3a-2dcd606a5797&response_type=code&redirect_uri=https%3A%2F%2Fportal.ezradius.io%2FWelcome&scope=openid
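
Because these links are opened from a Global Administrator session, it is worth confirming that a link you were sent matches the application IDs and portal addresses documented on this page before using it. The following is an added example, not Keytos code; the function name and the problem messages are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# client_id -> redirect_uri, both taken from the links on this page.
EXPECTED = {
    "eddb4ead-89dd-4da8-9196-09c7ea82d724": "https://portal.ezca.io/Welcome",
    "d212033b-7fb6-43ee-ac3a-2dcd606a5797": "https://portal.ezradius.io/Welcome",
}
AUTHORIZE_SUFFIXES = ("/oauth2/authorize", "/oauth2/v2.0/authorize")


def check_consent_url(url):
    """Return a list of problems; an empty list means the link matches this page."""
    problems = []
    parts = urlsplit(url)
    # Comparing the whole authority rejects userinfo tricks, odd ports and
    # lookalike hosts that merely start with the Microsoft login name.
    if parts.scheme != "https" or parts.netloc.lower() != "login.microsoftonline.com":
        problems.append("authority is not https://login.microsoftonline.com")
    if not parts.path.endswith(AUTHORIZE_SUFFIXES):
        problems.append("path is not an authorize endpoint")
    query = parse_qs(parts.query, keep_blank_values=True)
    ids = query.get("client_id", [])
    redirects = query.get("redirect_uri", [])
    if len(ids) != 1 or len(redirects) != 1:
        # Repeated parameters can be read differently by different parsers.
        problems.append("client_id and redirect_uri must each appear exactly once")
    elif ids[0].lower() not in EXPECTED:
        problems.append("client_id is not documented on this page")
    elif redirects[0] != EXPECTED[ids[0].lower()]:
        problems.append("redirect_uri does not match the documented portal")
    return problems


if __name__ == "__main__":
    link = ("https://login.microsoftonline.com/common/oauth2/authorize"
            "?client_id=eddb4ead-89dd-4da8-9196-09c7ea82d724&prompt=admin_consent"
            "&response_type=code&redirect_uri=https%3A%2F%2Fportal.ezca.io%2FWelcome")
    print(check_consent_url(link) or "link matches the documented values")
```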
    

How Do I Unregister the Applications?

If you need to unregister the Keytos or EZRADIUS applications from your tenant, you can do so by following these steps:

  1. Navigate to the Azure Portal and sign in with your Global Administrator account.
  2. Go to Entra ID -> Enterprise Applications.
  3. Search for and select the Keytos Client application.
  4. Navigate to the Properties section.
  5. Click on the Delete button at the top of the page to unregister the application.
  6. Repeat the previous steps for the Keytos, EZRADIUS Client, and EZRADIUS applications.