
Management Console Entra ID integration: Authentication Security Overview

This guide explains how Resilio Active Everywhere integrates securely with Microsoft Entra ID to support user authentication, session management, and service-to-service access. It also provides answers to common security and identity management questions.

Authentication Overview

Resilio Active Everywhere uses the Microsoft Authentication Library (MSAL) and follows Microsoft's recommended Authorization Code Flow with PKCE for user authentication. This ensures a secure, standards-based integration with Microsoft Entra ID.

Key Points

Credentials never pass through Management Console or other Resilio AE components. Authentication happens directly against Microsoft Entra ID.

Conditional Access, MFA, and compliance policies are controlled by the Entra ID admin and are enforced on the Entra ID side.

Tokens returned by Entra ID are validated by Resilio (signature, claims, expiry).

Flows used: Authorization Code Flow with PKCE (user authentication) and OAuth 2.0 Client Credentials Flow (service-to-service integration).

Interactive sign-ins are supported when required.

User and API authentication flow

For end users, Resilio relies on OpenID Connect with the Authorization Code Flow and PKCE, mediated by MSAL. The sequence is:

  1. User clicks Log in with Microsoft Entra ID and an interactive session starts.
  2. User is redirected to the Entra ID login page and authenticates under its security policies (password, MFA). Conditional Access, MFA, and device-compliance rules should be configured on the Entra side and remain under the Entra ID admin's control.
  3. On successful login Entra ID returns an authorization code to the registered redirect URL.
  4. MSAL exchanges that code for an ID token, an access token and a refresh token. Resilio relies on the ID token, which it validates (signature, claims, expiry); for details, see ID tokens in the Microsoft identity platform - Validate tokens.
  5. MSAL exchanges the refresh token for new tokens before expiry, keeping the user signed in without prompts. If silent refresh fails (e.g., token expired, revoked, or a new policy applied), the session is ended and the user is redirected to Entra ID for an interactive re-authentication.
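The client-side bookkeeping behind steps 1 to 4 (PKCE verifier and challenge, the state that ties the callback to the browser session, and the nonce that must come back inside the ID token), as an added illustration that is not Resilio's or MSAL's own code. Tenant, client and redirect values are placeholders; `token_endpoint_accepts` models the check Entra ID performs at code exchange so the binding can be exercised offline.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Entra ID v2.0 authorize endpoint; tenant and client ids used with it below are constructed placeholders.
AUTHORIZE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()  # RFC 7636: no '=' padding

def make_code_verifier() -> str:
    # 32 random bytes -> 43 chars, the RFC 7636 minimum; it stays in the client session only.
    return _b64url(secrets.token_bytes(32))

def code_challenge(verifier: str) -> str:
    # S256: the challenge goes in the authorize request, the verifier only at code exchange.
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_authorize_url(tenant: str, client_id: str, redirect_uri: str):
    """Return the authorize URL and the per-login secrets the client must keep."""
    pending = {
        "verifier": make_code_verifier(),
        "state": secrets.token_urlsafe(16),  # ties the callback to this browser session
        "nonce": secrets.token_urlsafe(16),  # must be echoed inside the returned ID token
    }
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid profile offline_access",  # offline_access is what yields a refresh token
        "state": pending["state"],
        "nonce": pending["nonce"],
        "code_challenge": code_challenge(pending["verifier"]),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE.format(tenant=tenant)}?{urlencode(params)}", pending

def callback_is_ours(pending: dict, returned_state: str) -> bool:
    return secrets.compare_digest(pending["state"], returned_state)  # reject forged callbacks

def token_endpoint_accepts(stored_challenge: str, presented_verifier: str) -> bool:
    # The check Entra ID performs at code exchange: a code captured in transit cannot be
    # redeemed without the verifier that never left the client.
    return secrets.compare_digest(stored_challenge, code_challenge(presented_verifier))

def nonce_matches(id_token_claims: dict, pending: dict) -> bool:
    # One of the ID token claim checks from step 4: nonce must equal the one we sent.
    return secrets.compare_digest(id_token_claims.get("nonce", ""), pending["nonce"])
```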

For service-to-service scenarios Resilio's public API accepts access tokens obtained through the OAuth 2.0 Client Credentials flow. The token is validated before a request is processed.

Tokens used

  • ID Token - Establishes the user's identity after successful login.
  • Refresh Token - Enables silent token renewal without requiring the user to re-authenticate frequently.
  • Access Token (Service-to-Service) - Used in machine-to-machine scenarios, such as when calling the Resilio public API with the Client Credentials Flow.

Resilio does not consume authorization codes beyond the exchange step.