The shape
Each EAP-TLS Group on an EntryPoint Context has an Entra Group selector on its Dot1x settings card. When you pick an Entra group, the platform stores that group’s Entra object ID on the EntryPoint Group. From that point, every authentication to this EntryPoint Group asks Entra whether the cert’s bearer belongs to that Entra group.

- Pick one Entra group per EntryPoint Group. There’s one selector. One-to-one.
- The Entra group ID is what’s stored. Renaming the Entra group in Entra doesn’t break the mapping (it’s tied to the ID, not the name).
- Mutating the Entra group’s membership is an Entra-side action. The EntryPoint admin doesn’t invite or revoke users — that’s a role Entra’s admin already holds.

| EntryPoint Group (type) | Entra group you map to |
|---|---|
| Corporate Staff (User Cert) | corporate-staff-wifi (Security group, members = all employees) |
| Finance (User Cert) | finance-team (Security group scoped to Finance) |
| Engineering (User Cert) | engineering-team |
| Managed Laptops (Device Cert) | managed-laptops-compliant (Device-group populated by Intune) |
| Reception Kiosks (Device Cert) | reception-kiosks (static device group) |
| Factory Workstations (Device Cert) | factory-workstations |
How authentication resolves the mapping
On every 802.1X-TLS authentication against this Group:

1. EntryPoint validates the chain. Against the Trusted CAs on the Context. Invalid chain → Access-Reject with no Entra call.
2. EntryPoint reads the principal from the cert. For user certs, this is a subject attribute that names the user (typically the UPN). For device certs, it’s the bearer identifier you’ve agreed with your PKI — see User certificates and Device certificates and Intune.
3. EntryPoint asks Entra Graph API. Using the credentials on the Identity Store (Application (client) ID + Client Secret), the platform queries Entra for the principal’s group memberships.
4. Match against the Group’s stored Entra group ID. The principal must be a member of the Entra group the EntryPoint Group is mapped to. Hit → Access-Accept with the Group’s Attribute Profile. Miss → Access-Reject.
5. If Device Compliance Check is on, a second Entra call checks the device’s compliance posture. Failing compliance rejects the authentication, even if the group membership would have accepted it. See Device certificates and Intune.
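The resolution order above, as an added illustration (not EntryPoint’s own code): the Entra Graph membership query and the Intune compliance lookup are stubbed with constructed dictionaries, and the CA names, group object IDs, principals and RADIUS attributes are hypothetical sample values. It covers the edge cases the page calls out: an invalid chain short-circuits before any Entra call, a deleted Entra group fails the match, and a failed compliance check rejects even a valid member.

```python
from dataclasses import dataclass

# Constructed stand-ins (hypothetical values) for the Context's Trusted CAs,
# the Entra tenant's group membership, and Intune's compliance posture.
TRUSTED_CA_SUBJECTS = {"CN=Corp Issuing CA 01"}

ENTRA_GROUPS = {  # Entra group object ID -> member principals (UPN or device id)
    "11111111-aaaa-4bbb-8ccc-000000000001": {"alice@example.com", "bob@example.com"},
    "11111111-aaaa-4bbb-8ccc-000000000002": {"LAPTOP-0042", "LAPTOP-0043"},
}
DEVICE_COMPLIANCE = {"LAPTOP-0042": True, "LAPTOP-0043": False}

@dataclass
class EntryPointGroup:
    name: str
    entra_group_id: str          # object ID stored on the Group, never the name
    attribute_profile: dict      # RADIUS attributes returned on Access-Accept
    device_compliance_check: bool = False

@dataclass
class Cert:
    issuer: str
    principal: str               # UPN for user certs, device identifier for device certs

def entra_is_member(group_id, principal):
    """Stub for the Graph membership query; None means Entra reported 'no such group'."""
    members = ENTRA_GROUPS.get(group_id)
    return None if members is None else principal in members

def authenticate(cert, group):
    """Resolve one 802.1X-TLS authentication against a mapped Group.

    Returns (decision, attributes, trace), evaluated in the page's order:
    chain -> principal -> Entra membership -> optional compliance check.
    """
    trace = []
    if cert.issuer not in TRUSTED_CA_SUBJECTS:
        trace.append("invalid chain: Access-Reject, no Entra call")
        return "Access-Reject", None, trace
    trace.append(f"chain ok; principal={cert.principal}")
    member = entra_is_member(group.entra_group_id, cert.principal)
    if member is None:
        trace.append("Entra: no such group -> Access-Reject")
        return "Access-Reject", None, trace
    if not member:
        trace.append("principal not in mapped Entra group -> Access-Reject")
        return "Access-Reject", None, trace
    trace.append("membership match")
    if group.device_compliance_check and not DEVICE_COMPLIANCE.get(cert.principal, False):
        trace.append("device not compliant -> Access-Reject despite membership")
        return "Access-Reject", None, trace
    return "Access-Accept", group.attribute_profile, trace
```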
Creating a mapped Group
1. Pick the Group type. From the Select Group Type dropdown, choose 802.1X-TLS with User Certificate or 802.1X-TLS with Device Certificate depending on the audience.
2. Name the Group. Pick a name that reads cleanly in UI and audit entries — Corporate Staff, Reception Kiosks, Factory Workstations. Typically matches or parallels the Entra group’s name.
3. Pick the Entra Group. The Create Group form shows an Entra Group selector. It’s populated live from the Entra tenant connected on the Identity Store. Find the Entra group you want and select it.
4. Enter a Description. Worth spending a sentence on — this is the audit-side hint for future-you, e.g. “Employees on MDM-enrolled laptops; mapped to Entra group corporate-staff-wifi.”

Changing which Entra group a Group points at
Mergers, re-orgs, tenant-side consolidation — sometimes an Entra group changes. Two approaches:

- Rename-in-place on the Entra side. The Entra group’s ID doesn’t change, so the EntryPoint mapping keeps working untouched.
- Different Entra group entirely. Open the EntryPoint Group’s Group Settings tab, re-pick the Entra Group in the selector, and save. Next authentication resolves against the new Entra group.
What happens when the Entra group is deleted
The EntryPoint Group keeps its stored Entra group ID, but every authentication’s Entra Graph lookup returns “no such group” and the match fails. Net effect: every device in the (now-gone) Entra group drops off on next re-auth. To recover:

- Recreate or rename the Entra group (if the deletion was accidental), then no further action is needed if the group object ID is the same; otherwise, re-pick the new group in the EntryPoint Group’s Group Settings.
- Permanently retire the EntryPoint Group — delete it from the admin UI. The Attribute Profile stays on the Context and can be detached / deleted separately.
Day-to-day maintenance
Once Groups are mapped, the admin-side workload on the EntryPoint side is minimal:

- Adding audiences. A new business function gets onboarded — create the Entra group, then create the matching EntryPoint Group mapped to it, attach the right Attribute Profile. Five minutes.
- Decommissioning audiences. Delete the EntryPoint Group (or, gently, detach the Attribute Profile first). The Entra group itself is managed separately by the Entra admin.
- Changing policy for one audience. Swap the Group’s Attribute Profile; VLAN / SGT changes are immediate on next auth.
- Auditing who had access when. The Entra side carries the authoritative membership log. The EntryPoint side has the authentication log plus configuration audits.
Operational tips
- Keep EntryPoint Group names close to Entra group names. Reduces mis-mappings and makes audit rows read naturally.
- Document the mapping in the Group’s Description. Future admins will read the Description first.
- Use Entra dynamic groups (rule-based) if the Entra admin team prefers to drive membership by attribute rather than by explicit add / remove. EntryPoint doesn’t care how the Entra group is populated.
- Don’t map one Entra group to two EntryPoint Groups. That’s legal, but confusing — two Groups authenticating the same Entra population with potentially different Attribute Profiles produces surprising RADIUS responses.
Related
User certificates
Where the cert identifies a user.
Device certificates & Intune
Where the cert identifies a device; Device Compliance Check.
Entra connection
The Context-level wiring to the Entra tenant.
Attribute Profiles
The RADIUS response attached per Group.