Updated on 2025-08-25 GMT+08:00

Configuring Federated Authentication Between Huawei Cloud MgC Agent and Azure Entra ID

To use the MgC Agent to discover and migrate your resources on Azure, you must connect the MgC Agent to MgC through federated authentication. This section describes the federated authentication process and the method to obtain the required credentials.

Configuration Process

Figure 1 shows the process of configuring federated authentication between Huawei Cloud MgC Agent and Azure Entra ID.

Figure 1 Configuration Process

Step 1: Create an Identity Provider on Huawei Cloud

  1. Create custom policies. If you are using a Huawei Cloud account (administrator), skip steps 1 and 2 and go directly to step 3 to create an identity provider.

    1. Sign in to the IAM console using your Huawei Cloud account (administrator).
    2. In the navigation pane on the left, choose Permissions > Policies/Roles.
    3. Click Create Custom Policy in the upper right corner.
    4. Enter a policy name and select JSON for Policy View.

    5. Copy the following content to the policy input box. This policy defines the permissions required to create an identity provider. If you need more permissions, add actions.
      {
        "Version": "1.1",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "iam:identityProviders:getIdentityProvider",
              "iam:identityProviders:deleteIdentityProvider",
              "iam:identityProviders:updateIdentityProvider",
              "iam:identityProviders:createMapping",
              "iam:identityProviders:updateMapping",
              "iam:identityProviders:createIDPMetadata",
              "iam:identityProviders:createIdentityProvider",
              "iam:identityProviders:createProtocol"
            ]
          }
        ]
      }
    6. Click OK.
    7. Repeat substeps 3 to 6 above to create the following two additional custom policies.
      • The following policy defines the SMS permissions required by MgC migration workflows.
        {
          "Version": "1.1",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "sms:server:migrationServer",
                "sms:server:registerServer",
                "sms:server:queryServer"
              ]
            }
          ]
        }
      • The following policy defines the permissions required by MgC migration workflows to access resources.
        {
          "Version": "1.1",
          "Statement": [
            {
              "Action": [
                "ecs:cloudServers:attach",
                "ecs:cloudServers:detachVolume",
                "ecs:cloudServers:start",
                "ecs:cloudServers:stop",
                "ecs:cloudServers:reboot",
                "ecs:cloudServers:updateMetadata",
                "ecs:servers:unlock",
                "ecs:servers:lock",
                "evs:volumes:create",
                "evs:volumes:delete",
                "evs:volumes:use",
                "evs:snapshots:create",
                "evs:snapshots:delete",
                "evs:snapshots:rollback",
                "ecs:*:get*",
                "ecs:*:list*",
                "evs:*:get*",
                "evs:*:list*",
                "vpc:*:list*",
                "vpc:*:get*",
                "ims:*:get*",
                "ims:*:list*"
              ],
              "Effect": "Allow"
            }
          ]
        }

  2. Assign permissions to the user group that the IAM user belongs to.

    1. On the IAM console, choose User Groups from the navigation pane.
    2. In the user group list, locate the user group that the IAM user belongs to and click Authorize in the Operation column.

    3. On the Select Policy/Role page, select the three custom policies created in Step 1 and the MgC MigrateAccess system policy, and click Next.
    4. Set Scope to All resources. Click OK.

  3. Create an identity provider. To create an identity provider as an IAM user, you must perform Step 1 and Step 2 first.

    1. Sign in to the IAM console.
    2. In the navigation pane on the left, choose Identity Providers. On the displayed page, click Create Identity Provider.

    3. Enter a name (for example, Azure-Entra-ID-IdP) and set Protocol to SAML, SSO Type to Virtual user, and Status to Enabled.

    4. Click OK.
    5. In the identity provider list, locate the created provider and click View in the Operation column.

    6. Record Domain_ID and IdP ID in the basic information for future use.

Step 2: Create a SAML Application on Azure

Perform the following operations based on the actual situation:

If your Azure environment already has a SAML application with an identifier (entity ID) configured, perform the following steps:

  1. Configure authentication for the SAML application.

    1. Log in to the Azure portal, search for Microsoft Entra ID in the upper part of the page, and click it.
    2. In the navigation pane on the left, choose Manage > Enterprise applications to open the All Applications page.
    3. In the application list, click the name of the existing SAML application.
    4. In the navigation pane, choose Manage > Single sign-on.
    5. In the Basic SAML Configuration area, click Edit.

    6. Click Add reply URL, copy the following reply URL to the text box, and assign it an index higher than all current entries. This prioritizes the reply URL above others and prevents authentication failures caused by selecting the wrong URL.
      https://iam.myhuaweicloud.com/v3-ext/auth/OS-FEDERATION/SSO/SAML2/POST

    7. Click Save in the upper part of the window to save the configuration. In the Basic SAML Configuration area, note the identifier (entity ID) of the SAML application for modifying the MgC Agent configuration file.
    8. Click Edit in the Attributes & Claims area.

    9. Click Add new claim to open the Manage claim page.
      • Set Name to IAM_SAML_Attributes_identityProviders.
      • Set Source attribute to the domain ID and IdP ID of the identity provider created on Huawei Cloud. The input format is iam::{domain_ID}:identityProvider:{IdP_ID}. If multiple Huawei Cloud accounts and identity providers (IdPs) need to use the same SAML application for federated authentication, separate the accounts and IdPs with semicolons (;), so the MgC Agent can correctly identify them.

        Examples:

        • Huawei Cloud account 1: domain_ID: 657ba0e*****************19fd684d8758c, IdP_ID: SAML-IAM-IDP1
        • Huawei Cloud account 2: domain_ID: 657ba0e************19fd684d8758c, IdP_ID: SAML-IAM-IDP2

        The source attribute is as follows:

        "iam::657ba0e*****************19fd684d8758c:identityProvider:SAML-IAM-IDP1;657ba0e************19fd684d8758c:identityProvider:SAML-IAM-IDP2"
    10. Click Save to save the new claim.
    11. After the preceding configurations are complete, click Download next to Federation Metadata XML in the SAML Certificates area to save the Azure metadata file in XML format.

      This file needs to be uploaded when you configure an identity provider on Huawei Cloud.

  2. Configure an open API for the SAML application.

    1. On the Azure portal, search for App registrations and click it.
    2. On the App registrations page, click All applications and click the SAML application for which identity authentication has been configured in Step 1.
    3. In the navigation pane of the application, choose Manage > Expose an API.
    4. Click Add a scope. In the displayed dialog box, enter huaweicloud_iam_saml in the Scope name text box and click Add scope. The scope name must be huaweicloud_iam_saml, and there can be only one scope.

      The scope name huaweicloud_iam_saml must be unique within Azure Entra ID.

  3. Assign users to the SAML application.

    1. On the Azure portal, search for Microsoft Entra ID and click it.
    2. In the navigation pane on the left, choose Manage > Enterprise applications to open the All Applications page.
    3. Click the name of the SAML application for which identity authentication has been configured in Step 1. In the navigation pane of the application, choose Manage > Users and groups.
    4. Click Add user/group to open the Add Assignment page.
    5. Click None selected under Users. In the Users window that is displayed on the right, select the users to be assigned and click Select.

      The users assigned here are used for Azure login to generate temporary access keys for Huawei Cloud when you connect the MgC Agent to MgC.

    6. Click Assign in the lower left corner of the Add Assignment page.

If there are no SAML applications in your Azure environment, perform the following steps to create one.

  1. Create a SAML application.

    1. Log in to the Azure portal, search for Microsoft Entra ID in the upper part of the page, and click it.
    2. In the navigation pane on the left, choose Manage > Enterprise applications to open the All Applications page.
    3. Click New application to open the Browse Microsoft Entra Gallery page.
    4. Click Create your own application. In the dialog box displayed on the right, enter an application name, select Integrate any other application you don't find in the gallery (Non-gallery), and click Create.

  2. Obtain the Huawei Cloud metadata file.

    1. Use a browser to access https://iam.myhuaweicloud.com/v3-ext/auth/OS-FEDERATION/SSO/metadata to obtain the metadata in XML format.
    2. Press Ctrl+S to save the metadata as a metadata.xml file.

  3. Configure authentication for the SAML application.

    1. In the navigation pane of the SAML application created in Step 1, choose Manage > Single sign-on.
    2. Select SAML as the single sign-on (SSO) method.

    3. Click Upload metadata file, select the metadata.xml file saved in Step 2, and click Add. After the upload is successful, the values of Identifier and Reply URL in the Basic SAML Configuration area are automatically populated. Then click Save to save the basic SAML configuration.

    4. Click Edit in the Attributes & Claims area.

    5. Click Add new claim to open the Manage claim page.
      • Set Name to IAM_SAML_Attributes_identityProviders.
      • Set Source attribute to the domain ID and IdP ID of the identity provider created on Huawei Cloud. The input format is iam::{domain_ID}:identityProvider:{IdP_ID}. If multiple Huawei Cloud accounts and identity providers (IdPs) need to use the same SAML application for federated authentication, separate the accounts and IdPs with semicolons (;), so the MgC Agent can correctly identify them.

        Examples:

        • Huawei Cloud account 1: domain_ID: 657ba0e*****************19fd684d8758c, IdP_ID: SAML-IAM-IDP1
        • Huawei Cloud account 2: domain_ID: 657ba0e************19fd684d8758c, IdP_ID: SAML-IAM-IDP2

        The source attribute is as follows:

        "iam::657ba0e*****************19fd684d8758c:identityProvider:SAML-IAM-IDP1;657ba0e************19fd684d8758c:identityProvider:SAML-IAM-IDP2"
    6. Click Save to save the new claim.
    7. After the preceding configurations are complete, click Download next to Federation Metadata XML in the SAML Certificates area to save the Azure metadata file in XML format.

      This file needs to be uploaded when you configure an identity provider on Huawei Cloud.

  4. Configure an open API for the SAML application.

    1. On the Azure portal, search for App registrations and click it.
    2. On the App registrations page, click All applications and click the SAML application for which identity authentication has been configured in Step 3.
    3. In the navigation pane of the application, choose Manage > Expose an API.
    4. Click Add a scope. In the displayed dialog box, enter huaweicloud_iam_saml in the Scope name text box and click Add scope. The scope name must be huaweicloud_iam_saml, and there can be only one scope.

      The scope name huaweicloud_iam_saml must be unique within Azure Entra ID.

  5. Assign users to the SAML application.

    1. On the Azure portal, search for Microsoft Entra ID and click it.
    2. In the navigation pane on the left, choose Manage > Enterprise applications to open the All Applications page.
    3. Click the name of the SAML application for which identity authentication has been configured in Step 3. In the navigation pane of the application, choose Manage > Users and groups.
    4. Click Add user/group to open the Add Assignment page.
    5. Click None selected under Users. In the Users window that is displayed on the right, select the users to be assigned and click Select.

      The users assigned here are used for Azure login to generate temporary access keys for Huawei Cloud when you connect the MgC Agent to MgC.

    6. Click Assign in the lower left corner of the Add Assignment page.
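The following Python script is an added example, not MgC Agent, Huawei Cloud, or Azure code. It builds and checks the IAM_SAML_Attributes_identityProviders source attribute described in both the existing-application and new-application procedures above, so a multi-account value can be verified before it is pasted into the Manage claim page. Beyond what the page states, it assumes that a Huawei Cloud domain ID is 32 hexadecimal characters; the sample IDs are constructed.

```python
"""Build and check the IAM_SAML_Attributes_identityProviders claim value.

Added example; not MgC Agent, Huawei Cloud, or Azure code. The format comes from
the page: iam::{domain_ID}:identityProvider:{IdP_ID}, with several domain/IdP
pairs separated by semicolons when one SAML application serves several accounts.
"""
import re
from typing import List, Tuple

PREFIX = "iam::"
MARKER = ":identityProvider:"

# Assumption (not stated on the page): a Huawei Cloud domain ID is 32 hex chars.
DOMAIN_ID_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample IDs for two accounts that share one SAML application.
ACCOUNT_1 = ("a1b2c3d4e5f60718293a4b5c6d7e8f90", "SAML-IAM-IDP1")
ACCOUNT_2 = ("0f1e2d3c4b5a69788796a5b4c3d2e1f0", "SAML-IAM-IDP2")


def validate_pair(domain_id: str, idp_id: str) -> None:
    """Reject IDs that could not be split back out of the claim unambiguously."""
    if not DOMAIN_ID_RE.match(domain_id):
        raise ValueError(f"domain ID is not 32 lowercase hex chars: {domain_id!r}")
    if not idp_id or any(c in idp_id for c in ":; "):
        raise ValueError(f"IdP ID must be non-empty without ':', ';' or spaces: {idp_id!r}")


def build_claim(pairs: List[Tuple[str, str]]) -> str:
    """Serialize (domain_ID, IdP_ID) pairs into the source attribute value.

    The "iam::" prefix is written once at the start and the pairs are joined
    with ';', matching the two-account example on the page.
    """
    if not pairs:
        raise ValueError("at least one domain/IdP pair is required")
    for domain_id, idp_id in pairs:
        validate_pair(domain_id, idp_id)
    return PREFIX + ";".join(f"{d}{MARKER}{i}" for d, i in pairs)


def parse_claim(value: str) -> List[Tuple[str, str]]:
    """Split a claim value back into (domain_ID, IdP_ID) pairs.

    The "iam::" prefix is required at the start and tolerated on later entries;
    each entry must contain exactly one ':identityProvider:' separator.
    """
    value = value.strip()
    if not value.startswith(PREFIX):
        raise ValueError("claim value must start with 'iam::'")
    pairs: List[Tuple[str, str]] = []
    for entry in value[len(PREFIX):].split(";"):
        entry = entry.strip()
        if entry.startswith(PREFIX):
            entry = entry[len(PREFIX):]
        if MARKER not in entry:
            raise ValueError(f"entry lacks ':identityProvider:': {entry!r}")
        domain_id, idp_id = entry.split(MARKER, 1)
        validate_pair(domain_id, idp_id)  # also catches a second separator
        pairs.append((domain_id, idp_id))
    return pairs


def is_valid_claim(value: str) -> bool:
    """True when the value parses cleanly; run this before pasting it into Azure."""
    try:
        parse_claim(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    claim = build_claim([ACCOUNT_1, ACCOUNT_2])
    print(claim)
    for domain_id, idp_id in parse_claim(claim):
        print(f"domain {domain_id} -> IdP {idp_id}")
```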

Step 3: Create an OAuth 2.0 Application on Azure

Perform the following operations based on the actual situation:

If there is already an OAuth 2.0 application in your Azure environment, perform the following steps:

  1. Configure a redirect URI for the OAuth 2.0 application.

    1. On the Azure portal, search for App registrations and click it.
    2. On the App registrations page, click the All applications tab and click the desired OAuth 2.0 application.
    3. In the navigation pane of the application, choose Manage > Authentication.
    4. If no web platform has been added, click Add a platform. In the dialog box displayed on the right, select Web, enter the URI below in the text box under Redirect URIs, and click Configure.

      If a web platform has been added, click Add URI. Enter the URI below.

      Redirect URIs:
      • If you are using the MgC Agent for Windows, enter the following information:
        https://127.0.0.1:27080/v1/edge/auth/saml/redirect/azure
      • If you are using the MgC Agent for Linux, enter the following information:
        https://<EIP-of-the-Linux-server>:27080/v1/edge/auth/saml/redirect/azure

        <EIP-of-the-Linux-server> indicates the EIP of the Linux server where the MgC Agent is installed. You can view the IP address by searching for address in the /opt/cloud/MgC-Agent/config/application.yml file.

  2. Configure an open API for the OAuth 2.0 application.

    1. In the navigation pane of the OAuth 2.0 application configured in the previous step, choose Manage > Expose an API.
    2. Click Add a scope. In the displayed dialog box, enter huaweicloud_iam_oauth2 in the Scope name text box and click Add scope. The scope name must be huaweicloud_iam_oauth2, and there can be only one scope.

  3. Configure API permissions for the OAuth 2.0 application.

    1. In the navigation pane of the OAuth 2.0 application configured in Step 1, choose Manage > API permissions.
    2. Click Add a permission to open the Request API permissions dialog box on the right.
    3. Choose Microsoft Graph > Application permissions, search for Application in the search box, select Application.Read.All, and click Add permissions.

    4. Choose Microsoft Graph > Delegated permissions, search for User.Read in the search box, select User.Read, and click Add permissions.

    5. Choose Microsoft Graph > Delegated permissions, search for offline_access in the search box, select offline_access, and click Add permissions.

    6. Click Add a permission again. In the Request API permissions dialog box, click the APIs my organization uses tab, search for the SAML application configured in Step 2 in the search box, click the SAML application name, select huaweicloud_iam_saml, and click Add permissions.

    7. After the permissions are added, click Grant admin consent for default. In the displayed dialog box, click Yes.

  4. (Optional) Configure a client secret for the OAuth 2.0 application. If there is already a client secret for the OAuth 2.0 application, skip this step.

    1. In the navigation pane of the OAuth 2.0 application configured in Step 1, choose Manage > Certificates & secrets.
    2. On the Client secrets tab, click New client secret to open the Add a client secret dialog box on the right.
    3. Enter a secret description, select the expiration date, and click Add. Then copy and save the generated client secret.

      Client secret values cannot be viewed, except for immediately after creation.

If there are no OAuth 2.0 applications in your Azure environment, perform the following steps to create one.

  1. Create an OAuth 2.0 application.

    1. On the Azure portal, search for App registrations and click it.
    2. On the App registrations page, click New registration to open the Register an application page.
    3. Set the parameters according to Table 1.
      Table 1 Parameters for registering an application

      Parameter                Configuration
      Name                     User-defined
      Supported account types  Select Accounts in this organizational directory only (default only - Single tenant).
      Redirect URL             From the platform drop-down list, select Web. In the redirect URL box, enter one of the following:
                               • If you are using the MgC Agent for Windows: https://127.0.0.1:27080/v1/edge/auth/saml/redirect/azure
                               • If you are using the MgC Agent for Linux: https://<EIP-of-the-Linux-server>:27080/v1/edge/auth/saml/redirect/azure

        <EIP-of-the-Linux-server> indicates the EIP of the Linux server where the MgC Agent is installed. You can view the IP address by searching for address in the /opt/cloud/MgC-Agent/config/application.yml file.

    4. After the configuration is complete, click Register.

  2. Configure an open API for the OAuth 2.0 application.

    1. In the navigation pane of the OAuth 2.0 application created in Step 1, choose Manage > Expose an API.
    2. Click Add a scope. In the displayed dialog box, enter huaweicloud_iam_oauth2 in the Scope name text box and click Add scope. The scope name must be huaweicloud_iam_oauth2, and there can be only one scope.

  3. Configure API permissions for the OAuth 2.0 application.

    1. In the navigation pane of the OAuth 2.0 application created in Step 1, choose Manage > API permissions.
    2. Click Add a permission to open the Request API permissions dialog box on the right.
    3. Choose Microsoft Graph > Application permissions, search for Application in the search box, select Application.Read.All, and click Add permissions.

    4. Choose Microsoft Graph > Delegated permissions, search for User.Read in the search box, select User.Read, and click Add permissions.

    5. Choose Microsoft Graph > Delegated permissions, search for offline_access in the search box, select offline_access, and click Add permissions.

    6. Click Add a permission again. In the Request API permissions dialog box, click the APIs my organization uses tab, search for the SAML application configured in Step 2 in the search box, click the SAML application name, select huaweicloud_iam_saml, and click Add permissions.

    7. After the permissions are added, click Grant admin consent for default. In the displayed dialog box, click Yes.

  4. Configure a client secret for the OAuth 2.0 application.

    1. In the navigation pane of the OAuth 2.0 application created in Step 1, choose Manage > Certificates & secrets.
    2. On the Client secrets tab, click New client secret to open the Add a client secret dialog box on the right.
    3. Enter a secret description, select the expiration date, and click Add. Then copy and save the generated client secret.

      Client secret values cannot be viewed, except for immediately after creation.

Step 4: Configure the Identity Provider

  1. Sign in to the IAM console.
  2. In the navigation pane on the left, choose Identity Providers.
  3. In the identity provider list, locate the identity provider created in Step 1 and click Modify in the Operation column.
  4. In the Metadata Configuration area, click Add and upload the Azure federation metadata file (XML) obtained when you configure SSO for the SAML application in Step 2.
  5. In the Identity Conversion Rules area, click Edit Rule. In the Edit Rule dialog box that is displayed, copy the string below to the box. Replace the value of "group":"name" with the name of the user group that the Huawei Cloud MgC migration account belongs to.

    • "remote":"type" is the claim in the Azure SAML 2.0 token. For details, see SAML Token Claims Reference.
    • "local":"user"/"group" indicates the corresponding IAM user and user group on Huawei Cloud. For details about the configuration syntax, see Syntax of Identity Conversion Rules.
    • The following JSON content indicates that the Azure user who accesses Huawei Cloud through the MgC Agent has the permissions of the Huawei Cloud IAM user group.
    [
      {
        "remote": [
          {
            "type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
          }
        ],
        "local": [
          {
            "user": {
              "name": "{0}"
            }
          },
          {
            "group": {
              "name": "Name of the user group that the MgC migration account belongs to"
            }
          }
        ]
      }
    ]

  6. Click Validate in the Edit Rule dialog box. After the verification is successful, click OK to save the rule.
  7. After the configuration is complete, click OK to save the identity provider configuration.
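The following Python script is an added illustration of how the identity conversion rule above is applied; it is not the IAM rule engine or any Huawei Cloud code. It implements the rule semantics the page describes for this rule shape: each "remote" entry names a claim in the Azure SAML token, "{0}" in a "local" value is replaced with the first remote claim's value, and "group" names the IAM user group whose permissions the federated user receives. The group name MgC-Migration-Group and the sample assertion attributes are constructed.

```python
"""Apply the Step 4 identity conversion rule to a SAML assertion's attributes.

Added illustration; not the IAM rule engine. It implements the page's rule
semantics for this rule shape: each "remote" entry names a claim type, "{0}" in
a "local" value is replaced with the first remote claim's value, and "group"
names the IAM user group whose permissions the federated user receives.
"""
import json
from typing import Dict, List, Optional

NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
IDP_CLAIM = "IAM_SAML_Attributes_identityProviders"
PLACEHOLDER_GROUP = "Name of the user group that the MgC migration account belongs to"

# The page's rule with the placeholder replaced, as Step 4 instructs.
# "MgC-Migration-Group" is a constructed group name.
RULE_JSON = json.dumps([{
    "remote": [{"type": NAME_CLAIM}],
    "local": [
        {"user": {"name": "{0}"}},
        {"group": {"name": "MgC-Migration-Group"}},
    ],
}])

# Constructed attribute statements: claim type -> list of values.
ASSERTION_OK = {
    NAME_CLAIM: ["user1@example.com"],
    IDP_CLAIM: ["iam::<domain_ID>:identityProvider:SAML-IAM-IDP1"],  # placeholder domain ID
}
ASSERTION_NO_NAME = {IDP_CLAIM: ASSERTION_OK[IDP_CLAIM]}


def load_rules(text: str) -> List[dict]:
    """Parse the rule text exactly as pasted into the Edit Rule dialog box."""
    return json.loads(text)


def check_rules(rules: List[dict]) -> List[str]:
    """Problems to fix before clicking Validate in the Edit Rule dialog box."""
    problems = []
    for i, rule in enumerate(rules):
        if not rule.get("remote"):
            problems.append(f"rule {i}: no remote claim")
        if not rule.get("local"):
            problems.append(f"rule {i}: no local user/group")
        for local in rule.get("local", []):
            if local.get("group", {}).get("name") == PLACEHOLDER_GROUP:
                problems.append(f"rule {i}: group name placeholder not replaced")
    return problems


def apply_rules(rules: List[dict], claims: Dict[str, List[str]]) -> Optional[Dict[str, str]]:
    """Map assertion attributes to the virtual IAM user and group.

    Returns None when no rule has all of its remote claims present, i.e. the
    federated login would not map to any IAM identity.
    """
    for rule in rules:
        values = []
        for remote in rule["remote"]:
            found = claims.get(remote["type"])
            if not found:
                break  # required claim missing: try the next rule
            values.append(found[0])
        else:
            result = {}
            for local in rule["local"]:
                for kind, spec in local.items():  # "user" or "group"
                    # "{0}", "{1}", ... index the remote values in order
                    result[kind] = spec["name"].format(*values)
            return result
    return None


if __name__ == "__main__":
    rules = load_rules(RULE_JSON)
    print("problems:", check_rules(rules) or "none")
    print("mapped:", apply_rules(rules, ASSERTION_OK))
    print("no name claim:", apply_rules(rules, ASSERTION_NO_NAME))
```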

Step 5: Register the MgC Agent Through Enterprise Federation

  1. Download and install the MgC Agent. Prepare a Windows server for installing the MgC Agent. For details about the requirements for the Windows server, see Preparations.

    1. Sign in to the MgC console from the Windows server you prepared.
    2. On the top menu bar, select the region where you want to use MgC.

    3. In the navigation pane, choose MgC Agent.
    4. In the Windows area, click Download Installation Package to download the MgC Agent installation package to the Windows server you prepared.
    5. Decompress the downloaded MgC Agent installation package and double-click the installation program to start the installation. If the installation program cannot be launched, try to run it in compatibility mode. For details, see How Do I Run the MgC Agent in Compatibility Mode? The default installation directory is C:\ and cannot be changed.
    6. Click Finish to complete the installation and open the MgC Agent console.

  2. Modify the MgC Agent configuration file. This step is mandatory if you used an existing SAML application in step 2. If you created a SAML application, skip this step.

    1. Go to the MgC Agent installation directory C:\MgC-Agent\config\ and open the application.yml file.
    2. Search for the saml-app-default-scope parameter and change the parameter value to https://{entity_ID}/.default. Replace {entity_ID} with the identifier (entity ID) noted when you configured an existing SAML application.
    3. Save the configuration file.
    4. Open the Task Manager on the server where the MgC Agent is installed.
    5. On the Details tab, right-click MgC-Agent and choose Restart from the shortcut menu.
    6. After the MgC Agent is restarted, go to the login page.

  3. Log in to the MgC Agent using a local account.

    1. On the login page, select Local Account.
    2. On the Register page, set a username and password, confirm the password, and click Privacy Statement.
    3. Read the privacy statement carefully before selecting I have read and agree to the Privacy Statement, and click Register.

      You are advised to change your password every three to six months.

    4. After the registration is successful, enter the registered username and password, and click Log In to open the Overview page of the MgC Agent console.

  4. Connect to MgC through enterprise federation.

    1. On the Overview page, click Connect to MgC in the upper right corner.
    2. In the Step 1: Select Connection Method area, select Enterprise Federation. Set the parameters based on Table 2.
      Table 2 Parameters for configuring federated authentication

      Parameter                      How to Obtain
      Huawei Cloud IdP ID            Enter the name of the Huawei Cloud IdP created in Step 1. To obtain the name, log in to the IAM console, choose Identity Providers from the navigation pane, locate the desired identity provider, and click View in the Operation column. The Name in the basic information area is the IdP ID.
      Enterprise IdP                 Select Azure Entra ID from the drop-down list.
      Tenant ID and Application ID   1. Access the Azure portal.
                                     2. On the home page, click App registrations. If it is not displayed on the home page, search for it in the search box in the upper part of the page.
                                     3. On the All applications tab, click the OAuth 2.0 application configured in step 3 to open the Overview page of the application. In the Essentials area, you can obtain the Directory (tenant) ID and Application (client) ID.
      Application Password           Enter the client secret configured for the OAuth 2.0 application in step 3. If the client secret is lost, perform the following steps to create a new one:
                                     1. In the navigation pane of the OAuth 2.0 application, choose Manage > Certificates & secrets.
                                     2. On the Client secrets tab, click New client secret to open the Add a client secret dialog box on the right.
                                     3. Enter a secret description, select the expiration date, and click Add. Then copy and save the generated client secret. Client secret values cannot be viewed, except for immediately after creation.
    3. Click Obtain Access Key. The Azure login page is displayed. After you log in to Azure using an Azure account and permanent password, the information shown in the figure below is displayed, indicating that the temporary access key for Huawei Cloud is obtained.

      Do not log in to Azure using a temporary password. Otherwise, the temporary access key for Huawei Cloud cannot be renewed after the temporary password expires.

    4. In the Step 2: Select MgC Migration Project area, click List Migration Projects. In the Migration Project drop-down list, select the migration project created on the MgC console. The MgC Agent will report the collected data to the project. For details about how to create a migration project, see Managing Projects.
    5. In Step 3: Preset MgC Agent Name, specify a name for the MgC Agent, which will be displayed on the MgC console, and click Connect. Confirm the connection to MgC, and click OK.

      After the MgC Agent is connected to MgC, the name you specified here cannot be modified.

    6. If Connected shows up on the overview page, the connection to MgC is successful.