Enable authentication with EntraID for Modernisation Platform users #8356

Closed
3 tasks done
davidkelliott opened this issue Oct 28, 2024 · 12 comments

@davidkelliott
Contributor

davidkelliott commented Oct 28, 2024

User Story

As a Modernisation Platform user
I want to be able to authenticate to the platform using my primary MoJ identity
So that I have fewer identities to manage

Value / Purpose

The Microsoft Justice identity is the primary identity at the MoJ. We currently use GitHub as our identity provider for the platform via Auth0 and AWS Identity Center.

We want to use a single identity at the MoJ; this will improve security and make things easier for our users.

Useful Contacts

@davidkelliott, @julialawrence

Additional Information

We have already done some prerequisite work for this -
#7446
https://github.com/ministryofjustice/aws-root-account/pulls?q=is%3Apr+entraid+is%3Aclosed
https://github.com/ministryofjustice/moj-terraform-scim-entra-id
Architectural diagram - https://excalidraw.com/#room=7a92c22883538a55ab6d,lDJG1lgQlHO6OHnZxUepvA

The following is still needed:

  • Create user guidance on how to create an EntraID team (or link to existing guidance if it exists, possibly tech services already have this)
  • Publish comms explaining that this is currently optional and that both EntraID and GitHub will be fine; no action is required at this point in time, but eventually we will completely move to EntraID
  • Enable authentication with EntraID (the majority of this work has been done, speak with @davidkelliott and @julialawrence for more information)

Definition of Done

  • Create user guidance on how to create an EntraID team
  • Publish comms
  • Enable authentication with EntraID

@ASTRobinson
Contributor

Documentation update PR #8489

@ASTRobinson
Contributor

ASTRobinson commented Nov 14, 2024

Draft comms to be sent out....

Subject: Upcoming SSO Update: Entra ID Enablement
When: 25th November

We’re reaching out to inform you of an upcoming update to our Single Sign-On (SSO) options. On the 25th of November, Entra ID will be enabled as a new authentication option for our platform, in addition to the current GitHub SSO.

Why This Change?
Our goal at the Ministry of Justice is to improve security and simplify access by unifying services under a single identity. The Microsoft Justice identity, managed through Entra ID, is the primary identity at the MoJ. Transitioning to a single identity will strengthen security and make access easier and more efficient for users.

What This Means for You:
For now, you don’t need to take any action. Both GitHub and Entra ID options will be available, so you can continue using GitHub SSO as usual.

However, when logging in after the change, you will be prompted to select between GitHub and Entra ID as your authentication method. Simply choose the option you prefer—your access and permissions will remain unaffected.

At a later stage, we plan to transition fully to Entra ID, but we will give plenty of notice and guidance to make that move smooth and easy.

If you have any questions, please don’t hesitate to contact #ask-modernisation-platform on Slack.

Best regards,
The Modernisation Team

@ASTRobinson
Contributor

Update:

  • Created a client_secret in Azure and securely stored it in AWS Secrets Manager in preparation for the switch on Monday.
  • Currently reviewing the SCIM job configuration and ensuring the documentation is up to date to support the transition.

@ASTRobinson
Contributor

Secret rotation documentation: #8582

@ASTRobinson
Contributor

Need to investigate https://github.com/ministryofjustice/modernisation-platform/actions/runs/12014613968/job/33490815130 - GitHub script failing to find team in GitHub as it's an Azure group

@ASTRobinson
Contributor

Progress:

  • Entra ID has been successfully enabled and tested for the Modernisation Platform team’s access to the Sprinkler environment.
  • Authentication via Entra ID is functioning as expected without any impact on existing workflows.

Issues Identified:

  • While testing, errors were observed in the git-create-environments script.sh. A ticket (#8623) has been raised to investigate these errors. Importantly, these do not affect deployment functionality, and deployments continue to operate as expected.

Next Steps:

  1. Create a ticket for the Modernisation Platform team to be set up with Auth0 integration.
  2. Create a ticket to review and document the post-login script for better understanding and future maintenance.
  3. Finalize and update the documentation for the relevant secret, ensuring the rotation and usage details are accurately captured.

@ASTRobinson
Contributor

Follow-up comms have been put on the update channel - https://mojdt.slack.com/archives/C02L5MCJ12N/p1733246456630949

@ASTRobinson
Contributor

ASTRobinson commented Dec 3, 2024

Ticket raised for access to Auth0 for Modernisation-Platform team #8667

Ticket raised to review and document the Auth0 post-login script #8668

@ASTRobinson
Contributor

Documentation dump collated by Ewa (Thank you!) - https://docs.google.com/document/d/1-oZsTD_dYj6gLOIldm_r2KHPr2eR2CZ0UetiQhiix-g/

@ASTRobinson
Contributor

I'm moving this ticket for review as the work has been completed: Entra ID is enabled and working, the definition of done is completed, and a couple of follow-on tickets have been raised to wrap up some additional findings from the switch-on.

@ASTRobinson ASTRobinson moved this from In Progress to For Review in Modernisation Platform Dec 5, 2024
@markgov
Contributor

markgov commented Dec 6, 2024

Looks good and everything is complete

@markgov markgov closed this as completed Dec 6, 2024
@github-project-automation github-project-automation bot moved this from For Review to Done in Modernisation Platform Dec 6, 2024