Microsoft Entra ID (formerly Azure AD) configuration

Prerequisites

This procedure assumes an existing Microsoft Entra ID tenant in which you have at least the right to register a new application (the Application Administrator role, for example).

For the DNS records of Metavault and States, this document uses modeler.bevault.yourdomain.com and orchestrator.bevault.yourdomain.com respectively.

Step-by-step procedure

  1. Sign in to the Microsoft Entra ID admin center

  2. Browse to Identity > Applications > App registrations and select New registration

  3. Enter a display name for your application. In the Redirect URI section, select the Single-page application (SPA) option and enter the public domain of the Metavault (the modelling part of beVault)

  4. Take note of the Application (client) ID and the Directory (tenant) ID

  5. Browse to Authentication > Platform configurations > Single-page application and add the base URL of States (the orchestration part of beVault)

  6. Browse to Expose an API > Scopes defined by this API, create a new scope and keep the default Application ID URI

  7. Complete the scope form

    1. Scope name → api

    2. Who can consent? → Admins and users

    3. Admin consent display name → Access beVault

    4. Admin consent description → Allow access to beVault application

    5. User consent display name → Access beVault

    6. User consent description → Allow access to beVault application

    7. State → Enabled

  8. Browse to API permissions > Configured permissions, add a new permission, search for the application name you just created and select it

  9. In the permissions section, make sure the api checkbox is checked

  10. Browse to Token configuration > Optional claims and add an optional claim. Select Access as the token type and enable the email, family_name and given_name claims

  11. Accept to turn on the additional permissions proposed in the popup

  12. Browse to Manifest (Microsoft Graph App Manifest (New)) and, in the api attribute, change the value of requestedAccessTokenVersion from null to 2, then click the Save button

  13. Optional: if you want to grant consent to the application on behalf of all users, browse to API permissions > Configured permissions and click the Grant admin consent for dFakto button

  14. Adapt the Metavault and States component configuration (see Metavault Configuration | Authentication and States Configuration | Authentication), using the <Directory (tenant) ID> and <Application (client) ID> noted in step 4 of this procedure:

    • Authority → https://login.microsoftonline.com/<Directory (tenant) ID>/v2.0

    • ClientId → <Application (client) ID>

    • Audience → <Application (client) ID>

    • Scope → api://<Application (client) ID>/api profile email openid
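The settings above (Authority, Audience, Scope, the optional claims of step 10 and the token version of step 12) all end up as claims in the access token that Metavault and States receive. The following is an added example, not part of this document nor of the beVault product, that shows what a resource API should check in a token issued by the registration built here, and why step 12 matters: with requestedAccessTokenVersion left at null, Entra issues v1.0 tokens whose aud is the App ID URI (api://...) and whose issuer is https://sts.windows.net/<tenant>/, which does not match the Audience and Authority values above. The tenant and client IDs, the claim sets and the sample token are all constructed placeholders; the claim checks must only run after a JWT library has verified the token signature against the tenant's signing keys.

```python
import base64
import json
import time
from typing import List, Optional

# Constructed placeholder identifiers; substitute the real Directory (tenant) ID
# and Application (client) ID noted in step 4.
TENANT_ID = "00000000-0000-0000-0000-000000000001"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"

REQUIRED_SCOPE = "api"                                    # scope created in step 7
OPTIONAL_CLAIMS = ("email", "family_name", "given_name")  # enabled in step 10


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWT WITHOUT checking its signature.

    Suitable for inspecting a token; an API must let its JWT library verify
    the signature against the tenant's published signing keys before trusting
    any claim examined by check_access_token_claims().
    """
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def check_access_token_claims(claims: dict, tenant_id: str, client_id: str,
                              now: Optional[float] = None) -> List[str]:
    """Return the reasons an (already signature-verified) claim set does not
    match the registration built in this procedure; an empty list means OK."""
    problems = []
    now = time.time() if now is None else now

    # Step 12: requestedAccessTokenVersion = 2 makes Entra issue v2.0 tokens.
    if claims.get("ver") != "2.0":
        problems.append(f"ver is {claims.get('ver')!r}, expected '2.0'")

    # Step 14 'Authority': v2.0 tokens carry the tenant's v2.0 issuer.
    expected_iss = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    if claims.get("iss") != expected_iss:
        problems.append(f"iss is {claims.get('iss')!r}, expected {expected_iss!r}")

    # Step 14 'Audience': in v2.0 tokens aud is the bare client ID, not api://...
    if claims.get("aud") != client_id:
        problems.append(f"aud is {claims.get('aud')!r}, expected {client_id!r}")

    # Steps 7 and 9: the 'api' scope must be among the granted scopes (scp).
    scopes = claims.get("scp", "").split()
    if REQUIRED_SCOPE not in scopes:
        problems.append(f"scope {REQUIRED_SCOPE!r} missing from scp {scopes!r}")

    # Step 10: the optional claims the applications rely on must be present.
    for name in OPTIONAL_CLAIMS:
        if not claims.get(name):
            problems.append(f"optional claim {name!r} missing")

    # Lifetime: reject expired tokens (exp is seconds since the Unix epoch).
    if claims.get("exp", 0) <= now:
        problems.append("token expired")

    return problems


# Constructed v2.0 claim set, shaped like what the finished registration issues.
V2_CLAIMS = {
    "ver": "2.0",
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "aud": CLIENT_ID,
    "scp": "api profile email openid",
    "email": "user@yourdomain.com",
    "family_name": "Doe",
    "given_name": "Jane",
    "exp": 2000000000,
}

# Constructed v1.0 claim set: the shape you get when step 12 is skipped
# (requestedAccessTokenVersion left at null).
V1_CLAIMS = dict(V2_CLAIMS, ver="1.0",
                 iss=f"https://sts.windows.net/{TENANT_ID}/",
                 aud=f"api://{CLIENT_ID}")


def make_unsigned_sample_token(claims: dict) -> str:
    """Build a compact JWT with an EMPTY signature segment, purely so the
    claim layout can be inspected offline; no real token looks like this."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    for label, claims in (("v2.0", V2_CLAIMS), ("v1.0", V1_CLAIMS)):
        decoded = decode_jwt_claims(make_unsigned_sample_token(claims))
        result = check_access_token_claims(decoded, TENANT_ID, CLIENT_ID, now=1700000000)
        print(label, result or "OK")
```

Run as-is, the v2.0 claim set passes and the v1.0 one is rejected on ver, iss and aud, which is exactly the mismatch you see when the Audience and Authority values above are configured but the manifest still has requestedAccessTokenVersion at null.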

Go further