
Microsoft Entra (ex Azure Active Directory) configuration

Prerequisites

This procedure assumes an existing Microsoft Entra tenant to which you have at least the right to register a new application (Application Administrator role for example).

For the DNS records of Metavault and States, this document uses bevault.yourdomain.com and orchestrator.yourdomain.com respectively.

Step-by-step procedure

  1. Sign in to the Microsoft Entra admin center

  2. Browse to Identity > Applications > App registrations and select New registration

  3. Enter a display name for your application. In the Redirect URI section, select the Single-page application (SPA) option and enter the public URL of the metavault (https://bevault.yourdomain.com in this example)

  4. Take note of the Application (client) ID and the Directory (tenant) ID

  5. Browse to Authentication > Platform configurations > Single-page application and add the base URL of States (https://orchestrator.yourdomain.com in this example) as a second redirect URI

  6. Browse to Expose an API > Scopes defined by this API, create a new scope and keep the default Application ID URI (api://<Application (client) ID>)

  7. Complete the scope form

    1. Scope name → api

    2. Who can consent? → Admins and users

    3. Admin consent display name → Access beVault

    4. Admin consent description → Allow access to beVault application

    5. User consent display name → Access beVault

    6. User consent description → Allow access to beVault application

    7. State → Enabled

  8. Browse to API permissions > Configured permissions, add a new permission, open the APIs my organization uses tab, search for the application name you just created and select it

  9. In the Permissions section, tick the api checkbox (the scope created in step 7) and add the permission

  10. Browse to Token configuration > Optional claims and add an optional claim. Select Access as Token type and enable the email, family_name and given_name claims

  11. Accept the popup that offers to turn on the Microsoft Graph permissions (email, profile) these claims require; without them the claims are not emitted in the token

  12. Browse to Manifest and change the value of accessTokenAcceptedVersion from null to 2 (in the newer Microsoft Graph manifest format the same setting is api.requestedAccessTokenVersion). This makes Entra issue v2 access tokens for the API, whose aud claim is the bare Application (client) ID and whose iss claim ends in /v2.0; with null the API receives v1 tokens (aud api://<Application (client) ID>, issuer https://sts.windows.net/...) and the Authority and Audience values configured in step 14 would reject them

  13. Optional: If you want to grant consent for all users of the tenant at once (so that no user sees a consent prompt), browse to API permissions > Configured permissions and click the Grant admin consent for <your tenant name> button (dFakto in the screenshots)

  14. Adapt the metavault and states components configuration, see Metavault Configuration & States Configuration (see step 4 of this procedure for <Directory (tenant) ID> & <Application (client) ID>)

    • Authority → https://login.microsoftonline.com/<Directory (tenant) ID>/v2.0

    • ClientId → <Application (client) ID>

    • Audience → <Application (client) ID>

    • Scope → api://<Application (client) ID>/api profile email openid

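The following script is an added example and not part of the beVault or States code base. It derives the four step 14 values from the two IDs noted in step 4 and then checks an access token's claims against them, the way a resource server must after its JWT library has verified the signature against the tenant's signing keys (signature verification is assumed done elsewhere and is not shown). The tenant and client IDs, the user attributes and both tokens are constructed placeholders; the v1 token shows what the API receives while accessTokenAcceptedVersion (step 12) is still null, and why the Authority and Audience settings reject it.

```python
"""Claim checks for access tokens issued by the Entra registration above.
Added example, not beVault/States code. Assumes the JWT signature has already
been verified by the resource server's library."""
import base64
import json

# Constructed placeholder IDs standing in for the values noted in step 4.
TENANT_ID = "00000000-0000-0000-0000-000000000001"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"


def component_settings(tenant_id: str, client_id: str) -> dict:
    """The four values of step 14, derived from the two IDs of step 4."""
    return {
        "Authority": f"https://login.microsoftonline.com/{tenant_id}/v2.0",
        "ClientId": client_id,
        "Audience": client_id,
        "Scope": f"api://{client_id}/api profile email openid",
    }


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a compact JWT with a dummy signature, for constructed samples only."""
    header = {"typ": "JWT", "alg": "none"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()), "sig"])


def jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT (no verification)."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def check_access_token_claims(claims: dict, settings: dict) -> list:
    """Return every mismatch between the token claims and the step 14 settings."""
    problems = []
    if claims.get("ver") != "2.0":
        problems.append(f"ver={claims.get('ver')!r}: set accessTokenAcceptedVersion to 2 (step 12)")
    if claims.get("iss") != settings["Authority"]:
        problems.append(f"iss={claims.get('iss')!r} is not the Authority {settings['Authority']}")
    if claims.get("aud") != settings["Audience"]:
        problems.append(f"aud={claims.get('aud')!r} is not the Audience {settings['Audience']}")
    # Only this API's own scopes appear in scp; openid/profile/email belong to the ID token.
    api_scopes = {s.rsplit("/", 1)[1] for s in settings["Scope"].split() if s.startswith("api://")}
    granted = set(claims.get("scp", "").split())
    for missing in sorted(api_scopes - granted):
        problems.append(f"scp lacks '{missing}' (steps 7-9)")
    for name in ("email", "family_name", "given_name"):
        if name not in claims:
            problems.append(f"optional claim {name} missing (step 10)")
    return problems


SETTINGS = component_settings(TENANT_ID, CLIENT_ID)

# Constructed v2 token as issued after step 12: aud is the bare client ID.
V2_TOKEN = make_unsigned_token({
    "ver": "2.0", "iss": SETTINGS["Authority"], "aud": CLIENT_ID, "scp": "api",
    "email": "alice@yourdomain.com", "family_name": "Doe", "given_name": "Alice",
})
# Constructed v1 token as issued while accessTokenAcceptedVersion is still null:
# issuer and audience use the v1 formats, so the step 14 settings reject it.
V1_TOKEN = make_unsigned_token({
    "ver": "1.0", "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "aud": f"api://{CLIENT_ID}", "scp": "api",
    "email": "alice@yourdomain.com", "family_name": "Doe", "given_name": "Alice",
})

if __name__ == "__main__":
    for label, token in (("v2", V2_TOKEN), ("v1", V1_TOKEN)):
        print(label, check_access_token_claims(jwt_payload(token), SETTINGS) or "OK")
```

Running the script reports the v2 token as OK and lists three mismatches (ver, iss, aud) for the v1 token; this is the same check a deployment can run on a real token, pasted from the browser's network tab, to confirm steps 7 to 12 took effect before touching the metavault and states configuration.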
Go further