
Microsoft Entra (ex Azure Active Directory) configuration

Prerequisites

This procedure assumes an existing Microsoft Entra tenant in which you have at least the right to register a new application (for example, the Application Administrator role).

Regarding DNS records for Metavault and States, this document uses bevault.yourdomain.com and orchestrator.yourdomain.com respectively.

Step-by-step procedure

  1. Sign in to the Microsoft Entra admin center.

  2. Browse to Identity > Applications > App registrations and select New registration.

  3. Enter a display Name for your application. In the Redirect URI section, select the Single-page application (SPA) option and enter the public domain of the metavault.

  4. Take note of the Application (client) ID and the Directory (tenant) ID.

  5. Browse to Authentication > Platform configurations > Single-page application and add the base URL of States.

  6. Browse to Expose an API > Scopes defined by this API, create a new scope and keep the default Application ID URI.

  7. Complete the scope form:

    1. Scope name → api

    2. Who can consent? → Admins and users

    3. Admin consent display name → Access beVault

    4. Admin consent description → Allow access to beVault application

    5. User consent display name → Access beVault

    6. User consent description → Allow access to beVault application

    7. State → Enabled

  8. Browse to API permissions > Configured permissions, add a new permission, search for the application name you just created and select it.

  9. In the permissions section, make sure the api checkbox is checked.

  10. Browse to Token configuration > Optional claims and add an optional claim. Select Access as Token type and enable the email, family_name and given_name claims.

  11. Accept turning on the additional permissions proposed in the popup.

  12. Browse to Manifest and change the value of accessTokenAcceptedVersion to 2 (instead of null).

  13. Optional: if you want to grant consent to the application for all users, browse to API permissions > Configured permissions and click the Grant admin consent for dFakto button (the button is labelled with your own tenant name).

  14. Adapt the Metavault and States components configuration (see Metavault Configuration | Authentication and States Configuration | Authentication; step 4 of this procedure gives the <Directory (tenant) ID> and <Application (client) ID>):

    • Authority → https://login.microsoftonline.com/<Directory (tenant) ID>/v2.0

    • ClientId → <Application (client) ID>

    • Audience → <Application (client) ID>

    • Scope → api://<Application (client) ID>/api profile email openid
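The values in step 14 only protect the API if the backend actually enforces them. The Python example below is added here and is not part of the beVault product or of this page; it shows the claim checks a resource API would apply to an access token issued for this registration: issuer equal to the Authority, audience equal to the Application (client) ID, and the api scope from step 7. It also shows why step 12 matters: with accessTokenAcceptedVersion left at null, Entra issues a v1.0 token whose audience is api://<Application (client) ID> and whose issuer is under sts.windows.net, so a backend configured with Audience = <Application (client) ID> rejects it. The tenant ID, client ID, sample claims and token builder are constructed for the example; signature verification against the JWKS published by the Authority's OpenID discovery document is assumed to happen separately and is not shown.

```python
"""Claim checks a resource API applies to a Microsoft Entra v2.0 access token."""
import base64
import json
import time
from typing import Dict, List, Optional

# Constructed placeholder identifiers, not real tenant or application IDs.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"


def expected_settings(tenant_id: str, client_id: str) -> Dict[str, str]:
    """Derive the step-14 values (Authority, Audience, Scope) from the two IDs."""
    return {
        "authority": f"https://login.microsoftonline.com/{tenant_id}/v2.0",
        "audience": client_id,
        # Scope string the SPA requests (step 14) and the scope name the API requires (step 7).
        "requested_scopes": f"api://{client_id}/api profile email openid",
        "required_scp": "api",
    }


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def jwt_claims(token: str) -> dict:
    """Parse the payload segment of a compact JWS. The signature is NOT checked here;
    a real backend verifies it against the Authority's JWKS before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def validate_claims(claims: dict, settings: Dict[str, str], now: Optional[float] = None) -> List[str]:
    """Return a list of policy violations; an empty list means the token is accepted."""
    now = time.time() if now is None else now
    errors: List[str] = []
    if claims.get("ver") != "2.0":
        errors.append(f"token version {claims.get('ver')!r}, expected '2.0' "
                      "(accessTokenAcceptedVersion must be 2)")
    if claims.get("iss") != settings["authority"]:
        errors.append(f"issuer {claims.get('iss')!r} does not match Authority")
    if claims.get("aud") != settings["audience"]:
        errors.append(f"audience {claims.get('aud')!r} does not match Audience")
    # 'scp' is a space-separated list of delegated scopes granted to the caller.
    if settings["required_scp"] not in str(claims.get("scp", "")).split():
        errors.append(f"scope '{settings['required_scp']}' not granted")
    if now >= float(claims.get("exp", 0)):
        errors.append("token expired")
    if now < float(claims.get("nbf", 0)):
        errors.append("token not yet valid")
    return errors


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned token so jwt_claims() can be exercised offline."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'constructed-placeholder-signature')}"


def sample_v2_claims(now: float) -> dict:
    """Shape of a token issued when accessTokenAcceptedVersion is 2 (step 12)."""
    return {"ver": "2.0", "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
            "aud": CLIENT_ID, "scp": "api", "email": "user@yourdomain.com",
            "given_name": "Sample", "family_name": "User",
            "nbf": now - 60, "exp": now + 3600}


def sample_v1_claims(now: float) -> dict:
    """Shape of a token issued when accessTokenAcceptedVersion is still null."""
    return {"ver": "1.0", "iss": f"https://sts.windows.net/{TENANT_ID}/",
            "aud": f"api://{CLIENT_ID}", "scp": "api",
            "nbf": now - 60, "exp": now + 3600}


if __name__ == "__main__":
    settings = expected_settings(TENANT_ID, CLIENT_ID)
    now = time.time()
    print("v2.0 token:", validate_claims(jwt_claims(make_sample_token(sample_v2_claims(now))), settings, now) or "accepted")
    print("v1.0 token:", validate_claims(sample_v1_claims(now), settings, now))
```

The v1.0 sample fails three checks at once (version, issuer and audience), which is the symptom seen in practice when step 12 is skipped: the SPA obtains a token, but the backend configured with the step-14 values rejects every request.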
