Microsoft Entra ID (Formerly Azure AD)

Client App Instructions
Create an App Registration for the Cloud SSO. Navigate to the Entra admin center and go to Identity > Applications > App registrations.
Configure an app registration with the following information:
Authentication:
Account types: Accounts in this organizational directory only
Web Redirect URI: Enter the value from the Cloud SSO form under Redirect URL.
Certificates & secrets > Client secrets:
Credentials: Generate a Client Secret value and set the expiration time to the maximum (currently 24 months).
Note that you will need to refresh this secret value and update the Cloud SSO configuration when the old secret value expires. Be sure to set a calendar reminder before the expiration date to complete this task.
All other settings can be left at their defaults or ignored.
Feel free to customize the Branding & properties to your liking. Your users will see this information during sign-in.
Configuration Values
Obtain configuration values for Cloud SSO from the following places:
On the Overview tab of the app registration record in Entra (ensure that the Essentials section at the top of the screen is expanded/visible):
Discovery Domain: At the top, click Endpoints, and copy the OpenID Connect metadata document field. Then press “Discover…”
Authorization URL: Should be auto-populated from the discovery document. Or, at the top, click Endpoints, and copy the OAuth 2.0 authorization endpoint (v2) field.
Token URL: Should be auto-populated from the discovery document. Or, at the top, click Endpoints, and copy the OAuth 2.0 token endpoint (v2) field.
Userinfo URL: Enter this value exactly:
https://graph.microsoft.com/oidc/userinfo
Issuer: Should be auto-populated from the discovery document. Or, at the top, click Endpoints, and copy the Authority URL (Accounts in this organizational directory only) field, THEN append
/v2.0
to the end of the URL. Your URL should look something like this: https://login.microsoftonline.com/00000000-1234-1234-000000000000/v2.0
Scopes: Enter this value exactly:
openid profile email
Client ID: Copy the Application (client) ID value.
Client Secret: Copy the client secret value that was generated for you from the Certificates & secrets tab. If you lost the secret value, delete the old one and generate a new secret value.
Enable PKCE: On
Enable Response Mode Form Post: Off
Enable Token Endpoint Basic Auth: Off
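The values above are mostly read off the discovery document, so it is worth checking that what Entra hands back is actually the v2.0 issuer and endpoints for your tenant before pasting them in. The script below is an added example, not code from this guide or from the Cloud SSO product: it parses a constructed, cut-down copy of an Entra discovery document (placeholder tenant ID), refuses a v1 issuer or another tenant's endpoints, and then builds the PKCE authorization request and the token request that follow from the settings above. It assumes that "Response Mode Form Post: Off" means the code is returned in the redirect query string and that "Token Endpoint Basic Auth: Off" means the client secret is sent in the token request body (standard client_secret_post) rather than in an Authorization: Basic header; the client ID and redirect URI used are placeholders.

```python
"""Added example, not part of this guide or the Cloud SSO product: check the
values Entra's discovery document gives you against what this guide expects,
then build the PKCE authorization request and token request that follow from
the settings above (PKCE on, form post off, token endpoint Basic auth off)."""
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

# Constructed sample of an Entra v2.0 OpenID Connect metadata document, cut
# down to the fields this guide uses. The tenant ID is a placeholder.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": f"{AUTHORITY}/v2.0",
    "authorization_endpoint": f"{AUTHORITY}/oauth2/v2.0/authorize",
    "token_endpoint": f"{AUTHORITY}/oauth2/v2.0/token",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
    "code_challenge_methods_supported": ["plain", "S256"],
})

SCOPES = "openid profile email"
USERINFO_URL = "https://graph.microsoft.com/oidc/userinfo"


def load_sso_config(discovery_json: str, tenant_id: str) -> dict:
    """Parse a discovery document and return the Cloud SSO configuration values,
    refusing anything that is not the v2.0 issuer/endpoints for this tenant."""
    doc = json.loads(discovery_json)
    expected_issuer = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    if doc.get("issuer") != expected_issuer:
        # A v1 authority (no /v2.0) or another tenant's issuer would break ID
        # token validation, or accept tokens from the wrong tenant.
        raise ValueError(f"issuer {doc.get('issuer')!r} != {expected_issuer!r}")
    v2_prefix = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/"
    for key in ("authorization_endpoint", "token_endpoint"):
        if not doc.get(key, "").startswith(v2_prefix):
            raise ValueError(f"{key} is not this tenant's v2 endpoint: {doc.get(key)!r}")
    if doc.get("userinfo_endpoint") != USERINFO_URL:
        raise ValueError(f"unexpected userinfo endpoint: {doc.get('userinfo_endpoint')!r}")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        raise ValueError("provider does not advertise S256 PKCE")
    return {
        "issuer": doc["issuer"],
        "authorization_url": doc["authorization_endpoint"],
        "token_url": doc["token_endpoint"],
        "userinfo_url": doc["userinfo_endpoint"],
        "scopes": SCOPES,
    }


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge: BASE64URL(SHA256(verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_verifier() -> str:
    """43-character random verifier: unpadded base64url of 32 random bytes."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def build_authorization_url(config: dict, client_id: str, redirect_uri: str,
                            state: str, nonce: str, code_verifier: str) -> str:
    """Authorization request with PKCE. No response_mode is set, so the code
    comes back in the redirect query string ('Response Mode Form Post: Off')."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": config["scopes"],
        "state": state,
        "nonce": nonce,
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    return f"{config['authorization_url']}?{urlencode(params)}"


def build_token_request(config: dict, client_id: str, client_secret: str,
                        redirect_uri: str, code: str, code_verifier: str) -> dict:
    """Token request. With 'Token Endpoint Basic Auth: Off' the client secret
    travels in the POST body (client_secret_post) instead of an
    Authorization: Basic header, so the request carries no auth header."""
    return {
        "url": config["token_url"],
        "body": {
            "grant_type": "authorization_code",
            "client_id": client_id,
            "client_secret": client_secret,
            "redirect_uri": redirect_uri,
            "code": code,
            "code_verifier": code_verifier,
        },
    }


if __name__ == "__main__":
    cfg = load_sso_config(SAMPLE_DISCOVERY, TENANT_ID)
    verifier = new_pkce_verifier()  # keep this server-side until the token request
    print(build_authorization_url(cfg, "client-id-placeholder",
                                  "https://sso.example.test/callback",
                                  secrets.token_urlsafe(16), secrets.token_urlsafe(16),
                                  verifier))
```

In practice you would fetch the metadata document from the URL copied from the Endpoints panel instead of using the embedded sample; the checks stay the same. The `state` and `nonce` values must be generated fresh per login and compared on the callback, and the code verifier must never leave the server.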
Claims Mapping
Map the following claims:
Field | Claim Name | Location
---|---|---
External ID | | ID Token
Username | | Access Token
| | Access Token
First Name | | User Info
Last Name | | User Info