
Microsoft Entra ID (Formerly Azure AD)


Client App Instructions

Create an App Registration for the Cloud SSO. Navigate to the Entra admin center and go to Identity > Applications > App registrations.

Configure an app registration with the following information:

  • Authentication:

    • Account types: Accounts in this organizational directory only

    • Web Redirect URI: Enter the value from the Cloud SSO form under Redirect URL.

  • Certificates & secrets > Client secrets:

    • Credentials: Generate a Client Secret value and set the expiration time to the maximum (currently 24 months).
      Note: you will need to refresh this secret value and update the Cloud SSO configuration when the old secret value expires - be sure to set a calendar reminder before the expiration date to complete this task.

All other settings can be left at their defaults or ignored.

Feel free to customize the Branding & properties to your liking. Your users will see this information during sign-in.

Configuration Values

Obtain configuration values for Cloud SSO from the following places:

On the Overview tab of the app registration record in Entra (ensure that the Essentials section at the top of the screen is expanded/visible):

  • Discovery Domain: At the top, click Endpoints, and copy the OpenID Connect metadata document field. Then press “Discover…”

  • Authorization URL: Should be auto-populated from the discovery document. Or, at the top, click Endpoints, and copy the OAuth 2.0 authorization endpoint (v2) field.

  • Token URL: Should be auto-populated from the discovery document. Or, at the top, click Endpoints, and copy the OAuth 2.0 token endpoint (v2) field.

  • Userinfo URL: Enter this value exactly: https://graph.microsoft.com/oidc/userinfo

  • Issuer: Should be auto-populated from the discovery document. Or, at the top, click Endpoints, and copy the Authority URL (Accounts in this organizational directory only) field, THEN append /v2.0 to the end of the URL. Your URL should look something like this: https://login.microsoftonline.com/00000000-1234-1234-000000000000/v2.0

  • Scopes: Enter this value exactly: openid profile email

  • Client ID: Copy the Application (client) ID value.

  • Client Secret: Copy the client secret value that was generated for you from the Certificates & secrets tab. If you lost the secret value, delete the old one and generate a new secret value.

  • Enable PKCE: On

  • Enable Response Mode Form Post: Off

  • Enable Token Endpoint Basic Auth: Off

Claims Mapping

Map the following claims:

Field         Claim Name           Location
External ID   oid                  ID Token
Username      preferred_username   Access Token
Email         preferred_username   Access Token
First Name    given_name           User Info
Last Name     family_name          User Info
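A small check, added here as an example and not part of the Cloud SSO product or of Microsoft's tooling, that ties the Configuration Values section and the claims table together: it compares a constructed OpenID Connect metadata document against the values the form should hold, accepts an ID token only from this tenant's /v2.0 issuer, and assembles the user record exactly as the table maps it. The tenant ID, the user and all token claims are placeholders, and the function names are assumptions.

```python
import json
# Claims mapping from the table above: Cloud SSO field -> (claim name, where it is read from).
CLAIM_MAP = {
    "external_id": ("oid", "id_token"),
    "username": ("preferred_username", "access_token"),
    "email": ("preferred_username", "access_token"),
    "first_name": ("given_name", "userinfo"),
    "last_name": ("family_name", "userinfo"),
}
USERINFO_URL = "https://graph.microsoft.com/oidc/userinfo"

def expected_issuer(tenant_id):
    # Authority URL for "this organizational directory only" with /v2.0 appended.
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"

def check_discovery(metadata_json, tenant_id):
    # Compare a fetched metadata document with the form values; empty list means they line up.
    meta = json.loads(metadata_json)
    problems = []
    if meta.get("issuer") != expected_issuer(tenant_id):
        problems.append("issuer is not this tenant's /v2.0 issuer")
    for key in ("authorization_endpoint", "token_endpoint"):
        if "/oauth2/v2.0/" not in meta.get(key, ""):
            problems.append(f"{key} is not a v2 endpoint")
    if meta.get("userinfo_endpoint") != USERINFO_URL:
        problems.append("userinfo_endpoint is not the Graph URL the form requires")
    return problems

def map_claims(tenant_id, id_token, access_token, userinfo):
    # Build the user record from already-decoded claims per the table; any other issuer is rejected.
    if id_token.get("iss") != expected_issuer(tenant_id):
        raise ValueError("ID token issuer does not match the configured Issuer")
    sources = {"id_token": id_token, "access_token": access_token, "userinfo": userinfo}
    record = {}
    for field, (claim, source) in CLAIM_MAP.items():
        if claim not in sources[source]:
            raise KeyError(f"{source} lacks claim {claim!r} needed for {field}")
        record[field] = sources[source][claim]
    return record

# Constructed sample input (placeholder tenant ID and invented user; not real tokens).
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA = json.dumps({
    "issuer": expected_issuer(TENANT),
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "userinfo_endpoint": USERINFO_URL,
})
SAMPLE_ID_TOKEN = {"iss": expected_issuer(TENANT), "oid": "11111111-2222-3333-4444-555555555555"}
SAMPLE_ACCESS_TOKEN = {"preferred_username": "jane.doe@example.com"}
SAMPLE_USERINFO = {"given_name": "Jane", "family_name": "Doe"}
```

Pinning the issuer to the tenant-specific /v2.0 value is what keeps a token minted for another directory from being accepted, which is why the page has you append /v2.0 to the Authority URL rather than use a generic endpoint.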
