Microsoft Entra ID


Application

  • Go to Microsoft Entra ID > Manage > App registrations > New registration

  • Give your app a name, e.g., flexAI or flexAIcloud

  • For Supported account types, choose Single tenant (the default, and the right choice for most customers) or Multi tenant. Single tenant limits sign-in to accounts in your own directory; choose Multi tenant only if users from other Entra tenants must sign in, because the application then has to decide for itself which of those tenants it trusts

  • Select Register

Redirect URI

  • Go to Microsoft Entra ID > Manage > App registrations > All applications and open the created application

  • Go to Manage > Authentication

  • Select Add Redirect URI > Web

  • Enter the redirect URLs. Entra matches redirect URIs exactly (scheme, host, port and path), so use the same FQDN or hostname that users reach flexAI on, and always https:

    • Redirect URI: https://<FQDN or hostname>/oauth2/callback

    • Front Channel Logout: https://<FQDN or hostname>/oauth2/signout

  • Select Configure

  • Select Add Redirect URI and add:

    • Redirect URI: https://<FQDN or hostname>/oauth2/signout

  • Select Configure

Client Secret

  • Go to Microsoft Entra ID > Manage > App registrations > All applications and open the created application

  • Go to Manage > Certificates & secrets > Client secrets

  • Select New client secret

  • Enter a description and choose when the secret expires. Pick the shortest lifetime you can operate with and record the expiry date, because sign-in stops working when the secret expires

  • Select Add

  • Copy the secret Value (not the Secret ID) immediately: it is shown only once and cannot be retrieved later, so a lost value means creating a new secret. Store it in a secret manager rather than in documentation, tickets or chat

API permission

  • Go to Microsoft Entra ID > Manage > App registrations > All applications and open the created application

  • Go to Manage > API permissions

  • Select Add a permission > Microsoft APIs > Microsoft Graph > Delegated permissions

  • Add the following API permissions and apply with Add permissions:

    • email

    • openid

    • profile

    • User.Read

  • Select Grant admin consent for <your_tenant name> for the added permissions and ensure the status for all permissions is marked Granted for <your_tenant name>.

Token Configuration

  • Go to Microsoft Entra ID > Manage > App registrations > All applications and open the created application

  • Go to Manage > Token configuration

  • Select Add optional claim

  • Choose ID as the token type and tick preferred_username (flexAI uses this claim as the login name, so without it users cannot be identified)

  • Select Add

Roles

  • Go to Microsoft Entra ID > Manage > App registrations > All applications and open the created application

  • Go to Manage > App roles

  • Select Create app role

  • Create three app roles, one per value listed below. For each role:

    • Enter a human-readable Display name

    • For Allowed member types, select Users/Groups

    • In Value, enter exactly one of the following strings. flexAI matches on this string, so it must be spelled exactly as shown:

      • flexai-manager

      • flexai-editor

      • flexai-user

    • Enter a Description

    • Make sure the app role is enabled (Do you want to enable this app role? is checked)

    • Select Apply

Role assignment

  • Go to Microsoft Entra ID > Manage > Enterprise applications

  • Go to Manage > All applications

  • Open the newly created application (registering the app creates an enterprise application with the same name in your tenant)

  • Go to Manage > Users and groups

  • Select Add user/group

  • Select a user or group, select one of the flexai roles created above, and select Assign. Assigning roles to groups rather than individual users keeps the assignments reviewable

  • Optionally, under Manage > Properties, set Assignment required? to Yes so that users without an assignment cannot sign in at all. Users who sign in without an assigned role receive no roles claim in their ID token and must be rejected by flexAI

URLs and IDs

  • Go to Microsoft Entra ID > Manage > App registrations > All applications and open the created application

  • Go to Overview

  • Copy and save the Application (client) ID and the Directory (tenant) ID for later use. The client ID is the aud value flexAI must require in every ID token

  • Open Endpoints

  • Copy and open the OpenID Connect metadata document URL (https://login.microsoftonline.com/<TENANT_ID>/v2.0/.well-known/openid-configuration)

  • Copy the following values from the metadata document for later use:

    • issuer, looks like https://login.microsoftonline.com/<TENANT_ID>/v2.0

    • token_endpoint, looks like https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token

    • authorization_endpoint, looks like https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/authorize

    • end_session_endpoint, looks like https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/logout

    • jwks_uri, looks like https://login.microsoftonline.com/<TENANT_ID>/discovery/v2.0/keys

  • Note that the issuer is a field of the metadata document itself; the document behind jwks_uri lists only the token signing keys and does not contain the issuer. The issuer must match the iss claim of the ID tokens flexAI receives, and the <TENANT_ID> in all of these URLs must be the same tenant as the Directory (tenant) ID copied above
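The Token Configuration, Roles and URLs and IDs steps above only make sense together once you see what the relying party has to check on the resulting ID token: the issuer copied from the metadata document, the Application (client) ID as audience, the preferred_username optional claim, and one of the three flexai-* app role values in the roles claim. The following is an added Python example written for this page, not code from the flexAI project: the tenant ID, client ID, metadata document and ID token are all constructed placeholders, the token's signature segment is a placeholder string, and RS256 signature verification against jwks_uri is assumed to have been done by the OIDC library before this claims policy runs.

```python
import base64
import json
import time

# Constructed placeholder identifiers for this example; use the real values from the app's Overview page.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

# The three app role Values created above, most privileged first.
FLEXAI_ROLES = ("flexai-manager", "flexai-editor", "flexai-user")

# Constructed subset of the OpenID Connect metadata document that Endpoints links to.
OIDC_METADATA = {
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "end_session_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/logout",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
}
WANTED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint",
               "end_session_endpoint", "jwks_uri")


def endpoints_from_metadata(metadata, tenant_id):
    """Pick out the values the procedure says to copy, refusing a document whose
    issuer belongs to another tenant (the usual sign that the wrong URL was opened)."""
    expected_issuer = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    if metadata.get("issuer") != expected_issuer:
        raise ValueError(f"issuer {metadata.get('issuer')!r} is not {expected_issuer!r}")
    missing = [key for key in WANTED_KEYS if key not in metadata]
    if missing:
        raise ValueError(f"metadata document lacks {missing}")
    return {key: metadata[key] for key in WANTED_KEYS}


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_id_token(claims):
    """Constructed ID token with a placeholder third segment. Real Entra tokens are
    RS256-signed; verifying that signature against jwks_uri is the OIDC library's
    job and is assumed to have succeeded before authorize() looks at the claims."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}
    segments = [_b64url_encode(json.dumps(header).encode()),
                _b64url_encode(json.dumps(claims).encode()),
                "placeholder-signature"]
    return ".".join(segments)


def authorize(id_token, issuer, client_id, now=None, skew=60):
    """Claims policy for a signature-verified v2.0 ID token from the app above.
    Returns ("allow", identity) or ("deny", reason) so the caller can log the reason."""
    now = time.time() if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        return "deny", "not a compact JWS"
    claims = json.loads(_b64url_decode(parts[1]))

    if claims.get("iss") != issuer:
        return "deny", f"iss {claims.get('iss')!r} is not the metadata issuer"
    if claims.get("aud") != client_id:
        return "deny", "aud is not this Application (client) ID"
    if now >= claims.get("exp", 0) + skew:
        return "deny", "token expired"
    if now < claims.get("nbf", 0) - skew:
        return "deny", "token not yet valid"

    username = claims.get("preferred_username")
    if not username:
        return "deny", "preferred_username missing (add it under Token configuration)"

    granted = [role for role in claims.get("roles", []) if role in FLEXAI_ROLES]
    if not granted:
        return "deny", "no flexai-* app role assigned to this user or group"
    # Someone holding several roles (e.g. via two groups) gets the most privileged one.
    effective = min(granted, key=FLEXAI_ROLES.index)
    return "allow", {"sub": claims.get("sub"), "username": username, "role": effective}


def demo(now=1_700_000_000):
    """Run the checks on a constructed token for a user who holds two roles."""
    endpoints = endpoints_from_metadata(OIDC_METADATA, TENANT_ID)
    claims = {
        "iss": endpoints["issuer"], "aud": CLIENT_ID, "sub": "constructed-subject",
        "preferred_username": "alice@example.com",
        "roles": ["flexai-user", "flexai-editor"],
        "nbf": now - 300, "iat": now - 300, "exp": now + 3300,
    }
    return authorize(make_demo_id_token(claims), endpoints["issuer"], CLIENT_ID, now=now)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Every deny path corresponds to one of the portal steps: a wrong iss means the wrong tenant's metadata document was used, a wrong aud means the wrong Application (client) ID, a missing preferred_username means the optional claim was not added, and an empty roles list means the user or group was never assigned one of the flexai-* roles under Enterprise applications.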