SSO with Microsoft Azure Entra ID (Azure AD)
Setting up DeployNow SSO (single sign-on) with Azure Entra ID, formerly known as Azure Active Directory (Azure AD), involves several steps. DeployNow has an OpenID Connect (OIDC) provider. Below is a comprehensive guide to configuring SSO with Entra ID.

Entra ID App Registration Auth using OIDC

Create Entra ID groups for DeployNow

The creation of groups is essential for ensuring role-based access control (RBAC) for the users in the organization.

- Navigate to Microsoft Entra ID > Groups in Azure.
- Click on the + New group button to add a new group.
- Select the Group type as Security. The names can be DeployNow Admin, DeployNow Deployer, DeployNow Viewer, etc., depending on the target user group.
- Select the Membership type as Assigned.
- Assign owners for the group.
- Add all the relevant users/members for the group. For instance, all the admin users should be added to the DeployNow Admin group. Similarly, add the relevant users for the other groups.

The recommended groups are:

1. DeployNow Admin: a group that has all the users who will have admin privileges in DeployNow.
2. DeployNow Deployer: a group that has all the users who will have deploy privileges (deploy an application, check the status of the deployed app) in DeployNow.
3. DeployNow Viewer: a group that has all the users who will have only viewer privileges in DeployNow.

Note: please copy the group IDs for all the created groups. These IDs should be sent to the OpsVerse POC.

Configure a new Entra ID App Registration

Step 1
- Navigate to Microsoft Entra ID > App registrations in Azure.
- Click on the + New registration button to add a new app.

Step 2
- Enter a name for the application. Fill out the name as per the internal organization semantics.
- Specify who can use the application (for instance, "Accounts in this organizational directory only (<org name> only - Single tenant)" would be a good starting point).
- Enter the Redirect URL (optional) as follows (replacing <DeployNow URL> with your DeployNow URL), then click on Add platform:
  Platform: Web
  Redirect URL: https://<DeployNow URL>/api/dex/callback

Step 3
The Azure portal displays the app registration's Overview details when registration finishes: app details (ApplicationId / ClientId, ObjectId, TenantId, etc.).

Step 4
Configure additional platform settings. In the Azure portal, navigate to Microsoft Entra ID > App registrations, search for the newly created app and select your application.

Step 5
- Under Manage, select Authentication.
- Under Platform configurations, select Add a platform.
- Under Configure platforms, select the Mobile and desktop applications tile and use the value below:
  Platform: Mobile and desktop applications
  Redirect URI: http://localhost:8085/auth/callback
- Set Advanced settings > Allow public client flows > Enable the following mobile and desktop flows to true. This will enable the Save button.

Step 6
Create a client secret credential for the Entra ID App Registration.
- Navigate to Microsoft Entra ID > App registrations > Certificates & secrets.
- Under Client secrets, click the + New client secret button.
- Enter a name for the secret (e.g. DeployNow SSO) and create the secret.
- Make sure to copy and save the generated Value. This is the value for the client secret.

Step 7
Set up permissions for the Entra ID application.
- Navigate to Microsoft Entra ID > App registrations > API permissions.
- Click on + Add permission. Find the User.Read permission (under Microsoft Graph > Delegated permissions) and grant it to the created application.
- Navigate to the Token configuration menu and choose + Add groups claim.
- Select the type of application as a non-gallery application. Once the details are filled out, click on the Create button.

Step 8
Create Entra ID roles for DeployNow.
- Navigate to Microsoft Entra ID > App registrations in Azure and search for the newly created application.
- Navigate to <newly created app name> > App roles and click on + Create app role.
- 3 roles can be created that map to the 3 groups created earlier (DeployNow Admin, DeployNow Deployer and DeployNow Viewer). The recommended roles are admin, deployer, and viewer. Allowed member types should be Users/Groups, and Value should be admin, deployer, and viewer respectively.

Step 9
Go to the created application (Microsoft Entra ID > Enterprise applications) and navigate to the Users and groups section. Add all the created groups.

Your Entra app is ready to be integrated with DeployNow! Please send the following details to the OpsVerse POC:
- Client ID
- Client Secret
- Tenant ID
- Group names and IDs for DeployNow Admin, DeployNow Deployer and DeployNow Viewer

For more information, please refer to this doc: https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/microsoft/
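The groups claim from Step 7 and the app roles from Step 8 only protect DeployNow if the relying party maps them to a role strictly. The following is an added example, not DeployNow's or OpsVerse's code, of that mapping over an already signature-verified Entra ID v2.0 ID token; every GUID in it is a constructed placeholder, and it fails closed when Entra ID replaces the groups claim with a group-overage reference.

```python
"""Added example (not DeployNow's or OpsVerse's code): the role resolution a
relying party performs on a signature-verified Entra ID v2.0 ID token, using
the groups claim from Step 7 and the app roles from Step 8.  All GUIDs are
constructed placeholders; real ones come from the app registration Overview."""
from typing import Mapping, Optional

TENANT_ID = "00000000-0000-0000-0000-000000000001"   # placeholder tenant ID
CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # placeholder client ID
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"

# Object IDs of the three recommended groups (placeholders) and their DeployNow role.
GROUP_TO_ROLE = {
    "aaaaaaaa-0000-0000-0000-000000000001": "admin",     # DeployNow Admin
    "aaaaaaaa-0000-0000-0000-000000000002": "deployer",  # DeployNow Deployer
    "aaaaaaaa-0000-0000-0000-000000000003": "viewer",    # DeployNow Viewer
}
APP_ROLES = {"admin", "deployer", "viewer"}           # app role Values from Step 8
PRIVILEGE = {"admin": 3, "deployer": 2, "viewer": 1}  # highest privilege wins


def resolve_role(claims: Mapping) -> Optional[str]:
    """Return the DeployNow role for the token's claims, or None to deny sign-in."""
    # A token minted for another app or another tenant must never map to a role.
    if claims.get("aud") != CLIENT_ID or claims.get("tid") != TENANT_ID:
        return None
    if claims.get("iss") != ISSUER:
        return None
    # Group overage: when a user is in too many groups Entra ID omits 'groups'
    # and emits '_claim_names' instead.  Fail closed instead of treating the
    # user as having no (or a default) role.
    if "groups" not in claims and "_claim_names" in claims:
        return None
    roles = {GROUP_TO_ROLE[g] for g in claims.get("groups", []) if g in GROUP_TO_ROLE}
    roles |= {r for r in claims.get("roles", []) if r in APP_ROLES}
    return max(roles, key=PRIVILEGE.__getitem__) if roles else None


# Constructed sample: a member of DeployNow Deployer and DeployNow Viewer.
SAMPLE_CLAIMS = {
    "aud": CLIENT_ID, "tid": TENANT_ID, "iss": ISSUER,
    "groups": ["aaaaaaaa-0000-0000-0000-000000000002",
               "aaaaaaaa-0000-0000-0000-000000000003"],
}

if __name__ == "__main__":
    print(resolve_role(SAMPLE_CLAIMS))  # deployer
```

Signature, expiry and nonce checks happen before this function is called; it deliberately covers only audience, tenant, issuer and role resolution.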