SSO with Microsoft Azure Entra ID (Azure AD)
Setting up OpsVerse ONE SSO (single sign-on) with Azure Entra ID, formerly known as Azure Active Directory (Azure AD), involves several steps. Below is a comprehensive guide to configuring SSO with Entra ID.

Entra ID app registration auth using OIDC

Create Entra ID groups for OpsVerse ONE

The creation of groups is essential for ensuring role-based access control (RBAC) for the users in the organization.

- Navigate to Microsoft Entra ID > Groups in Azure.
- Click on the + New group button to add a new group.
- Select the group type as Security. The names can be admin and viewer, depending on the target user group.
- Select the membership type as Assigned.
- Assign owners for the group.
- Add all the relevant users/members for the group. For instance, all the admin users should be added to the admin group. Similarly, add the relevant users for the other groups.

The recommended groups are:

1. admin: a group that has all the users who will have admin privileges in OpsVerse ONE.
2. viewer: a group that has all the users who will have only viewer privileges in OpsVerse ONE.

Note: Please copy the group IDs for all the created groups. These IDs should be sent to the OpsVerse POC. Currently, all the users will have admin access.

Configure a new Entra ID app registration

Step 1

Navigate to Microsoft Entra ID > App registrations in Azure. Click on the + New registration button to add a new app.

Step 2

- Enter a name for the application. Fill out the name as per the internal organization semantics.
- Specify who can use the application (for instance, Accounts in this organizational directory only (<org name> only - Single tenant) would be a good starting point).
- Enter the Redirect URL (optional) as follows (replacing <OpsVerse ONE URL> with your OpsVerse ONE URL), then click on Add:
  - Platform: Web
  - Redirect URL: https://<OpsVerse ONE URL>/api/auth/microsoft/handler/frame

Step 3

The Azure portal displays the app registration's Overview details when registration finishes: app details (applicationId / clientId, objectId, tenantId, etc).

Step 4

Configure additional platform settings. In the Azure portal, navigate to Microsoft Entra ID > App registrations, search for the newly created app, and select your application.

Step 5

- Under Manage, select Authentication.
- Under Platform configurations, select Add a platform.
- Under Configure platforms, select the Web tile.
- Use the below values for Redirect URIs:
  - https://your-backstage.com/api/auth/microsoft/handler/frame
  - http://localhost:7007/api/auth/microsoft/handler/frame
- Set Advanced settings > Allow public client flows > Enable the following mobile and desktop flows flag to true. This will enable the Save button.

Step 6

Create client secret credentials for the Entra ID app registration.

- Navigate to Microsoft Entra ID > App registrations > Certificates & secrets.
- Under Client secrets, click the + New client secret button.
- Enter a name for the secret (e.g. one-sso) and create a secret.
- Make sure to copy and save the generated value. This is the value for the client secret.

Step 7

Set up permissions for the Entra ID application.

- Navigate to Microsoft Entra ID > App registrations > API permissions.
- Click on + Add permission.
- Find the following permissions (under Microsoft Graph > Delegated permissions) and grant them to the created application:
  - User.Read
  - email
  - offline_access
  - openid
  - profile

Your company may require you to grant admin consent for these permissions. Even if your company doesn't require admin consent, you may wish to do so, as it means users don't need to individually consent the first time they access Backstage. To grant admin consent, a directory admin will need to come to this page and click on the Grant admin consent for <company name> button.

Navigate to the Token configuration menu and choose + Add groups claim.

Step 8

Create Entra ID roles for OpsVerse ONE.

- Navigate to Microsoft Entra ID > App registrations in Azure.
- Search for the newly created application.
- Navigate to <newly created app name> > App roles and click on + Create app role.
- 2 roles can be created that can be mapped to the newly created 2 groups. The recommended roles are admin and viewer.
- Allowed member types should be Users/Groups, and Value should be admin, editor, and viewer respectively. The value should be admin and viewer respectively.

The recommended groups are:

1. admin: a group that has all the users who will have admin privileges in OpsVerse ONE.
2. viewer: a group that has all the users who will have only viewer privileges in OpsVerse ONE.

Step 9

Go to the created application (Microsoft Entra ID > Enterprise applications) and navigate to the Users and groups section. Add all the created groups.

Your Entra app is ready to be integrated with OpsVerse ONE! Please send the following details to the OpsVerse POC:

- Client ID
- Client secret
- Tenant ID
- Group names and IDs for admin and viewer
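
The tenant ID, client ID and group IDs collected in this guide are the values a relying party checks when it turns an Entra ID token into a role. The following is an added example, not OpsVerse ONE's own code: a sketch of that mapping, including the group-overage case where Entra ID omits the groups claim for users in many groups. All IDs are constructed placeholders, the function name `resolve_role` is hypothetical, and the claims are assumed to come from an ID token whose signature, issuer and expiry were already verified.

```python
# Added example: maps validated Entra ID token claims to an OpsVerse ONE role.
# All IDs below are constructed placeholders, not values from a real tenant.
TENANT_ID = "00000000-0000-0000-0000-0000000000aa"   # Tenant ID (constructed)
CLIENT_ID = "00000000-0000-0000-0000-0000000000bb"   # Client ID (constructed)
GROUP_ROLES = {                                       # group object ID -> role
    "11111111-1111-1111-1111-111111111111": "admin",
    "22222222-2222-2222-2222-222222222222": "viewer",
}
ROLE_RANK = {"viewer": 1, "admin": 2}


class ClaimError(Exception):
    """Raised when the token must not be used for an authorization decision."""


def resolve_role(claims):
    """Return 'admin', 'viewer', or None (no mapped group) for a token.

    Assumes `claims` come from an ID token whose signature, issuer and
    expiry were already verified by the OIDC library in use.
    """
    if claims.get("tid") != TENANT_ID:
        raise ClaimError("token issued for a different tenant")
    if claims.get("aud") != CLIENT_ID:
        raise ClaimError("token issued for a different application")
    # Group overage: for users in many groups Entra ID omits `groups` and
    # points to Microsoft Graph via `_claim_names` instead. Fail closed
    # rather than treating the missing claim as "no groups".
    if "groups" in claims.get("_claim_names", {}):
        raise ClaimError("group overage: resolve memberships via Graph")
    roles = [GROUP_ROLES[g] for g in claims.get("groups", []) if g in GROUP_ROLES]
    # A user in both groups gets the higher role; unmapped users get none.
    return max(roles, key=ROLE_RANK.get, default=None)


if __name__ == "__main__":
    sample = {"tid": TENANT_ID, "aud": CLIENT_ID,
              "groups": ["22222222-2222-2222-2222-222222222222"]}
    print(resolve_role(sample))
```

Returning no role for a user outside both groups is a choice made in this sketch; the guide itself notes that all users currently receive admin access.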