SSO with Microsoft Azure Entra ID (Azure AD)
Setting up DeployNow SSO (Single Sign-On) with Microsoft Entra ID, formerly known as Azure Active Directory (Azure AD), involves several steps. DeployNow includes an OpenID Connect (OIDC) provider. Below is a comprehensive guide to configuring SSO with Entra ID.
Creating groups is essential for enforcing role-based access control (RBAC) for the users in your organization.
Navigate to Microsoft Entra ID > Groups in Azure. Click the + New group button to add a new group. Select Security as the group type; name the groups DeployNow Admin, DeployNow Deployer, DeployNow Viewer, etc., depending on the target user group. Select Assigned as the membership type.
Assign owners for the group.
Add all the relevant users/members to the group. For instance, all admin users should be added to the DeployNow Admin group. Similarly, add the relevant users to the other groups.
The recommended groups are:
1. DeployNow Admin - A group that has all the users who will have admin privileges in DeployNow
2. DeployNow Deployer - A group that has all the users who will have deploy privileges (deploy an application, check the status of the deployed app) in DeployNow
3. DeployNow Viewer - A group that has all the users who will have only viewer privileges in DeployNow
NOTE: Please copy the Group IDs of all the created groups. These IDs must be sent to the OpsVerse POC.
Step 1: Navigate to Microsoft Entra ID > App registrations in Azure. Click the + New registration button to add a new app.
Step 2: Enter a name for the application, following your organization's internal naming conventions.
Specify who can use the application (for instance, Accounts in this organizational directory only (<org_name> only - Single tenant) is a good starting point).
Enter the Redirect URL (optional) as follows (replacing <deploynow_url> with your DeployNow URL), then click Add.
- Platform: Web
- Redirect URL: https://<deploynow_url>/api/dex/callback
Step 3: When registration finishes, the Azure portal displays the app registration's overview, including the app details (applicationId/clientId, objectId, tenantId, etc.).
Step 4: Configure additional platform settings. In the Azure portal, navigate to Microsoft Entra ID > App registrations, search for the newly created app and select it.
Step 5: Under Manage, select Authentication. Under Platform configurations, select Add a platform.
Under Configure platforms, select the Mobile and desktop applications tile and use the following values.
- Platform: Mobile and desktop applications
- Redirect URI: http://localhost:8085/auth/callback
Setting Advanced settings > Allow public client flows > Enable the following mobile and desktop flows to true enables the Save button; click it to save.
Step 6: Create a client secret credential for the Entra ID app registration. Navigate to Microsoft Entra ID > App registrations > Certificates & secrets. Under Client secrets, click the + New client secret button. Enter a Name for the secret (e.g. DeployNow-SSO) and create it.
Make sure to copy and save the generated value; it is shown only once after creation and is the value of client_secret.
Step 7: Set up permissions for the Entra ID application. Navigate to Microsoft Entra ID > App registrations > API permissions. Click + Add a permission.
Find the User.Read permission (under Microsoft Graph > Delegated permissions) and grant it to the created application.
Navigate to the Token configuration menu and choose + Add groups claim.
Select Non-gallery application as the application type. Once the details are filled out, click the Create button.
Step 8: Create Entra ID app roles for DeployNow. Navigate to Microsoft Entra ID > App registrations in Azure and search for the newly created application.
Navigate to <Newly Created App Name> > App roles and click + Create app role.
Create three roles, one for each of the three groups created earlier.
The recommended roles are Admin, Deployer, and Viewer.
Allowed member types should be Users/Groups, and the Value should be Admin, Deployer, and Viewer respectively.
Step 9: Go to the created application (Microsoft Entra ID > Enterprise applications) and navigate to the Users and groups section.
Add all the created groups.
Your Entra App is ready to be integrated with DeployNow!
Please send the following details to the OpsVerse POC:
- Client ID
- Client Secret
- Tenant ID
- Group names and IDs for DeployNow Admin, DeployNow Deployer and DeployNow Viewer
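The details above are what DeployNow's OIDC side needs to turn an Entra ID token into a DeployNow role. The following Python is an added example, not DeployNow's or OpsVerse's code, showing how such a mapping is done safely: it assumes the OIDC library has already verified the token signature and expiry, then checks the tenant (tid) and audience (aud) against the Tenant ID and Client ID collected above, maps the groups claim from Step 7 (group object IDs) and the roles claim produced by the app roles from Steps 8 and 9 to exactly one role, and refuses to decide when Entra has replaced the groups list with a Graph reference (groups overage). All IDs in the block are constructed placeholders; the function names are this example's own.

```python
"""Map verified Entra ID token claims to a DeployNow role.

Added example; not DeployNow's or OpsVerse's code. It assumes the OIDC
library has already verified the token signature and expiry. This step then
checks tenant and audience and maps the `groups` claim (group object IDs,
Step 7) and the `roles` claim (app role values, Steps 8-9) to one role.
Every ID below is a constructed placeholder.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Placeholders for the values the page says to collect and send to the POC.
TENANT_ID = "11111111-1111-1111-1111-111111111111"  # Directory (tenant) ID
CLIENT_ID = "22222222-2222-2222-2222-222222222222"  # Application (client) ID

# Group object ID -> role, i.e. the Group IDs copied from the groups created above.
GROUP_ROLE_MAP: Dict[str, str] = {
    "aaaaaaaa-0000-0000-0000-000000000001": "Admin",     # DeployNow Admin
    "aaaaaaaa-0000-0000-0000-000000000002": "Deployer",  # DeployNow Deployer
    "aaaaaaaa-0000-0000-0000-000000000003": "Viewer",    # DeployNow Viewer
}
# Used when a user is in several groups: the most privileged role wins.
# A user in no mapped group gets no role at all, not Viewer by default.
ROLE_RANK = {"Viewer": 1, "Deployer": 2, "Admin": 3}


@dataclass(frozen=True)
class Decision:
    role: Optional[str]  # "Admin", "Deployer", "Viewer", or None for no access
    reason: str          # short explanation for the audit log


def _roles_from_groups(claims: dict) -> Optional[List[str]]:
    """Roles implied by the `groups` claim; None when a Graph lookup is needed."""
    if "groups" not in claims and "groups" in (claims.get("_claim_names") or {}):
        # Groups overage: Entra left the list out because the user is in too
        # many groups and points at Graph via `_claim_sources` instead.
        return None
    groups = claims.get("groups") or []
    return [GROUP_ROLE_MAP[g] for g in groups if g in GROUP_ROLE_MAP]


def decide(claims: dict) -> Decision:
    """Turn verified claims into exactly one DeployNow role (or no access)."""
    # A valid signature proves who signed the token, not that it was meant for
    # this tenant and this app registration, so check both explicitly. Group
    # object IDs are only meaningful inside the tenant that issued them.
    if claims.get("tid") != TENANT_ID:
        return Decision(None, "token issued by an unexpected tenant")
    if claims.get("aud") != CLIENT_ID:
        return Decision(None, "token audience is not this application")

    from_groups = _roles_from_groups(claims)
    if from_groups is None:
        return Decision(None, "groups overage: fetch membership from Graph before deciding")

    # App role values appear in `roles` once the groups are assigned to the
    # enterprise application (Step 9); accept only the values created in Step 8.
    from_app_roles = [r for r in (claims.get("roles") or []) if r in ROLE_RANK]

    candidates = set(from_groups) | set(from_app_roles)
    if not candidates:
        return Decision(None, "user is in no DeployNow group and holds no app role")
    return Decision(max(candidates, key=ROLE_RANK.__getitem__), "mapped from groups/roles claims")


# Constructed sample claims, as an OIDC library returns them after verification.
SAMPLE_DEPLOYER = {
    "tid": TENANT_ID, "aud": CLIENT_ID, "preferred_username": "dev@example.com",
    "groups": ["aaaaaaaa-0000-0000-0000-000000000002",
               "aaaaaaaa-0000-0000-0000-000000000003"],
}
SAMPLE_APP_ROLE_ONLY = {"tid": TENANT_ID, "aud": CLIENT_ID, "roles": ["Admin"]}
SAMPLE_OVERAGE = {
    "tid": TENANT_ID, "aud": CLIENT_ID,
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.microsoft.com/v1.0/users/<user-id>/getMemberObjects"}},
}
SAMPLE_OTHER_TENANT = {
    "tid": "99999999-9999-9999-9999-999999999999", "aud": CLIENT_ID,
    "groups": ["aaaaaaaa-0000-0000-0000-000000000001"],
}

if __name__ == "__main__":
    for name, claims in [("deployer", SAMPLE_DEPLOYER), ("app role", SAMPLE_APP_ROLE_ONLY),
                         ("overage", SAMPLE_OVERAGE), ("other tenant", SAMPLE_OTHER_TENANT)]:
        d = decide(claims)
        print(f"{name:13s} -> role={d.role!s:9s} ({d.reason})")
```

Two design choices are worth noting. Membership in the DeployNow Deployer and DeployNow Viewer groups resolves to Deployer, because a user in several groups gets the highest of the roles those groups map to; a user in none of the mapped groups gets no access rather than a default Viewer role. Also, the other-tenant sample carries the DeployNow Admin group ID and is still rejected, because the tenant check runs before any group is looked at.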
For more information, please refer to this doc: https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/microsoft/