Entra ID
Overview

Your tenant can be configured to allow users to authenticate using their corporate Microsoft Entra ID credentials. This page will walk you through the configuration process.

Create an Authorization Source

Create App Registration

1. Log in to your Microsoft Entra admin portal.
2. From the left menu, click App registrations.
3. On the top menu, click ➕ New registration.
4. Create a name for your application (e.g. KorGrid SSO).
5. Select Accounts in this organizational directory only.
6. Set the Redirect URI to Web.
7. Set the URL to your UI login URL.
8. Click Register.

Create Client Secret

1. From the left menu of the app registration you just created, click Certificates & secrets.
2. On the top menu, click ➕ New client secret.
3. Set Description (e.g. KorGrid Secret).
4. Set Expires to your desired expiration date.
5. Click Add.

Save the following information from Microsoft Entra:

- Tenant ID: Overview > Basic information > Tenant ID
- Client ID: App registrations > All applications > KorGrid SSO > Application (client) ID
- Client Secret: App registrations > All applications > KorGrid SSO > Certificates & secrets > Client secrets > KorGrid Secret > Value

Configure UI

1. From the top menu, click System > Auth Sources.
2. On the left menu, click New.
3. Enter a name for the source (e.g. Entra ID). This name will appear on the sign-in button on the login page.
4. In the Driver field, select Entra ID.
5. Enter the Tenant ID obtained from the previous section.
6. The Redirect URI should be the URL of your management UI (e.g. https://contoso.korgrid.com).
7. Enter the endpoint URL for the user to log out of the session token. Set to None to disable redirecting for logout; otherwise, set to the Entra logout URL (e.g. https://login.microsoft.com/<tenantid>/oauth2/v2.0/logout).
8. Scope should typically be left at the default value (openid profile email).
9. Group Scope should be set to groups if you wish to auto create users based on group membership.
10. Enter the Client ID obtained from the previous section.
11. Enter the Client Secret obtained from the previous section.
12. Remote User Fields defines the list of fields used to initially find the Entra ID user. This field is auto populated with (sub,preferred_username,email nickname). This default list is typically sufficient for most implementations.
13. To carry over group membership from Entra ID to KorGrid, check the Update Group Membership checkbox. Groups can be created manually using instructions in the next section.

User Auto Creation Features (Optional)

Users can be auto created upon initial login to the UI. This can be enabled for all Entra ID users or limited to users in a specified Microsoft 365 group.

- Auto Create Users: If all users should be auto created, enter
- Auto Create Users in Group: To only auto create users that are members of a specified group, enter the group's object ID. Microsoft 365 groups must first be created in the UI prior to users being auto created. Multiple group object IDs can be entered using the format (objectid)|(objectid)|(objectid).

Options (Recommended)

- Update Remote User: Once the user is located in Entra ID, update the KorGrid user Remote Username field to the corresponding Entra unique ID. Enabling the Update Remote User option will allow the system to store the user's unique object ID in the UI's user record so the unique identifier can subsequently be used for finding the Entra ID user; this is typically recommended since fields such as email address can sometimes change.
- Update User Email Address: Update the user email address to match the email address within Entra ID.
- Update User Display Name: Update the user display name to match the display name within Entra ID.
- Update Group Membership: Update the groups that a user is a member of. (A group scope is required for this to function.)

Add Microsoft 365 Groups to UI

Interfacing with Microsoft 365 groups requires a token on the Entra ID app registration and creation of groups within the UI.

Set Up a Token Configuration in Entra ID

1. Navigate to the App registration page for the application created in the previous section.
2. Click on Token configuration on the left menu.
3. Click ➕ Add groups claim.
4. Select all the group types boxes.
5. Set the ID, Access, and SAML token properties to sAMAccountName.

Add Microsoft 365 Groups

1. From the UI's main dashboard, click System from the left menu.
2. From the left menu, click Groups.
3. From the left menu, click New.
4. Enter the group name to match the group name from Microsoft 365.
5. Optionally, you can specify an email for the group. This email address will be used for sending subscription alerts and/or reports assigned to the group.
6. Set the Identifier to the object ID of the Microsoft 365 group.
7. Click Submit.

Manually Add Users from Entra ID

1. From the top menu, click System > Users.
2. From the left menu, click New.
3. Complete the following fields:
   - Authorization Source: Select Entra ID as the source from the dropdown list.
   - Username: Unique name; typically it is recommended to use the Entra ID user principal name.
   - Remote Username: Recommended to use the user's Entra ID object ID.
   - Display Name (optional): If Update User Display Name is enabled on the Entra ID auth source, the display name will automatically synchronize from Entra ID.
   - Email Address (optional): If Update User Email Address is enabled on the Entra ID auth source, the email address will automatically synchronize from Entra ID.
4. Click Submit.
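
Troubleshooting example added here (not part of the product or its documentation): it decodes an Entra ID token payload and checks the claims that the auth source settings above rely on, including the case where Entra replaces the groups list with a _claim_names reference for users in many groups. The GUIDs and tokens are constructed samples, and treating the (objectid)|(objectid) value as a regular-expression alternation is an assumption.

```python
import base64, json, re

TENANT = "11111111-1111-1111-1111-111111111111"   # constructed sample Tenant ID
CLIENT = "22222222-2222-2222-2222-222222222222"   # constructed sample Client ID
# Constructed group object IDs in the page's (objectid)|(objectid) format.
# Assumption: the value is evaluated as a regular-expression alternation.
PATTERN = "(aaaaaaaa-0000-0000-0000-000000000001)|(aaaaaaaa-0000-0000-0000-000000000002)"

def make_token(claims):
    """Build an unsigned sample token (header.payload.signature) for the demo."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "none"})}.{enc(claims)}.'

def decode_claims(token):
    """Decode the payload WITHOUT verifying the signature: troubleshooting only."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)           # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_claims(claims, tenant_id, client_id, group_pattern):
    """Return a list of findings; an empty list means the token fits the settings."""
    findings = []
    if claims.get("tid") != tenant_id:
        findings.append("tid does not match the configured Tenant ID")
    if claims.get("aud") != client_id:
        findings.append("aud does not match the configured Client ID")
    groups = claims.get("groups")
    if groups is None:
        # With too many memberships Entra omits the list and references Graph instead.
        if "groups" in claims.get("_claim_names", {}):
            findings.append("groups overage: list replaced by _claim_names reference")
        else:
            findings.append("no groups claim: check Group Scope and Token configuration")
    elif not any(re.fullmatch(group_pattern, g) for g in groups):
        findings.append("user is in none of the auto-create groups")
    return findings

if __name__ == "__main__":
    samples = {
        "member": {"tid": TENANT, "aud": CLIENT,
                   "groups": ["aaaaaaaa-0000-0000-0000-000000000002"]},
        "overage": {"tid": TENANT, "aud": CLIENT, "_claim_names": {"groups": "src1"}},
    }
    for name, claims in samples.items():
        result = check_claims(decode_claims(make_token(claims)), TENANT, CLIENT, PATTERN)
        print(name, result or "OK")
```

A user whose token reports a groups overage will not match Auto Create Users in Group or Update Group Membership from the token alone, so test with an account that has few group memberships first.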