Entra App registration
This page contains information for IT to set up an App Registration in Microsoft Azure, configure it and give certain users access. This is a prerequisite for Single Sign On to work.
By default, all member accounts within an Entra ID tenant are allowed to create application registrations and consent to them. It is common practice, however, to restrict this within a tenant.
If you're not the tenant administrator, contact the administrator to obtain the appropriate permissions, or ask the administrator to follow the steps below.
- Go to your Azure Portal and sign in with your account
- Navigate to App registrations
- Click on 'New registration'
- Give the application registration a name, e.g. '121-platform'
- Under 'Supported account types', select 'Accounts in this organizational directory only'
- Under redirect URL, put:
  - Under 'platform', select 'Single-page Application (SPA)'
  - For the redirect URL put: https://portal.*yourSubDomain*.121.global/en-GB/auth-callback (your subdomain is the text in your URL between 'portal.' and '.121.global')
- Click 'Register'
- Navigate to the 'Branding & properties' blade in the 'Manage' category.
- For the Home page URL, put: https://portal.*yourSubDomain*.121.global/login (your subdomain is the text in your URL between 'portal.' and '.121.global')
- Navigate to the 'Overview' blade.
- Copy and store the value of the field 'Application (client) ID' and share this with the 121 team.
To configure and consent to the appropriate application permissions, make sure your account has the appropriate permissions, and follow these steps:
- Navigate in your browser to https://portal.*yourSubDomain*.121.global/login and sign in with your Entra account (your subdomain is the text in your URL between 'portal.' and '.121.global')
- Review the required permissions for the application
- Check the box for 'Consent on behalf of your organization'
- Click 'Accept'.
It is not a problem if you cannot sign in to 121 itself at this point. The aim here is to configure and consent to the application permissions. You can check these permissions in the app registration, under Manage > API permissions.
Once the app registration is configured, a corresponding 'Enterprise application' is also created. There, access to the application may be restricted to a subset of users within your organization by assigning users and security groups to the application.
Assigning an Entra security group requires at least a P1 Entra license for your tenant. Nested groups do not work; only direct assignments do.
- Navigate to the Enterprise applications blade in the Entra ID portal, under 'Manage'.
- Search for the name of your application registration, e.g. '121-platform', and open it.
- Navigate to the 'Properties' blade under 'Manage'
- Set 'Assignment required' to 'Yes'
- Navigate to the 'Users and groups' blade
- Click on 'Add user/group'
- Select the users or group that you want to give access to 121
- Click 'Assign'
- Repeat these steps for any other users or groups that you wish to assign.
The account you have used to set up the application registration is automatically assigned. You may remove this assignment at this point if it is not required.
Note: These users also need to be added with the same user principal name to 121 separately before they can sign in, see here on how to do that.
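To confirm that the finished registration matches the steps on this page without clicking through every blade, the settings can be checked from the JSON that `az ad app show --id <client-id>` and `az ad sp show --id <client-id>` return. The script below is an added example, not code from the 121 project; the function name, the subdomain "example" and the sample objects are constructed, and it assumes that any redirect URL other than the one given above should be reported.

```python
import json

# Constructed sample objects, trimmed to the fields checked here. They mimic
# the JSON returned by `az ad app show` and `az ad sp show`; the subdomain
# "example" and the ids are placeholders.
SAMPLE_APP = json.loads("""{
  "appId": "00000000-0000-0000-0000-000000000000",
  "displayName": "121-platform",
  "signInAudience": "AzureADMyOrg",
  "spa": {"redirectUris": ["https://portal.example.121.global/en-GB/auth-callback"]},
  "web": {"homePageUrl": "https://portal.example.121.global/login", "redirectUris": []}
}""")
SAMPLE_SP = json.loads(
    '{"appId": "00000000-0000-0000-0000-000000000000", "appRoleAssignmentRequired": true}'
)


def audit_registration(app, sp, subdomain):
    """Return a list of findings; an empty list means the settings match the steps."""
    base = f"https://portal.{subdomain}.121.global"
    callback = f"{base}/en-GB/auth-callback"
    findings = []

    # 'Accounts in this organizational directory only' is stored as AzureADMyOrg.
    if app.get("signInAudience") != "AzureADMyOrg":
        findings.append("supported account types is not single-tenant")

    spa_uris = (app.get("spa") or {}).get("redirectUris") or []
    if callback not in spa_uris:
        findings.append("SPA redirect URL for the portal is missing")
    for uri in spa_uris:
        if uri != callback:
            findings.append(f"unexpected SPA redirect URL: {uri}")

    # The steps register the callback under the SPA platform only.
    web = app.get("web") or {}
    for uri in web.get("redirectUris") or []:
        findings.append(f"redirect URL registered under 'Web' platform: {uri}")
    if web.get("homePageUrl") != f"{base}/login":
        findings.append("home page URL does not match the portal login page")

    # 'Assignment required' lives on the Enterprise application (service principal).
    if not sp.get("appRoleAssignmentRequired"):
        findings.append("'Assignment required' is not set to 'Yes'")
    return findings


if __name__ == "__main__":
    for line in audit_registration(SAMPLE_APP, SAMPLE_SP, "example") or ["OK"]:
        print(line)
```

With real data, load the two exported JSON files with `json.load` and pass your own subdomain in place of "example".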