To use authentication via EntraID with SIGNL4, you must enable certain scopes for the use of our EntraID Enterprise Application.
First, it is important to note that we use “Modern Authentication / OpenID Connect” for SSO authentication, not SAML.
Required Scopes:
The following scopes are requested by SIGNL4 from EntraID as part of user authentication and must be approved by the EntraID administrator for SIGNL4:
- openid
- profile
- offline_access
- User.Read
These scopes fall into two groups.
openid, email, offline_access and profile are standard OpenID Connect scopes, while User.Read is a Microsoft Graph API permission.
OpenID Scopes:
openid
This scope is mandatory in every OIDC flow and signals that the application wants to perform authentication. It ensures that an ID token is issued that contains claims about the user's identity.
email
This scope allows the application to access the user's email address. The ID token then contains the email claim and possibly an email-verification flag.
profile
This scope grants access to basic profile information such as first name, last name, username, or even the URL of the profile picture. It contains the most important attributes needed to display or personalize the user in the app.
offline_access
This scope allows the application to request a refresh token, so the app can obtain new access tokens in the background without the user having to log in again.
User.Read
User.Read is mandatory, as otherwise SIGNL4 cannot perform token validation using the Graph API.
Together with the OIDC standard scopes, User.Read also forms the basis for the correct application of any conditional access policies that may be configured in EntraID as part of the user login process.
Grant administrator consent
Please follow these steps in Azure AD to grant admin consent for SIGNL4 to request new API scopes:
Sign in to the Azure portal and open Azure Active Directory (Microsoft Entra ID).
Select “Enterprise applications” from the left-hand menu.
Enter “SIGNL4” in the search field and open the application details with the application ID starting with 16b5.
Click on “Permissions” in the app's details menu.
Click the Grant Administrator Consent button and allow SIGNL4 to request the scopes described above.
After that, these 4 scopes of the Microsoft Graph API should show up in the list of admin consents you have given.
Please note that EntraID cannot grant separate permission for the email scope; it is always permitted by default.
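As an added example (not SIGNL4's code and not part of this article), the following Python snippet shows how an EntraID administrator can check the space-separated scope string of an admin consent grant against the four scopes listed above, treating email as implicitly granted as described, and then inspect which ID token claims those scopes are expected to produce. The claim names assumed for each scope (sub/iss/aud for openid, email for email, name and preferred_username for profile) are standard OIDC and EntraID claims; the sample ID token is constructed inline, is unsigned, and uses placeholder tenant and application IDs. The payload decoder deliberately skips signature verification because its only purpose is claim inspection; real token validation must verify the signature against the tenant's JWKS first.

```python
import base64
import json

# The four scopes the article says SIGNL4 requests and an admin must consent to.
REQUIRED_SCOPES = {"openid", "profile", "offline_access", "User.Read"}

# Per the article, EntraID never shows a separate consent entry for `email`;
# it is always granted, so we fold it into the effective scope set.
ALWAYS_GRANTED = {"email"}

# Assumed mapping of OIDC scopes to the ID token claims they are expected to
# yield (standard OIDC claim names; EntraID uses `preferred_username`).
CLAIMS_BY_SCOPE = {
    "openid": {"sub", "iss", "aud"},
    "email": {"email"},
    "profile": {"name", "preferred_username"},
}


def effective_scopes(grant_scope: str) -> set[str]:
    """Normalise the space-separated `scope` value of a consent grant.

    Comparison is case-insensitive because scope names are often written
    inconsistently (e.g. openId / openID / openid)."""
    return {s.lower() for s in grant_scope.split()} | ALWAYS_GRANTED


def missing_consent(grant_scope: str) -> set[str]:
    """Return the required scopes that are absent from the consent grant."""
    granted = effective_scopes(grant_scope)
    return {s for s in REQUIRED_SCOPES if s.lower() not in granted}


def expected_claims(grant_scope: str) -> set[str]:
    """Claims an ID token should carry given the consented OIDC scopes."""
    claims: set[str] = set()
    for scope in effective_scopes(grant_scope):
        claims |= CLAIMS_BY_SCOPE.get(scope, set())
    return claims


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str) -> dict:
    """Decode a compact JWT payload WITHOUT verifying the signature.

    Suitable only for inspecting claims; never use this to accept a token."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def missing_claims(id_token: str, grant_scope: str) -> set[str]:
    """Expected claims (from the consented scopes) that the token lacks."""
    return expected_claims(grant_scope) - id_token_claims(id_token).keys()


def make_unsigned_token(payload: dict) -> str:
    """Build an alg=none JWT for the constructed sample below (test data only)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed sample claims; tenant and app IDs are placeholders, not real values.
SAMPLE_CLAIMS = {
    "iss": "https://login.microsoftonline.com/<tenant-id-placeholder>/v2.0",
    "aud": "<signl4-app-id-placeholder>",
    "sub": "constructed-subject-identifier",
    "name": "Example User",
    "preferred_username": "example.user@example.test",
    "email": "example.user@example.test",
}
SAMPLE_ID_TOKEN = make_unsigned_token(SAMPLE_CLAIMS)

# Constructed consent-grant scope strings as they appear on an oAuth2PermissionGrant.
FULL_GRANT = "openid profile offline_access User.Read"
PARTIAL_GRANT = "openid profile User.Read"

if __name__ == "__main__":
    print("missing consent (full grant):   ", missing_consent(FULL_GRANT))
    print("missing consent (partial grant):", missing_consent(PARTIAL_GRANT))
    print("expected claims:                ", sorted(expected_claims(FULL_GRANT)))
    print("missing claims in sample token: ", missing_claims(SAMPLE_ID_TOKEN, FULL_GRANT))
```

The scope string checked here is the same value an administrator sees in the admin-consent list after following the steps above; a non-empty result from missing_consent means the consent step has not been completed for that scope, and a non-empty result from missing_claims points at a scope that was consented but is not reflected in the issued ID token.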