Authenticating with Entra ID via OpenID Connect

Setting up App Registration in Azure Portal

• This part is required and must be completed.

Granting GraphAPI access for the app registration to users and groups

• This part is required if the syncing of groups or users is required.

  • If this is not completed:

    • All permissions must be manually managed within the application and existing Entra ID groups cannot be used.

    • A user must log into the application before they can be assigned any permissions.

Navigate to the Azure Portal and select App registrations.

Click the New registration button in the top menu.

Enter the following details and then click the Register button:

On the left menu click on the Authentication option.

Set the following options and then click Save:

Navigate to Token configuration and click Add optional claim

Select the Token Type: ID, then tick the options to enable email, upn, family_name and given_name.

Click the Add button.

If asked then tick the "Turn on the Microsoft Graph email, profile permissions" option and click Add.

On the left menu select the API Permissions option.

Click Grant admin consent for [Organisation Name here] link.

Click Yes on the confirmation window.

Confirm the consent has now been granted.

On the left menu select the Overview option.

Take note of the Application (client) ID and the Directory (tenant) ID by mousing over then clicking the copy to clipboard button and saving them somewhere safe for later use.

Click on the Endpoints option in the upper menu.

Take note of the Authority URL (Accounts in this organizational directory only) by clicking the copy to clipboard button and saving it somewhere safe for later use.

You should now have the 3 respective values saved out ready to send to our team.

Send these 3 values to our team via a secure method of your choice.

For example:

• Encrypted email or sharing an entry in a password manager.

• Secure self-destructing message service (https://secret.ezescan.com.au/ )

• Other method that adhears to your organisations policies for sharing sensitive information.

In the Azure Portal navigate to App Registrations and select the Application that EWA is using. (You can check the application Id to confirm)

1. Click API permissions on the left menu.

   

Click the Add a permission link.

Select the Microsoft Graph option.

Select Application permissions.

Find and then tick the Group.Read.All permission.

Find and then tick the User.Read.All permission and then click the Add Permission button.

Notice that the newly added permissions have not been granted consent yet.

Click the Grant admin consent for COMPANY NAME option.

Select the Yes, add other granted permissions to the configured permissions option and click Save and Continue.

Click the Grant admin consent button.

Click Yes on the confirmation.

Confirm that the consent has been added for the Group.Read.All and User.Read.All permissions.

On the left menu select the Overview option.

Click Add a certificate or secret.

Click New client secret.

Set the following values and click Add.

Take note of the Value of the client secret by clicking the copy to clipboard button and saving it somewhere safe for later use.

Client secret values cannot be viewed, except for immediately after creation. Be sure to save the secret when created before leaving the page.

Send the client secret value to our team via a secure method of your choice.

For example:

1. Encrypted email or sharing an entry in a password manager.

2. Secure self-destructing message service (https://secret.ezescan.com.au/ )

3. Other method that adhears to your organisations policies for sharing sensitive information.