EzeScan Cloud

Authenticating with Entra ID via OpenID Connect

There are two parts to the configuration below:

Setting up App Registration in Azure Portal

  • This part is required and must be completed.

Granting Graph API access for the app registration to users and groups

  • This part is required if groups or users need to be synced.

    • If this is not completed:

      • All permissions must be manually managed within the application and existing Entra ID groups cannot be used.

      • A user must log into the application before they can be assigned any permissions.

Setting up App Registration in Azure Portal

1. Navigate to the Azure Portal and select App registrations.

2. Click the New registration button in the top menu.

3. Enter the following details and then click the Register button:

  • Name: EzeScan WebApps

  • Supported account types: Accounts in this organizational directory only ([Your tenant name here] only - Single tenant)

  • Redirect URI: Web - https://customer.ezescan.cloud/eim/signin-oidc (replace "customer" with your deployed DNS name)

4. On the left menu, click the Authentication option.

5. Set the following options and then click Save:

  • Logout Url: https://customer.ezescan.cloud/eim/signout-oidc (replace "customer" with your deployed DNS name)

  • Implicit Grant: ID tokens

  • Supported Account Types > Who can use this application or access this API?: Accounts in this organizational directory only ([Your tenant name here] only - Single tenant)

  • Advanced Settings > Allow public client flows: No

6. Navigate to Token configuration and click Add optional claim.

7. Select the Token Type: ID, then tick the options to enable email, upn, family_name and given_name. Click the Add button.

8. If asked, tick the "Turn on the Microsoft Graph email, profile permissions" option and click Add.

9. On the left menu, select the API Permissions option.

10. Click the Grant admin consent for [Organisation Name here] link.

11. Click Yes on the confirmation window.

12. Confirm the consent has now been granted.

13. On the left menu, select the Overview option.

14. Take note of the Application (client) ID and the Directory (tenant) ID: mouse over each value, click the copy to clipboard button, and save them somewhere safe for later use.

15. Click on the Endpoints option in the upper menu.

16. Take note of the Authority URL (Accounts in this organizational directory only) by clicking the copy to clipboard button and saving it somewhere safe for later use.

17. You should now have the 3 respective values saved, ready to send to our team.

18. Send these 3 values to our team via a secure method of your choice.

For example:

  • Encrypted email or sharing an entry in a password manager.

  • Secure self-destructing message service (https://secret.ezescan.com.au/)

  • Other method that adheres to your organisation's policies for sharing sensitive information.
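A way to check the finished registration against the values in steps 3, 5 and 7 before sending anything on. This is an added example, not EzeScan's or Microsoft's code; it assumes the registration has been exported as a Microsoft Graph application object, and the function name and the embedded sample are constructed for illustration.

```python
import json

# Constructed sample: a trimmed Microsoft Graph "application" object
# (GET /applications/{object-id}); "customer" is the page's placeholder DNS name.
SAMPLE_APP = json.loads("""
{
  "signInAudience": "AzureADMyOrg",
  "isFallbackPublicClient": false,
  "web": {
    "redirectUris": ["https://customer.ezescan.cloud/eim/signin-oidc"],
    "logoutUrl": "https://customer.ezescan.cloud/eim/signout-oidc",
    "implicitGrantSettings": {"enableIdTokenIssuance": true,
                              "enableAccessTokenIssuance": false}
  },
  "optionalClaims": {"idToken": [{"name": "email"}, {"name": "upn"},
                                 {"name": "family_name"}, {"name": "given_name"}]}
}
""")

REQUIRED_CLAIMS = {"email", "upn", "family_name", "given_name"}  # step 7

def audit_app_registration(app, dns_name):
    """Return deviations from the values in steps 3, 5 and 7 (empty list = match)."""
    base = f"https://{dns_name}.ezescan.cloud/eim"
    web = app.get("web") or {}
    grant = web.get("implicitGrantSettings") or {}
    claims = {c.get("name") for c in (app.get("optionalClaims") or {}).get("idToken") or []}
    uris = set(web.get("redirectUris") or [])
    findings = []
    if app.get("signInAudience") != "AzureADMyOrg":  # single tenant
        findings.append("signInAudience is not single tenant")
    if uris != {f"{base}/signin-oidc"}:  # exactly one redirect URI expected
        findings.append(f"redirect URIs differ from step 3: {sorted(uris)}")
    if web.get("logoutUrl") != f"{base}/signout-oidc":
        findings.append("logout URL differs from step 5")
    if not grant.get("enableIdTokenIssuance"):
        findings.append("ID token issuance is off")
    if grant.get("enableAccessTokenIssuance"):
        # Assumption: step 5 ticks only "ID tokens", so access tokens stay off.
        findings.append("implicit access token issuance is on")
    if app.get("isFallbackPublicClient"):  # "Allow public client flows" = No
        findings.append("public client flows are allowed")
    missing = REQUIRED_CLAIMS - claims
    if missing:
        findings.append(f"missing optional ID token claims: {sorted(missing)}")
    return findings

if __name__ == "__main__":
    print(audit_app_registration(SAMPLE_APP, "customer") or "matches steps 3, 5 and 7")
```

Any redirect URI beyond the single sign-in URL is reported, since each extra entry is another location Entra ID will deliver tokens to.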

Granting Graph API access to users and groups

1. In the Azure Portal, navigate to App registrations and select the application that EWA is using (you can check the Application ID to confirm).

2. Click API permissions on the left menu.

3. Click the Add a permission link.

4. Select the Microsoft Graph option.

5. Select Application permissions.

6. Find and then tick the Group.Read.All permission.

7. Find and then tick the User.Read.All permission and then click the Add Permission button.

8. Notice that the newly added permissions have not been granted consent yet. Click the Grant admin consent for COMPANY NAME option.

9. Select the Yes, add other granted permissions to the configured permissions option and click Save and Continue.

10. Click the Grant admin consent button.

11. Click Yes on the confirmation.

12. Confirm that the consent has been added for the Group.Read.All and User.Read.All permissions.

13. On the left menu, select the Overview option.

14. Click Add a certificate or secret.

15. Click New client secret.

16. Set the following values and click Add.

  • Description: EzeScan WebApps

  • Expires: 24 Months

17. Take note of the Value of the client secret by clicking the copy to clipboard button and saving it somewhere safe for later use.

Client secret values cannot be viewed, except for immediately after creation. Be sure to save the secret when created before leaving the page.

18. Send the client secret value to our team via a secure method of your choice.

For example:

  • Encrypted email or sharing an entry in a password manager.

  • Secure self-destructing message service (https://secret.ezescan.com.au/)

  • Other method that adheres to your organisation's policies for sharing sensitive information.
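A periodic check for the second procedure: that the registration carries only the two application permissions from steps 6 and 7, and that the 24-month client secret from step 16 is not about to lapse. This is an added example, not EzeScan's or Microsoft's code; the function name, the 60-day warning window and the embedded sample are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph
# Microsoft Graph app role IDs for the two application permissions in steps 6 and 7.
EXPECTED_ROLES = {
    "5b567255-7703-4780-807c-7be8301ae99b": "Group.Read.All",
    "df021288-bdef-4463-88db-98f22de89214": "User.Read.All",
}

# Constructed sample: trimmed Graph application object after steps 7 and 16.
SAMPLE_APP = {
    "requiredResourceAccess": [{
        "resourceAppId": GRAPH_APP_ID,
        "resourceAccess": [{"id": rid, "type": "Role"} for rid in EXPECTED_ROLES],
    }],
    "passwordCredentials": [
        {"displayName": "EzeScan WebApps", "endDateTime": "2027-06-19T02:00:00Z"},
    ],
}

def audit_graph_access(app, now, warn_days=60):
    """Flag missing/extra application permissions and expiring client secrets."""
    findings = []
    roles = {ra["id"]
             for res in app.get("requiredResourceAccess") or []
             for ra in res.get("resourceAccess") or []
             if ra.get("type") == "Role"}  # "Role" = application permission
    for role_id, name in EXPECTED_ROLES.items():
        if role_id not in roles:
            findings.append(f"{name} is not configured")
    extra = roles - set(EXPECTED_ROLES)
    if extra:
        findings.append(f"{len(extra)} application permission(s) beyond the two on this page")
    for cred in app.get("passwordCredentials") or []:
        # Graph returns UTC timestamps; drop any fractional seconds before parsing.
        end = datetime.strptime(cred["endDateTime"][:19], "%Y-%m-%dT%H:%M:%S")
        end = end.replace(tzinfo=timezone.utc)
        label = cred.get("displayName") or "(unnamed secret)"
        if end <= now:
            findings.append(f"secret '{label}' has expired")
        elif end - now <= timedelta(days=warn_days):
            findings.append(f"secret '{label}' expires in {(end - now).days} days")
    return findings

if __name__ == "__main__":
    print(audit_graph_access(SAMPLE_APP, datetime(2025, 6, 19, tzinfo=timezone.utc)))
```

The `requiredResourceAccess` list shows what is configured, not what has been consented to, so the confirmation in step 12 is still needed.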