Entra ID Apps
“CUSTOMER.com” must be replaced with your own URL and is only an example of a domain.
An application must be registered in Entra ID (formerly Azure AD). A "Single tenant" registration is usually sufficient; "Multitenant" only needs to be activated if the installation is to be accessible from several Entra ID tenants.
ATTENTION
Personal Microsoft accounts are not supported.
Entra ID App Creation
For the redirect URI, select "Web" as the platform and enter a URL of the following form:
https://CUSTOMER.com/ids/oidc-signin-office365auth
“https://CUSTOMER.com” stands for the address at which primedocs will later be accessible.
Entra ID App Authentication
After creation, add the following configuration:
The following must be listed in Redirect URIs:
https://CUSTOMER.com/ids/oidc-signin-office365auth
https://CUSTOMER.com/datasourceadminapp/office365adminconsent
In Front-channel logout URL:
https://CUSTOMER.com/ids/
Activate in “Implicit grant and hybrid flows”:
Entra ID Certifications and secret
Then create a client secret and save it. Choose a sufficient validity period: this secret is later stored in primedocs.config and must be renewed there before it expires.
Entra ID API Permissions
Give the application the following "Delegated permissions" in "Microsoft Graph":
email
offline_access
openid
profile
User.Read
The following "Application permissions" are also required:
Directory.Read.All: This authorization allows primedocs to determine a user's group memberships. Templates, text modules, profiles etc. can be authorized to Entra ID groups in primedocs. This authorization is required to find out whether a user is in a specific group.
User.Read.All: This authorization enables user synchronization via the Microsoft Graph.
Grant "Consent" for this application.
Optional “Delegated permissions”:
Files.ReadWrite.All
Sites.Read.All
These are required for the integration in Microsoft SharePoint and Microsoft Teams (web integration).
Entra ID App DataSourceAdminApp creation
App Registration
The DataSourceAdminApp is not connected to the permissions and roles concept; it has been designed as an application to support initial configuration and operation.
In a classic on-premises environment, for example, only the administrators would be authorized to access this application via Windows groups. In the Azure environment, we use a second Entra app registration to map this.
To do this, register another application and enter the following as the redirect URI:
Also define a client secret for this application.
Then also grant "Consent" for this application in the API permissions.
Enterprise Application - User Assignment
Access to the DataSourceAdminApp should be severely restricted. To do this, use the "User Assignments" option in the Enterprise Application.
Search for the app registration of the DataSourceAdminApp that you have just created, activate "Assignment required" and select the users who should have access (usually only technical staff and administrators who need to export/import packages to ensure operation).
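The registration steps above (redirect URIs, front-channel logout URL, single-tenant audience, Graph permissions, client secret) and the "Assignment required" setting of the enterprise application are easy to get wrong by hand and drift over time. The following script is an added example, not part of primedocs or of Microsoft's tooling: it audits an app registration exported in Microsoft Graph format (the portal's "Manifest" blade) together with the service principal object, and reports every deviation from what this page asks for. The Graph permission IDs are Microsoft's published well-known values and should be checked against the current Graph permissions reference; the 30-day secret warning window, the sample manifests and the NOW timestamp are constructed for the example.

```python
"""Audit an exported Entra ID app registration against the settings above."""
from datetime import datetime, timedelta, timezone

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource

# Well-known Microsoft Graph permission IDs as published by Microsoft; check them
# against the current Graph permissions reference before relying on this list.
DELEGATED = {  # required "Scope" entries
    "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0": "email",
    "7427e0e9-2fba-42f2-b2ad-7d2f8e7b9e4a": "offline_access",
    "37f7f235-527c-4136-accd-4a02d197296e": "openid",
    "14dad69e-099b-42c9-810b-d002981feec1": "profile",
    "e1fe6dd8-ba31-4d61-89e7-88639da4683d": "User.Read",
}
APPLICATION = {  # required "Role" entries
    "7ab1d382-f21e-4acd-a863-ba3e13f7da61": "Directory.Read.All",
    "df021288-bdef-4463-88db-98f22de89214": "User.Read.All",
}
OPTIONAL_DELEGATED = {  # only for the SharePoint / Teams web integration
    "863451e7-0667-486c-a5d6-d135439485f0": "Files.ReadWrite.All",
    "205e70e5-aba6-4c52-a976-6d2d46c48043": "Sites.Read.All",
}
SECRET_WARNING_DAYS = 30  # assumption: warn this long before the client secret expires


def expected_redirect_uris(base_url):
    base = base_url.rstrip("/")
    return {f"{base}/ids/oidc-signin-office365auth",
            f"{base}/datasourceadminapp/office365adminconsent"}


def audit_app(manifest, base_url, now=None):
    """Return findings for the primedocs app registration; [] means it matches the page."""
    now = now or datetime.now(timezone.utc)
    base = base_url.rstrip("/")
    findings = []

    if manifest.get("signInAudience") != "AzureADMyOrg":
        findings.append("signInAudience is not single tenant (AzureADMyOrg)")

    web = manifest.get("web", {})
    uris = set(web.get("redirectUris", []))
    expected = expected_redirect_uris(base)
    findings += [f"redirect URI is not https: {u}" for u in sorted(uris) if not u.startswith("https://")]
    findings += [f"missing redirect URI: {u}" for u in sorted(expected - uris)]
    findings += [f"unexpected redirect URI: {u}" for u in sorted(uris - expected)]
    if web.get("logoutUrl") != f"{base}/ids/":
        findings.append("front-channel logout URL is not set to /ids/")

    # What is requested from Microsoft Graph: permission id -> "Scope" or "Role".
    granted = {acc["id"]: acc["type"]
               for res in manifest.get("requiredResourceAccess", [])
               if res.get("resourceAppId") == GRAPH_APP_ID
               for acc in res.get("resourceAccess", [])}
    findings += [f"missing delegated permission: {n}" for p, n in DELEGATED.items() if granted.get(p) != "Scope"]
    findings += [f"missing application permission: {n}" for p, n in APPLICATION.items() if granted.get(p) != "Role"]
    allowed = set(DELEGATED) | set(APPLICATION) | set(OPTIONAL_DELEGATED)
    findings += [f"permission not needed by primedocs: {p} ({granted[p]})" for p in sorted(set(granted) - allowed)]

    creds = manifest.get("passwordCredentials", [])
    if not creds:
        findings.append("no client secret configured")
    for cred in creds:
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        if end <= now:
            findings.append("client secret has expired")
        elif end - now < timedelta(days=SECRET_WARNING_DAYS):
            findings.append(f"client secret expires within {SECRET_WARNING_DAYS} days")
    return findings


def audit_service_principal(sp):
    """Enterprise application of the DataSourceAdminApp: 'Assignment required' must be on."""
    if not sp.get("appRoleAssignmentRequired"):
        return ["appRoleAssignmentRequired is false: any user in the tenant can sign in"]
    return []


def _graph_access(scopes, roles):
    return [{"resourceAppId": GRAPH_APP_ID,
             "resourceAccess": [{"id": i, "type": "Scope"} for i in scopes]
                               + [{"id": i, "type": "Role"} for i in roles]}]


# Constructed sample objects (not real tenant data); NOW fixes "today" for the checks.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
GOOD_APP = {
    "signInAudience": "AzureADMyOrg",
    "web": {"redirectUris": sorted(expected_redirect_uris("https://CUSTOMER.com")),
            "logoutUrl": "https://CUSTOMER.com/ids/"},
    "requiredResourceAccess": _graph_access(DELEGATED, APPLICATION),
    "passwordCredentials": [{"endDateTime": "2026-05-01T00:00:00Z"}],
}
BAD_APP = {  # multitenant, http redirect, missing role, extra role, secret about to expire
    "signInAudience": "AzureADMultipleOrgs",
    "web": {"redirectUris": ["http://CUSTOMER.com/ids/oidc-signin-office365auth"]},
    "requiredResourceAccess": _graph_access(
        DELEGATED, ["df021288-bdef-4463-88db-98f22de89214",
                    "11111111-1111-1111-1111-111111111111"]),  # second id: constructed placeholder
    "passwordCredentials": [{"endDateTime": "2025-06-15T00:00:00Z"}],
}
GOOD_SP = {"appRoleAssignmentRequired": True}

if __name__ == "__main__":
    for name, result in (("GOOD_APP", audit_app(GOOD_APP, "https://CUSTOMER.com", NOW)),
                         ("BAD_APP", audit_app(BAD_APP, "https://CUSTOMER.com", NOW)),
                         ("GOOD_SP", audit_service_principal(GOOD_SP))):
        print(name, "OK" if not result else "\n  " + "\n  ".join(result))
```

Run against a real export, replace the constructed manifests with the JSON downloaded from the portal (or fetched from `/applications/{id}` and `/servicePrincipals/{id}` via Microsoft Graph) and treat any finding as a configuration to correct before going live; an unexpected redirect URI or a missing "Assignment required" flag is exactly the kind of drift this check is meant to catch.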
PrimeSoft AG, Bahnhofstrasse 4, 8360 Eschlikon, Switzerland