Entra ID Apps



“CUSTOMER.com” is only an example domain and must be replaced with your own URL.

An application must be registered in Entra ID (formerly Azure AD). A "Single tenant" registration is usually sufficient; "Multitenant" must be activated only if the installation is to be accessible from several Entra ID tenants.

ATTENTION
Personal Microsoft accounts are not supported.

Entra ID App Creation

For the redirect URI, select "Web" as the platform and use a URL of this form:

https://CUSTOMER.com/ids/oidc-signin-office365auth

“http://CUSTOMER.com” stands for the destination address at which primedocs will later be accessible.

Entra ID App Authentication

After creation, add the following configuration:

The following must be listed in Redirect URIs:

https://CUSTOMER.com/ids/oidc-signin-office365auth
https://CUSTOMER.com/datasourceadminapp/office365adminconsent

In Front-channel logout URL:

https://CUSTOMER.com/ids/

Activate in “Implicit grant and hybrid flows”:

Access tokens
ID tokens

Entra ID Certifications and secret

Then create a client secret and save it. Select a sufficiently long validity period: this secret will later be stored in primedocs.config and must be renewed there before it expires.

Entra ID API Permissions

Give the application the following "Delegated permissions" in "Microsoft Graph":

  • email

  • offline_access

  • openid

  • profile

  • User.Read

The following "Application permissions" are also required:

Grant "Consent" for this application.

Optional “Delegated permissions”:

  • Files.ReadWrite.All & Sites.Read.All are required for integration in Microsoft SharePoint and Microsoft Teams.


Entra ID App DataSourceAdminApp creation

App Registration

The DataSourceAdminApp is not tied into the permissions and roles concept; it is designed as an application that supports initial configuration and operation.

In a classic OnPrem environment, for example, only the administrators would be authorized to access this application via Windows groups. In the Azure environment, we use another Entra App Registration to map this.

To do this, register another application and enter the following as the redirect URI:

Also define a client secret for this application.

Then also grant "Consent" for this application in the API permissions.

Enterprise Application - User Assignment

Access to the DataSourceAdminApp should be severely restricted. To do this, use the "User Assignments" option in the Enterprise Application.

Search for the app registration of the DataSourceAdminApp that you have just created and activate "Assignment required". Then select the users who should have access (usually only the technical staff and administrators who need to export/import packages to ensure operation).
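To check that an existing registration matches the settings described in the Authentication, Certificates & secrets and User Assignment sections above, the following Microsoft Graph PowerShell script audits the redirect URIs, logout URL, implicit grant settings, secret expiry and the "Assignment required" flag. It is an added example, not part of the PrimeSoft documentation; the base URL, the application (client) ID and the 30-day expiry threshold are assumptions.

```powershell
# Added example (not from the PrimeSoft documentation): audit an Entra ID app registration
# against the documented primedocs settings. Requires the Microsoft.Graph.Applications module.
param(
    [string]$BaseUrl = "https://CUSTOMER.com",   # assumption: replace with your own URL
    [Parameter(Mandatory)][string]$AppId        # assumption: application (client) ID to check
)

Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

$app = Get-MgApplication -Filter "appId eq '$AppId'"
if (-not $app) { throw "No app registration found for appId $AppId" }
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"

$findings = New-Object System.Collections.Generic.List[string]

# 1. Redirect URIs: exactly the two documented URIs. Any extra URI widens where tokens may be sent.
$expected = @("$BaseUrl/ids/oidc-signin-office365auth",
              "$BaseUrl/datasourceadminapp/office365adminconsent")
foreach ($u in $expected) {
    if ($app.Web.RedirectUris -notcontains $u) { $findings.Add("Missing redirect URI: $u") }
}
foreach ($u in $app.Web.RedirectUris) {
    if ($expected -notcontains $u) { $findings.Add("Unexpected redirect URI: $u") }
    if ($u -notlike "https://*") { $findings.Add("Non-HTTPS redirect URI: $u") }
}

# 2. Front-channel logout URL and the "Implicit grant and hybrid flows" settings
if ($app.Web.LogoutUrl -ne "$BaseUrl/ids/") {
    $findings.Add("Front-channel logout URL is '$($app.Web.LogoutUrl)', expected '$BaseUrl/ids/'")
}
if (-not $app.Web.ImplicitGrantSettings.EnableAccessTokenIssuance) { $findings.Add("Access tokens not enabled") }
if (-not $app.Web.ImplicitGrantSettings.EnableIdTokenIssuance) { $findings.Add("ID tokens not enabled") }

# 3. Client secret: the value stored in primedocs.config must be renewed before it expires
foreach ($cred in $app.PasswordCredentials) {
    $daysLeft = ($cred.EndDateTime - (Get-Date)).Days
    if ($daysLeft -lt 30) { $findings.Add("Client secret '$($cred.DisplayName)' expires in $daysLeft days") }
}

# 4. Enterprise application: only explicitly assigned users may sign in to the DataSourceAdminApp
if ($sp -and -not $sp.AppRoleAssignmentRequired) {
    $findings.Add("'Assignment required' is not enabled on the enterprise application")
}

if ($findings.Count -eq 0) { "OK: registration matches the documented configuration" }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it once per registration (the primedocs app and the DataSourceAdminApp); for the DataSourceAdminApp only the redirect URI you entered for it applies, so adjust $expected accordingly.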


PrimeSoft AG, Bahnhofstrasse 4, 8360 Eschlikon, Switzerland