# MS Entra ID (OIDC)

## Prerequisites

<details>

<summary>Permissions required for registering and configuring an app in Microsoft Entra ID.</summary>

The account must have permission to manage applications in Microsoft Entra ID. Ideally the account should be in the Global Admin role to grant admin consent.

</details>

## Implement Single Sign-On (SSO)

It is recommended to use two separate browser tabs for the Azure (A) and Keycloak (K) portals to make it easier to apply the settings.

1. (A) In the first tab sign in to the [Azure Portal](https://portal.azure.com/).
2. (A) Search for *Microsoft Entra ID*. Expand *Manage* in the left pane and click **App registrations**.
3. (A) Select **Endpoints**.
4. (A) Copy the value from the *OpenID Connect metadata document* field.
5. (K) Open a new tab in your browser and log in to the target Spark tenant. Access the *Keycloak console* from the [Navigation menu](/navigation/navigation-menu.md#user-menu).
6. (K) Log in to the Keycloak Admin Console using your admin credentials.
7. (K) Select *Identity Providers* from the left pane.
8. (K) Expand the *Add Provider* dropdown and choose *OpenID Connect v1.0*.
9. (K) Find the *Discovery Endpoint* field and paste the *OpenID Connect metadata document*.
10. (K) Click on the *Show metadata* link. You'll notice that some metadata fields are automatically filled in.
11. (K) Fill in values for the *Alias* and *Display Name* fields. The *Alias* should be a lowercase name without special symbols. Please note this *Display Name* will appear in the button on the Spark login page.
12. (K) Copy the *Redirect URI* value.
13. (A) Switch to Microsoft Entra ID. Select *App registrations*, then select *New registration*.
14. (A) Enter a name for the application, e.g. `Coherent Spark UAT`.
15. (A) Select the supported account type that is appropriate for your organization.
16. (A) Under *Redirect URI*, paste the Redirect URI value copied from Keycloak in step 12.
17. (A) Select **Register**.
18. (A) Copy the *Application (Client) ID* from the Overview page.
19. (K) Return to Keycloak. In the *Client ID* field, paste the value copied in the previous step.
20. (A) Switch to Microsoft Entra ID. Go to *Certificates & secrets*.
21. (A) Select *New Client Secret* and fill out the *Description and Expiration* fields.
22. (A) Select **Add** and copy the value.
23. (K) Return to Keycloak. In the *Client Secret* field, paste the value copied in the previous step.
24. (K) Scroll to the bottom of the page and click **Save**.
25. (A) Switch to Microsoft Entra ID. Go to *API permissions*.
26. (A) Select *Grant admin consent for {your Microsoft Entra ID}* to grant permissions to the application.
27. Navigate to your Spark tenant and sign in using the newly created provider. There will be a button on the Keycloak login page with the display name defined earlier.
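Steps 4, 9 and 10 above rely on the OpenID Connect metadata document that Keycloak reads from the *Discovery Endpoint* field. The following script is an added example (not part of this guide, and not Keycloak or Entra ID code) that checks such a document before it is pasted into Keycloak: it confirms the issuer is the intended Entra ID tenant rather than `common`/`organizations`, that every endpoint is HTTPS and belongs to the same tenant, and that the authorization-code flow and RS256 signing are offered. The tenant ID and the sample document are constructed placeholders in the shape Entra ID publishes for a v2.0 tenant endpoint; `fetch_discovery` is a hypothetical helper for running the check against a live metadata URL.

```python
"""Sanity-check the OpenID Connect metadata document that Keycloak's
"Discovery Endpoint" field consumes.  Added example for this guide, not
Keycloak or Entra ID code.  The sample below is constructed; the tenant ID
is a placeholder, not a real directory."""

import json
import urllib.request
from urllib.parse import urlparse

REQUIRED_KEYS = (
    "issuer",
    "authorization_endpoint",
    "token_endpoint",
    "jwks_uri",
    "id_token_signing_alg_values_supported",
    "response_types_supported",
)

# Constructed sample in the shape Entra ID publishes for a v2.0 tenant endpoint.
TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder
SAMPLE_METADATA = {
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
    "response_types_supported": ["code", "id_token", "code id_token", "id_token token"],
}


def fetch_discovery(metadata_url: str) -> dict:
    """Download and parse the metadata document copied from the Endpoints pane
    (hypothetical helper; not used by the offline checks below)."""
    with urllib.request.urlopen(metadata_url, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def check_discovery(doc: dict, expected_tenant_id: str) -> list[str]:
    """Return a list of problems; an empty list means the document is usable."""
    problems = [f"missing field: {key}" for key in REQUIRED_KEYS if key not in doc]
    if problems:
        return problems

    issuer = urlparse(doc["issuer"])
    # Entra ID (global cloud) issues tokens from login.microsoftonline.com/<tenant>/v2.0;
    # national clouds use other hostnames and would need this check adjusted.
    if issuer.scheme != "https" or issuer.hostname != "login.microsoftonline.com":
        problems.append(f"unexpected issuer: {doc['issuer']}")
    parts = issuer.path.strip("/").split("/")
    tenant_in_issuer = parts[0] if parts else ""
    if tenant_in_issuer != expected_tenant_id:
        # A 'common' or 'organizations' issuer accepts accounts from any
        # directory; the broker must be pinned to one tenant.
        problems.append(f"issuer tenant '{tenant_in_issuer}' != expected '{expected_tenant_id}'")

    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = urlparse(doc[key])
        if url.scheme != "https":
            problems.append(f"{key} is not https: {doc[key]}")
        if url.hostname != issuer.hostname or not url.path.startswith(f"/{tenant_in_issuer}/"):
            problems.append(f"{key} does not belong to the issuer tenant: {doc[key]}")

    if "RS256" not in doc["id_token_signing_alg_values_supported"]:
        problems.append("RS256 ID-token signing is not offered")
    if "code" not in doc["response_types_supported"]:
        problems.append("authorization code flow is not offered")
    return problems


if __name__ == "__main__":
    print(check_discovery(SAMPLE_METADATA, TENANT_ID))  # []
    multi_tenant = dict(SAMPLE_METADATA, issuer="https://login.microsoftonline.com/common/v2.0")
    print(check_discovery(multi_tenant, TENANT_ID))  # issuer/endpoint tenant mismatches
```

Run it with `check_discovery(fetch_discovery(url), "<your tenant id>")` against the URL copied in step 4; an empty list is the result you want before continuing with step 9.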

## Configure app roles to Spark user groups

{% hint style="info" %}
Do not configure a mapper for the `user:pf` group. This is the default minimal Spark group that users must belong to in order to sign in to Spark. Configuring a mapper for this group unnecessarily duplicates sign-in permission management already controlled by your Identity Provider.
{% endhint %}

It is recommended to use two separate browser tabs for the Azure (A) and Keycloak (K) portals to make it easier to apply the settings. In this guide, we will set up automatic group assignment for the `tenant-admin` role.

1. (A) In the first tab sign in to the [Azure Portal](https://portal.azure.com/).
2. (A) Search for and select *Microsoft Entra ID*.
3. (A) Select *App registrations*, then select the application you previously created and click *App roles*.
4. (A) Select *Create app role*.
5. (A) Provide the following values then select **Apply**.

   | Key                                    | Value                     |
   | -------------------------------------- | ------------------------- |
   | *Allowed member types*                 | `User/Groups`             |
   | *Display name*                         | `tenant-admin`            |
   | *Value*                                | `tenant-admin`            |
   | *Description*                          | Your app role description |
   | *Do you want to enable this app role?* | `True`                    |
6. (A) Click *Overview* in the left pane and then on your application in *Managed application in local directory*.
7. (A) Select *Properties* from the left pane.
8. (A) Set *Assignment required?* to `True` and select **Save**.
9. (A) Select *Users and Groups* from the left pane and then *Add user/group*.
10. (A) Assign your test account to the `tenant-admin` role.
11. (K) Open a new tab in your browser and log in to the target Spark tenant. Access the *Keycloak console* from the [Navigation menu](/navigation/navigation-menu.md#user-menu).
12. (K) Log in to the Keycloak Admin Console using your admin credentials.
13. (K) Select *Identity Providers* from the left pane and then the identity provider you configured in the previous section.
14. (K) Select the *Mappers* tab and then **Add mapper**.
15. (K) Provide the following values.

    | Name                 | Value                     |
    | -------------------- | ------------------------- |
    | *Name*               | `tenant-admin`            |
    | *Sync mode override* | `force`                   |
    | *Mapper type*        | `Advanced Claim to Group` |
16. (K) Click *Add Claims*.
17. (K) Provide the following values:

    | Key     | Value          |
    | ------- | -------------- |
    | `roles` | `tenant-admin` |
18. (K) Leave *Regex Claim Values* as *Off* (which is the default).
19. (K) Click *Select Group*, choose `tenant-admin`, then click **Select**.
20. (K) Click **Save**.
21. Sign in to Coherent Spark with your test account. Click on your initials and hover over the groups icon to confirm your membership in `tenant-admin`.
22. We highly recommend creating at least a few additional app groups relevant for [Private tenants](https://docs.coherent.global/tenant-administration/private-tenant):
    * Group for `supervisor:pf` user accounts. In Spark, `supervisor:pf` members can manage permissions across all folders.
    * Groups for "standard" user accounts, e.g. `user:teamA`, `user:teamB`. These groups can be assigned to the users in your organization not responsible for tenant administration. Creating multiple roles for "standard" user accounts can be useful to separate access between teams.
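The mapper configured in steps 15 to 20 adds a user to the Keycloak group `tenant-admin` when the `roles` claim of the Entra ID token contains `tenant-admin`, and the *Sync mode override* of `force` decides whether that membership is re-evaluated on later logins. The script below is an added example, not Keycloak code, that simulates this behaviour so the effect of the sync mode is visible: with `force`, unassigning the app role in Entra ID removes the group at the next login; with `import`, the group would be set once and stay. The token claims are constructed (the object ID is a placeholder), `user:pf` is only present as the default group that no mapper drives, and the claim matching mirrors the default non-regex comparison, where a list-valued claim matches if any element equals the configured value.

```python
"""Simulation of a Keycloak "Advanced Claim to Group" identity-provider
mapper applied to the `roles` claim Entra ID places in the ID token, and of
what the sync mode does on later logins.  Added example for this guide; not
Keycloak code.  Token claims below are constructed, not captured."""

from dataclasses import dataclass


@dataclass
class ClaimToGroupMapper:
    name: str
    claims: dict[str, str]      # claim name -> required value (the "Add Claims" rows)
    group: str                  # Keycloak group chosen with "Select Group"
    sync_mode: str = "inherit"  # "inherit", "import" or "force"


def claims_match(token_claims: dict, required: dict[str, str]) -> bool:
    """True when every configured claim is present with the required value.
    A list-valued claim (Entra's `roles` is one) matches if any element equals
    the value; regex matching is off, as in the guide."""
    for name, expected in required.items():
        actual = token_claims.get(name)
        if isinstance(actual, list):
            if expected not in (str(v) for v in actual):
                return False
        elif actual is None or str(actual) != expected:
            return False
    return True


def apply_mapper(groups: set[str], token_claims: dict, mapper: ClaimToGroupMapper,
                 idp_sync_mode: str, first_login: bool) -> set[str]:
    """Return the user's groups after this login.

    import:  membership is set once, when the brokered account is created.
    force:   membership is re-evaluated on every login, so a role removed in
             Entra ID also removes the Keycloak group.
    inherit: use the identity provider's own sync mode.
    """
    mode = idp_sync_mode if mapper.sync_mode == "inherit" else mapper.sync_mode
    if mode not in ("import", "force"):
        raise ValueError(f"unknown sync mode {mode!r}")
    result = set(groups)
    if mode == "import" and not first_login:
        return result  # nothing is touched after the first login
    if claims_match(token_claims, mapper.claims):
        result.add(mapper.group)
    else:
        result.discard(mapper.group)
    return result


# Mapper exactly as the guide configures it: claim `roles` == `tenant-admin`,
# mapped to the `tenant-admin` group, sync mode override `force`.
TENANT_ADMIN_MAPPER = ClaimToGroupMapper(
    name="tenant-admin", claims={"roles": "tenant-admin"}, group="tenant-admin", sync_mode="force")

# Constructed ID-token claims.  `user:pf` is the default Spark group and is
# deliberately not driven by any mapper.
FIRST_LOGIN_CLAIMS = {"oid": "<placeholder-object-id>", "roles": ["tenant-admin"]}
AFTER_ROLE_REMOVED = {"oid": "<placeholder-object-id>"}  # app role unassigned in Entra ID


def lifecycle(mapper: ClaimToGroupMapper, idp_sync_mode: str = "import") -> tuple[set[str], set[str]]:
    """Groups after the first login and after a later login without the role."""
    groups = {"user:pf"}
    after_first = apply_mapper(groups, FIRST_LOGIN_CLAIMS, mapper, idp_sync_mode, first_login=True)
    after_removal = apply_mapper(after_first, AFTER_ROLE_REMOVED, mapper, idp_sync_mode, first_login=False)
    return after_first, after_removal


if __name__ == "__main__":
    print(lifecycle(TENANT_ADMIN_MAPPER))
    # ({'user:pf', 'tenant-admin'}, {'user:pf'})
    import_only = ClaimToGroupMapper("tenant-admin", {"roles": "tenant-admin"}, "tenant-admin", "import")
    print(lifecycle(import_only))
    # ({'user:pf', 'tenant-admin'}, {'user:pf', 'tenant-admin'})  <- privilege outlives the role
```

The second run is the case to avoid: with `import` (or `inherit` on a provider whose own sync mode is `import`), the `tenant-admin` membership granted at first login survives the role being removed in Entra ID, which is why the guide sets the override to `force`.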

## Enable Privileged Identity Management (PIM)

See [MS Entra ID Privileged Identity Management (PIM)](/identity-and-access-management/single-sign-on/ms-entra-id-privileged-identity-management-pim.md).

## Create an enterprise application for Coherent Spark

See [Microsoft Apps](/identity-and-access-management/single-sign-on/microsoft-apps.md).
