# MS Azure AD OIDC
This feature is available to enterprise customers.

The following manual configuration creates an OIDC SSO configuration for your enterprise organization.

## Prerequisites

- Owner or Admin role in an enterprise organization
- Administrative access to your organization's Microsoft Azure AD portal

## Supported features

This configuration supports the following:

- Service provider initiated SSO
- Single log out (optional)

## Configuration steps

Before configuring SSO, you need to assign a namespace and make files of your service provider certificate and private key. These steps provide the information you need to enter later.

### Create your namespace in Make

1. Click **Organization** in the left sidebar.
2. Click the **SSO** tab.
3. Under **Namespace**, enter the namespace you want for your organization, for example `acmecorp`. Your organization members enter this namespace when they log in via SSO.
4. Under **SSO type**, select **SAML 2.0**.
5. Copy the **Redirect URL** and save it in a safe place. You will use this later when you create your SAML integration in the Microsoft Azure AD portal.

### Create an OIDC application in the MS Azure portal

1. Log in to the Microsoft Azure portal and navigate to the Azure Active Directory.
2. In the left navigation, click **Enterprise applications**.
3. Click **+ New application**.
4. Click **+ Create your own application**.
5. Enter a name for your app and select **Register an application to integrate with Azure AD (App you're developing)**.
6. Click **Create**.
7. Enter and select the following fields on the **Register an application** page:

| Field | Required information |
|---|---|
| Name | Enter a name for your OIDC SSO app. |
| Supported account types | Select the option that is best for your use case. For example, use **Accounts in this organizational directory only** if your application is only for internal use within your organization. |
| Redirect URI (optional) | Although Microsoft marks this field as optional, successful implementation with Make requires the following: select the **Web** platform and enter `https://next.integromat.com/sso/login`. |

8. Click **Register**.

### Create your client credentials in the MS Azure portal

1. In the Microsoft Azure AD portal, go to **Home > Enterprise applications > {your OIDC app} > Single sign-on** and click **Go to application**.
2. Under **Essentials**, find **Application (client) ID**. Copy this value and save it in a secure place. This is the required information for the **Client ID** field in your Make SSO configuration.
3. In the left navigation under **Manage**, click **Certificates & secrets**.
4. Click **+ New client secret**.
5. In the new dialog box, enter a short description and click **Add**.
6. Find the new client secret on the list. Copy the **Value** and save it in a secure place. This is the required information for the **Client secret** field in your Make SSO configuration.

### Configure tokens and optional claims in the MS Azure portal

1. In the left navigation under **Manage**, click **Token configuration**.
2. Click **+ Optional claim**.
3. In the new dialog box, select **ID**. A list appears.
4. Select **email**.

### Add API permissions in the MS Azure portal

1. In the left navigation under **Manage**, click **API permissions**.
2. Click **+ Add permission**.
3. In the new dialog box, click **Microsoft Graph**.
4. Click **Application permissions**.
5. Use the search bar to find **User.Read.All**.
6. Select **User.Read.All** and click **Add permissions**.

### Add users to your application in the MS Azure portal

To provide access to your organization members, you need to add these users to your app in the MS Azure portal.

1. In the Microsoft Azure AD portal, go to **Home > Enterprise applications > {your OIDC app}**.
2. Click **Users and groups**.
3. Click **+ Add user/group** to add the users you want to access your Make organization.

### Update the SSO in Make

1. Click **Organization** in the left sidebar.
2. Click the **SSO** tab.
3. Enter the following information:

| Field | Value |
|---|---|
| User information URL | `https://graph.microsoft.com/v1.0/me` |
| Client ID | Enter the Application (client) ID you copied in step 2 of *Create your client credentials in the MS Azure portal*. |
| Token URL | `https://login.microsoftonline.com/1234etc/oauth2/v2.0/token` |
| Login scopes | `User.Read.All` |
| Scopes separator | Enter a single space. |
| Authorize URL | To find your Authorize URL in the MS Azure portal, go to **Home > Enterprise applications > {your OIDC app} > Single sign-on** and click **Go to application**. Click **Endpoints**. A window appears. Find **OAuth 2.0 authorization endpoint (v1)**. Copy and paste this URL into your Make configuration. |
| Client secret | Enter the value you copied in step 6 of *Create your client credentials in the MS Azure portal*. |
| User information IML resolve | `{"id": "{{id}}", "email": "{{mail}}", "name": "{{givenName}}"}` |
| Redirect URL | No action required. |
| Team provisioning for new users | Select an option based on your needs. |

4. Click **Save**.

You will receive an email with the subject "Activation complete: SSO ready for your organization" upon successful activation.

If you encounter any issues while logging in using SSO, disable SSO using the "one time link" (valid for 24 hours).

## Service provider initiated SSO

1. Go to make.com.
2. Click **Sign in with SSO**.
3. Enter the namespace you chose for your organization.
4. Log in using your Microsoft credentials and consent to Make's access to your user data.
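The SSO tab fields above are easy to mistype, and a wrong value only shows up as a failed login. As an added example (not Make's or Microsoft's code), the following Python assembles those field values for a tenant, checks for the usual slips (the docs' `1234etc` placeholder left in the Token URL, a separator other than a single space, a User information URL other than the Graph `/me` endpoint), and applies the User information IML resolve mapping to a constructed Graph `/me` response. The tenant ID, client ID, secret, authorize URL and the sample response are constructed values, and the `{{field}}` substitution is this example's own reading of the mapping, not Make's IML implementation.

```python
"""Sanity-check Make SSO values for an Azure AD OIDC app (added example, not Make's code)."""
import re

# Fixed values from the "Update the SSO in Make" table.
USER_INFO_URL = "https://graph.microsoft.com/v1.0/me"
LOGIN_SCOPES = "User.Read.All"
SCOPES_SEPARATOR = " "
# "User information IML resolve" mapping; each {{field}} names a Graph /me field.
USER_INFO_MAPPING = {"id": "{{id}}", "email": "{{mail}}", "name": "{{givenName}}"}
LOGIN_BASE = "https://login.microsoftonline.com/"
PLACEHOLDER_TENANT = "1234etc"  # placeholder shown in the docs' Token URL
GUID_RE = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)


def token_url(tenant_id: str) -> str:
    """Build the v2.0 token endpoint; the docs show it with the '1234etc' placeholder."""
    return f"{LOGIN_BASE}{tenant_id}/oauth2/v2.0/token"


def build_make_sso_config(tenant_id, client_id, client_secret, authorize_url):
    """Return the field/value pairs that are entered on the Make SSO tab."""
    return {
        "user_information_url": USER_INFO_URL,
        "client_id": client_id,
        "token_url": token_url(tenant_id),
        "login_scopes": LOGIN_SCOPES,
        "scopes_separator": SCOPES_SEPARATOR,
        "authorize_url": authorize_url,
        "client_secret": client_secret,
        "user_information_iml_resolve": USER_INFO_MAPPING,
    }


def check_config(cfg: dict) -> list:
    """Return a list of problems; an empty list means the values match the docs."""
    problems = []
    if PLACEHOLDER_TENANT in cfg["token_url"]:
        problems.append("Token URL still contains the docs placeholder tenant '1234etc'")
    for key in ("token_url", "authorize_url"):
        if not cfg[key].startswith(LOGIN_BASE):
            problems.append(f"{key} does not point at {LOGIN_BASE}")
    if cfg["user_information_url"] != USER_INFO_URL:
        problems.append("User information URL must be the Graph /me endpoint")
    if cfg["scopes_separator"] != " ":
        problems.append("Scopes separator must be a single space")
    if not GUID_RE.match(cfg["client_id"]):
        problems.append("Client ID should be the Application (client) ID GUID from Essentials")
    if not cfg["client_secret"]:
        problems.append("Client secret is empty; copy the Value of the new client secret")
    return problems


def resolve_user_info(mapping: dict, graph_me: dict) -> dict:
    """Substitute {{field}} tokens with values from a Graph /me response.

    Raises ValueError when a referenced field is absent or null, so a user record
    without a usable 'mail' value is reported instead of becoming an empty email.
    """
    def substitute(template: str) -> str:
        def repl(match):
            field = match.group(1)
            value = graph_me.get(field)
            if value is None:
                raise ValueError(f"Graph /me response has no value for '{field}'")
            return str(value)
        return re.sub(r"\{\{(\w+)\}\}", repl, template)
    return {claim: substitute(tpl) for claim, tpl in mapping.items()}


# Constructed sample of what Graph /me could return for one directory user.
SAMPLE_GRAPH_ME = {
    "id": "11111111-2222-3333-4444-555555555555",
    "mail": "jane.doe@acmecorp.example",
    "givenName": "Jane",
    "userPrincipalName": "jane.doe@acmecorp.example",
}

if __name__ == "__main__":
    cfg = build_make_sso_config(
        tenant_id="1234etc",  # placeholder copied straight from the docs; check_config flags it
        client_id="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",  # constructed GUID
        client_secret="<client-secret-value>",  # constructed placeholder
        authorize_url="https://login.microsoftonline.com/<tenant>/oauth2/authorize",  # constructed
    )
    for problem in check_config(cfg):
        print("problem:", problem)
    print(resolve_user_info(USER_INFO_MAPPING, SAMPLE_GRAPH_ME))
```

Run it after filling the SSO tab to compare what was pasted with what the docs expect; the `resolve_user_info` check is the one to run against a real `/me` response for a test user before enabling SSO for everyone, since a null `mail` is the mapping's failure mode.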