Register an application in Microsoft Entra ID
To register an application for Token Vault so that Microsoft Entra ID users can log in, you need to specify certain properties of this Microsoft Entra ID application (Application (client) ID, Client secret, and Redirect URI). To do this, perform the following steps.

- Navigate to https://portal.azure.com.
  Your organization may use a national cloud because of data residency or compliance requirements. In this case, navigate to the corresponding national cloud Microsoft Entra ID portal endpoint instead:
  - https://portal.azure.us for Microsoft Entra ID for US Government.
  - https://portal.azure.cn for Microsoft Entra ID for China operated by 21Vianet.
- Log in with an existing Microsoft 365 account.
- Select Microsoft Entra ID in the left navigation pane.
- Under Manage, select App registrations.
- Select the New registration tab and fill out the registration information of the application:
  - Enter a Name for the application. This is a user-facing name and can be changed at any time.
  - Under Supported account types, select an account type. When you configure the Microsoft Entra ID settings in Token Vault, the Directory (tenant) ID must match this application property.
  - From the Redirect URI (optional) list, select the Web type, and then enter the URI corresponding to your Token Vault configuration in the following format:
    https://<FQDN>:<port>/callback
    where:
    - FQDN is the fully qualified domain name of the Token Vault machine.
    - port is the value of the HTTPS Port setting on the Token Vault Server Settings page when HTTPS is used.
    For example, https://tokenvaultmachine.testdomain.com:8381/callback.
    Token Vault must be configured with HTTPS for Microsoft Entra ID-based authentication. Otherwise, an error occurs when the user tries to sign in with Microsoft.
- Click Register.
  The new application is created with the specified name and a generated Application (client) ID, but the application does not have any certificate or secret yet.
- Copy the Application (client) ID and the Directory (tenant) ID for later use. These are required for the configuration of Microsoft Entra ID settings in Token Vault.
- Select Authentication in the left menu.
- Click Add URI under Redirect URIs on the right to configure the second Redirect URI for the application. Enter the URI corresponding to your Token Vault configuration in the following format:
  https://<FQDN>:<port>/signin-oidc
  where:
  - FQDN is the fully qualified domain name of the Token Vault machine.
  - port is the value of the HTTPS Port setting on the Token Vault Server Settings page when HTTPS is used.
  For example, https://tokenvaultmachine.testdomain.com:8381/signin-oidc.
  Token Vault must be configured with HTTPS for Microsoft Entra ID-based authentication. Otherwise, an error occurs when the user tries to sign in with Microsoft.
- Under Implicit grant and hybrid flows, select Access tokens (used for implicit flows) and ID tokens (used for implicit and hybrid flows).
- Click Save.
- Select Certificates & secrets in the left menu.
- Click New client secret in the right panel to generate a new client secret for the application.
- Specify a Description, and then select the expiry option according to your policy requirements.
- Click Add.
- Copy the newly generated client secret value for later use. This is another required application property for configuring Microsoft Entra ID settings in Token Vault. You can only copy the client secret at this point in the workflow. After you leave or refresh this page, you are not able to retrieve it. If you leave this page without copying the client secret value, you must repeat the corresponding steps above and create a new one.
- Select API permissions in the left menu, and click Add a permission on the API permissions page.
- Under the Commonly used Microsoft APIs group on the Request API permissions page, locate Microsoft Graph and select it. The Microsoft Graph API is displayed on the Request API permissions page.
- Select Delegated permissions.
- Locate the User permission group, and select the User.ReadBasic.All check box to allow login to Token Vault and search for Microsoft Entra ID users to add them as Token Vault administrators.
- Locate the Group permission group, and select the GroupMember.Read.All check box to allow search for Microsoft Entra ID groups to add them as Token Vault administrator groups. For this permission, admin consent is required.
- Click Add permissions. There might be a delay between permissions being configured and when they appear on the consent prompt.
- If permissions are configured and displayed on the consent prompt, click Grant admin consent for... to allow this app to search for Microsoft Entra ID groups so that no consent screen appears at Microsoft Entra ID user logins.
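The procedure above leaves several settings that are easy to get subtly wrong (an http redirect URI, a port that does not match the Token Vault HTTPS Port, a missing second URI, ID tokens left unselected). The following pre-flight check is an added example, not part of the Token Vault documentation or the product's own code. It reads an app registration manifest in the layout of the Microsoft Graph application resource (web.redirectUris, web.implicitGrantSettings, requiredResourceAccess), which is also what the portal's Manifest page exports, and reports every deviation from the requirements listed on this page. The sample manifests are constructed; the permission ids in them are placeholders, because the manifest stores permission GUIDs rather than names, so the User.ReadBasic.All and GroupMember.Read.All names still have to be verified in the portal.

```python
"""Pre-flight check of a Microsoft Entra ID app registration against the
Token Vault requirements listed above. Added example, not part of the Token
Vault documentation. Manifest layout follows the Microsoft Graph 'application'
resource; the sample manifests at the bottom are constructed for this example."""
from urllib.parse import urlsplit

# Both redirect URI paths Token Vault needs, as given in the procedure.
REQUIRED_PATHS = ("/callback", "/signin-oidc")
# Well-known resource app ID of Microsoft Graph in requiredResourceAccess.
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"


def expected_redirect_uris(fqdn: str, port: int) -> list[str]:
    """Derive the two redirect URIs from the Token Vault FQDN and HTTPS Port."""
    return [f"https://{fqdn}:{port}{path}" for path in REQUIRED_PATHS]


def check_redirect_uri(uri: str, fqdn: str, port: int) -> list[str]:
    """Return the problems with one redirect URI (empty list means acceptable)."""
    problems = []
    parts = urlsplit(uri)
    if parts.scheme != "https":
        problems.append(f"{uri}: scheme must be https; sign-in with Microsoft fails over http")
    if parts.hostname != fqdn.lower():
        problems.append(f"{uri}: host must be the Token Vault FQDN ({fqdn})")
    if parts.port != port:
        problems.append(f"{uri}: port must equal the Token Vault HTTPS Port ({port})")
    if parts.path not in REQUIRED_PATHS:
        problems.append(f"{uri}: path must be one of {', '.join(REQUIRED_PATHS)}")
    if parts.query or parts.fragment:
        problems.append(f"{uri}: a redirect URI must not carry a query string or fragment")
    return problems


def check_registration(manifest: dict, fqdn: str, port: int) -> list[str]:
    """Return every deviation from the Token Vault requirements found in the manifest."""
    problems = []
    web = manifest.get("web", {})
    uris = web.get("redirectUris", [])

    # 1. Every configured redirect URI must be well formed and point at Token Vault.
    for uri in uris:
        problems.extend(check_redirect_uri(uri, fqdn, port))

    # 2. Both /callback and /signin-oidc must be present in an acceptable form.
    valid_paths = {urlsplit(u).path for u in uris if not check_redirect_uri(u, fqdn, port)}
    for expected in expected_redirect_uris(fqdn, port):
        if urlsplit(expected).path not in valid_paths:
            problems.append(f"missing redirect URI {expected}")

    # 3. Implicit grant and hybrid flows: Access tokens and ID tokens must be selected.
    grant = web.get("implicitGrantSettings", {})
    if not grant.get("enableAccessTokenIssuance"):
        problems.append("Implicit grant and hybrid flows: 'Access tokens' is not selected")
    if not grant.get("enableIdTokenIssuance"):
        problems.append("Implicit grant and hybrid flows: 'ID tokens' is not selected")

    # 4. Microsoft Graph must be requested with at least two delegated ("Scope")
    #    permissions. Only the count is checked here; the names are verified in the portal.
    graph_scopes = [
        access
        for resource in manifest.get("requiredResourceAccess", [])
        if resource.get("resourceAppId") == MS_GRAPH_APP_ID
        for access in resource.get("resourceAccess", [])
        if access.get("type") == "Scope"
    ]
    if len(graph_scopes) < 2:
        problems.append("API permissions: fewer than two delegated Microsoft Graph permissions")
    return problems


# Constructed sample manifests. The permission ids are placeholders, not real GUIDs.
FQDN, PORT = "tokenvaultmachine.testdomain.com", 8381
GRAPH_PERMISSIONS = {
    "resourceAppId": MS_GRAPH_APP_ID,
    "resourceAccess": [
        {"id": "00000000-0000-0000-0000-0000000000a1", "type": "Scope"},  # placeholder for User.ReadBasic.All
        {"id": "00000000-0000-0000-0000-0000000000a2", "type": "Scope"},  # placeholder for GroupMember.Read.All
    ],
}
GOOD_MANIFEST = {
    "web": {
        "redirectUris": expected_redirect_uris(FQDN, PORT),
        "implicitGrantSettings": {"enableAccessTokenIssuance": True, "enableIdTokenIssuance": True},
    },
    "requiredResourceAccess": [GRAPH_PERMISSIONS],
}
BAD_MANIFEST = {
    "web": {
        # Second URI uses http, which Token Vault rejects; ID tokens left unselected.
        "redirectUris": [f"https://{FQDN}:{PORT}/callback", f"http://{FQDN}:{PORT}/signin-oidc"],
        "implicitGrantSettings": {"enableAccessTokenIssuance": True, "enableIdTokenIssuance": False},
    },
    "requiredResourceAccess": [GRAPH_PERMISSIONS],
}

if __name__ == "__main__":
    for name, manifest in (("good", GOOD_MANIFEST), ("bad", BAD_MANIFEST)):
        found = check_registration(manifest, FQDN, PORT)
        print(f"{name}: {'OK' if not found else str(len(found)) + ' problem(s)'}")
        for problem in found:
            print("  -", problem)
```

Run it against the manifest exported from the portal (or the object returned by the Graph applications endpoint) before pointing Token Vault at the registration; an empty result means the redirect URIs, token issuance settings and the number of delegated Graph permissions agree with the steps above.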