Register an application at the Microsoft Identity Platform (Microsoft Entra ID) admin center
To register an application for Token Vault so that Microsoft Entra users can log in on the eCopy ShareScan Session Logon form, you need to provide certain properties of this Microsoft Entra ID application to Token Vault: the Application (client) ID, the Client secret and the Redirect URI. To obtain them, do the following.
- Navigate to https://portal.azure.com.
  Your organization may use a national cloud because of data residency or compliance requirements. In this case, navigate to the corresponding national cloud Microsoft Entra portal endpoint instead:
  - https://portal.azure.us for Microsoft Entra ID for US Government.
  - https://portal.azure.cn for Microsoft Entra China operated by 21Vianet.
- Log in with an existing Microsoft 365 account.
- Select Microsoft Entra ID in the left navigation pane.
- Select App registrations. The App registrations page appears.
- Click the New registration button to register a new application. The Register an application page opens.
- Fill out the registration information of the application:
  - Specify a Name for the application.
  - Under Supported account types, select an account type. When you later configure a Microsoft 365 Authorization provider in Token Vault for the Session logon service, its Supported account types and Tenant name settings must match this application property.
  - From the Redirect URI (optional) list, select Web type, and then enter the URI corresponding to your Token Vault configuration in the following format:
    https://<FQDN>:<port>/callback
    where:
    - FQDN is the fully qualified domain name of the Token Vault machine.
    - port is the value of the HTTPS Port setting on the Token Vault Server Settings page when HTTPS is used.
    For example: https://tokenvaultmachine.testdomain.com:8381/callback
- Click Register. The new application is created with the specified name and a generated Application (client) ID, but the application does not have any certificate or secret yet.
- Copy the Application (client) ID for later use. It is required for configuring a new Microsoft 365 Authorization Provider in Token Vault.
- Select Certificates & secrets in the left menu.
- Click New client secret in the right panel to generate a new client secret for the application.
- Specify a Description, and then select the expiry option according to your policy requirements.
- Click the Add button.
- Copy the newly generated client secret value for later use. This is the other application property required for registering a Microsoft 365 Authorization Provider in Token Vault.
  You can only copy the client secret at this point in the workflow. After you leave or refresh this page, you cannot retrieve it. If you leave this page without copying the client secret value, you must repeat the corresponding steps above and create a new one.
- Select API permissions in the left menu and click Add a permission on the API permissions page.
- Under the Commonly used Microsoft APIs group on the Request API permissions page, locate Microsoft Graph and select it. The Microsoft Graph API is displayed on the Request API permissions page.
- Select Delegated permissions.
- Locate the Domain permission group, and select the Domain.Read.All check box to allow retrieving data of Microsoft Entra domains.
- Locate the User permission group, and select the User.ReadBasic.All check box to allow retrieving data of Microsoft Entra users.
- Locate the Group permission group, and select the GroupMember.Read.All check box to allow retrieving data of Microsoft Entra groups. This permission requires admin consent.
- Click Add permissions. There might be a delay between permissions being configured and when they appear on the consent prompt.
- Once the permissions are configured and displayed on the consent prompt, click Grant admin consent for... to allow this app to retrieve user and group data from Microsoft Entra ID.
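The same registration can be scripted with the Microsoft Graph PowerShell SDK, which keeps the permission set to exactly the three delegated scopes above and resolves their IDs from the Microsoft Graph service principal instead of hard-coding GUIDs. This is an added example, not part of the original procedure or of the product; the display name, single-tenant account type, secret lifetime and the example redirect URI are placeholders, and it assumes the Microsoft.Graph modules are installed and the signed-in account may create app registrations and grant tenant-wide consent.

```powershell
# Added example: scripts the portal steps above with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph.Applications and Microsoft.Graph.Identity.SignIns are installed,
# and the signed-in account may create app registrations and grant admin consent.
$DisplayName  = 'eCopy ShareScan Token Vault'                              # placeholder name
$RedirectUri  = 'https://tokenvaultmachine.testdomain.com:8381/callback'  # example from the procedure
$SecretMonths = 6                                                          # placeholder lifetime
# Delegated Microsoft Graph scopes listed in the procedure; nothing broader is requested.
$Scopes = @('Domain.Read.All', 'User.ReadBasic.All', 'GroupMember.Read.All')

# Add -Environment USGov or -Environment China when the tenant lives in a national cloud.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'DelegatedPermissionGrant.ReadWrite.All', 'Directory.Read.All'

# Resolve scope names to permission IDs on the Microsoft Graph service principal
# (well-known appId 00000003-0000-0000-c000-000000000000).
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$resourceAccess = @(foreach ($name in $Scopes) {
    $scope = $graphSp.Oauth2PermissionScopes | Where-Object Value -eq $name
    if (-not $scope) { throw "Delegated scope '$name' not found on Microsoft Graph" }
    @{ Id = $scope.Id; Type = 'Scope' }   # Type 'Scope' = delegated permission
})

# Register the application: single-tenant (assumption), Web platform, one exact redirect URI.
$app = New-MgApplication -DisplayName $DisplayName `
    -SignInAudience 'AzureADMyOrg' `
    -Web @{ RedirectUris = @($RedirectUri) } `
    -RequiredResourceAccess @(@{ ResourceAppId = $graphSp.AppId; ResourceAccess = $resourceAccess })

# Client secret with a bounded lifetime; SecretText is returned only once, as in the portal.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'Token Vault'; EndDateTime = (Get-Date).AddMonths($SecretMonths) }

# A service principal must exist in the tenant before consent can be recorded for the app.
$sp = New-MgServicePrincipal -AppId $app.AppId

# Tenant-wide admin consent for exactly these scopes (equivalent of "Grant admin consent for...").
New-MgOauth2PermissionGrant -ClientId $sp.Id -ConsentType 'AllPrincipals' `
    -ResourceId $graphSp.Id -Scope ($Scopes -join ' ') | Out-Null

# The values Token Vault needs; store the secret in a vault, not in a script or ticket.
[pscustomobject]@{
    ApplicationClientId = $app.AppId
    ClientSecretExpires = $secret.EndDateTime
    ClientSecret        = $secret.SecretText
    RedirectUri         = $RedirectUri
}
```

Re-running the script creates a second registration rather than updating the first, so look up an existing app by display name first if you run it more than once.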