TeC Registration in Azure AD

Create the App Registration

1. In the Azure Portal, go to Azure Active Directory > App registrations > New registration.

2. Enter a recognizable name, for example: TeC SSO.

3. Select the option appropriate for your organization. For a single Azure AD tenant, select Accounts in this organizational directory only (Single tenant).

4. Under Redirect URI, select Web as the platform and enter the URI provided by your TeC administrator. This URI must match exactly what is configured in TeC.

5. Azure AD will create the application and display the Application (Client) ID and Directory (Tenant) ID. Copy and save these values: you will need them when configuring TeC.

Add a Client Secret

1. In your app registration, select Certificates & secrets > New client secret.

2. Enter a description (for example: TeC SSO Secret) and choose an expiry period according to your organization's policy.

3. After the secret is created, copy the Value field. This is the Client Secret. It is only shown once and cannot be retrieved later.

Configure Post Logout Redirect URI

In your app registration, go to Authentication. Under the Redirect URIs section, add the Post Logout Redirect URI provided by your TeC administrator. This is where users are redirected after logging out of TeC via SSO.

Configure Optional Claims (Required for Azure AD)

By default, Azure AD may not include the email claim in the ID token. You must explicitly enable it.

1. In your app registration, select Token configuration > Add optional claim.

2. Choose the ID token type.

3. Select email from the list and click Add. If prompted, also enable the Microsoft Graph email permission.

4. Consider enabling preferred_username. TeC uses this as a fallback if the email claim is absent.