Microsoft Entra ID
Microsoft Entra ID can be set up as an external user directory for Therefore™. This requires configuration on the Microsoft Entra ID side as well; the exact process and UI options there are managed by Microsoft and may change at any time.
Functionality
If this functionality is set up, Therefore™ takes the users and groups defined in Microsoft Entra ID and authenticates users against Microsoft Entra ID only. It then logs them into Therefore™ using OpenID Connect ID tokens. For that reason, usernames and passwords do not need to be created in Therefore™ when Microsoft Entra ID is used as a cloud-based user directory. Because authentication takes place only in Microsoft Entra ID, the tenant's sign-in policies (for example multifactor authentication and Conditional Access) apply to Therefore™ logins as well.
Settings and Recommendations
Setup in Microsoft Entra ID
To increase security, it is recommended to configure two separate applications (app registrations) in Microsoft Entra ID: one for Therefore™ Client login and one for Therefore™ Server login. This keeps the Microsoft Graph API permissions and the client secret on the server application only; the client application needs neither.
Both applications need the following settings to be active:
- Under Implicit grant and hybrid flows, select 'ID tokens (used for implicit and hybrid flows)'
- The applications are registered as native (public client) applications
The application configured for Therefore™ Server login requires the following Microsoft Graph API permissions to function:
- Domain.Read.All
- Group.Read.All
- User.Read.All
All three require admin consent in the tenant; the application configured for Therefore™ Client login does not need any of them.
Redirect URIs
For configuration in Microsoft Entra ID, redirect URIs for Therefore™ applications are necessary. They can be found here:
Configuration in Therefore™
To configure Microsoft Entra ID as an external login provider, select the option 'Azure Active Directory' under 'External User Directories'.
Enter the following values into the respective fields in the dialog of the Therefore™ Solution Designer:
| Entra ID Label | Therefore™ Setting | Description |
|---|---|---|
| Application (client) ID | Therefore™ Client ID | The Application (client) ID of the Microsoft Entra ID application used for Therefore™ client login |
| Tenant ID | Azure tenant name | The name of the Microsoft Entra ID tenant in which the applications are registered, in the form <company>.onmicrosoft.com |
| Application (client) ID | Application client ID | The Application (client) ID of the Microsoft Entra ID application used for Therefore™ server login |
| Client secret | Application secret | The value (not the Secret ID) of a client secret created for the application used for Therefore™ server login; the value is shown only once, immediately after the secret is created |
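The following script is an added example, not code from the Therefore™ documentation or from Microsoft. It performs the Microsoft Entra ID setup described under 'Setup in Microsoft Entra ID' with Microsoft Graph PowerShell and then prints the four values the 'Configuration in Therefore™' table asks for. The display names, the secret lifetime, the redirect URI placeholders and the permission type (`$PermissionType`: 'Role' for application permissions, 'Scope' for delegated permissions) are assumptions of this example; the page states neither the redirect URIs nor the permission type, so take both from the Therefore™ documentation before running it.

```powershell
# Added example (not Therefore's or Microsoft's code). Requires the Microsoft.Graph
# PowerShell modules (Install-Module Microsoft.Graph.Applications, Microsoft.Graph.Identity.DirectoryManagement).

# ASSUMPTIONS: replace the placeholders with the redirect URIs from the Therefore
# documentation, and confirm whether Therefore expects application ('Role') or
# delegated ('Scope') Graph permissions.
$ClientRedirectUris = @('<Therefore Client login redirect URI from the Therefore documentation>')
$ServerRedirectUris = @('<Therefore Server login redirect URI from the Therefore documentation>')
$PermissionType     = 'Role'
$GraphPermissions   = @('Domain.Read.All', 'Group.Read.All', 'User.Read.All')

# Application.ReadWrite.All creates the registrations; the other two scopes are needed
# for the admin-consent step; Organization.Read.All reads the tenant's domain name.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All',
                        'DelegatedPermissionGrant.ReadWrite.All', 'Organization.Read.All'

# Resolve the Microsoft Graph permission IDs by name rather than hard-coding GUIDs.
# 00000003-0000-0000-c000-000000000000 is the well-known app ID of Microsoft Graph.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$resourceAccess = @(foreach ($name in $GraphPermissions) {
    $perm = if ($PermissionType -eq 'Role') { $graphSp.AppRoles | Where-Object Value -eq $name }
            else { $graphSp.Oauth2PermissionScopes | Where-Object Value -eq $name }
    if (-not $perm) { throw "Microsoft Graph permission '$name' not found" }
    @{ Id = $perm.Id; Type = $PermissionType }
})

# Settings both registrations share: single tenant, native (public client) platform,
# and 'ID tokens (used for implicit and hybrid flows)' enabled. Access-token issuance
# via the implicit flow stays disabled because only ID tokens are needed.
$common = @{
    SignInAudience         = 'AzureADMyOrg'
    IsFallbackPublicClient = $true
    Web = @{ ImplicitGrantSettings = @{ EnableIdTokenIssuance = $true; EnableAccessTokenIssuance = $false } }
}

# 1) Client-login registration: ID tokens only, no Graph permissions, no secret.
$clientApp = New-MgApplication -DisplayName 'Therefore Client Login' @common `
    -PublicClient @{ RedirectUris = $ClientRedirectUris }

# 2) Server-login registration: carries the three Graph read permissions and the secret.
$serverApp = New-MgApplication -DisplayName 'Therefore Server Login' @common `
    -PublicClient @{ RedirectUris = $ServerRedirectUris } `
    -RequiredResourceAccess @(@{ ResourceAppId = $graphSp.AppId; ResourceAccess = $resourceAccess })

# Tenant-wide admin consent for the server app (all three permissions require it).
$serverSp = New-MgServicePrincipal -AppId $serverApp.AppId
if ($PermissionType -eq 'Role') {
    foreach ($ra in $resourceAccess) {
        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $serverSp.Id `
            -PrincipalId $serverSp.Id -ResourceId $graphSp.Id -AppRoleId $ra.Id | Out-Null
    }
} else {
    New-MgOauth2PermissionGrant -ClientId $serverSp.Id -ConsentType 'AllPrincipals' `
        -ResourceId $graphSp.Id -Scope ($GraphPermissions -join ' ') | Out-Null
}

# Client secret for the server app. SecretText is returned only by this call and is
# never shown again; the 12-month lifetime is an assumption of this example.
$secret = Add-MgApplicationPassword -ApplicationId $serverApp.Id `
    -PasswordCredential @{ DisplayName = 'Therefore Server'; EndDateTime = (Get-Date).AddMonths(12) }

# The values to enter in the Therefore Solution Designer dialog.
$tenantName = (Get-MgOrganization).VerifiedDomains |
    Where-Object IsInitial | Select-Object -ExpandProperty Name
[pscustomobject]@{
    'Therefore Client ID'   = $clientApp.AppId
    'Azure tenant name'     = $tenantName
    'Application client ID' = $serverApp.AppId
    'Application secret'    = $secret.SecretText
}
```

Run it once per tenant in a session with a Global Administrator or Application Administrator account that is also allowed to grant admin consent; store the printed secret directly in the Solution Designer rather than in a script log, and rotate it before the EndDateTime chosen above.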