Ejento AI

Microsoft SSO Authentication

This guide explains how to register and configure a Microsoft Entra ID (formerly Azure AD) application for Microsoft Single Sign-On (SSO) with Ejento AI, either by hand in the portal or with the registration script provided below, and how to restrict which people in your organization are allowed to sign in.
💡 Note: Complete the Ejento deployment before proceeding; the steps below are performed after deployment.

What’s Inside this guide#

Manual App Registration
Automated Script Registration (For Developers)
Limit Sign-ins to Specific People (Microsoft SSO)

Manual App Registration#

Follow the steps below to manually register your app for Microsoft SSO Authentication.
Head over to the Microsoft Azure portal (https://portal.azure.com) or the Microsoft Entra admin center.

1. Search "App registrations" in the search bar#

2. Click on New registration#

3. Type the Application Name#

4. Under Supported account types, select the second option: Accounts in any organizational directory (multitenant)#

This is the same sign-in audience the automated script below sets (AzureADMultipleOrgs).

5. Under Redirect URI select Web, enter the redirect URI provided by the Ejento team (see Important Notes further down), and click on Register#

6. Go to Authentication (sidebar) and, under Implicit grant and hybrid flows, select both checkboxes: Access tokens and ID tokens#

7. Click on Save#

Generating Client Secret#

1. Go to Certificates & secrets and click on New client secret#

2. Create a client secret by filling in a description and an expiry, then click on Add#

3. Copy the secret Value and save it before leaving the page; it is shown only once and cannot be retrieved later. (The Secret ID shown next to it is not needed for Ejento.)#

Token Configuration#

1. Click on Token configuration#

2. Click on Add optional claim and select Access as the token type#

3. Check the email, family_name and given_name claims in the list and click on Add#

4. Go to Overview and copy the Application (client) ID and Directory (tenant) ID#

We will need:
Application (client) ID and Directory (tenant) ID from the Overview page (last step).
Secret Value from step 3 of Generating Client Secret.

API Permissions#

1. Click on API permissions#

2. Click on Add a permission#

3. Click on Microsoft Graph#

4. Click on Application permissions#

5. Type "user" in the search box#

6. Expand the User group#

7. Select User.Read.All#

8. Click on Add permissions#

9. User.Read.All (Application) is now listed for your application, next to the User.Read delegated permission that every new registration gets by default#

10. Click Grant admin consent for <your tenant> (or use the three dots next to each permission) so that both permissions show a Granted status. Application permissions such as User.Read.All always require admin consent; until it is granted, the app cannot use them.#

Automated Script Registration (For Developers)#

This script is intended for developer and admin use during setup or environment provisioning.
It automates the registration process so that it is consistent across environments.
Using only the Azure CLI, it handles login, app creation, service principal creation, permission setup, admin consent (where the signed-in role permits it) and client secret generation, and records the result in a JSON file.

Common Requirements#

Dependencies#

Azure CLI installed and added to PATH (Windows installer: https://aka.ms/installazurecli). Verify the installation:
az --version
Sign in to the correct Azure tenant:
az login --use-device-code
Verify the current tenant:
az account show -o table

Tenant setting:
Ensure that app registrations are allowed for the account running the script. If that account holds one of the directory roles listed below, this is already the case; otherwise the tenant-wide setting must allow it:
Entra ID → User settings → “Users can register applications” → Set to Yes
(Setting this to Yes lets every user in the tenant create app registrations; prefer running the script with an appropriately privileged account instead of relaxing it.)

Role Requirements (Minimum)#

Action                                                        | Required Role
------------------------------------------------------------- | -------------------------------------------------------------------------------------
Create app registrations, service principals, and client secrets | Application Administrator, Cloud Application Administrator, or Global Administrator
Grant tenant-wide admin consent for Microsoft Graph application permissions | Global Administrator or Privileged Role Administrator

Note:
The SSO script attempts to grant admin consent automatically.
If your account lacks the required role, a warning is logged and the rest of the script still completes.
You can manually approve it later:
Entra ID → Enterprise Applications → [App Name] → Permissions → Grant admin consent

How to Run the Scripts#

1. Open any text editor and paste the script below.
2. Save the file with a meaningful name: sso_app.ps1
3. Open PowerShell in the same directory as the script.
4. Run the script:
.\sso_app.ps1

The script will:
Log you into Azure (if not already logged in)
Create the application and service principal
Generate and display the client secret
Save details (Tenant ID, Client ID, Secret, etc.) into a JSON file in the same directory

Important Notes:#

The redirect URI will be updated later and provided by the Ejento team.
Admin consent must be granted if not already done.

SSO Registration Script: sso_app.ps1#

# sso_app.ps1 -- registers the Ejento MS SSO app using only the Azure CLI
$ErrorActionPreference = "Stop"

# --- Check Azure CLI ---------------------------------------------------------
if (-not (Get-Command az -ErrorAction SilentlyContinue)) {
  Write-Error "Azure CLI (az) not found. Install from https://aka.ms/installazurecli and re-run."
  exit 1
}

# --- Login if needed ---------------------------------------------------------
# A failing native command (az) does not throw in PowerShell, so test the parsed
# result instead of relying on try/catch alone.
$account = $null
try {
  $account = az account show --only-show-errors 2>$null | ConvertFrom-Json
} catch { $account = $null }
if (-not $account) {
  az login --use-device-code | Out-Null
  $account = az account show --only-show-errors | ConvertFrom-Json
  if (-not $account) { throw "Azure login failed; cannot continue." }
}
$tenantId = $account.tenantId
Write-Host "Signed in to tenant $tenantId as $($account.user.name)" -ForegroundColor Cyan

# --- Defaults ----------------------------------------------------------------
$displayName = "ejento-ms-sso-$((Get-Random -Minimum 1000 -Maximum 9999))"
$redirectUri = "http://localhost:8000/oauth2/callback"   # placeholder; the Ejento team provides the final value
$graphAppId  = "00000003-0000-0000-c000-000000000000"    # Microsoft Graph resource app id
$userReadAllRoleId = "df021288-bdef-4463-88db-98f22de89214" # Microsoft Graph 'User.Read.All' (Application)

# --- Build requiredResourceAccess + optionalClaims ---------------------------
# Both structures are written to temp files and passed as @file so that JSON
# quoting is not mangled by the shell.
$reqRes = @{
  requiredResourceAccess = @(
    @{
      resourceAppId = $graphAppId
      resourceAccess = @(
        @{ id = $userReadAllRoleId; type = "Role" }
      )
    }
  )
} | ConvertTo-Json -Depth 5

$optClaims = @{
  accessToken = @(
    @{ name = "email" },
    @{ name = "family_name" },
    @{ name = "given_name" }
  )
} | ConvertTo-Json -Depth 5

$reqResFile    = (New-TemporaryFile).FullName
$optClaimsFile = (New-TemporaryFile).FullName
# The JSON is pure ASCII; writing it without a BOM avoids any parsing surprises.
Set-Content -Path $reqResFile    -Value $reqRes    -Encoding ascii
Set-Content -Path $optClaimsFile -Value $optClaims -Encoding ascii

# --- Create Application ------------------------------------------------------
Write-Host "`nCreating MS SSO App Registration..." -ForegroundColor Cyan
$appRaw = az ad app create `
  --display-name $displayName `
  --sign-in-audience AzureADMultipleOrgs `
  --web-redirect-uris $redirectUri `
  --enable-id-token-issuance true `
  --enable-access-token-issuance true `
  --required-resource-accesses "@$reqResFile" `
  --optional-claims "@$optClaimsFile" `
  --only-show-errors

$app = $appRaw | ConvertFrom-Json
if ($LASTEXITCODE -ne 0 -or -not $app) { throw "App registration failed; see the az error above." }
$appId = $app.appId
$appObjectId = $app.id

# --- Create Service Principal ------------------------------------------------
Write-Host "Creating Service Principal..." -ForegroundColor Cyan
$spRaw = az ad sp create --id $appId --only-show-errors
$sp = $spRaw | ConvertFrom-Json
if ($LASTEXITCODE -ne 0 -or -not $sp) { throw "Service principal creation failed; see the az error above." }

# --- Grant Admin Consent -----------------------------------------------------
# A freshly created service principal can take a few seconds to replicate;
# a short wait avoids a spurious "not found" on the consent call.
Start-Sleep -Seconds 10
Write-Host "Granting Admin Consent (if permissions allow)..." -ForegroundColor Cyan
az ad app permission admin-consent --id $appId --only-show-errors | Out-Null
if ($LASTEXITCODE -ne 0) {
  Write-Warning "Admin consent failed or requires Global Admin. You can grant it later in Entra ID > Enterprise Applications > $displayName > Permissions."
}

# --- Create Client Secret ----------------------------------------------------
Write-Host "Creating 1-year client secret..." -ForegroundColor Cyan
$credRaw = az ad app credential reset `
  --id $appId `
  --display-name "ms-sso-secret" `
  --years 1 `
  --only-show-errors
$cred = $credRaw | ConvertFrom-Json
if ($LASTEXITCODE -ne 0 -or -not $cred.password) { throw "Client secret creation failed; see the az error above." }
$clientSecret = $cred.password
# 'credential reset' only returns the password; read the expiry back from the registration.
$secretExpires = az ad app credential list --id $appId `
  --query "[?displayName=='ms-sso-secret'].endDateTime | [0]" -o tsv --only-show-errors

# --- Output summary ----------------------------------------------------------
$result = [pscustomobject]@{
  ApplicationName          = $displayName
  TenantId                 = $tenantId
  ClientId                 = $appId
  ClientObjectId           = $appObjectId
  ServicePrincipalObjectId = $sp.id
  RedirectUri              = $redirectUri
  GrantedAppPermission     = "Microsoft Graph: User.Read.All (Application)"
  ClientSecret             = $clientSecret
  SecretExpiresOn          = $secretExpires
}

Write-Host "`n=== MS SSO App Created ===" -ForegroundColor Green
$result | Format-List

# --- Save JSON summary -------------------------------------------------------
$outFile = "ms-sso-output.json"
$result | ConvertTo-Json -Depth 5 | Set-Content -Path $outFile -Encoding UTF8
# The file holds the client secret in clear text: strip inherited ACLs and
# leave only the current user with access.
icacls $outFile /inheritance:r /grant:r "${env:USERNAME}:(R,W)" | Out-Null
Remove-Item $reqResFile, $optClaimsFile -ErrorAction SilentlyContinue
Write-Host "`nSaved credentials summary to $outFile" -ForegroundColor Yellow
Write-Host "IMPORTANT: Store the ClientSecret securely. It cannot be retrieved later." -ForegroundColor Red

Script Output#

The script produces a summary JSON file ms-sso-output.json in the current directory containing:
Application Name
Tenant ID
Client ID
Client (application object) ID
Service Principal Object ID
Redirect URI
Granted application permission
Client Secret
Secret Expiry Date
Hand the Tenant ID, Client ID and Client Secret to the Ejento team for integration, but only over a channel agreed with them for exchanging secrets (not plain e-mail or chat): the Client Secret is a password for your tenant's application identity.

Security Considerations#

Store client secrets securely. Once generated, the ClientSecret cannot be retrieved later; if it is lost or exposed, create a new one (az ad app credential reset) and delete the old one rather than trying to recover it.
Limit access to the JSON output file to authorized personnel, keep it out of source control, and delete it once the values have been handed over.
Ensure that proper admin consent is granted for required permissions. User.Read.All (Application) lets the app read every user's profile in the tenant without a signed-in user, so grant it only to this registration and keep track of who can obtain its secret.
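Whether the registration was made by hand (Manual App Registration above) or by sso_app.ps1, the same settings have to end up in the tenant. The following check script is an added example, not part of the Ejento documentation or its script: it reads the registration back with the Azure CLI and verifies each item the guide asks for (sign-in audience, both implicit-grant checkboxes, redirect URI, the three optional access-token claims, User.Read.All requested and admin-consented, and a non-expired client secret). It assumes ms-sso-output.json from sso_app.ps1 is in the current directory; pass -ClientId for an app registered manually.

```powershell
# verify-ms-sso-app.ps1 (added example; not Ejento's own code)
param(
  [string]$ClientId = (Get-Content ".\ms-sso-output.json" -Raw | ConvertFrom-Json).ClientId
)
$ErrorActionPreference = "Stop"
$graphAppId        = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph
$userReadAllRoleId = "df021288-bdef-4463-88db-98f22de89214"   # User.Read.All (Application)

$app = az ad app show --id $ClientId --only-show-errors | ConvertFrom-Json
$sp  = az ad sp  show --id $ClientId --only-show-errors | ConvertFrom-Json
if (-not $app -or -not $sp) { throw "Registration or service principal not found for $ClientId" }

$checks = [ordered]@{}

# Manual step 4: "second option" = any organizational directory (multitenant)
$checks["Sign-in audience is AzureADMultipleOrgs"] = $app.signInAudience -eq "AzureADMultipleOrgs"

# Manual step 6: both implicit-grant checkboxes
$checks["ID token issuance enabled"]     = [bool]$app.web.implicitGrantSettings.enableIdTokenIssuance
$checks["Access token issuance enabled"] = [bool]$app.web.implicitGrantSettings.enableAccessTokenIssuance

# Manual step 5: a web redirect URI exists and nothing but localhost is plain http
$uris = @($app.web.redirectUris)
$checks["Web redirect URI registered"] = $uris.Count -gt 0
$checks["Redirect URIs use https (localhost excepted)"] =
  -not ($uris | Where-Object { $_ -match '^http://' -and $_ -notmatch '^http://localhost' })

# Token configuration: email, family_name, given_name as optional access-token claims
$claimNames = @($app.optionalClaims.accessToken | ForEach-Object { $_.name })
foreach ($c in "email", "family_name", "given_name") {
  $checks["Access token optional claim '$c'"] = $claimNames -contains $c
}

# API permissions: User.Read.All (Application) requested on the registration...
$requested = $app.requiredResourceAccess |
  Where-Object { $_.resourceAppId -eq $graphAppId } |
  ForEach-Object { $_.resourceAccess } |
  Where-Object { $_.id -eq $userReadAllRoleId -and $_.type -eq "Role" }
$checks["User.Read.All (Application) requested"] = [bool]$requested

# ...and actually consented. Admin consent for an application permission is an
# appRoleAssignment on the service principal; az rest acquires the Graph token itself.
$assignments = az rest --method get `
  --uri "https://graph.microsoft.com/v1.0/servicePrincipals/$($sp.id)/appRoleAssignments" `
  --only-show-errors | ConvertFrom-Json
$checks["User.Read.All admin consent granted"] =
  [bool]($assignments.value | Where-Object { $_.appRoleId -eq $userReadAllRoleId })

# Secret hygiene: a secret exists and none has already expired
$creds = @($app.passwordCredentials)
$checks["Client secret exists"]      = $creds.Count -gt 0
$checks["No expired client secrets"] = -not ($creds | Where-Object { [datetime]$_.endDateTime -lt (Get-Date) })

$failed = 0
foreach ($k in $checks.Keys) {
  if ($checks[$k]) { Write-Host "[PASS] $k" -ForegroundColor Green }
  else             { Write-Host "[FAIL] $k" -ForegroundColor Red; $failed++ }
}
exit $failed   # non-zero when anything failed, so it can gate a provisioning pipeline
```

Run it as `.\verify-ms-sso-app.ps1` (or `.\verify-ms-sso-app.ps1 -ClientId <Application (client) ID>`) with the same signed-in account used for registration. A FAIL on the consent line is the usual outcome when the registering account lacked Global Administrator or Privileged Role Administrator; grant consent in the portal and re-run.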

Limit Sign-ins to Specific People (Microsoft SSO)#

You can restrict Microsoft SSO access so that only specific individuals or groups in your organization are allowed to sign in.
This helps enhance security by preventing unauthorized access to your application.

What You Need#

Admin access to Microsoft Entra ID (formerly Azure Active Directory)

Steps#

1. Create a Security Group and Add Members (Group-only Access)#

1. Sign in to the Microsoft Entra admin center.
2. Navigate to Groups → New group.
3. Set:
   Group type: Security
   Membership type: Assigned
4. Enter a name for the group (for example, SSO-Allowed).
5. Create the group.
6. Open the newly created group and go to Members → Add members.
7. Add the people who should have access to sign in.
8. Click Save.

2. Open the Enterprise Application#

1. In the Microsoft Entra admin center, go to Enterprise applications.
2. Search for your application by name and open it.

3. Turn On “User Assignment Required”#

1. Go to the application’s Properties section.
2. Locate User assignment required? and set it to Yes.
3. Click Save.
💡 Enabling this ensures only assigned users or groups can access the application.

4. Assign the Security Group to the Application#

1. Open the Users and groups section of the application.
2. Select Add user/group.
3. Choose the SSO-Allowed group created earlier.
4. Click Assign to grant access.

How to Verify It Worked#

A user in the “SSO-Allowed” group should be able to sign in successfully.
A user not in the group should be blocked at sign-in with a Microsoft error stating that they are not assigned to a role for the application.
Note that this control is enforced by the enterprise application (service principal) in your own tenant. Because the registration is multitenant (step 4 of the manual registration), users from other Microsoft Entra tenants are not covered by it, so confirm with the Ejento team that the deployment also restricts sign-in to your Directory (tenant) ID.
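The same four steps, done with the Azure CLI so the restriction is scripted and auditable rather than clicked through the portal. This is an added example, not part of the Ejento documentation: it creates (or reuses) the SSO-Allowed group, adds members, switches on "User assignment required?" (the appRoleAssignmentRequired property of the service principal), assigns the group, and then reads the state back to verify. It assumes ms-sso-output.json from sso_app.ps1 is in the current directory (or pass -ClientId) and that alice@contoso.com and bob@contoso.com are placeholders for your own users.

```powershell
# restrict-ms-sso-signin.ps1 (added example; not Ejento's own code)
param(
  [string]$ClientId  = (Get-Content ".\ms-sso-output.json" -Raw | ConvertFrom-Json).ClientId,
  [string]$GroupName = "SSO-Allowed",
  [string[]]$Members = @("alice@contoso.com", "bob@contoso.com")   # placeholder UPNs
)
$ErrorActionPreference = "Stop"
$graph = "https://graph.microsoft.com/v1.0"
# Role id used by "Add user/group" when the application defines no app roles ("default access")
$defaultAccessRoleId = "00000000-0000-0000-0000-000000000000"

# 1. Security group with assigned membership, reused if it already exists
$group = az ad group list --display-name $GroupName --only-show-errors | ConvertFrom-Json | Select-Object -First 1
if (-not $group) {
  Write-Host "Creating group $GroupName" -ForegroundColor Cyan
  $group = az ad group create --display-name $GroupName --mail-nickname $GroupName --only-show-errors | ConvertFrom-Json
}
foreach ($upn in $Members) {
  $userId   = az ad user show --id $upn --query id -o tsv --only-show-errors
  $isMember = az ad group member check --group $group.id --member-id $userId --query value -o tsv --only-show-errors
  if ($isMember -ne "true") {
    az ad group member add --group $group.id --member-id $userId --only-show-errors
    Write-Host "Added $upn to $GroupName" -ForegroundColor Cyan
  }
}

# 2+3. The enterprise application is the registration's service principal;
# "User assignment required?" is its appRoleAssignmentRequired property.
$sp = az ad sp show --id $ClientId --only-show-errors | ConvertFrom-Json
$bodyFile = (New-TemporaryFile).FullName   # request bodies go through a file to avoid shell quoting issues
'{"appRoleAssignmentRequired": true}' | Set-Content -Path $bodyFile -Encoding ascii
az rest --method patch --uri "$graph/servicePrincipals/$($sp.id)" `
  --headers "Content-Type=application/json" --body "@$bodyFile" --only-show-errors

# 4. Assign the group (skipped if it is already assigned, so the script can be re-run)
$assigned = az rest --method get --uri "$graph/servicePrincipals/$($sp.id)/appRoleAssignedTo" --only-show-errors | ConvertFrom-Json
if (-not ($assigned.value | Where-Object { $_.principalId -eq $group.id })) {
  @{ principalId = $group.id; resourceId = $sp.id; appRoleId = $defaultAccessRoleId } |
    ConvertTo-Json | Set-Content -Path $bodyFile -Encoding ascii
  az rest --method post --uri "$graph/servicePrincipals/$($sp.id)/appRoleAssignedTo" `
    --headers "Content-Type=application/json" --body "@$bodyFile" --only-show-errors | Out-Null
  Write-Host "Assigned $GroupName to the application" -ForegroundColor Cyan
}
Remove-Item $bodyFile -ErrorAction SilentlyContinue

# Verify: the flag is on and the group is listed among the assigned principals.
# Anything else listed here (a stray user or group) can also sign in.
$sp = az ad sp show --id $ClientId --only-show-errors | ConvertFrom-Json
$assigned = az rest --method get --uri "$graph/servicePrincipals/$($sp.id)/appRoleAssignedTo" --only-show-errors | ConvertFrom-Json
Write-Host "User assignment required: $($sp.appRoleAssignmentRequired)"
$assigned.value | Select-Object principalDisplayName, principalType, createdDateTime | Format-Table -AutoSize
```

Run it as `.\restrict-ms-sso-signin.ps1 -Members "user1@yourtenant.com","user2@yourtenant.com"` with an account that can manage groups and enterprise applications. The final table is the part worth keeping in a change record: it shows every principal that can sign in once the flag is on.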

Summary#

By limiting sign-ins to specific people or groups, you:
Strengthen your organization’s security posture.
Ensure only authorized users can access your application.
Maintain tighter control over Microsoft SSO authentication.
