
SSO and SharePoint App Set Up (for Developers)

These scripts are intended for developer and admin use during setup or environment provisioning. They automate the creation of the Ejento MS SSO and SharePoint Connection Azure AD app registrations using only the Azure CLI, so the result is consistent across environments: login, app creation, service principal creation, permission setup, and client secret generation are all handled automatically.
Developers can run the scripts below to register the applications in their Azure tenant:
Microsoft Single Sign-On
SharePoint integration


Common Requirements

Dependencies

Azure CLI installed and added to PATH
Windows installer: https://aka.ms/installazurecli
Verify installation:
az --version
Sign in to the correct Azure tenant:
az login --use-device-code
Verify current tenant:
az account show -o table
Tenant setting:
Ensure that App registrations are allowed in your tenant:
Go to: Entra ID → User settings → “Users can register applications” → Set to Yes

Role Requirements (Minimum)

Action | Required Role
Create app registrations, service principals, and client secrets | Application Administrator, Cloud Application Administrator, or Global Administrator
Grant tenant-wide admin consent | Global Administrator or Privileged Role Administrator
Note:
The SSO script attempts to grant admin consent automatically.
If your account lacks the required role, a warning is logged.
You can manually approve it later:
Entra ID → Enterprise Applications → [App Name] → Permissions → Grant admin consent
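The following pre-flight script is an added example (not one of the Ejento scripts) that checks the requirements above before either registration script is run: Azure CLI on PATH, an active session in the intended tenant, the "Users can register applications" tenant setting, and whether the signed-in account holds one of the roles from the table. It reads the tenant setting and the user's active directory roles through Microsoft Graph via `az rest`; the `-ExpectedTenantId` parameter and the script name are assumptions of this example.

```powershell
# preflight_check.ps1 (added example; not part of the Ejento scripts)
param(
  [string]$ExpectedTenantId   # optional: the tenant you intend to register the apps in
)
$ErrorActionPreference = "Stop"

# Azure CLI present?
if (-not (Get-Command az -ErrorAction SilentlyContinue)) {
  Write-Error "Azure CLI (az) not found on PATH. Install from https://aka.ms/installazurecli"
  exit 1
}

# Signed in, and in the right tenant? (az signals failure via exit code / empty output, not an exception)
$account = az account show --only-show-errors | ConvertFrom-Json
if (-not $account) {
  Write-Error "Not signed in. Run: az login --use-device-code"
  exit 1
}
Write-Host "Signed in as $($account.user.name) in tenant $($account.tenantId)"
if ($ExpectedTenantId -and $account.tenantId -ne $ExpectedTenantId) {
  Write-Error "Wrong tenant: expected $ExpectedTenantId, got $($account.tenantId). Run: az login --tenant $ExpectedTenantId"
  exit 1
}

# Tenant setting "Users can register applications"
# (authorizationPolicy.defaultUserRolePermissions.allowedToCreateApps in Microsoft Graph)
$policy = az rest --method GET --url 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy' --only-show-errors | ConvertFrom-Json
$allowedToCreateApps = $policy.defaultUserRolePermissions.allowedToCreateApps
Write-Host "Users can register applications: $allowedToCreateApps"
if (-not $allowedToCreateApps) {
  Write-Warning "App registration by non-admin users is disabled in this tenant (Entra ID > User settings)."
}

# Directory roles currently active for the signed-in user. memberOf is paged, so follow nextLink.
# PIM-eligible roles that have not been activated do not appear here.
$url = 'https://graph.microsoft.com/v1.0/me/memberOf?$select=displayName'
$roleNames = @()
while ($url) {
  $page = az rest --method GET --url $url --only-show-errors | ConvertFrom-Json
  $roleNames += @($page.value |
    Where-Object { $_.'@odata.type' -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object { $_.displayName })
  $url = $page.'@odata.nextLink'
}
Write-Host "Active directory roles: $(if ($roleNames) { $roleNames -join ', ' } else { '(none)' })"

# Compare against the minimum roles from the table above
$registerRoles = @("Application Administrator", "Cloud Application Administrator", "Global Administrator")
$consentRoles  = @("Global Administrator", "Privileged Role Administrator")
$canRegister = [bool]($roleNames | Where-Object { $registerRoles -contains $_ })
$canConsent  = [bool]($roleNames | Where-Object { $consentRoles -contains $_ })

if ($canRegister) {
  Write-Host "OK: this account can create app registrations, service principals and client secrets" -ForegroundColor Green
} else {
  Write-Warning "This account lacks a role for creating app registrations; one of: $($registerRoles -join ', ')"
}
if ($canConsent) {
  Write-Host "OK: this account can grant tenant-wide admin consent" -ForegroundColor Green
} else {
  Write-Warning "Admin consent will have to be granted later by a Global Administrator or Privileged Role Administrator"
}
```

Run it as `.\preflight_check.ps1 -ExpectedTenantId <tenant-guid>` from the same PowerShell session you will use for the registration scripts. If the role check warns but you expect to have the role through PIM, activate it first and re-run; the script only sees roles that are currently active.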

How to Run the Scripts

1. Open any text editor and paste the desired script (SSO or SharePoint).
2. Save the file with a meaningful name:
sso_app.ps1 → SSO script
sharepoint_app.ps1 → SharePoint script
3. Open PowerShell in the same directory as the script.
4. Run the script:
.\sso_app.ps1
or
.\sharepoint_app.ps1
The script will:
Log you into Azure (if not already logged in)
Create the application and service principal
Generate and display the client secret
Save details (Tenant ID, Client ID, Secret, etc.) into a JSON file in the same directory

Register SSO Application

Important Notes:

The redirect URI will be updated later and provided by the Ejento team.
Admin consent must be granted if not already done.
[Figure: SSO.png]

Script: sso_app.ps1

# Register-MsSso-AzCli.ps1
$ErrorActionPreference = "Stop"

# --- Check Azure CLI ---------------------------------------------------------
if (-not (Get-Command az -ErrorAction SilentlyContinue)) {
  Write-Error "Azure CLI (az) not found. Install from https://aka.ms/installazurecli and re-run."
  exit 1
}

# --- Login if needed ---------------------------------------------------------
# az reports "not logged in" through its exit code and an empty stdout, not a PowerShell
# exception, so a try/catch alone never triggers; check the result for null as well.
try {
  $account = az account show --only-show-errors | ConvertFrom-Json
} catch {
  $account = $null
}
if (-not $account) {
  az login --use-device-code | Out-Null
  $account = az account show --only-show-errors | ConvertFrom-Json
}
$tenantId = $account.tenantId

# --- Defaults ----------------------------------------------------------------
$displayName = "ejento-ms-sso-$((Get-Random -Minimum 1000 -Maximum 9999))"
$redirectUri = "http://localhost:8000/oauth2/callback"
$graphAppId  = "00000003-0000-0000-c000-000000000000"
$userReadAllRoleId = "df021288-bdef-4463-88db-98f22de89214" # Microsoft Graph 'User.Read.All' (Application)

# --- Build requiredResourceAccess + optionalClaims ---------------------------
$reqRes = @{
  requiredResourceAccess = @(
    @{
      resourceAppId = $graphAppId
      resourceAccess = @(
        @{ id = $userReadAllRoleId; type = "Role" }
      )
    }
  )
} | ConvertTo-Json -Depth 5

$optClaims = @{
  accessToken = @(
    @{ name = "email" },
    @{ name = "family_name" },
    @{ name = "given_name" }
  )
} | ConvertTo-Json -Depth 5

$reqResFile = New-TemporaryFile
$optClaimsFile = New-TemporaryFile
Set-Content -Path $reqResFile -Value $reqRes -Encoding UTF8
Set-Content -Path $optClaimsFile -Value $optClaims -Encoding UTF8

# --- Create Application ------------------------------------------------------
Write-Host "`nCreating MS SSO App Registration..." -ForegroundColor Cyan
$appRaw = az ad app create `
  --display-name $displayName `
  --sign-in-audience AzureADMultipleOrgs `
  --web-redirect-uris $redirectUri `
  --enable-id-token-issuance true `
  --enable-access-token-issuance true `
  --required-resource-accesses "@$reqResFile" `
  --optional-claims "@$optClaimsFile" `
  --only-show-errors

$app = $appRaw | ConvertFrom-Json
$appId = $app.appId
$appObjectId = $app.id

# --- Create Service Principal ------------------------------------------------
Write-Host "Creating Service Principal..." -ForegroundColor Cyan
$spRaw = az ad sp create --id $appId --only-show-errors
$sp = $spRaw | ConvertFrom-Json

# --- Grant Admin Consent -----------------------------------------------------
Write-Host "Granting Admin Consent (if permissions allow)..." -ForegroundColor Cyan
az ad app permission admin-consent --id $appId --only-show-errors | Out-Null
# A failed consent call surfaces as a non-zero exit code rather than an exception, so check $LASTEXITCODE
if ($LASTEXITCODE -ne 0) {
  Write-Warning "Admin consent failed or requires Global Admin. You can grant later in Entra ID > Enterprise Applications > $displayName > Permissions."
}

# --- Create Client Secret ----------------------------------------------------
Write-Host "Creating 1-year client secret..." -ForegroundColor Cyan
$credRaw = az ad app credential reset `
  --id $appId `
  --display-name "ms-sso-secret" `
  --years 1 `
  --only-show-errors
$cred = $credRaw | ConvertFrom-Json
$clientSecret = $cred.password

# --- Output summary ----------------------------------------------------------
$result = [pscustomobject]@{
  ApplicationName          = $displayName
  TenantId                 = $tenantId
  ClientId                 = $appId
  ClientObjectId           = $appObjectId
  ServicePrincipalObjectId = $sp.id
  RedirectUri              = $redirectUri
  GrantedAppPermission     = "Microsoft Graph: User.Read.All (Application)"
  ClientSecret             = $clientSecret
  SecretExpiresOn          = $cred.endDate
}

Write-Host "`n=== MS SSO App Created ===" -ForegroundColor Green
$result | Format-List

# --- Save JSON summary -------------------------------------------------------
$outFile = "ms-sso-output.json"
$result | ConvertTo-Json -Depth 5 | Set-Content -Path $outFile -Encoding UTF8
Write-Host "`nSaved credentials summary to $outFile" -ForegroundColor Yellow
Write-Host "IMPORTANT: Store the ClientSecret securely. It cannot be retrieved later." -ForegroundColor Red

Register SharePoint Connection Application

Important Notes:

The redirect URI will be updated later and provided by the Ejento team.
Admin consent must be granted if not already done.
[Figure: Sharepoint.png]

Script: sharepoint_app.ps1

# Register-SharePoint-Connection.ps1
$ErrorActionPreference = "Stop"

# --- Check Azure CLI ---------------------------------------------------------
if (-not (Get-Command az -ErrorAction SilentlyContinue)) {
  Write-Error "Azure CLI not found. Install from https://aka.ms/installazurecli"
  exit 1
}

# --- Login if needed ---------------------------------------------------------
# az reports "not logged in" through its exit code and an empty stdout, not a PowerShell
# exception, so a try/catch alone never triggers; check the result for null as well.
try {
  $account = az account show --only-show-errors | ConvertFrom-Json
} catch {
  $account = $null
}
if (-not $account) {
  az login --use-device-code | Out-Null
  $account = az account show --only-show-errors | ConvertFrom-Json
}
$tenantId = $account.tenantId

# --- Configuration -----------------------------------------------------------
$displayName = "sharepointapp-$((Get-Random -Minimum 1000 -Maximum 9999))"
$redirectUri = "http://localhost:8000/oauth2/callback"
$graphAppId  = "00000003-0000-0000-c000-000000000000"

# Microsoft Graph Delegated Scope IDs
$scopes = @{
  "Files.ReadWrite.All" = "863451e7-0667-486c-a5d6-d135439485f0"
  "Sites.ReadWrite.All" = "89fe6a52-be36-487e-b7d8-d061c450a026"
  "offline_access"      = "7427e0e9-2fba-42fe-b0c0-848c9e6a8182"
  "User.Read"           = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"
}

# --- Build requiredResourceAccess JSON ---------------------------------------
$tmpReq = New-TemporaryFile
$reqObj = @{
  requiredResourceAccess = @(
    @{
      resourceAppId = $graphAppId
      resourceAccess = @(
        foreach ($id in $scopes.Values) {
          @{ id = $id; type = "Scope" }
        }
      )
    }
  )
}
$reqObj | ConvertTo-Json -Depth 5 | Set-Content -Path $tmpReq -Encoding UTF8

# --- Create Application (NO implicit grant) ----------------------------------
Write-Host "`nCreating SharePoint Connection App Registration..." -ForegroundColor Cyan
$appRaw = az ad app create `
  --display-name $displayName `
  --sign-in-audience AzureADMultipleOrgs `
  --web-redirect-uris $redirectUri `
  --enable-id-token-issuance false `
  --enable-access-token-issuance false `
  --required-resource-accesses "@$tmpReq" `
  --only-show-errors

$app = $appRaw | ConvertFrom-Json
$appId = $app.appId
$appObjectId = $app.id

# --- Create Service Principal ------------------------------------------------
Write-Host "Creating Service Principal..." -ForegroundColor Cyan
$spRaw = az ad sp create --id $appId --only-show-errors
$sp = $spRaw | ConvertFrom-Json

# --- Create 2-year client secret --------------------------------------------
Write-Host "Creating 2-year client secret..." -ForegroundColor Cyan
$credRaw = az ad app credential reset `
  --id $appId `
  --display-name "sharepoint-secret" `
  --years 2 `
  --only-show-errors
$cred = $credRaw | ConvertFrom-Json
$clientSecret = $cred.password

# --- Output summary ----------------------------------------------------------
$result = [pscustomobject]@{
  ApplicationName          = $displayName
  TenantId                 = $tenantId
  ClientId                 = $appId
  ClientObjectId           = $appObjectId
  ServicePrincipalObjectId = $sp.id
  RedirectUri              = $redirectUri
  DelegatedPermissions     = $scopes.Keys -join ", "
  ImplicitGrantEnabled     = $false
  ClientSecret             = $clientSecret
  SecretExpiresOn          = $cred.endDate
}

Write-Host "`n=== SharePoint Connection App Created ===" -ForegroundColor Green
$result | Format-List

# --- Save JSON ---------------------------------------------------------------
$outFile = "sharepoint-connection-output.json"
$result | ConvertTo-Json -Depth 5 | Set-Content -Path $outFile -Encoding UTF8
Write-Host "`nSaved output to $outFile" -ForegroundColor Yellow
Write-Host "IMPORTANT: Store the ClientSecret securely. It cannot be retrieved later." -ForegroundColor Red

Script Summaries

Both scripts produce a summary JSON file in the current directory containing:
Application Name
Tenant ID
Client ID
Service Principal Object ID
Redirect URI
Client Secret
Secret Expiry Date
You can safely share these credentials with the Ejento team for integration.
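The verification script below is an added example (not one of the Ejento scripts). It reads the summary JSON produced by either script and compares it with what actually exists in the tenant: the registered redirect URIs, the implicit-grant settings, the Microsoft Graph permissions requested, whether admin consent has been granted for them, and when the client secret expires. It queries Microsoft Graph through `az rest`; the script name and the `-ExpectedRedirectUri` parameter (the URI the Ejento team provides later) are assumptions of this example.

```powershell
# verify_app.ps1 (added example; not part of the Ejento scripts)
param(
  [Parameter(Mandatory)] [string]$SummaryFile,   # e.g. .\ms-sso-output.json or .\sharepoint-connection-output.json
  [string]$ExpectedRedirectUri                   # optional: the redirect URI provided by the Ejento team
)
$ErrorActionPreference = "Stop"
$graphAppId = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph resource app id (same as in the scripts)

$summary = Get-Content -Path $SummaryFile -Raw | ConvertFrom-Json
$appId = $summary.ClientId
$spId  = $summary.ServicePrincipalObjectId

# 1. The application object as stored in Entra ID (looked up by its appId alternate key)
$app = az rest --method GET --url "https://graph.microsoft.com/v1.0/applications(appId='$appId')" --only-show-errors | ConvertFrom-Json
if (-not $app) { Write-Error "Application $appId not found in tenant $($summary.TenantId)"; exit 1 }
Write-Host "App: $($app.displayName) ($appId)"
Write-Host "Redirect URIs: $($app.web.redirectUris -join ', ')"
if ($ExpectedRedirectUri -and ($app.web.redirectUris -notcontains $ExpectedRedirectUri)) {
  Write-Warning "Expected redirect URI $ExpectedRedirectUri is not registered on the app"
}
$ig = $app.web.implicitGrantSettings
Write-Host "Implicit grant: id tokens = $($ig.enableIdTokenIssuance), access tokens = $($ig.enableAccessTokenIssuance)"

# 2. Graph permissions the app requests: type 'Role' = application permission, 'Scope' = delegated
$graphReq = $app.requiredResourceAccess | Where-Object { $_.resourceAppId -eq $graphAppId }
$rolesRequested  = @($graphReq.resourceAccess | Where-Object { $_.type -eq 'Role'  } | ForEach-Object { $_.id })
$scopesRequested = @($graphReq.resourceAccess | Where-Object { $_.type -eq 'Scope' } | ForEach-Object { $_.id })
Write-Host "Requested from Graph: $($rolesRequested.Count) application permission(s), $($scopesRequested.Count) delegated scope(s)"

# 3. Admin consent state.
#    Consented application permissions appear as appRoleAssignments on the app's service principal;
#    tenant-wide delegated consent appears as an oauth2PermissionGrant with consentType 'AllPrincipals'.
$graphSp = az rest --method GET --url "https://graph.microsoft.com/v1.0/servicePrincipals?`$filter=appId eq '$graphAppId'&`$select=id" --only-show-errors | ConvertFrom-Json
$graphSpId = $graphSp.value[0].id

$assigned = az rest --method GET --url "https://graph.microsoft.com/v1.0/servicePrincipals/$spId/appRoleAssignments" --only-show-errors | ConvertFrom-Json
$grantedRoleIds = @($assigned.value | Where-Object { $_.resourceId -eq $graphSpId } | ForEach-Object { $_.appRoleId })
if ($rolesRequested.Count -gt 0) {
  $missingRoles = @($rolesRequested | Where-Object { $grantedRoleIds -notcontains $_ })
  if ($missingRoles.Count -gt 0) {
    Write-Warning "Admin consent is missing for $($missingRoles.Count) application permission(s): $($missingRoles -join ', ')"
  } else {
    Write-Host "Admin consent granted for all requested application permissions" -ForegroundColor Green
  }
}

$grants = az rest --method GET --url "https://graph.microsoft.com/v1.0/oauth2PermissionGrants?`$filter=clientId eq '$spId'" --only-show-errors | ConvertFrom-Json
$adminScopes = @($grants.value |
  Where-Object { $_.consentType -eq 'AllPrincipals' -and $_.resourceId -eq $graphSpId } |
  ForEach-Object { $_.scope.Trim() -split '\s+' })
if ($scopesRequested.Count -gt 0) {
  # The SharePoint summary lists the delegated permission names; grants are recorded by name, not id
  $wanted = if ($summary.DelegatedPermissions) { @($summary.DelegatedPermissions -split ',\s*') } else { @() }
  $missingScopes = @($wanted | Where-Object { $adminScopes -notcontains $_ })
  if ($adminScopes.Count -eq 0 -or $missingScopes.Count -gt 0) {
    Write-Warning "Tenant-wide admin consent not found for delegated scope(s): $($missingScopes -join ', ')"
  } else {
    Write-Host "Tenant-wide admin consent present for: $($adminScopes -join ', ')" -ForegroundColor Green
  }
}

# 4. Client secret expiry (all password credentials on the app, not just the one in the summary)
foreach ($cred in $app.passwordCredentials) {
  $daysLeft = [int]([datetime]$cred.endDateTime - (Get-Date)).TotalDays
  $msg = "Secret '$($cred.displayName)' expires $($cred.endDateTime) ($daysLeft days left)"
  if ($daysLeft -lt 30) { Write-Warning $msg } else { Write-Host $msg }
}
```

Run it as `.\verify_app.ps1 -SummaryFile .\ms-sso-output.json` (or the SharePoint output file) after the registration script, and again after the Ejento team supplies the final redirect URI and after admin consent has been granted manually. For the SSO app the consent check is expected to report the `User.Read.All` application permission; for the SharePoint app it reports the four delegated scopes from the summary. Delegated scopes with no tenant-wide grant may still have been consented per user, which this script does not treat as sufficient.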

Security Considerations

Store client secrets securely. Once generated, the ClientSecret cannot be retrieved later.
Limit access to the JSON output files to only authorized personnel.
Ensure that proper admin consent is granted for required permissions.
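As an added example of the first two points (not one of the Ejento scripts), the script below moves the ClientSecret out of the summary JSON into an Azure Key Vault secret, tagged with the client and tenant IDs and carrying the secret's expiry date, and then rewrites the JSON without the secret so the remaining fields can be kept or shared on their own. It assumes a Key Vault you can write to (`-VaultName`) on which the signed-in identity may set secrets; the script name and parameters are assumptions of this example.

```powershell
# secure_secret.ps1 (added example; not part of the Ejento scripts)
param(
  [Parameter(Mandatory)] [string]$SummaryFile,   # e.g. .\ms-sso-output.json
  [Parameter(Mandatory)] [string]$VaultName,     # existing Key Vault the signed-in identity can write to
  [string]$SecretName                            # defaults to the application name
)
$ErrorActionPreference = "Stop"

$summary = Get-Content -Path $SummaryFile -Raw | ConvertFrom-Json
if (-not $summary.ClientSecret -or $summary.ClientSecret -like '(stored in Key Vault*') {
  Write-Host "No client secret present in $SummaryFile; nothing to move."
  exit 0
}
# Key Vault secret names allow only alphanumerics and dashes
if (-not $SecretName) { $SecretName = ($summary.ApplicationName -replace '[^0-9A-Za-z-]', '-') }

# Carry the expiry into the vault so rotation can be tracked there (Key Vault expects UTC, Y-m-dTH:M:SZ)
$expires = $null
if ($summary.SecretExpiresOn) {
  $expires = ([datetime]$summary.SecretExpiresOn).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
}

# Write the secret to a temporary file and pass it with --file, so the value never appears on the
# command line or in the process list; the file is removed in the finally block.
$tmp = New-TemporaryFile
try {
  Set-Content -Path $tmp -Value $summary.ClientSecret -NoNewline -Encoding ASCII
  $azArgs = @("keyvault", "secret", "set",
              "--vault-name", $VaultName,
              "--name", $SecretName,
              "--file", $tmp.FullName,
              "--tags", "clientId=$($summary.ClientId)", "tenantId=$($summary.TenantId)",
              "--only-show-errors")
  if ($expires) { $azArgs += @("--expires", $expires) }
  $stored = az @azArgs | ConvertFrom-Json
  if ($LASTEXITCODE -ne 0 -or -not $stored) {
    Write-Error "Failed to store secret '$SecretName' in Key Vault '$VaultName'; the summary file was left unchanged."
    exit 1
  }
} finally {
  Remove-Item -Path $tmp -Force -ErrorAction SilentlyContinue
}
Write-Host "Stored secret as '$SecretName' in Key Vault '$VaultName' (id: $($stored.id))" -ForegroundColor Green

# Scrub the file: keep the non-secret fields and leave a pointer to where the secret now lives
$summary.ClientSecret = "(stored in Key Vault $VaultName as $SecretName)"
$summary | ConvertTo-Json -Depth 5 | Set-Content -Path $SummaryFile -Encoding UTF8
Write-Host "Removed the client secret from $SummaryFile"
```

Run it immediately after the registration script, for example `.\secure_secret.ps1 -SummaryFile .\ms-sso-output.json -VaultName <your-vault>`, before the output file is copied anywhere. Whoever needs the secret afterwards retrieves it from the vault with `az keyvault secret show`, which leaves an audit trail of every read; the registration scripts still print the secret to the console once, so clear or avoid saving that console history as well.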
