Submit a ticket My Tickets
Welcome
Login  Sign up

Setup a application in Azure AD Portal and grant permissions

Introduction

This page guides you through the steps to set up an application in Azure AD Portal and grant the permissions to facilitate user sync

Requirements

  • An account on Azure AD Portal with enough permissions to register applications

Setup

Register an application in the Azure AD portal

#1 - Sign in to the Azure AD portal

#2 - Select App registrations > New registration.
Register a new application

#3 Enter your Spencer registration information and click Register:

  1. Name: Enter a meaningful application name
  2. Supported account types: Select Accounts in this organizational directory only
  3. Redirect URI: Select Web - and fill in the redirect URI:
    https://spencerlogin.b2clogin.com/spencerlogin.onmicrosoft.com/oauth2/authresp

#4 Share Directory ID (orange) & Application ID (yellow) with Spencer


Add a certificate

#1  Spencer will generate and share a certificate for the customer to install in the Azure AD portal.
Generating the certificate is done by Spencer, not by the Customer. These serve to illustrate in transparency how we generate the certificates.

  1. Generate certificate
    openssl req -nodes -new -x509 -keyout {client}-{environment}.key -out {client}-{environment}.pem -days 365


  2. Generate fingerprint
    openssl x509 -fingerprint -in {client}-{environment}.pem


      1. Remove the ':' characters from the fingerprint and convert the hexadecimal bytes to Base64 using https://cryptii.com/base64-to-hex, using “Base64 (RFC 3548, RFC 4648)”.

      2. The output of this conversion provides you with a Base64 certificate thumbprint that needs to be configured in the back-office

#2  Customer uploads the certificate provided by Spencer 

Note, Spencer will provide certificates for each required environment (staging, demo, production) – named {client}-{environment}.cert. Make sure you add the staging certificate to the staging Spencer Azure AD application and the production certificate to the production Azure AD application

Create a client secret

From the app's Overview page, select the Certificates & secrets section.

Click New client secret. Add a description. Select expires Never and click Add.

Copy the client secret and share it with Spencer
(Note, you won’t be able to copy the secret anymore after initial creation)

Grant Permissions

Grant the following API permissions to the Spencer Azure AD application to sync users.

Feature
API
Permissions type
Permissions

Users (who’s who)

Microsoft Graph API

Application

User.Read.All

Users (edit profile)

Microsoft Graph API

Delegated

User.ReadWrite


Make sure all Spencer test accounts are included in your Azure AD directory. Share a list of these test accounts with Spencer.
(At minimum Spencer requires 1 test account. We prefer two or more accounts for efficient development & testing. In case Spencer end-users come in different types/roles, like employee/manager, please make sure to share at least 1 account per type/role


Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.