Initial Configuration Required

The application failed to start. Notice that initial configuration is required before the application can function.

To obtain the values for the secrets, an application registration is required. The application registration can be created either in the default Microsoft Entra tenant (tenant), in a workforce tenant (workforce) or in a Microsoft External Configuration Tenant (external). If you plan to allow external users to access the application, external may be the better match. Another reason to use external or workforce is that the required access rights are not allowed to be granted on the tenant side.

See more information: Workforce and external tenant configurations in Microsoft Entra External ID

Microsoft External Configuration Tenant

This section is applicable only if application registration is done with Microsoft External Configuration Tenant instead of Microsoft Tenant.

Navigate to "External Identities | User Flows" and create a new user flow. It is recommended to use the identity provider 'Email One Time Passcode'. Notice that you must bind the user flow to the application registration that is created in the next section.

Application Registration

Create a new application registration and collect the values into the corresponding Azure Key Vault secrets listed in the "Secrets" section. Notice that some of the secrets, such as 'defaultUnauthorizedRoleId', are only available after the configuration below has been completed.

See more information: Register an application in Microsoft Entra ID

Use a Microsoft External Configuration Tenant or workforce tenant if the 'API permissions' list below contains permissions that are not allowed to be used with the Microsoft tenant. Notice that the deployment does not create the Microsoft External Configuration Tenant; it must be created separately if required.

Redirect URIs:

| Platform Type | Redirect URI | Example URI |
|---|---|---|
| Single-page application | https://[fully qualified domain name]/ | https://toolbox.contoso.com/ |
| Single-page application | https://[fully qualified domain name]/redirect | https://toolbox.contoso.com/redirect |

- How to add a redirect URI to your application

Authentication options:

| Option | Value |
|---|---|
| Access tokens (used for implicit flows) | Selected |
| ID tokens (used for implicit and hybrid flows) | Selected |
| Allow public client flows | Enabled |

Create a new client secret and place the value of the new secret into the Azure Key Vault secret 'graphAppSecret'.

- Add and manage application credentials in Microsoft Entra ID

Optional claims:

| Claim | Description | Token type | Optional settings |
|---|---|---|---|
| groups | Optional formatting for group claims | ID, Access, SAML | Default |

Scope (Expose an API):

| Attribute | Value |
|---|---|
| Scope name | API.Access |
| Who can consent? | Admins and users |
| Admin consent display name | Access API |
| Admin consent description | Access API of application |
| User consent display name | Access API |
| User consent description | Access API of application |
| State | Enabled |

App roles:

| Display name | Description | Allowed member types | Value | State |
|---|---|---|---|---|
| User | Access to standard modules | Both (Users/Groups + Applications) | User | Enabled |
| Integration | Access to integration endpoints | Both (Users/Groups + Applications) | Integration | Enabled |
| Admin | Full access to all modules and administrative features | Both (Users/Groups + Applications) | Admin | Enabled |
| Unauthorized | Newly registered user who does not yet have any access to the application | Both (Users/Groups + Applications) | Unauthorized | Enabled |

Notice that you need the Unauthorized role's ID for the Azure Key Vault secret 'defaultUnauthorizedRoleId'.

Use a Microsoft External Configuration Tenant or workforce tenant if the list below contains permissions that are not allowed to be used with the Microsoft tenant.

| API / Permission name | Type | Description | Admin consent required |
|---|---|---|---|
| Microsoft Graph / offline_access | Delegated | Maintain access to data you have given it access to | - |
| Microsoft Graph / openid | Delegated | Sign users in | - |
| Microsoft Graph / profile | Delegated | View users' basic profile | - |
| Microsoft Graph / Application.Read.All | Application | Read all applications | Yes |
| Microsoft Graph / AppRoleAssignment.ReadWrite.All | Application | Manage app permission grants and app role assignments | Yes |
| Microsoft Graph / Group.Read.All | Application | Read all groups | Yes |
| Microsoft Graph / User.Read.All | Application | Read all users' full profiles | Yes |

Grant admin consent for the application-type permissions so that no active warnings remain after the permissions are configured.

Secrets

The values for the secrets are available from the application registration that was completed in the previous section.

• EntraClientId
Application registration > Essentials > Application (client) ID
• EntraInstance
Either https://login.microsoftonline.com/ for an Entra tenant or https://[external tenant name].ciamlogin.com/ for an external configuration tenant. See Application registration > Endpoints if unsure of the format. Do not include the tenant ID in this value.
• EntraTenantId
Application registration > Essentials > Directory (tenant) ID
• graphAppId
Application (client) ID used for Microsoft Graph access. Usually the same as EntraClientId.
• graphAppSecret
Client secret used for Microsoft Graph access.
• graphEnterpriseAppId
The Object ID of the enterprise application that corresponds to EntraClientId (this is a different value from EntraClientId): Application registration > Essentials > Managed application in local directory > Properties > Object ID
• defaultUnauthorizedRoleId
Application registration > Manage > App roles > the ID value of the role named 'Unauthorized'

Notice that the web application must be restarted before the new configuration becomes active. The restart operation can take a few minutes.
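Because the application only reports the problem after a restart that takes several minutes, it pays to check the collected values before placing them in Key Vault. The following POSIX shell script is an added example, not part of the original page or of the application's own tooling: it validates the shape of each secret listed above (GUID form for the IDs, the two permitted EntraInstance formats with a trailing slash and no tenant ID, a non-empty client secret, and that graphEnterpriseAppId and defaultUnauthorizedRoleId are not simply the client ID pasted again). It assumes the values are exported as environment variables named exactly like the secrets; the sample GUIDs and the secret string in the script are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check the Azure Key Vault
# secret values before restarting the web application. Assumes the values are
# exported as environment variables named exactly like the secrets:
# EntraClientId, EntraInstance, EntraTenantId, graphAppId, graphAppSecret,
# graphEnterpriseAppId, defaultUnauthorizedRoleId.

# True when the value has the 8-4-4-4-12 hexadecimal GUID form shown in the portal.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# True for https://login.microsoftonline.com/ or https://<name>.ciamlogin.com/
# with the trailing slash and nothing (such as a tenant ID) appended after it.
is_instance() {
  printf '%s' "$1" | grep -Eq '^https://(login\.microsoftonline\.com|[A-Za-z0-9-]+\.ciamlogin\.com)/$'
}

# Checks every secret value; prints one FAIL line per problem and returns
# non-zero if any check failed, so it can gate a deployment step.
check_secrets() {
  rc=0
  for name in EntraClientId EntraTenantId graphAppId graphEnterpriseAppId defaultUnauthorizedRoleId; do
    eval "value=\${$name}"
    if ! is_guid "$value"; then
      echo "FAIL: $name must be a GUID, got '$value'"
      rc=1
    fi
  done
  if ! is_instance "$EntraInstance"; then
    echo "FAIL: EntraInstance must be https://login.microsoftonline.com/ or https://<name>.ciamlogin.com/ with a trailing slash and no tenant ID"
    rc=1
  fi
  if [ -z "$graphAppSecret" ]; then
    echo "FAIL: graphAppSecret is empty"
    rc=1
  fi
  # The enterprise application's Object ID is a different GUID from the
  # application (client) ID; pasting the client ID here is an easy mistake.
  if [ "$graphEnterpriseAppId" = "$EntraClientId" ]; then
    echo "FAIL: graphEnterpriseAppId must be the enterprise application Object ID, not the client ID"
    rc=1
  fi
  # The app role ID is likewise distinct from the client ID and the tenant ID.
  if [ "$defaultUnauthorizedRoleId" = "$EntraClientId" ] || [ "$defaultUnauthorizedRoleId" = "$EntraTenantId" ]; then
    echo "FAIL: defaultUnauthorizedRoleId must be the ID of the 'Unauthorized' app role"
    rc=1
  fi
  return $rc
}

# Constructed sample values (placeholders, not real identifiers) used when the
# script is run directly; exported variables take precedence over these.
: "${EntraClientId:=11111111-1111-1111-1111-111111111111}"
: "${EntraInstance:=https://login.microsoftonline.com/}"
: "${EntraTenantId:=22222222-2222-2222-2222-222222222222}"
: "${graphAppId:=$EntraClientId}"
: "${graphAppSecret:=placeholder-client-secret-value}"
: "${graphEnterpriseAppId:=33333333-3333-3333-3333-333333333333}"
: "${defaultUnauthorizedRoleId:=44444444-4444-4444-4444-444444444444}"

if check_secrets; then
  echo "All secret values look consistent; restart the web application to apply them."
fi
```

Run it with the real values exported in the shell (for example `EntraClientId=... EntraInstance=... sh check-secrets.sh`); a non-zero exit status with FAIL lines tells you which secret to correct before triggering the restart. The checks are purely local and never contact Entra or Key Vault, so they catch formatting slips but not a wrong-but-well-formed GUID.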