Steps to Configure Azure using OAuth 2.0 - PKCE with Confidential Client

  1. Register an Application in the Azure AD Portal:

    • Log into the Azure Portal.
    • Navigate to Azure Active Directory, App registrations, New registration.
    • Enter the following details to create the application:
      • Name: ApplicationName.
      • Supported account types: choose single-tenant or multi-tenant depending on which directories' users should be able to sign in. Single-tenant is the safer default when only your own organization's users should reach APIsec.
      • Redirect URI: select Web as the platform from the dropdown.
    • Click Register.

  2. Configure Application for PKCE with Confidential Client

    • After the application is registered, note the Application (client) ID and Directory (tenant) ID shown on its Overview page; both are entered in APIsec in Step 10.
    • Click the "Redirect URIs" link to navigate to the platform configurations page.
    • Click Add a platform and select Web under Web applications.
    • Enter the redirect URI of the application: https://{environment}.apisec.ai/auth2.0/{clientId}/redirect, where {environment} is your APIsec environment (cloud in the example below).

      • Here's an example: https://cloud.apisec.ai/auth2.0/000008ee-c71d-4a6a-a53c-33f7eb1000000/redirect
    • Click Configure and Save the platform configuration.

    Azure AD compares the redirect_uri on each authorization request against this list exactly (scheme, host and path), so register the https value precisely as APIsec sends it; a mismatch fails the sign-in with an AADSTS50011 redirect URI error rather than falling back to any default.

  3. Enter the Homepage URL

    • Click Branding and properties under Manage.
    • Enter the Homepage URL; use the same value as the redirect URI from Step 2.
    • Click Save.

  4. Generate a Client Secret

    • Under the Manage section:
      • Click Certificates & secrets.
      • Click New client secret.
      • Enter a description and an expiry.
      • Click Add.
      • Copy the client secret from the Value column (not the Secret ID). It is displayed only once, immediately after creation, and cannot be retrieved later; store it in a secret manager and plan to rotate it before the expiry you chose, updating the APIsec SSO configuration (Step 10) with the new value.
  5. Create and Assign App Roles

    • Click App roles under the Manage section.
    • Click Create app role.
    • Enter a display name such as "Admin".
    • Select "Users/Groups" under Allowed member types.
    • Enter the Value (the string that appears in the token's roles claim) and a Description.
    • Check the box "Do you want to enable this role?".
    • Click Apply.

Step 6: Assign users/groups to the Enterprise application

  • 6.1 Navigate to Enterprise applications from the home page.
    • Search for and select the application registered in Step 1.
    • Click the "Assign users and groups" link on the Overview page.
    • Click Add user/group.
    • Select the users.
    • Select a role and click Assign.

Note: The app role assigned to a user here is the role that user receives in APIsec.

  • 6.2 Creating and assigning groups with the application
    • Go to the Azure Active Directory overview page.
    • Under Manage, click Groups.
    • Click New group and fill in the details:
      • Group type: Security.
      • Group name: enter a name for the group.
      • Membership type: Assigned.
      • Under Members, select the users from the users list and click Select.
    • Click Create to create the group with those members.

Step 7: Grant the application permission to read group membership

  To add the GroupMember.Read.All permission:
    • Go to the App registrations page and select the registered app.
    • Under Manage, click API permissions.
    • Click Add a permission.
    • Under Microsoft APIs, click Microsoft Graph.
    • Click Delegated permissions and search for GroupMember in the Select permissions search field.
    • Expand GroupMember and check the GroupMember.Read.All box.
    • Click Add permissions.

  GroupMember.Read.All is a delegated permission that requires admin consent. After adding it, an administrator should click "Grant admin consent" for the tenant on the same API permissions page; otherwise non-administrator users are stopped at sign-in with a "Need admin approval" prompt and the group lookup never runs.

Step 8: Assign groups to the Enterprise application

  • Navigate to Enterprise applications from the home page.
  • Search for and select the application registered in Step 1.
  • Click the "Assign users and groups" link on the Overview page.
  • Click Add user/group.
  • Select the group created in Step 6.2 and confirm the selection.
  • Select a role and click Assign.

Step 9: Publish the Application

  • In the Enterprise application, click Properties under the Manage section.
  • Set the "Visible to users?" toggle to Yes.
  • On the same page, set "Assignment required?" to Yes so that only the users and groups assigned in Steps 6 and 8 can sign in; otherwise any user in the tenant can complete the Azure sign-in to the application.
  • Save the changes.

Step 10: Configure SSO in APIsec

  • Log in to the APIsec application.
  • Click Configuration on the APIsec dashboard.
  • Click SSO and select Azure as the SSO type from the dropdown.
  • Enter the client secret value copied in Step 4.
  • Enter the Application (client) ID and Directory (tenant) ID noted in Step 2.
  • Switch the toggle to Active.
  • Click Save.

Step 11: Confirm login with SSO using OAuth 2.0 - PKCE with Confidential Client

  • Launch https://myapps.microsoft.com/ and select the registered application; this IdP-initiated login redirects the user to the APIsec application dashboard.
  • Alternatively, users can start from the APIsec side (the SP-initiated flow) using the redirect link.
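The flow that Steps 2, 4, 5 and 10 configure, shown end to end as an added example; this is not APIsec's or Microsoft's code. It builds the PKCE pair (RFC 7636, S256), the authorization request against the tenant's v2.0 endpoint, the state and redirect URI checks on the callback, the token request that carries both the client secret (confidential client) and the code verifier (PKCE), and finally reads the app roles claim that APIsec maps to its own roles. The tenant ID, client ID, secret, callback URL and ID token are constructed placeholders, the scope string is an assumption, and the sample ID token is unsigned: a real client verifies the signature against the tenant's JWKS before trusting any claim.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders (assumptions): substitute the values noted in Steps 2 and 4.
TENANT_ID = "00000000-0000-0000-0000-000000000000"      # Directory (tenant) ID
CLIENT_ID = "11111111-1111-1111-1111-111111111111"      # Application (client) ID
CLIENT_SECRET = "replace-with-the-step-4-secret-value"  # load from a secret store in real code
REDIRECT_URI = "https://cloud.apisec.ai/auth2.0/11111111-1111-1111-1111-111111111111/redirect"
SCOPE = "openid profile email GroupMember.Read.All"     # assumed; includes the Step 7 permission
AUTHORIZE_URL = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize"
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"


def b64url(data):
    """Base64url without padding, as RFC 7636 and JWTs use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for the S256 method."""
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))  # 43 URL-safe characters
    if not 43 <= len(verifier) <= 128:
        raise ValueError("code_verifier must be 43-128 characters (RFC 7636)")
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(challenge, state, nonce):
    """The request the browser is sent to; redirect_uri must match Step 2 exactly."""
    params = {"client_id": CLIENT_ID, "response_type": "code", "redirect_uri": REDIRECT_URI,
              "scope": SCOPE, "state": state, "nonce": nonce,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Validate the redirect back from Azure AD and return the authorization code."""
    got, want = urlparse(callback_url), urlparse(REDIRECT_URI)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback URL does not match the registered redirect URI")
    query = parse_qs(got.query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: reject the response (possible CSRF)")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]


def build_token_request(code, verifier):
    """Confidential client + PKCE: POST this form to TOKEN_URL with the secret AND the verifier."""
    return {"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
            "grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "code_verifier": verifier, "scope": SCOPE}


def roles_from_id_token(id_token, expected_nonce):
    """Check aud, tid and nonce, then return the app roles assigned in Steps 5, 6 and 8.
    Signature verification against the tenant JWKS is assumed to happen before this call."""
    payload_b64 = id_token.split(".")[1]
    payload = json.loads(base64.urlsafe_b64decode(payload_b64 + "=" * (-len(payload_b64) % 4)))
    if payload.get("aud") != CLIENT_ID:
        raise ValueError("ID token was issued for a different application")
    if payload.get("tid") != TENANT_ID:
        raise ValueError("ID token was issued by a different tenant")
    if payload.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token does not belong to this login")
    return list(payload.get("roles", []))


def make_sample_id_token(roles, nonce):
    """Constructed, unsigned sample token for offline demonstration only."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"aud": CLIENT_ID, "tid": TENANT_ID, "nonce": nonce,
                                 "preferred_username": "alice@example.com",
                                 "roles": roles}).encode())
    return header + "." + payload + "."  # empty signature segment


def demo():
    """Run the whole flow offline with a constructed callback and ID token."""
    verifier, challenge = pkce_pair()
    state, nonce = b64url(secrets.token_bytes(16)), b64url(secrets.token_bytes(16))
    url = build_authorize_url(challenge, state, nonce)
    # Constructed callback, shaped like Azure AD's redirect after the user signs in.
    callback = REDIRECT_URI + "?" + urlencode({"code": "0.constructed-code", "state": state})
    code = parse_callback(callback, state)
    token_request = build_token_request(code, verifier)
    roles = roles_from_id_token(make_sample_id_token(["Admin"], nonce), nonce)
    return {"authorize_url": url, "token_request": token_request, "roles": roles}
```

Run demo() to see the authorize URL and token form a correct client would produce; the two things that most often break this setup are visible in the checks: the redirect URI must match the Step 2 registration exactly, and a token whose aud is not the Application (client) ID from Step 2 must be rejected even if it carries the expected roles.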
