Microsoft Entra ID Configuration

It is necessary to create a new Application Registration within the Microsoft Entra ID tenant for your organisation.

Note: You must repeat these steps for each ebs website that you want to enable authentication for.

  1. Log in to the Azure portal (https://portal.azure.com/).

  2. Select Microsoft Entra ID.

  3. Select App Registrations.

  4. Click New registration.

  5. Enter an appropriate name in the Name field (for example: ontrack Hub). This is displayed when an end user is shown a Consent screen the first time they access the website.

  6. Set the Supported account types to 'Accounts in this organisational directory only' and set the Redirect URI according to the website type:

    • ontrack websites - the 'Redirect URI', which is optional, should be the URI of the website (for example: https://ebsontrackhub-tribalcollege.ebs.tribalgroup.com/)

    • intel website - the 'Redirect URI' should be the URI of the website with a suffix of /pi/auth/oAuthComplete (for example: https://ebsintel-tribalcollege.ebs.tribalgroup.com/pi/auth/oAuthComplete)

      Note: This URI must use https. Microsoft Entra ID authentication cannot be used on an http website.

    • ebs product suite (for example: ebs: central, ebs: shape and so on) - the redirect URI can be left blank

  7. Click Register to create the new registration.

  8. Select API Permissions from the App Registration menu.

    The API Permissions screen is displayed.

  9. Ensure that the User.Read Permission has been configured. If required, you can configure User.Read permissions in the following way:

    1. Select Add a permission.

    2. Select Microsoft Graph.

    3. Select Delegated Permissions.

    4. Select User.Read to enable the ebs website to sign in and read the user profile.

  10. Select Authentication from the App Registration menu.

    The Authentication screen is displayed.

  11. Configure the Authentication screen in the following ways:

    For ontrack websites, select the ID tokens check-box in the Implicit grant section and click the Save button.

    For the ebs product suite (for example: ebs: central, ebs: shape and so on), select Add a platform and select Mobile and desktop application. Select the Redirect URI option (https://login.microsoftonline.com/common/oauth2/nativeclient).

  12. Select Certificates & secrets from the App Registration menu.

    Note: The Client Secret (steps 12 - 16) is not required to use Microsoft Entra ID authentication in Central or Shape; it is only necessary for ontrack website integration.

    The Certificates & secrets screen is displayed.

  13. Click Create a New client secret.

  14. Enter an appropriate description in the Description field.

  15. Enter expiry details in the Expiry Details field.

  16. Copy the value stored in the Client Secret field.

    Note: You must copy the value stored in the Client Secret field as you will be unable to retrieve it later.

  17. Select the Overview screen.

    In the following sections you will need to use the following pieces of information:

    • The Application (client) ID

    • The Directory (tenant) ID
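
As an added example (not part of the original guide or the vendor's own tooling), the following Python check audits an exported app registration against the settings in the steps above. It assumes the registration is available as the application object JSON returned by Microsoft Graph; the function name, the site labels 'ontrack', 'intel' and 'suite', and the sample data are constructed for illustration.

```python
from datetime import datetime, timezone

GRAPH = "00000003-0000-0000-c000-000000000000"      # Microsoft Graph resource appId
USER_READ = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"  # delegated User.Read scope id
NATIVE = "https://login.microsoftonline.com/common/oauth2/nativeclient"
INTEL_SUFFIX = "/pi/auth/oAuthComplete"

def audit(app, site, now=None):
    """List deviations from the steps above; site is 'ontrack', 'intel' or 'suite'."""
    now = now or datetime.now(timezone.utc)
    out = []
    if app.get("signInAudience") != "AzureADMyOrg":  # single-tenant setting
        out.append("account types not limited to this organisational directory")
    granted = {(r.get("resourceAppId"), a.get("id"), a.get("type"))
               for r in app.get("requiredResourceAccess") or []
               for a in r.get("resourceAccess") or []}
    if (GRAPH, USER_READ, "Scope") not in granted:
        out.append("delegated User.Read missing")
    web = app.get("web") or {}
    uris = web.get("redirectUris") or []
    out += [f"redirect URI not https: {u}" for u in uris if not u.lower().startswith("https://")]
    if site == "intel" and not any(u.endswith(INTEL_SUFFIX) for u in uris):
        out.append("no redirect URI ending in " + INTEL_SUFFIX)
    if site == "ontrack":
        if not (web.get("implicitGrantSettings") or {}).get("enableIdTokenIssuance"):
            out.append("ID tokens not enabled")
        # Client secrets are only needed for ontrack integration (steps 12 - 16).
        ends = [datetime.strptime(c["endDateTime"][:19], "%Y-%m-%dT%H:%M:%S")
                .replace(tzinfo=timezone.utc)
                for c in app.get("passwordCredentials") or []]
        if not any(e > now for e in ends):
            out.append("no unexpired client secret")
    if site == "suite":
        pub = (app.get("publicClient") or {}).get("redirectUris") or []
        if NATIVE not in pub:
            out.append("nativeclient redirect URI missing")
    return out

# Constructed sample registrations (not real tenant data).
PERMS = [{"resourceAppId": GRAPH, "resourceAccess": [{"id": USER_READ, "type": "Scope"}]}]
GOOD_ONTRACK = {"signInAudience": "AzureADMyOrg", "requiredResourceAccess": PERMS,
    "web": {"redirectUris": ["https://ontrack.example.test/"],
            "implicitGrantSettings": {"enableIdTokenIssuance": True}},
    "passwordCredentials": [{"endDateTime": "2099-01-01T00:00:00Z"}]}
BAD_INTEL = {"signInAudience": "AzureADMultipleOrgs", "requiredResourceAccess": [],
    "web": {"redirectUris": ["http://intel.example.test/pi/auth/oAuthComplete"]}}

if __name__ == "__main__":
    for name, app, site in [("good", GOOD_ONTRACK, "ontrack"), ("bad", BAD_INTEL, "intel")]:
        print(name, audit(app, site) or "OK")
```

Running the check after each registration, and again periodically, also catches a client secret that has passed the expiry set in step 15.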

Further configuration steps include:

Note: You can further lock down access to an application in Microsoft Entra ID to provide another layer of security over and above the access controls already provided in ebs (for example: you could limit Microsoft Entra ID login to ontrack Hub to a select group of users). Refer to Microsoft documentation for further information about these options.
