Microsoft Entra SSO

In the setup steps below, we will fill out a json blob with the following contents, pulled from your Microsoft Entra portal:

{
  "client_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "client_secret": "...",
  "tenant": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "scope": "https://graph.microsoft.com/.default"
}

This json will go into a secrets store that the Teleskope app reads as a reference, enabling authentication through Microsoft Entra. It's a good idea to copy this blob somewhere locally before we get started so you can fill in each field as you go.

Setup

  1. Navigate to https://entra.microsoft.com/ and sign into your enterprise's Microsoft dashboard.
  2. On the side navigation menu, select Overview. From here you should see a tenant id of the form xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, which you can copy into your json blob's "tenant" field.
  3. Next, register a new application within Microsoft Entra that will correspond to your Teleskope deployment. On the side navigation menu again, select the Applications dropdown and then App registrations.
  4. Select New registration, and name your Teleskope app. There will be a few authentication options; we recommend Accounts in this organizational directory only (Single tenant) as the simplest option.
  5. Now under Applications/App registrations you should be able to navigate to your newly set up app. Go there next. In the Overview page you should see an Application (client) ID, which you should copy into the client_id field of your json blob.
  6. Under Certificates & Secrets in your app registration page, you will need to create a secret that will be used as part of the auth handshake. Select New client secret, and set a name and expiry. Afterwards, copy this secret's value and paste it into the client_secret field of your json blob. Do this right away: Entra shows the secret value only once, immediately after creation, and note the expiry you chose since the secret will have to be rotated before then.
  7. Still under your app registration page, select API Permissions and click Add a permission. You will want to set up delegated permissions for Microsoft Graph; admin consent is not required. You will need at least the email, openid and profile permissions.
  8. The "scope" field was already set to "https://graph.microsoft.com/.default" in the json blob above; with those permissions in place, that scope can now be used, as any login will redirect to https://graph.microsoft.com to fetch the user's profile information.
  9. Still under your app registration page, select Manifest and change accessTokenAcceptedVersion to 2 in the corresponding json manifest.
  10. As a final step in Microsoft Entra under your app registration page, select Authentication and add a redirect URI so that Microsoft knows how to call back to your Teleskope instance on login, as part of the typical OAuth flow. This redirect URI should be https://teleskope-provided-uri/auth/microsoft/callback or something similar, depending on the URL subdomains set up for your Teleskope instance.
  11. Finally, this json blob will need to be entered into your Teleskope deployment backend or secrets manager. A Teleskope resource can help you with this step or populate it for you.
  12. Clean Up
    1. Note that after this step, you'll want to assign users to your new Teleskope Entra app.
    2. A first/last name in Entra is required for any user logging into Teleskope.
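Before handing the blob to the secrets manager, it is worth checking that every field has actually been filled in and that the redirect URI matches what Entra was told. The script below is an added example written for this guide; it is not part of Teleskope or of Microsoft's tooling. It validates the four fields of the json blob (GUID shape of client_id and tenant, a non-placeholder client_secret, the expected scope), checks a redirect URI against the /auth/microsoft/callback path from step 10, and derives the Microsoft identity platform v2.0 authorize and token endpoints that accessTokenAcceptedVersion = 2 corresponds to. The host teleskope.example.com and the GUIDs in the filled-in sample are constructed values, not a real tenant or app.

```python
import json
import re
from urllib.parse import urlparse

# Matches the xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx form of a tenant or client ID.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")

# The scope the guide expects. The /.default scope requests the permissions
# already configured on the app registration (email, openid, profile).
EXPECTED_SCOPE = "https://graph.microsoft.com/.default"

# Placeholder values copied straight from the guide's template blob.
PLACEHOLDERS = {"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "...", ""}

# Redirect URI path the guide describes for the Teleskope callback.
CALLBACK_PATH = "/auth/microsoft/callback"


def validate_blob(blob: dict) -> list:
    """Return a list of problems found in the secrets blob (empty list means OK)."""
    problems = []
    for key in ("client_id", "client_secret", "tenant", "scope"):
        if key not in blob:
            problems.append(f"missing field: {key}")
    for key in ("client_id", "tenant"):
        value = blob.get(key, "")
        if value in PLACEHOLDERS:
            problems.append(f"{key} still holds the template placeholder")
        elif not GUID_RE.match(value):
            problems.append(f"{key} is not a GUID: {value!r}")
    if blob.get("client_secret", "") in PLACEHOLDERS:
        problems.append("client_secret has not been filled in")
    if blob.get("scope") != EXPECTED_SCOPE:
        problems.append(f"scope should be {EXPECTED_SCOPE!r}")
    return problems


def validate_redirect_uri(uri: str) -> list:
    """Check the redirect URI registered under Authentication in the app registration."""
    problems = []
    parsed = urlparse(uri)
    if parsed.scheme != "https":
        problems.append("redirect URI must use https")
    if not parsed.netloc:
        problems.append("redirect URI has no host")
    if parsed.path != CALLBACK_PATH:
        problems.append(f"redirect URI path should be {CALLBACK_PATH}")
    return problems


def v2_endpoints(tenant: str) -> dict:
    """Microsoft identity platform v2.0 endpoints for a single-tenant app.

    accessTokenAcceptedVersion = 2 in the manifest makes Entra issue v2.0
    tokens; these are the matching authorize and token endpoints.
    """
    base = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0"
    return {"authorize": f"{base}/authorize", "token": f"{base}/token"}


# Constructed sample inputs: the guide's unfilled template and a filled-in blob
# with made-up IDs and a made-up secret. Neither is a real tenant or application.
TEMPLATE_BLOB = json.loads("""{
  "client_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "client_secret": "...",
  "tenant": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "scope": "https://graph.microsoft.com/.default"
}""")

FILLED_BLOB = {
    "client_id": "11111111-2222-3333-4444-555555555555",
    "client_secret": "example-secret-value",
    "tenant": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "scope": "https://graph.microsoft.com/.default",
}

if __name__ == "__main__":
    # Constructed host; the real one depends on your Teleskope subdomains.
    print("template:", validate_blob(TEMPLATE_BLOB))
    print("filled:  ", validate_blob(FILLED_BLOB))
    print("redirect:", validate_redirect_uri("http://teleskope.example.com/auth/microsoft/callback"))
    print("endpoints:", v2_endpoints(FILLED_BLOB["tenant"]))
```

Run it against the blob you are about to store; the template reports three unfilled fields, the filled-in sample reports none, and the http:// redirect URI is flagged because Entra callbacks for a production app must use https.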