
# Microsoft Entra

> Setting up SSO with Microsoft Entra

### Steps to set Entra as an OIDC identity provider

<Steps>
  <Step>
    Log in to Microsoft Entra and navigate to the **Identity/Applications/Enterprise applications** view.

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc/42uxo0ok5O8ITXRT/images/studio/sso/create-new-app-in-microsoft-entra.png?fit=max&auto=format&n=42uxo0ok5O8ITXRT&q=85&s=ad92403401a0ab846036eae1600db553" alt="Microsoft Entra admin center with Enterprise Applications and New Application button" title="Create new app in Microsoft Entra" width="2304" height="1255" data-path="images/studio/sso/create-new-app-in-microsoft-entra.png" />
    </Frame>
  </Step>

  <Step>
    Click on **New application**.
  </Step>

  <Step>
    On the page that opens, click on **Create your own application**.

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc/42uxo0ok5O8ITXRT/images/studio/sso/create-custom-application-in-entra.png?fit=max&auto=format&n=42uxo0ok5O8ITXRT&q=85&s=773a969ad98eb5693e6bb344866069d9" alt="Microsoft Entra admin center showing Create Your Own Application option" title="Create custom application in Entra" width="2304" height="1252" data-path="images/studio/sso/create-custom-application-in-entra.png" />
    </Frame>
  </Step>

  <Step>
    Provide a name for the application, select "**Register an application to integrate with Microsoft Entra ID (App you're developing)**" as the application purpose, then click on the **Create** button.
  </Step>

  <Step>
    Select who can use the application from the given options according to your needs and then click on **Register**.
  </Step>

  <Step>
    Now navigate to **Identity/Applications/App registrations**.
  </Step>

  <Step>
    In the **All applications** tab, select the application you created.

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc/42uxo0ok5O8ITXRT/images/studio/sso/app-registrations-list-in-entra.png?fit=max&auto=format&n=42uxo0ok5O8ITXRT&q=85&s=25f8da7aa92eadab39dc6622496c7576" alt="Microsoft Entra admin center listing registered apps “test” and “test2”" title="App registrations list in Entra" width="2304" height="1253" data-path="images/studio/sso/app-registrations-list-in-entra.png" />
    </Frame>
  </Step>

  <Step>
    Copy the **Application (client) ID**, then click on **Endpoints** and copy the **OpenID Connect metadata document** URL (the Discovery Endpoint).

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc/42uxo0ok5O8ITXRT/images/studio/sso/openid-connect-metadata-in-entra.png?fit=max&auto=format&n=42uxo0ok5O8ITXRT&q=85&s=67b910b6eeb094b88e578428e0715738" alt="Endpoints section in Microsoft Entra highlighting OpenID Connect metadata document" title="OpenID Connect metadata in Entra" width="2304" height="1186" data-path="images/studio/sso/openid-connect-metadata-in-entra.png" />
    </Frame>
  </Step>

  <Step>
    Navigate to **Certificates and Secrets**.
  </Step>

  <Step>
    Click on **New client secret**, give it a description, select the expiry according to your needs and then click on **Add**.
  </Step>

  <Step>
    Copy the **Value** (the client secret) and store it, as it won't be shown again.

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc/42uxo0ok5O8ITXRT/images/studio/sso/certificates-secrets-with-new-client-secret.png?fit=max&auto=format&n=42uxo0ok5O8ITXRT&q=85&s=421c4db59b1d5c89e2a3863d373c120a" alt="Microsoft Entra Certificates & secrets showing new client secret created on March 14, 2024" title="Certificates & secrets with new client secret" width="2304" height="1240" data-path="images/studio/sso/certificates-secrets-with-new-client-secret.png" />
    </Frame>
  </Step>

  <Step>
    Navigate to the settings page in Cosmo.

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc/42uxo0ok5O8ITXRT/images/studio/sso/organization-settings-with-ai-rbac-scim.png?fit=max&auto=format&n=42uxo0ok5O8ITXRT&q=85&s=0eb267c3aae7fa8077cf25a00dd86600" alt="Organization settings showing name, slug, and status of AI, RBAC, and SCIM features" title="Organization settings with AI, RBAC, SCIM" width="2796" height="1902" data-path="images/studio/sso/organization-settings-with-ai-rbac-scim.png" />
    </Frame>
  </Step>

  <Step>
    Give the connection a name, paste the **OpenID Connect metadata document** URL copied before into the **Discovery Endpoint** field, paste the **Client ID** and **Client secret** copied before into the **Client ID** and **Client Secret** fields respectively, and then click on **Connect**.

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc/42uxo0ok5O8ITXRT/images/studio/sso/connect-openid-provider-for-organization.png?fit=max&auto=format&n=42uxo0ok5O8ITXRT&q=85&s=0dad92f93544f88a8d74d1a28190d770" alt="Connecting OpenID Connect provider for specific organization in Cosmo Docs" title="Connect OpenID provider for organization" width="1536" height="856" data-path="images/studio/sso/connect-openid-provider-for-organization.png" />
    </Frame>
  </Step>

  <Step>
    Configure the mapping between the roles in Cosmo and the groups in Microsoft Entra. The field **Group in the provider** must be populated with the **Object ID** of a group from Entra. Once all the mappers are configured, click on **Save**. Every member of those groups will get the respective configured role.

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc/42uxo0ok5O8ITXRT/images/studio/sso/configure-group-mappers-for-roles.png?fit=max&auto=format&n=42uxo0ok5O8ITXRT&q=85&s=604565f0852e2c98b98f1cb71935554b" alt="Group mapper configuration showing Cosmo role and provider group fields" title="Configure group mappers for roles" width="1536" height="841" data-path="images/studio/sso/configure-group-mappers-for-roles.png" />
    </Frame>

    <br />

    <Frame caption="Object ID of the groups in Entra">
      <img src="https://mintcdn.com/wundergraphinc/42uxo0ok5O8ITXRT/images/studio/sso/groups-list-in-microsoft-entra.png?fit=max&auto=format&n=42uxo0ok5O8ITXRT&q=85&s=5066e63dd8e3171029001510904848b9" alt="Microsoft Entra admin center showing two groups with object IDs listed" title="Groups list in Microsoft Entra" width="2304" height="1254" data-path="images/studio/sso/groups-list-in-microsoft-entra.png" />
    </Frame>
  </Step>

  <Step>
    Copy the sign-in and sign-out redirect URIs displayed in the dialog.

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc/42uxo0ok5O8ITXRT/images/studio/sso/oidc-provider-configuration-steps.png?fit=max&auto=format&n=42uxo0ok5O8ITXRT&q=85&s=d718f9c21acd7a37d4cc98740d77172e" alt="Steps to configure OIDC provider with sign-in and sign-out redirect URLs" title="OIDC provider configuration steps" width="2784" height="1848" data-path="images/studio/sso/oidc-provider-configuration-steps.png" />
    </Frame>
  </Step>

  <Step>
    Navigate back to the **App registrations** page and, in the **All applications** tab, select the app you created.
  </Step>

  <Step>
    Click on **Add a redirect URI**, then click on **Add a platform**, select **Web** and paste the sign-in and sign-out redirect URIs into the **Redirect URIs** and **Front-channel logout URL** fields respectively.

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc/42uxo0ok5O8ITXRT/images/studio/sso/add-redirect-uri-in-azure-ad-registration.png?fit=max&auto=format&n=42uxo0ok5O8ITXRT&q=85&s=c94b9786b31ce848932f1a624b651d5e" alt="Azure AD registration page highlighting Add Redirect URI button" title="Add Redirect URI in Azure AD registration" width="2304" height="1258" data-path="images/studio/sso/add-redirect-uri-in-azure-ad-registration.png" />
    </Frame>
  </Step>

  <Step>
    Select **ID tokens** and then click on **Configure**.
  </Step>

  <Step>
    Now navigate to **Token configuration** and click on **Add groups claim**.
  </Step>

  <Step>
    Select **Security groups**, expand **ID**, select **Group ID** and click on **Add**.

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc/42uxo0ok5O8ITXRT/images/studio/sso/token-configuration-with-group-claims.png?fit=max&auto=format&n=42uxo0ok5O8ITXRT&q=85&s=2ba113210d5e024d60832f251d1b13eb" alt="Microsoft Entra Token configuration showing Security groups claim with Group ID option" title="Token configuration with group claims" width="2304" height="1188" data-path="images/studio/sso/token-configuration-with-group-claims.png" />
    </Frame>
  </Step>

  <Step>
    Navigate to **API permissions** and click on **Add a permission**.

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc/Izr6l8-Us4FS_rh8/images/studio/sso/add-microsoft-graph-api-permissions.png?fit=max&auto=format&n=Izr6l8-Us4FS_rh8&q=85&s=1126b1ec4a711e3df0981a112a5fbabd" alt="Microsoft Entra API permissions section for adding Microsoft Graph API access" title="Add Microsoft Graph API permissions" width="2304" height="1187" data-path="images/studio/sso/add-microsoft-graph-api-permissions.png" />
    </Frame>
  </Step>

  <Step>
    Click on **Microsoft Graph**, then on **Delegated permissions**, select **email**, **openid** and **profile**, and then click on **Add permissions**.
  </Step>

  <Step>
    Now you can assign users and groups to the application; only those users will be able to log in to Cosmo using the URL provided when the provider was set up.

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc/42uxo0ok5O8ITXRT/images/studio/sso/add-user-or-group-in-entra.png?fit=max&auto=format&n=42uxo0ok5O8ITXRT&q=85&s=71fe8e8624012f3407c1e4c561ea029c" alt="Microsoft Entra Users and groups section showing Add user/group button" title="Add user or group in Entra" width="2304" height="1254" data-path="images/studio/sso/add-user-or-group-in-entra.png" />
    </Frame>
  </Step>
</Steps>
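As an added example (not code from Cosmo or Microsoft), the check below shows how the groups claim added under **Token configuration** and the group mappers configured in Cosmo fit together: it decodes a constructed ID token, maps the group Object IDs in its `groups` claim to Cosmo roles, and fails closed when the claim is missing, when Entra has replaced it with its overage markers (users in many groups), or when the user has no email (see the note below). The role mapping, group Object IDs and token contents are placeholders.

```python
import base64
import json

# Constructed role mappers: Cosmo role -> Entra group Object ID.
# The Object IDs are placeholders, not real groups.
ROLE_MAPPERS = {
    "admin": "00000000-0000-0000-0000-00000000aaaa",
    "developer": "00000000-0000-0000-0000-00000000bbbb",
}

# When a user belongs to more groups than fit in the token, Entra omits the
# groups claim and emits these overage markers instead of the group IDs.
OVERAGE_KEYS = ("_claim_names", "_claim_sources", "hasgroups")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT so the check can run offline."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig"


def decode_jwt_payload(token: str) -> dict:
    """Decode a JWT payload for inspection only; no signature check is done here.
    Trust in a real token comes from validating it against the provider's
    jwks_uri, which Cosmo resolves from the discovery endpoint."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def roles_for_claims(claims: dict) -> list[str]:
    """Return the Cosmo roles a user would receive from the groups claim.
    Fails closed: a missing claim, an overage marker or a missing email raises
    instead of silently granting no (or the wrong) roles."""
    if any(key in claims for key in OVERAGE_KEYS):
        raise ValueError("groups overage: token lists no group IDs")
    groups = claims.get("groups")
    if not isinstance(groups, list):
        raise ValueError("no groups claim; add it under Token configuration")
    if not claims.get("email"):
        raise ValueError("user has no email; Cosmo requires one")
    return sorted(role for role, gid in ROLE_MAPPERS.items() if gid in groups)
```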

<Info>
  Please make sure that the users added to the application have an email address.

  Steps to add a user:

  <Steps>
    <Step>
      Navigate to **Users/All users**, click on **New user** and then click on **Create a new user**.

      <Frame>
        <img src="https://mintcdn.com/wundergraphinc/42uxo0ok5O8ITXRT/images/studio/sso/create-new-user-in-entra.png?fit=max&auto=format&n=42uxo0ok5O8ITXRT&q=85&s=be00abc50a3428ec1230b9be14114d8d" alt="Microsoft Entra Users section highlighting Create new user option" title="Create new user in Entra" width="2304" height="1254" data-path="images/studio/sso/create-new-user-in-entra.png" />
      </Frame>
    </Step>

    <Step>
      Provide the user principal name, the display name and then click on **Next**.

      <Frame>
        <img src="https://mintcdn.com/wundergraphinc/42uxo0ok5O8ITXRT/images/studio/sso/create-new-user-form-in-entra.png?fit=max&auto=format&n=42uxo0ok5O8ITXRT&q=85&s=596cae7d9e5deca8e4f91d99aa66cfce" alt="Create new user dialog in Microsoft Entra with principal name and display fields" title="Create new user form in Entra" width="2304" height="1251" data-path="images/studio/sso/create-new-user-form-in-entra.png" />
      </Frame>
    </Step>

    <Step>
      Provide the first name (optional) and the last name (optional).
    </Step>

    <Step>
      Provide the email of the user (**required**).

      <Frame>
        <img src="https://mintcdn.com/wundergraphinc/42uxo0ok5O8ITXRT/images/studio/sso/new-user-creation-form-in-entra.png?fit=max&auto=format&n=42uxo0ok5O8ITXRT&q=85&s=0c1d1ddec82e1f421931d2df71eb9d6b" alt="Microsoft Entra Identity section for new user creation with name and email fields" title="New user creation form in Entra" width="2304" height="1185" data-path="images/studio/sso/new-user-creation-form-in-entra.png" />
      </Frame>
    </Step>

    <Step>
      Then click on **Next** and assign the user to the groups according to your needs.
    </Step>
  </Steps>
</Info>
