This page guides you through the steps of how to set up an application in the Microsoft Azure portal and how to grant the necessary permissions to facilitate Single Sign-On and user synchronization via the Microsoft Graph API. To register a new application you need an account on Azure with enough permissions within your organization.
Set up an application
Step 1 – Register an application in the Azure AD portal
#1 — Go to portal.azure.com and sign in to the Azure portal
#2 — Select 'App registrations' in the side menu > Click 'New registration' on top
#3 — Provide the required app information and click 'Register' at the bottom of the page:
Name: Enter a meaningful application name
Supported account types: Select 'Accounts in this organizational directory only'
Redirect URI: Select 'Web' and fill in the following redirect URI: https://spencerlogin.b2clogin.com/spencerlogin.onmicrosoft.com/oauth2/authresp
#4 — Share the Directory (tenant) ID and the Application (client) ID with Spencer
Troubleshooting:
In some cases it might be necessary to explicitly add the optional claim UPN to the ID token. This is done as follows:
Go to 'App registrations' and open your application
Select 'Token configuration'
Click the 'Add optional claim' button
Select the token type 'ID'
Select 'upn' and add the claim
Step 2 – Add a certificate (for user sync)
🚨 This step is only required when setting up the user synchronization via the MS Graph API.
#1 — Spencer will generate and share a certificate for you to upload to the Azure portal. Generating the certificate is done by the Spencer IT team.
To be fully transparent you can see how we generate the certificates below.
Generate certificate — Generic
openssl req -nodes -new -x509 -keyout {client}-{environment}.key -out {client}-{environment}.pem -days 365
Generate fingerprint — Generic
openssl x509 -fingerprint -in {client}-{environment}.pem
Remove the ':' characters from the fingerprint and convert the hexadecimal bytes to Base64, for example with https://cryptii.com/base64-to-hex set to “Base64 (RFC 3548, RFC 4648)”.
The output of this conversion provides you with a Base64 certificate thumbprint that needs to be configured in the back office.
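The hex-to-Base64 step above can also be done locally, without pasting the fingerprint into a third-party site. The script below is an added example, not Spencer's tooling: it reproduces what `openssl x509 -fingerprint` computes over the PEM file (a digest of the DER bytes, SHA-1 by default) and converts the result to the Base64 thumbprint; SAMPLE_PEM is a constructed stand-in, not a real certificate, and the function names are this example's own.

```python
import base64
import hashlib
import re

# Matches the openssl output line in either capitalisation, e.g. "SHA1 Fingerprint=AB:CD:...".
_FP_LINE = re.compile(r"^\s*[A-Za-z0-9-]+\s+Fingerprint=(?P<hex>[0-9A-Fa-f:]+)\s*$")

# Constructed stand-in for {client}-{environment}.pem; NOT a real X.509 certificate.
_SAMPLE_DER = b"constructed stand-in bytes, not a real certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(_SAMPLE_DER).decode("ascii")
    + "\n-----END CERTIFICATE-----\n"
)


def fingerprint_from_pem(pem_text: str, algorithm: str = "sha1") -> str:
    """Colon-separated hex fingerprint, as printed by `openssl x509 -fingerprint`.

    The digest is computed over the DER bytes, i.e. the Base64 body between the
    BEGIN/END CERTIFICATE markers; the default digest for that command is SHA-1.
    """
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S
    )
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    der = base64.b64decode("".join(match.group(1).split()), validate=True)
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def thumbprint_from_fingerprint(fingerprint: str) -> str:
    """Convert the hex fingerprint to the Base64 thumbprint the back office expects.

    Takes either the bare "AB:CD:..." value or the whole openssl output line.
    A SHA-1 fingerprint is 20 bytes (SHA-256: 32); anything else means the value
    was truncated or mis-pasted, so it is rejected instead of silently encoded.
    """
    line = _FP_LINE.match(fingerprint)
    hex_part = line.group("hex") if line else fingerprint.strip()
    raw = bytes.fromhex(hex_part.replace(":", ""))  # also rejects non-hex input
    if len(raw) not in (20, 32):
        raise ValueError(f"unexpected fingerprint length: {len(raw)} bytes")
    return base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    fp = fingerprint_from_pem(SAMPLE_PEM)
    print(fp)
    print(thumbprint_from_fingerprint(fp))
```

Replace SAMPLE_PEM with the contents of the real {client}-{environment}.pem file; the printed fingerprint should match the openssl output before you trust the thumbprint.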
#2 — Upload the certificate provided by Spencer
Step 3 – Create a client secret
#1 — Go to the app's overview page and select 'Certificates & secrets' in the sidebar menu.
#2 — Click the 'New client secret' button. Add a description and select the maximum expiry period.
Important: Record the end date of the expiry period in a shared calendar and pass it on to your Spencer contact as well, because Azure will not notify you when the secret expires.
Click 'Add'.
#3 — Copy the client secret and share it with Spencer
Important: You can only copy the client secret right after it has been created; it cannot be retrieved later.
Grant the correct permissions
Grant the following API permissions to the Spencer Azure application to sync users:
Make sure all Spencer test accounts are included in your Azure AD and share a list of these test accounts with Spencer. At least one test account is required; we prefer two or more accounts for efficient development and testing (e.g. an employee and a manager).