Introduction

This page guides you through the steps to set up an application in the Azure AD portal and grant the permissions needed for user sync and SSO login.

Requirements

  • An account on the Azure AD portal with sufficient permissions to register applications

Setup

Register an application in the Azure AD portal

#1 - Sign in to the Azure AD portal

#2 - Select App registrations > New registration.
Register a new application

#3 - Enter the registration information for the Spencer application and click Register:

  1. Name: Enter a meaningful application name
  2. Supported account types: Select Accounts in this organizational directory only
  3. Redirect URI: Select Web - and fill in the redirect URI:
    https://spencerlogin.b2clogin.com/spencerlogin.onmicrosoft.com/oauth2/authresp

#4 - Share the Directory ID (orange) and the Application ID (yellow) with Spencer.


Add a certificate

This step is only required when setting up the user sync via the Graph API.


#1 - Spencer generates a certificate and shares it with the customer, who installs it in the Azure AD portal.
The certificate is generated by Spencer, not by the customer. The steps below are included for transparency, to show how Spencer generates the certificates.

  1. Generate the certificate and private key
    openssl req -nodes -new -x509 -keyout {client}-{environment}.key -out {client}-{environment}.pem -days 365

  2. Generate the fingerprint (-noout prints only the fingerprint, not the certificate itself)
    openssl x509 -noout -fingerprint -in {client}-{environment}.pem

      1. Remove the ':' characters from the fingerprint and convert the remaining hexadecimal bytes to Base64, for example with https://cryptii.com/base64-to-hex using the “Base64 (RFC 3548, RFC 4648)” variant.

      2. The output of this conversion is the Base64 certificate thumbprint that needs to be configured in the back-office.
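The same derivation as a local script, added here as an example (it is not Spencer's own tooling): it reproduces the certificate and Base64-thumbprint steps with openssl and POSIX sh, so the fingerprint never has to be pasted into a web converter. The client and environment names are hypothetical, and the resulting Base64 value is checked to be the 28 characters a 20-byte SHA-1 thumbprint must encode to.

```sh
#!/bin/sh
# Added example, not Spencer's own tooling. Client/environment names are
# hypothetical; file names follow the {client}-{environment}.* convention.
set -eu

# Step 1: self-signed certificate and private key.
gen_cert() {
  client=$1; env=$2
  openssl req -nodes -new -x509 -subj "/CN=${client}-${env}" \
    -keyout "${client}-${env}.key" -out "${client}-${env}.pem" -days 365 2>/dev/null
}

# Step 2: SHA-1 fingerprint as openssl prints it, e.g. "AB:CD:...:EF".
fingerprint_hex() {
  openssl x509 -noout -fingerprint -sha1 -in "$1" | sed 's/^[^=]*=//'
}

# Standard Base64 (RFC 4648), using whichever encoder is installed.
b64() {
  if command -v base64 >/dev/null 2>&1; then base64; else openssl base64; fi
}

# Steps 2.1/2.2: strip ':' and Base64-encode the raw fingerprint bytes.
# Each hex pair is written as one byte through a printf octal escape.
hex_to_base64() {
  hex=$(printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F')
  for pair in $(printf '%s\n' "$hex" | fold -w2); do
    printf "\\$(printf '%03o' "0x$pair")"
  done | b64
}

# Full thumbprint derivation for one certificate file.
thumbprint_base64() {
  hex_to_base64 "$(fingerprint_hex "$1")"
}

# Sanity check: a SHA-1 thumbprint is 20 bytes, i.e. 28 Base64 characters.
check_thumbprint() {
  [ "${#1}" -eq 28 ]
}

# Usage: gen_cert acme staging && thumbprint_base64 acme-staging.pem
```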

#2 - The customer uploads the certificate provided by Spencer.

Note: Spencer will provide a certificate for each required environment (staging, demo, production), named {client}-{environment}.cert. Make sure you add the staging certificate to the staging Spencer Azure AD application and the production certificate to the production Azure AD application.

Create a client secret

From the app's Overview page, select the Certificates & secrets section.

Click New client secret. Add a description. Select expires Never and click Add.

Copy the client secret and share it with Spencer.
(Note: the secret value is shown only once, immediately after creation; it cannot be retrieved from the portal later.)

Grant Permissions

Grant the following API permissions to the Spencer Azure AD application to enable user sync and SSO.

  Feature     API                  Permissions type   Permissions
  User sync   Microsoft Graph API  Application        User.Read.All
  SSO         Microsoft Graph API  Application        profile
  SSO         Microsoft Graph API  Application        email or upn


Make sure all Spencer test accounts are included in your Azure AD directory, and share a list of these test accounts with Spencer.
(Spencer requires at least one test account; two or more are preferred for efficient development and testing. If Spencer end users come in different types or roles, such as employee and manager, share at least one account per type or role.)