Introduction
This page guides you through the steps to set up an application in Azure AD Portal and grant the permissions to facilitate user sync and SSO-login.
- Requirements
- Setup
- Grant Permissions
- Which fields are synced
Requirements
- An account on Azure AD Portal with enough permissions to register applications
Setup
Register an application in the Azure AD portal
#1 - Sign in to the Azure AD portal.
#2 - Select App registrations > New registration.
#3 - Enter the registration information for the Spencer application and click Register:
- Name: Enter a meaningful application name
- Supported account types: Select Accounts in this organizational directory only
- Redirect URI: Select Web - and fill in the redirect URI:
https://spencerlogin.b2clogin.com/spencerlogin.onmicrosoft.com/oauth2/authresp
#4 - Share the Directory (tenant) ID and the Application (client) ID, both shown on the app's Overview page, with Spencer.
Add a certificate
This step is only required when setting up the user sync via the Graph API.
#1 - Spencer generates a certificate and shares it with the customer, who installs it in the Azure AD portal.
The certificate is generated by Spencer, not by the customer. The commands below are shown for transparency, to illustrate how we generate it.
- Generate the certificate (a self-signed X.509 certificate valid for 365 days, with an unencrypted private key):

```sh
# Self-signed certificate plus unencrypted private key; openssl prompts for the subject fields
openssl req -nodes -new -x509 -keyout {client}-{environment}.key -out {client}-{environment}.pem -days 365
```

- Generate the fingerprint:

```sh
# Print only the fingerprint (SHA-1 by default); -noout suppresses echoing the certificate itself
openssl x509 -noout -fingerprint -in {client}-{environment}.pem
```

Remove the ':' characters from the fingerprint and convert the remaining hexadecimal bytes to Base64, for example with https://cryptii.com/base64-to-hex using "Base64 (RFC 3548, RFC 4648)". Note that the conversion is of the raw bytes, not of the hex text.
The output of this conversion is the Base64 certificate thumbprint that needs to be configured in the back-office.
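The fingerprint-to-thumbprint conversion above is easy to get wrong (Base64-encoding the hex text instead of the decoded bytes gives a value that looks valid but never matches). The following is an added example, not part of Spencer's own tooling, that performs the conversion locally with the Python standard library: `fingerprint_to_base64` takes the line printed by `openssl x509 -fingerprint` and returns the Base64 thumbprint, and `thumbprint_from_pem` computes the same value straight from the PEM file. The PEM and fingerprint inputs are constructed stand-ins, not real certificates.

```python
import base64
import binascii
import hashlib
import re

# Constructed input, not a real certificate: the "SHA1 Fingerprint=" line that
# openssl prints, with the bytes 0x00..0x13 standing in for a real digest.
SAMPLE_FINGERPRINT_LINE = (
    "SHA1 Fingerprint=00:01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13"
)

# Constructed stand-in for a PEM file: arbitrary bytes wrapped in PEM armour.
# A real file would contain the DER-encoded certificate instead.
CONSTRUCTED_DER = b"constructed stand-in bytes, not a real DER certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(CONSTRUCTED_DER).decode("ascii")
    + "\n-----END CERTIFICATE-----\n"
)


def fingerprint_to_base64(fingerprint_line: str) -> str:
    """Convert an openssl fingerprint line (or a bare AA:BB:CC... string) into the
    Base64 thumbprint format expected by the back-office configuration."""
    # Drop an optional "SHA1 Fingerprint=" / "sha256 Fingerprint=" prefix.
    hex_part = fingerprint_line.split("=", 1)[-1].strip()
    hex_clean = hex_part.replace(":", "")
    if not re.fullmatch(r"[0-9A-Fa-f]+", hex_clean) or len(hex_clean) % 2:
        raise ValueError("fingerprint is not a valid hexadecimal byte string")
    raw = binascii.unhexlify(hex_clean)
    # SHA-1 digests are 20 bytes, SHA-256 digests 32; anything else means the
    # input was truncated or pasted incorrectly.
    if len(raw) not in (20, 32):
        raise ValueError(f"unexpected digest length of {len(raw)} bytes")
    return base64.b64encode(raw).decode("ascii")


def _pem_to_der(pem_text: str) -> bytes:
    """Strip the PEM armour lines and Base64-decode the body to DER bytes."""
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    body = "".join(line for line in lines if line and not line.startswith("-----"))
    return base64.b64decode(body)


def openssl_style_fingerprint(pem_text: str) -> str:
    """Reproduce the 'SHA1 Fingerprint=AA:BB:...' line openssl prints for a PEM
    file (SHA-1 over the DER bytes, upper-case hex, colon separated)."""
    digest = hashlib.sha1(_pem_to_der(pem_text)).digest()
    return "SHA1 Fingerprint=" + ":".join(f"{b:02X}" for b in digest)


def thumbprint_from_pem(pem_text: str) -> str:
    """Compute the Base64 SHA-1 thumbprint directly from a PEM file, skipping
    the openssl fingerprint step and the web-based hex-to-Base64 conversion."""
    digest = hashlib.sha1(_pem_to_der(pem_text)).digest()
    return base64.b64encode(digest).decode("ascii")


if __name__ == "__main__":
    print(fingerprint_to_base64(SAMPLE_FINGERPRINT_LINE))
    print(thumbprint_from_pem(SAMPLE_PEM))
```

Both paths must agree for the same file; if the thumbprint computed from the PEM differs from the one derived from the pasted fingerprint, the fingerprint was copied from a different certificate or environment, which is the mix-up the staging/production note below warns about.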
#2 - The customer uploads the certificate provided by Spencer.
Note: Spencer provides a certificate for each required environment (staging, demo, production), named {client}-{environment}.cert. Make sure you add the staging certificate to the staging Spencer Azure AD application and the production certificate to the production Azure AD application.
Create a client secret
From the app's Overview page, select the Certificates & secrets section.
Click New client secret, add a description, set Expires to Never and click Add.
Copy the client secret value and share it with Spencer.
(Note: the secret value is only displayed once and cannot be retrieved after its initial creation.)
Grant Permissions
Grant the following API permissions to the Spencer Azure AD application to sync users.
| Feature | API | Permissions type | Permissions |
|---|---|---|---|
Make sure all Spencer test accounts are included in your Azure AD directory. Share a list of these test accounts with Spencer.
(At minimum Spencer requires 1 test account; we prefer two or more accounts for efficient development and testing. If Spencer end-users come in different types/roles, such as employee/manager, please make sure to share at least 1 account per type/role.)