Following the OAuth 2.0 standard, ModelOp Center requires the following Azure AD Microsoft Entra ID configurations for a successful integration:
AppsApp registrations*
gateway-service
internal-client
external-integration-client
go-cli
Scopes
custom_scope
App roles
modelop_client
Access token version: 2
| Note |
|---|
*When registering a new app, ensure you use the "App registrations" option under the “Applications” menu, and not the "Enterprise applications" option. Each option provides different settings, and selecting the wrong one will prevent you from completing the configuration successfully. |
Proposed | Platform Type | Client | Scopes & API Permissions | App Roles & API Permissions | Token Claims | Redirect URIs | ||
|---|---|---|---|---|---|---|---|---|
gateway-service |
| ✔ | Authorization | openid profile |
|
|
| |
internal-client | ✔ Client |
|
|
| ||||
external-integration-client |
Implicit AuthorizationCode with PKCE |
|
|
| ||||
go-cli | ✔ Password |
|
|
**The Group.Read.All permission for Microsoft Graph is necessary only if a customer is unable to include the group names, instead of group ids, as part of the access token. With Group.Read.All permission granted, ModelOp Center will be able to retrieve the group names from Microsoft Graph and display them instead of their ids throughout the platform. For details on how to grant permission Group.Read.All, please refer to Azure AD Microsoft Entra ID: How-to guide.
NOTE: Once the internal-client app has been created, please open the “Overview” tab for the app and click on:
"Add an Application ID URI"
“Set”
“Save” the suggested Application ID URI.
...
Microsoft Entra ID Guide
For instructions on how to create custom_scopeand modelop_client, and how to set the access token version, please follow the Azure AD Microsoft Entra ID: How-to guide.