Microsoft Entra ID (formerly Azure Active Directory)

Following the OAuth 2.0 standard, ModelOp Center requires the following Microsoft Entra ID configurations for a successful integration:

  1. App registrations*

    1. gateway-service

      1. Required app

    2. internal-client

      1. Required app

    3. external-integration-client

      1. Optional app

    4. go-cli

      1. Optional app

  2. Scopes

    1. custom_scope

  3. App roles

    1. modelop_client

  4. Access token version: 2

*When registering a new app, ensure you use the "App registrations" option under the “Applications” menu, and not the "Enterprise applications" option. Each option provides different settings, and selecting the wrong one will prevent you from completing the configuration successfully.

Proposed Application Name | Platform Type | Client Secret Required | Scopes & API Permissions | App Roles & API Permissions | Token Claims | Redirect URIs | Token version | Other

gateway-service

(Used in client-to-business authentication)

  • Platform Type: Web

  • Scopes & API Permissions: custom_scope

  • App Roles & API Permissions: None

  • Token Claims: family_name, given_name, preferred_username, email, groups (Enable the aforementioned claims for both ID and Access tokens)

  • Redirect URIs: https://<ModelOp Center URL>/login/oauth2/code/gateway-service

  • Token version: 2

internal-client

(Used in business-to-business authentication)

  • Platform Type: None. Leave it blank

  • Scopes & API Permissions: Group.Read.All*

  • App Roles & API Permissions: modelop_client

  • Token Claims: idtyp

  • Redirect URIs: None

  • Token version: 2

  • Other:

*The Group.Read.All permission for Microsoft Graph is necessary only if a customer is unable to include the group names, instead of group IDs, as part of the access token. With the Group.Read.All permission granted, ModelOp Center will be able to retrieve the group names from Microsoft Graph and display them instead of their IDs throughout the platform. For details on how to grant the Group.Read.All permission, please refer to the Microsoft Entra ID: How-to guide.

Once the internal-client app has been created, please open the “Overview” tab for the app and click on:

  • “Application ID URI” (top center)

  • “Add”

  • “Save” the suggested Application ID URI.

external-integration-client

(Used in client-to-business authentication)

  • Platform Type:

    1. Single-page application

    2. Mobile and desktop applications

  • Scopes & API Permissions: custom_scope

  • App Roles & API Permissions: None

  • Token Claims: family_name, given_name, preferred_username, email, groups

  • Redirect URIs:

    1. Single-page application:

      1. https://<ModelOp Center URL>/jupyterOauth2ImplicitGrant.html

      2. https://<ModelOp Center URL>/modelOpWDC.html

    2. Mobile and desktop applications:

      1. https://oauth.powerbi.com/views/oauthredirect.html

  • Token version: 2

  • Other: Open the “Authentication” tab and, under “Implicit grant and hybrid flows”, check these boxes as the types of tokens that will be issued by the authorization endpoint for this particular app:

    • Access tokens (used for implicit flows)

    • ID tokens (used for implicit and hybrid flows)

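go-cli

(Used in client-to-business authentication)

  • Platform Type: None. Leave it blank

  • Scopes & API Permissions: custom_scope

  • App Roles & API Permissions: None

  • Token Claims: family_name, given_name, preferred_username, email, groups

  • Redirect URIs: None

  • Token version: 2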

Microsoft Entra ID Guide

For instructions on how to create custom_scope and modelop_client, and how to set the access token version, please follow the Microsoft Entra ID: How-to guide.
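A quick diagnostic for the settings listed on this page, as an added example that is not ModelOp Center or Microsoft code: it decodes an access token's payload and reports where it deviates from the per-app expectations above. It assumes Entra's standard claim names (ver, scp, roles, idtyp); the function names and sample tokens are constructed for illustration, and the signature is not verified, so it is for inspection only.

```python
import base64
import json

# Claims this page asks to enable for the user-facing apps.
USER_CLAIMS = ("family_name", "given_name", "preferred_username", "email", "groups")

def decode_payload(jwt):
    """Return the JWT payload as a dict. No signature check: diagnostics only."""
    body = jwt.split(".")[1]
    body += "=" * (-len(body) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(body))

def check_token(claims, app):
    """List the ways `claims` deviates from this page's settings for `app`."""
    problems = []
    if claims.get("ver") != "2.0":  # Entra v2 access tokens carry ver="2.0"
        problems.append(f"ver={claims.get('ver')!r}, expected '2.0'")
    if app == "internal-client":  # business-to-business (app-only) token
        if "modelop_client" not in claims.get("roles", []):
            problems.append("roles lacks modelop_client")
        if claims.get("idtyp") != "app":
            problems.append("idtyp is not 'app'")
    else:  # gateway-service, external-integration-client, go-cli
        if "custom_scope" not in claims.get("scp", "").split():
            problems.append("scp lacks custom_scope")
        problems += [f"missing claim {c}" for c in USER_CLAIMS if c not in claims]
    return problems

def _make_jwt(claims):
    """Build an unsigned, constructed sample token (assumption: demo input only)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT'})}.{enc(claims)}.constructed"

# Constructed samples, not real tokens.
SAMPLE_APP = _make_jwt({"ver": "2.0", "idtyp": "app", "roles": ["modelop_client"]})
SAMPLE_USER_V1 = _make_jwt({
    "ver": "1.0", "scp": "custom_scope", "family_name": "Doe", "given_name": "Jane",
    "preferred_username": "jane@example.com", "email": "jane@example.com",
})

if __name__ == "__main__":
    print(check_token(decode_payload(SAMPLE_APP), "internal-client"))
    print(check_token(decode_payload(SAMPLE_USER_V1), "gateway-service"))
```

The second sample reports both a version 1 token and a missing groups claim, the two settings most easily left unset in the app registration.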