Microsoft Entra ID: How-to

Owned by Dave Trier
Last updated: Aug 02, 2024 by Blagica
1 min read

Create a custom scope

Normally, access tokens issued by Microsoft Entra ID are issued for Microsoft Graph. However, ModelOp Center requires that the access tokens requested with the following apps be issued for the apps themselves and not Microsoft Graph: gateway-service, internal-client, external-integration-client, and go-cli.

To have Microsoft Entra ID issue tokens for the aforementioned apps, each app needs a custom scope. For example, custom_scope as the name of the scope.

To create the custom scope, follow these steps for each app:

  1. Open the app registration

  2. Expand “Manage” menu

  3. Open “Expose an API” tab

  4. Click “Add a scope”

    1. Scope name: custom_scope

    2. Who can consent? Admins and users

    3. Admin consent display name: custom_scope

    4. Admin consent description: A custom ModelOp Center scope

    5. User consent display name:

    6. User consent description:

    7. State: Enabled

Once the custom scope is created, it has to be added as a permission on each ModelOp Center app, except for internal-client, and admin consent must be granted for the app to be able to use it:

  1. Open the app registration

  2. Expand “Manage” menu

  3. Open “API permissions” tab

  4. Click “Add a permission”

    1. Click “APIs my organization uses”

    2. Search for the app by name. For example, “gateway-service”. Select the app

    3. Click “Delegated permissions”

    4. Select custom_scope

  5. Click “Grant admin consent for _”

Create an app role

To create an app role for a given app, follow these steps:

  1. Open the app registration

  2. Expand “Manage” menu

  3. Click “App roles”

  4. Click “Create app role”

    1. Display name: modelop_client

    2. Allowed member types: Applications

    3. Value: modelop_client

    4. Description: This role is used to distinguish between OAuth2 clients and end users in ModelOp Center

Once the app role is created, it has to be added as a permission on the internal-client app, and admin consent must be granted for the app to be able to use it:

  1. Open the app registration

  2. Expand “Manage” menu

  3. Open “API permissions” tab

  4. Click “Add a permission”

    1. Click “APIs my organization uses”

    2. Search for the app by name. For example, “internal-client”. Select the app

    3. Click “Application permissions”

    4. Select modelop_client

  5. Click “Grant admin consent for _”

Set the access token version

To set the version of the access token, follow these steps for each app:

  1. Open the app registration

  2. Expand “Manage” menu

  3. Open “Manifest” tab

  4. Ensure field "accessTokenAcceptedVersion" is set to 2. For example: "accessTokenAcceptedVersion": 2

  5. Click “Save”

Grant Group.Read.All permission for Microsoft Graph

In case ModelOp Center needs to display users' group names, permission Group.Read.All must be granted by following these steps:

  1. Open the internal-client app registration

  2. Expand “Manage” menu

  3. Open “API permissions” tab

  4. Click “Add a permission”

    1. Click “Microsoft APIs” and select “Microsoft Graph”

    2. Click “Application permissions”

    3. For the “Group” dropdown menu, select “Group.Read.All”

    4. Click “Add permissions”