Microsoft Entra ID Integration
Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud-based identity and access management service. This guide walks you through setting up Microsoft Entra ID as your Identity Provider with the Tailor Platform Auth service using OIDC.
Prerequisites
- An active Microsoft Entra ID tenant with admin privileges
- A Tailor Platform workspace with Auth service enabled
- Basic understanding of OIDC protocols
Setting up Microsoft Entra ID for OIDC
Step 1: Register an Application in Entra ID
- Sign in to the Microsoft Entra admin center
- Navigate to App registrations
- Click New registration
- Configure your application:
- Name: Your application name (e.g., "Tailor Platform App")
- Supported account types: Choose based on your requirements
- Accounts in this organizational directory only (Single tenant)
- Accounts in any organizational directory (Multi-tenant)
- Redirect URI: Select Web and add:
https://{your-app-domain}/oauth2/callback
- Click Register
Step 2: Configure Application Settings
After registration, configure the following settings:
Authentication:
- Go to Authentication in the left menu
- Under Redirect URIs, ensure your callback URL is correctly configured
- On the Settings tab, under Implicit grant and hybrid flows, enable:
- ID tokens (used for sign-in)
- Click Save
Certificates & secrets:
- Go to Certificates & secrets in the left menu
- Click New client secret
- Add a description and choose expiration period
- Click Add and copy the secret value immediately
Step 3: Get Application Information
Note down the following information from the Overview page:
- Application (client) ID: Your client ID
- Directory (tenant) ID: Your tenant ID
- Client secret: The secret value you created
Step 4: Configure API Permissions (Optional)
If you need additional user information:
- Go to API permissions
- Click Add a permission
- Select Microsoft Graph
- Choose Delegated permissions
- Add permissions like:
- User.Read (to read user profile)
- email (to access email address)
- profile (to access basic profile information)
- Click Grant admin consent if required
Configuring Auth Service
Once your Entra ID application is set up, configure the Auth service in your Tailor Platform application:
```hcl
resource "tailor_auth" "main_auth" {
  workspace_id = var.workspace_id
  namespace    = "main-auth"
}

# OIDC Configuration for Microsoft Entra ID
resource "tailor_auth_idp_config" "entra_id_oidc" {
  workspace_id = var.workspace_id
  namespace    = tailor_auth.main_auth.namespace
  name         = "entra-id-oidc"

  oidc_config = {
    client_id = var.entra_id_client_id
    client_secret = {
      vault_name  = tailor_secretmanager_vault.default.name
      secret_name = tailor_secretmanager_secret.entra_id_client_secret.secret_name
    }
    # Replace {tenant-id} with the Directory (tenant) ID noted in Step 3
    provider_url = "https://login.microsoftonline.com/{tenant-id}/v2.0"
  }
}

# Secret for storing Entra ID client secret
resource "tailor_secretmanager_secret" "entra_id_client_secret" {
  workspace_id     = var.workspace_id
  vault_name       = tailor_secretmanager_vault.default.name
  name             = "entra-id-client-secret"
  value_wo         = var.entra_id_client_secret # write-only argument: not persisted in Terraform state
  value_wo_version = 1
}
```
Testing the Integration
After configuring both Entra ID and the Auth service:
- Deploy your Tailor Platform application
- Create users in Entra ID and add them to the Tailor Platform
- Log in to your application using the Tailor CLI
- You should be redirected to Microsoft Entra ID for authentication
- After successful authentication, you'll be redirected back to your application
Troubleshooting
Common Issues
Invalid Redirect URI
- Ensure the redirect URI in Entra ID matches exactly what's configured in your Auth service
- Check for trailing slashes and protocol mismatches (http vs https)
Invalid Client Credentials
- Verify your client ID and client secret are correct
- Ensure the client secret hasn't expired
- Check that the secret is properly stored in your secret manager
Tenant Configuration Issues
- Verify the tenant ID in your provider URL is correct
- For multi-tenant apps, ensure you're using the correct tenant endpoint
- Check that the application is properly registered in the correct tenant
User Profile Not Created
- Check that your TailorDB User type has the correct username field configured
- Verify that the email claim is being passed from Entra ID
- Ensure the user has the necessary permissions in Entra ID
Token Validation Errors
- Verify the audience claim in the token matches your application
- Check that the issuer claim matches the expected Entra ID issuer
- Ensure your application's clock is synchronized
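As an added diagnostic that is not part of the Tailor Platform docs or the Auth service itself, the script below covers the User Profile Not Created and Token Validation Errors items above: it decodes an Entra ID token's claims and checks issuer, audience, tenant, expiry and the email claim against the tenant ID and client ID from Step 3. The sample token and GUIDs are constructed placeholders; the check is for troubleshooting only and does not replace the signature verification the Auth service performs.

```python
import base64
import json
import time

# Issuer of the Entra ID v2.0 endpoint; must match the provider_url in the Auth config.
ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tenant_id}/v2.0"

def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(id_token):
    # Decodes the payload only and does NOT verify the signature: the Auth service
    # still validates the token against the tenant's published signing keys.
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))

def check_claims(claims, tenant_id, client_id, now=None, skew=300):
    """Return one message per troubleshooting item that fails; an empty list means OK."""
    now = int(time.time()) if now is None else now
    problems = []
    expected_iss = ISSUER_TEMPLATE.format(tenant_id=tenant_id)
    if claims.get("iss") != expected_iss:
        problems.append("issuer mismatch: got %r, expected %r" % (claims.get("iss"), expected_iss))
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience mismatch: %r does not include client ID %r" % (aud, client_id))
    if claims.get("tid") != tenant_id:
        problems.append("tenant mismatch: tid %r != %r" % (claims.get("tid"), tenant_id))
    if claims.get("exp") is None or now > claims["exp"] + skew:
        problems.append("token expired or exp missing: check the application clock")
    if not claims.get("email"):
        problems.append("email claim missing: add the email permission and grant consent")
    return problems

def _constructed_token(claims):
    # Builds a sample token with a placeholder signature segment, for offline testing only.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".placeholder-signature"

# Constructed sample values: the GUIDs are placeholders, not a real tenant or application.
SAMPLE_TENANT, SAMPLE_CLIENT = "00000000-0000-0000-0000-000000000001", "11111111-1111-1111-1111-111111111111"
SAMPLE_NOW = 1700000000
SAMPLE_TOKEN = _constructed_token({
    "iss": ISSUER_TEMPLATE.format(tenant_id=SAMPLE_TENANT), "aud": SAMPLE_CLIENT, "tid": SAMPLE_TENANT,
    "nbf": SAMPLE_NOW - 60, "exp": SAMPLE_NOW + 3600, "email": "user@example.com",
})
```

Run `check_claims(decode_claims(token), tenant_id, client_id)` on a token captured from a failing login; each returned message maps to one of the troubleshooting items above.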
For production deployments, ensure you are using HTTPS URLs with valid TLS certificates configured. Also, consider implementing proper token caching and refresh mechanisms.
Next Steps
- Log in to your app - Guide for user creation and login
- Configure user roles and permissions
- Set up machine users for API access
- Learn about Auth as a subgraph