Microsoft Entra ID provider

A Microsoft Entra ID provider allows you to connect a Web API tile to the API of any Azure application that uses Microsoft Entra ID for authentication. This can be an Azure API that Microsoft provides (for example, Microsoft Graph) or one you have built yourself. The authentication details needed to access the application's API are stored in the Microsoft Entra ID provider.

Note: Azure Log Analytics and Azure Application Insights have dedicated tiles and providers. If you want to use those applications, use the dedicated tiles and providers. For any other Azure application, use the Microsoft Entra ID provider and the Web API tile.

What are Integrations and Providers

For an example of a Microsoft Entra ID provider being configured to connect to the Microsoft Graph API, see:

How to build insightful M365 Analytics Dashboards with SquaredUp and Microsoft Graph API (Part 1)

Prerequisites

  • If you use a proxy server, you may need to configure the proxy to allow communication with Microsoft Entra ID (How to configure SquaredUp DS to use a proxy).
  • A Microsoft Entra ID workspace.
  • Access to your Azure portal with the following roles:
    • Azure subscription administrator role
    • Microsoft Entra ID User administrator role

Creating a Microsoft Entra ID provider

There are two environments involved when you are creating a Microsoft Entra ID provider:

  1. You need to enable access for SquaredUp DS in your Azure portal. You only need to do this once, regardless of the number of SquaredUp DS instances you have.

    Note: The following steps are done in your Azure portal. Please refer to the Azure documentation if you need help with any of the steps.

    1. Create a new Microsoft Entra ID application in your Azure portal to connect with SquaredUp DS.
      The application needs a platform of type Web with a Redirect URI in the following format:

      https://FQDNofYourSquaredUpServer/YourSquaredUpVersion/ext-core-webapi/callback/NameOfYourMSEntraIDProvider

      FQDNofYourSquaredUpServer
      For example yoursquaredupserver.yourdomain.name
      YourSquaredUpVersion
      For example squaredupv5
      NameOfYourMSEntraIDProvider
      The name you'll give the Microsoft Entra ID provider when you create it in SquaredUp DS

    2. Configure the settings for the application.

  2. You need to create a Microsoft Entra ID provider in SquaredUp DS to connect to Microsoft Entra ID. You can add as many providers as you want.

    1. In SquaredUp browse to System > Administration > Integrations.
    2. Click Microsoft Entra ID.

      Settings:
      Name
      Enter a name for your provider.
      Note: The name must match the name you used as part of the Redirect URI in your Azure portal.

      The Redirect URI in Azure has the following format:

      https://FQDNofYourSquaredUpServer/YourSquaredUpVersion/ext-core-webapi/callback/NameOfYourMSEntraIDProvider

      FQDNofYourSquaredUpServer
      For example yoursquaredupserver.yourdomain.name
      YourSquaredUpVersion
      For example squaredupv5
      NameOfYourMSEntraIDProvider
      The name you'll give the Microsoft Entra ID provider when you create it in SquaredUp DS

      Base URL
      Enter the base URL for all API requests made through this provider. This URL is prepended to every request made by a tile that uses this provider.

      Example: https://graph.microsoft.com/

      Tenant Id
      Enter your Microsoft Entra ID Tenant ID.

      1. In the Azure portal, open the Microsoft Entra ID application you created for connecting with SquaredUp DS: Microsoft Entra ID > App registrations > <App name>.
      2. On the Overview page for your application, under Essentials, you can see your Application (client) ID and Directory (tenant) ID. The Directory (tenant) ID is the value to enter here.

      Alternatively:

      1. In the Azure portal, open your Microsoft Entra ID resource.
      2. Take note of or copy the Tenant ID displayed in the main panel under Overview > Basic Information.

      Resource URL
      Enter the resource or API root URL you want to access. Depending on which API you are using, this URL may be identical to the Base URL.

      What's the difference between the base URL and the resource URL?

      Adam: It’s kind of like “context” or “scope” for the authentication request. You’re always authenticating with Azure AD, but in making that authentication request, you need to let it know the scope/context/purpose for your request. The base URL field is just an internal thing for our tiles and in most cases it’ll be the same, but not always. Azure Key Vaults are a decent example. The base URL might be something like https://adamskeyvault.keyvaults.azure.com, but the resource URI might be https://kvs.azuremanagement.com. The tile is making a direct call to the specific key vault, but the authentication request is made to the key vault management server.

      Dear Azure, I want an authentication token for the key vault service.

      Dear key vault, I have a token from the big boss key vault people, can I get some data?

      The resource might have a specific/direct URL to query, i.e. a key vault with a unique URL. But the key vault API uses the overall key vault service for authentication.

      Authentication session is created to the master key vault resource URI, and that token is then used to authenticate with a specific resource.

      So the authentication request always goes to Azure Active Directory, but with some context in the form of a resource URI. You get a token that you can only use for the resource you’ve listed, rather than a token that lets you do anything anywhere.

      Application Id
      Enter your Microsoft Entra ID Application ID.

      1. In the Azure portal, open the Microsoft Entra ID application you created for connecting with SquaredUp DS: Microsoft Entra ID > App registrations > <App name>.
      2. On the Overview page for your application, under Essentials, you can see your Application (client) ID and Directory (tenant) ID. The Application (client) ID is the value to enter here.

      Application Key
      The client secret you created in Azure. If you followed the steps for configuring the settings of an application in Azure, the client secret should still be in your clipboard or in your password manager. If you don't have your client secret, or it has expired, you need to create a new one:

      1. In your Azure portal, go to the application you created for connecting to SquaredUp DS and click on Certificates & secrets in the left-hand menu.
      2. Add a new client secret with the following settings:
        Description
        Add a description that helps you identify this client secret.
        Expires
        Set an appropriate expiry date for the secret.
      3. Copy the value of the new client secret to your clipboard. You'll need the client secret later when you add the provider in SquaredUp DS. You won't be able to retrieve the client secret again later, so store it in a secure place such as a password manager.

      Authorization Scope (Optional)

      Adam: Scope makes it more granular, so as an example, you want to get data from a key vault but only read-only GET requests and only to specific parts of the key vault. Scope prevents the tile from doing more than you want it to, as your auth token is hard limited to certain actions.

      Here you can limit the tiles that use this provider to performing only certain actions. For example, you can narrow down the scope to read-only GET requests or to specific parts of the API.
      Refer to the documentation of the API you are using for details on how to enter the authorization scope.
    3. Click Save.
    4. Once the provider is created, the final step is to authorize it with Microsoft Entra ID. The credentials you enter during authorization are sent to Microsoft Entra ID and are not stored anywhere within SquaredUp DS.

      1. Note down the reply URL listed under the newly created provider in SquaredUp DS.
      2. In the Azure portal, open the Microsoft Entra ID resource, go to the App registrations page, find your SquaredUp DS app, and click on it to open its Overview page.
      3. Click on Authentication.
      4. Add the URL from step 1 to the list of Redirect URIs.
      5. Wait a few minutes for Microsoft Entra ID to process the update, then, back in SquaredUp DS, click perform authorization under the newly created provider.
        If you do not want to add a reply URL to the application for each new provider, you can specify a wildcard when configuring the reply URL using a * (e.g. https://server.local/*).
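
The configuration above hinges on three things lining up: the provider name embedded in the Redirect URI, the Tenant Id / Application Id pair, and the Resource URL that scopes the token (as opposed to the Base URL, which only prefixes the tile's API calls). The following Python script is an added example, not SquaredUp's or Microsoft's code; it builds the Redirect URI, builds the authorization request, and checks a token's claims against the provider's settings. It assumes the provider uses the Microsoft Entra ID v1 authorization endpoint with a `resource` parameter (the page does not name the endpoint), and every FQDN, tenant ID and application ID below is a constructed placeholder.

```python
import base64
import json
from urllib.parse import urlencode, urlparse

# Constructed placeholder values; substitute your own deployment's values.
SERVER_FQDN = "yoursquaredupserver.yourdomain.name"
SQUAREDUP_VERSION = "squaredupv5"
PROVIDER_NAME = "graph-provider"
TENANT_ID = "11111111-2222-3333-4444-555555555555"      # constructed, not a real tenant
APPLICATION_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # constructed, not a real app
RESOURCE_URL = "https://graph.microsoft.com/"


def redirect_uri(fqdn: str, version: str, provider_name: str) -> str:
    """Redirect URI in the format the provider expects; the last path segment is the provider name."""
    return f"https://{fqdn}/{version}/ext-core-webapi/callback/{provider_name}"


def provider_name_from_redirect(uri: str) -> str:
    """Extract the provider name from a Redirect URI to confirm it matches the name entered in SquaredUp DS."""
    parsed = urlparse(uri)
    if parsed.scheme != "https":
        raise ValueError("Redirect URI must use https")
    return parsed.path.rstrip("/").rsplit("/", 1)[-1]


def authorize_url(tenant_id: str, application_id: str, redirect: str, resource_url: str) -> str:
    """Authorization request sent to Entra ID (assumed v1 endpoint; 'resource' is the token's context).
    The Base URL is not part of this request: it only prefixes the tile's later API calls."""
    params = {
        "client_id": application_id,
        "response_type": "code",
        "redirect_uri": redirect,
        "resource": resource_url,
    }
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/authorize?{urlencode(params)}"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build an UNSIGNED JWT from constructed claims so the checks below can run offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Decode the JWT payload for inspection only; verifying the signature against the
    tenant's signing keys is a separate step that a real consumer must perform."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def token_matches_provider(claims: dict, tenant_id: str, application_id: str, resource_url: str) -> bool:
    """The token must come from our tenant (tid), be issued to our app (appid) and be scoped to the
    configured Resource URL (aud). A token for a different resource is rejected even if otherwise valid.
    Note: some resources present 'aud' as an application ID rather than a URI; this check handles the URI form."""
    aud = str(claims.get("aud", "")).rstrip("/")
    return (
        claims.get("tid") == tenant_id
        and claims.get("appid") == application_id
        and aud == resource_url.rstrip("/")
    )


def scopes_allow(claims: dict, required: set) -> bool:
    """Delegated permissions are space-separated in 'scp'; the tile may only do what the scope allows."""
    granted = set(str(claims.get("scp", "")).split())
    return required <= granted


if __name__ == "__main__":
    uri = redirect_uri(SERVER_FQDN, SQUAREDUP_VERSION, PROVIDER_NAME)
    assert provider_name_from_redirect(uri) == PROVIDER_NAME
    print(authorize_url(TENANT_ID, APPLICATION_ID, uri, RESOURCE_URL))
    # Constructed sample token: a Graph token for our tenant and app with two delegated scopes.
    token = make_sample_token({"aud": "https://graph.microsoft.com", "tid": TENANT_ID,
                               "appid": APPLICATION_ID, "scp": "User.Read Reports.Read.All"})
    print(token_matches_provider(decode_claims(token), TENANT_ID, APPLICATION_ID, RESOURCE_URL))
```

Running the script prints the authorization URL that the "perform authorization" step would redirect you to, then `True` for the constructed token. Swapping the Resource URL for another service in `token_matches_provider` makes the check fail, which is the point of Adam's explanation: the token is bound to the resource named in the request, not to wherever the tile happens to send it.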

Use the provider you have created with the Web API tile; see How to use the Web API tile.

For an example of the steps for using a Microsoft Entra ID provider for the Microsoft Graph API with the Web API tile, see:

How to build insightful M365 Analytics Dashboards with SquaredUp and Microsoft Graph API (Part 1)
