# Microsoft Entra IDP Setup

### Register an OIDC App in Microsoft Entra ID

Here's how to register an application in Microsoft Entra ID for OpenID Connect (OIDC):

1. **Log in to Azure Portal:** Navigate to <https://portal.azure.com> and sign in with your Azure account.
2. **Navigate to App Registrations:**\
   Go to **Microsoft Entra ID** > **App registrations** > **+ New registration**.
3. **Register the Application:**
   * **Name:** Enter a descriptive name for your application (e.g., `Telmai-OIDC-App`).
   * **Supported account types:** Choose the option that aligns with your organization's policies. Typically, **"Accounts in this organizational directory only"** is selected.
   * **Redirect URI:** Enter the redirect URI provided by Telmai. This will likely follow the format: `https://<your-telmai-instance>.okta.com/oauth2/v1/authorize/callback`. **Please confirm the exact redirect URL with Telmai.**
4. **Post Registration Configuration:** Once the app is created, open its overview page.
   * **Retrieve Application (client) ID and Directory (tenant) ID:** Copy and securely store these IDs. You will need them later.
   * **Create a Client Secret:**
     * Go to **Certificates & Secrets** > **+ New client secret**.
     * Add a description for the secret and choose an expiration timeframe.
     * Click **Add**.
     * **Copy the Value** of the newly created client secret immediately. This value will not be shown again.
5. **Construct the Well-known Configuration URL:** Use the following format, replacing `<tenant_id>` with the Directory (tenant) ID you copied earlier:

   ```
   https://login.microsoftonline.com/<tenant_id>/v2.0/.well-known/openid-configuration
   ```
6. **Open the OpenID configuration URL in a browser and note the following fields from the returned JSON document:**
   1. `issuer`
   2. `authorization_endpoint`
   3. `token_endpoint`
   4. `jwks_uri`
   5. `userinfo_endpoint`
7. **Assign API Permissions to the App:**
   * Under **API permissions**, click **+ Add a permission**.
   * Select **Microsoft Graph** > **Delegated permissions**.
   * Search for and add the following permissions:
     * `openid`
     * `profile`
     * `offline_access`
   * Click **Add permissions**.
   * Finally, click **Grant admin consent for your tenant**.
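
As an added example (not part of this guide or of Telmai's software), the following Python script builds the well-known URL from step 5 and pulls the five step-6 fields out of the discovery document, checking that `issuer` matches your tenant and that every endpoint is served over HTTPS. The tenant ID and the discovery JSON are constructed placeholders, so the script runs offline.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample of an Entra ID v2.0 discovery document, trimmed to the
# fields this guide asks for; a real document carries many more keys.
TENANT_ID = "11111111-2222-3333-4444-555555555555"  # placeholder tenant ID
SAMPLE_DISCOVERY = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
})

REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint",
                   "jwks_uri", "userinfo_endpoint")
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def discovery_url(tenant_id: str) -> str:
    """Build the step-5 well-known URL. Only a Directory (tenant) ID GUID is
    accepted: aliases such as `common` return a templated issuer that cannot
    be pinned to one tenant."""
    if not GUID_RE.match(tenant_id):
        raise ValueError("tenant ID must be the Directory (tenant) ID GUID")
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration"


def extract_endpoints(document: str, tenant_id: str) -> dict:
    """Return the step-6 fields, refusing documents that are incomplete,
    issued for a different tenant, or that point at non-HTTPS endpoints."""
    data = json.loads(document)
    missing = [f for f in REQUIRED_FIELDS if f not in data]
    if missing:
        raise ValueError(f"discovery document lacks: {missing}")
    expected_issuer = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    if data["issuer"] != expected_issuer:
        raise ValueError(f"issuer {data['issuer']!r} is not {expected_issuer!r}")
    for field in REQUIRED_FIELDS[1:]:
        if urlparse(data[field]).scheme != "https":
            raise ValueError(f"{field} is not served over HTTPS")
    return {f: data[f] for f in REQUIRED_FIELDS}


if __name__ == "__main__":
    print(discovery_url(TENANT_ID))
    for key, value in extract_endpoints(SAMPLE_DISCOVERY, TENANT_ID).items():
        print(f"{key}: {value}")
```

Replace `SAMPLE_DISCOVERY` with the JSON fetched from your tenant's well-known URL to apply the same checks to the live document.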
