Configuring Entra ID for Open ID Connect (OIDC)

Review and complete the following sections before configuring the iMIS OIDC settings.

⚠️

IMPORTANT

Each user must have a first and last name in Entra ID. This is the name that is synchronized with iMIS after OIDC is enabled. The user’s first and last names cannot be updated in iMIS after OIDC is enabled, since the name is being pulled from the external directory.

(New apps only) Add a platform

If you created a new app registration, you must populate the Redirect URI:

  1. From the navigation, select App registrations, then choose the application.
  2. From the navigation, select Authentication.
  3. Click Add a platform.
  4. Click Web.
  5. Redirect URIs - Enter the iMIS website (for example, https://example.imiscloud.com/staff).
  6. Front-channel logout URL - Enter the iMIS website (for example, https://example.imiscloud.com/staff).
  7. Enable Access tokens (used for implicit flows) and ID tokens (used for implicit flows and hybrid flows).
  8. Click Configure.

(Existing apps only) Ensure access tokens & ID tokens are enabled for the application

If you are using an existing app registration and did not create a new one, ensure the application has access tokens and ID tokens enabled:

  1. From the navigation, select App registrations, then choose the application.
  2. From the navigation, select Authentication.
  3. Scroll down to the Implicit grant and hybrid flows section.
  4. Enable Access tokens (used for implicit flows) and ID tokens (used for implicit flows and hybrid flows).
📘

Note

These options will not appear if there is no platform defined. See Add a platform.

  5. Click Save.

Create a new role & assign the role to users

The iMIS setup requires a Claim value, which is a Role defined in Entra ID. You can use any role, but ASI recommends creating a new role for the iMIS OIDC connection.

Creating the app role

Do the following to create the role:

  1. From the navigation, select App registrations then choose the application.
  2. From the navigation, select App roles.
  3. Click Create app role:
    1. Display name - iMIS OIDC Access
    2. Allowed member types - Users/Groups
    3. Value - iMIS_OIDC_Access
    4. Description - Role used for iMIS Open ID Connect
    5. Do you want to enable this app role - Checked
  4. Click Apply.

Assigning the role

Do the following to assign the role to the required users or groups:

  1. From the navigation, select Enterprise applications, then choose the application.
👍

Tip

Make sure you are working in the Enterprise applications navigation and not the App registrations navigation.

  2. Select Users and groups.
  3. Select the checkbox next to the users and/or groups.
  4. Click Edit assignment.
  5. Under Select a role, click None Selected.
  6. Choose the iMIS OIDC Access role, then click Select.
  7. Click Assign.

Adding the required claims

⚠️

IMPORTANT

To use OIDC for both staff and public users, you need claims for each group. A claim for staff users is required; a claim for public users is optional but recommended as a best practice. For more information, see Configure optional claims. We recommend setting up claims per group. See Configure groups optional claims for more information.

Do the following to add the required claims:

  1. From the navigation, select App registrations then choose the application.
  2. From the navigation, select Token configuration.
  3. Click Add optional claim.
  4. From the Token type, choose ID.
  5. Select the required claims:
    • email
    • family_name
    • given_name
    • login_hint (only required if Set login hint is enabled in the iMIS OIDC settings)
    • upn (only required if Set login hint is enabled in the iMIS OIDC settings)
  6. Click Add.
📘

Note

Be sure to create claims for System Administrators, regular Staff users, and public users. For more information, see Configure optional claims.

Updating the API permissions

Do the following to add the required API permissions:

  1. From the navigation, select App registrations, then choose the application.
  2. From the navigation, select API permissions.
  3. Click Add a permission.
  4. Click Microsoft Graph.
  5. Click Delegated permissions.
  6. Enable the following:
    • email
    • openid
    • profile
    • User.Read
  7. Click Add permissions.

Obtaining the Client ID and Tenant

iMIS requires a Client ID and Tenant from Entra ID. Do the following to obtain these values from Entra ID:

  1. From the navigation, select App registrations, then choose the application.
  2. From Overview, copy the following:

    • Application (client) ID - The Client ID required for the iMIS configuration.
    • Directory (tenant) ID - The Tenant required for the iMIS configuration.

  3. Paste the values in iMIS or in a safe location where you will have access to them later when you configure iMIS.
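The portal steps above, scripted with the Microsoft Graph PowerShell SDK. This is an added example, not ASI's or the page's own script. It assumes the app registration already exists and that $AppId holds its Application (client) ID, that the iMIS site is https://example.imiscloud.com/staff, and that alice@example.com is a placeholder user to assign; the Microsoft Graph delegated permission IDs are looked up by name rather than hard-coded.

```powershell
# Added example (not from the original page): automate the Entra ID configuration
# described above with the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Application.ReadWrite.All','AppRoleAssignment.ReadWrite.All','Directory.Read.All' -NoWelcome

$AppId   = '00000000-0000-0000-0000-000000000000'   # placeholder: Application (client) ID of the registration
$iMisUrl = 'https://example.imiscloud.com/staff'    # iMIS website, as in the page's example
$app     = Get-MgApplication -Filter "appId eq '$AppId'"

# (New apps only) Add a platform: Web redirect URI, front-channel logout URL and the two
# "Implicit grant and hybrid flows" checkboxes (access tokens + ID tokens).
$web = @{
    RedirectUris          = @($iMisUrl)
    LogoutUrl             = $iMisUrl
    ImplicitGrantSettings = @{ EnableAccessTokenIssuance = $true; EnableIdTokenIssuance = $true }
}

# Create a new role with the same values as the portal steps; keep any roles already defined.
$roleId   = [guid]::NewGuid().Guid
$appRoles = @($app.AppRoles) + @(@{
    Id                 = $roleId
    DisplayName        = 'iMIS OIDC Access'
    Value              = 'iMIS_OIDC_Access'
    Description        = 'Role used for iMIS Open ID Connect'
    AllowedMemberTypes = @('User')   # Graph's "User" is the portal's "Users/Groups"
    IsEnabled          = $true
})

# Adding the required claims: optional claims on the ID token.
# login_hint and upn are only needed when "Set login hint" is enabled in the iMIS OIDC settings.
$optionalClaims = @{
    IdToken = @(
        @{ Name = 'email' }, @{ Name = 'family_name' }, @{ Name = 'given_name' },
        @{ Name = 'login_hint' }, @{ Name = 'upn' }
    )
}

# Updating the API permissions: resolve Microsoft Graph's delegated scopes by name.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$scopes  = $graphSp.Oauth2PermissionScopes | Where-Object { $_.Value -in @('email','openid','profile','User.Read') }
$requiredResourceAccess = @(@{
    ResourceAppId  = $graphSp.AppId
    ResourceAccess = @($scopes | ForEach-Object { @{ Id = $_.Id; Type = 'Scope' } })
})

Update-MgApplication -ApplicationId $app.Id -Web $web -AppRoles $appRoles `
    -OptionalClaims $optionalClaims -RequiredResourceAccess $requiredResourceAccess

# Assigning the role happens on the Enterprise application (service principal),
# not on the app registration.
$sp   = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
$user = Get-MgUser -UserId 'alice@example.com'   # placeholder user
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -BodyParameter @{
    PrincipalId = $user.Id
    ResourceId  = $sp.Id
    AppRoleId   = $roleId
}

# Verify each setting actually landed, then print the two values iMIS needs.
$check = Get-MgApplication -ApplicationId $app.Id
$check.Web.ImplicitGrantSettings | Format-List
$check.AppRoles | Select-Object DisplayName, Value, IsEnabled
$check.OptionalClaims.IdToken.Name
$check.RequiredResourceAccess.ResourceAccess.Id
"Client ID: $($check.AppId)"
"Tenant:    $((Get-MgContext).TenantId)"
```

Run it as an account that can manage app registrations and role assignments; the scopes requested by Connect-MgGraph cover that. The two ImplicitGrantSettings switches are exactly the checkboxes the page tells you to enable; they let tokens be returned directly to the browser, so enable them only on the registration iMIS uses. The read-back at the end is the check worth keeping: an update that partially fails (for example an invalid claim name) is easier to spot there than in the portal.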

Configuring iMIS for OIDC settings

After configuring Entra ID, review and follow Configuring and troubleshooting OIDC settings in iMIS.