
Configure MS Online App Service for EntraID Authentication

The MS Online PowerShell microservice interfaces with EmpowerID and Azure to execute EntraID operations in response to your actions in EmpowerID. For this to occur, the App Service hosting the microservice needs to be configured so that it can authenticate to EntraID and receive identity and access tokens with the necessary permissions to call the relevant Graph API endpoints on your behalf.

Procedure

  1. Log in to your Azure portal as a user with the necessary permissions to configure the MS Online App service you created earlier.
  2. In Azure, navigate to the App Service.
  3. Under Settings in the navbar, select Authentication / Authorization.
  4. Turn on App Service Authentication.
  5. Under Action to take when request is not authenticated, select Log in with Azure Active Directory.
  6. Under Authentication Providers, click Azure Active Directory.
  7. Under Management mode, select Advanced.
  8. Enter the following information for the Advanced mode settings:
    • Client ID — Enter the Client ID for the service principal you registered earlier.
    • Issuer Url — Enter https://login.microsoftonline.com/TenantID, where TenantID is the TenantID of the application you registered in EntraID.
    • Client Secret — Enter the client secret for the application you registered in EntraID for EmpowerID.
    • Allowed Token Audience — Enter the App Service URL.
    The settings should look similar to the image below:
  9. Click OK to close the Active Directory Authentication dialog.
  10. Back in the main Authentication / Authorization page, click Save.
  11. Under Settings, select Identity.
  12. Turn on System assigned managed identity and click Save. This registers the App Service in EntraID.
  13. Click Yes to confirm that you want to enable System assigned managed identity.
  14. Back in the Overview blade for the App Service, click Get Publish Profile. You will need this file when you publish the MS Online Microservice to Azure.
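
To confirm that the Issuer Url and Allowed Token Audience entered in step 8 match the tokens callers actually present, the following added example (not EmpowerID or Microsoft code) decodes a token's claims and compares `tid` and `aud` with those settings. The tenant ID, App Service URL and helper names are constructed for illustration, and the example assumes TenantID is entered in its GUID form.

```python
import base64
import json
import re
from urllib.parse import urlparse

GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def tenant_from_issuer(issuer_url):
    """Extract TenantID from https://login.microsoftonline.com/TenantID."""
    url = urlparse(issuer_url)
    tenant = url.path.strip("/").split("/")[0]
    if url.scheme != "https" or url.hostname != "login.microsoftonline.com":
        raise ValueError("Issuer Url must be https://login.microsoftonline.com/TenantID")
    if not GUID.match(tenant):  # assumption: TenantID is given as a GUID
        raise ValueError("TenantID in Issuer Url is not a GUID")
    return tenant.lower()

def decode_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def check_token(token, issuer_url, allowed_audiences):
    """Return mismatches between a token's claims and the Advanced mode settings."""
    tenant = tenant_from_issuer(issuer_url)
    claims = decode_claims(token)
    problems = []
    if str(claims.get("tid", "")).lower() != tenant:
        problems.append("tid %r is not the tenant in Issuer Url" % claims.get("tid"))
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    # Exact string comparison is an assumption of this example.
    if not any(a in allowed_audiences for a in audiences):
        problems.append("aud %r is not in Allowed Token Audience" % aud)
    return problems

def sample_token(claims):
    """Build an unsigned, constructed token for the demonstration below."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"typ": "JWT"}), enc(claims), "constructed"])

# Constructed sample values, not taken from the page.
ISSUER = "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555"
APP_URL = "https://example-msonline.azurewebsites.net"

if __name__ == "__main__":
    claims = {"tid": "11111111-2222-3333-4444-555555555555", "aud": APP_URL + "/"}
    print(check_token(sample_token(claims), ISSUER, [APP_URL]))  # aud has a trailing slash
```

This is a troubleshooting aid for rejected requests; it does not validate the token signature and must not be used to make an authorization decision.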