Microsoft Entra ID¶
Client registration¶
Register FMR as an application in Microsoft Entra ID¶
The FMR installation must be registered as an application in Microsoft Entra ID before Entra ID can be used as the OIDC identity provider for FMR.
Follow the guidance provided by Microsoft, taking into account the following:
- Register the FMR installation as a 'web' application - this defines it as a 'confidential client' (one that authenticates with a client secret)
- Ensure the redirect URI points to the FMR installation's `/ws/fusion/oauth/callback` web service (Microsoft reference)
- Add a client secret (Microsoft reference)
- Configure Entra ID to emit the `groups` claim for groups assigned to the application (Microsoft reference)
Example Entra app manifest¶
The following is an example Entra app manifest for an FMR registration; the numbered annotations are explained below the manifest. Note that the client secret value itself is not part of the manifest (`secretText` is `null`).
{
"id": "dde567d8fd-a8e7-4868-fcba-2267cd603a02",
"deletedDateTime": null,
"appId": "d01f68cab28-920d-239b-fc66-d07fa733576013",
"applicationTemplateId": null,
"disabledByMicrosoftStatus": null,
"createdByAppId": "d645a7667-8d34-bb5e-87c4-d65f8af2a36e",
"createdDateTime": "2026-03-26T12:26:59Z",
"displayName": "FMR",
"description": null,
"groupMembershipClaims": "ApplicationGroup", // (1)!
"identifierUris": [],
"isDeviceOnlyAuthSupported": null,
"isDisabled": null,
"isFallbackPublicClient": false,
"nativeAuthenticationApisEnabled": null,
"notes": null,
"publisherDomain": "mydomain.onmicrosoft.com", // (2)!
"serviceManagementReference": null,
"signInAudience": "AzureADMyOrg",
"tags": [],
"tokenEncryptionKeyId": null,
"samlMetadataUrl": null,
"defaultRedirectUri": null,
"certification": null,
"requestSignatureVerification": null,
"addIns": [],
"api": {
"acceptMappedClaims": null,
"knownClientApplications": [],
"requestedAccessTokenVersion": null,
"oauth2PermissionScopes": [],
"preAuthorizedApplications": []
},
"appRoles": [], // (3)!
"info": {
"logoUrl": null,
"marketingUrl": null,
"privacyStatementUrl": null,
"supportUrl": null,
"termsOfServiceUrl": null
},
"keyCredentials": [],
"optionalClaims": { // (4)!
"accessToken": [
{
"additionalProperties": [
"cloud_displayname"
],
"essential": false,
"name": "groups",
"source": null
}
],
"idToken": [
{
"additionalProperties": [
"cloud_displayname"
],
"essential": false,
"name": "groups",
"source": null
}
],
"saml2Token": [
{
"additionalProperties": [
"cloud_displayname"
],
"essential": false,
"name": "groups",
"source": null
}
]
},
"parentalControlSettings": {
"countriesBlockedForMinors": [],
"legalAgeGroupRule": "Allow"
},
"passwordCredentials": [
{
"customKeyIdentifier": null,
"displayName": "Fusion Metadata Registry",
"endDateTime": "2026-09-22T13:19:12.843Z",
"hint": "TQO",
"keyId": "7c43993e-4955-44c8-b070-1451382e10e7",
"secretText": null,
"startDateTime": "2026-03-26T14:19:12.843Z"
}
],
"publicClient": {
},
"requiredResourceAccess": [
{
"resourceAppId": "00000004-0000-0000-d000-000000000000",
"resourceAccess": [
{
"id": "e1fe665fc-f7bc-d8a5-6628-5fadb8e54683d",
"type": "Scope"
}
]
}
],
"verifiedPublisher": {
"displayName": null,
"verifiedPublisherId": null,
"addedDateTime": null
},
"web": {
"homePageUrl": null,
"logoutUrl": null,
"redirectUris": [
"https://registry.mydomain.org/ws/fusion/oauth/callback" // (5)!
],
"implicitGrantSettings": {
"enableAccessTokenIssuance": false,
"enableIdTokenIssuance": false
},
"redirectUriSettings": [
{
"uri": "https://registry.mydomain.org/ws/fusion/oauth/callback", // (6)!
"index": null
}
]
},
"servicePrincipalLockConfiguration": {
"isEnabled": true,
"allProperties": true,
"credentialsWithUsageVerify": true,
"credentialsWithUsageSign": true,
"identifierUris": false,
"tokenEncryptionKeyId": true
},
"spa": {
"redirectUris": []
}
}
1. Emit only the groups that are explicitly assigned to the application and that the user is a member of
2. The `publisherDomain` is specific to the organisation
3. Entra ID App Roles are not used - FMR uses group membership for its role based access control
4. Configure Entra ID to emit the `groups` claim (Microsoft reference)
5. The redirect URI must be the FMR installation's `/ws/fusion/oauth/callback` URL
6. The redirect URI must be the FMR installation's `/ws/fusion/oauth/callback` URL