Authentication — Microsoft Entra ID
In Entra mode the SPA signs users in with "Sign in with Microsoft" (OIDC authorization-code + PKCE) and the API validates Entra access tokens directly — no Keycloak. Users and roles live in your Entra tenant.
App registration
Create one app registration in Entra ID → App registrations; the SPA and API share it.
- Platform → Single-page application. Add your SPA redirect URI, e.g. `https://edgentia.acme.com` (your `APP_BASE_URL`).
- Expose an API. Set the Application ID URI to `api://<client-id>` and add a scope named `access_as_user`.
- App roles. Define two app roles (assignable to Users/Groups): `platform-admin` (full platform administration) and `user` (a regular consumer user).
- Enterprise application → Users and groups. Assign each person the `platform-admin` or `user` role. Roles arrive in the token and drive access.
Sign-in itself needs no client secret: the SPA is a public client (authorization code + PKCE) and the API validates token signatures with the tenant's published public keys.
Configuration
| Variable | Required | Notes |
|---|---|---|
| `Auth__Mode` | ✅ | Set to `Entra` to select Entra mode. |
| `Auth__Entra__TenantId` | ✅ | Your tenant (directory) GUID. The app won't start without it. |
| `Auth__Entra__ClientId` | ✅ | The app registration's application (client) id. The app won't start without it. |
| `Auth__Entra__ClientSecret` | optional | Only needed for the directory "add member" picker, which queries Microsoft Graph and also requires the Graph application permission `User.Read.All` with admin consent. Omit it to add members by Entra object id (`oid`) instead. |
| `Auth__Entra__ApiScope` | optional | Defaults to `api://<clientId>/access_as_user`. |
| `Auth__RequireHttpsMetadata` | optional (default `true`) | Leave `true` in production so the OIDC metadata and signing keys are only fetched over HTTPS. |
Helm equivalents: `auth.mode=entra`, `auth.entra.tenantId`, `auth.entra.clientId`, `auth.entra.clientSecret`. Compose equivalents: `AUTH_MODE=Entra`, `ENTRA_TENANT_ID`, `ENTRA_CLIENT_ID`, `ENTRA_CLIENT_SECRET`.
What it accepts
The API accepts tokens whose `aud` is either the client id or `api://<clientId>`, issued in either Entra token version: v1 (`iss` = `https://sts.windows.net/{tid}/`) or v2 (`iss` = `https://login.microsoftonline.com/{tid}/v2.0`). The canonical user id is the `oid` claim (the user's object id in the tenant; unlike `sub`, it is the same for every application); a token missing it is rejected. App roles in the `roles` array become role claims.
User management
In Entra mode, accounts and platform roles are managed in Entra. The user-management level caps at 1 (directory search + members verified against the Entra directory); there's no in-app invite flow. ISA-95 catalogue groups (scope) are still managed in the edgentia admin UI, keyed by each user's `oid`.
No realm files are needed in Entra mode — Entra is the identity provider directly. If you self-host identity instead, use Keycloak.