Entra ID Configuration

Microsoft Entra ID can be configured as the Identity Provider (IdP) to use in Agora. Before configuring the IdP in Agora, you must create and configure an Entra ID application.

To create a Microsoft Entra ID application:

  1. Log in to the Azure portal as an administrator.

  2. Navigate to the Microsoft Entra ID service panel.

  3. Select the option to Add a new App registration.

  4. Enter the application name.

  5. For Supported account types select the Accounts in this organizational directory only option.

  6. Leave the Redirect URI empty for now, as it will be set in a later step.

  7. Click Register.

  8. Once created, configure the App:

    1. Navigate to Manage > Certificates & secrets and click New client secret.

    2. Enter a description, choose an expiration and click Add, then copy the generated secret Value. The value is shown only once, immediately after creation, so store it (preferably in a secrets manager) before leaving the page. When the secret expires, logins through Agora will fail, so plan its rotation before the expiration date.

    3. Go to Manage > Manifest and set requestedAccessTokenVersion to 2 under the api section, adding the element if it does not exist (this makes Entra issue v2.0 tokens, which is what the v2.0 discovery endpoint used below describes):

      "api": {
         "requestedAccessTokenVersion": 2,
         ...
      }
      
    4. Navigate to Manage > Token configuration and click Add optional claim.

    5. Select ID as the Token type and select the email claim. Click Add.

    6. Tick Turn on the Microsoft Graph email permission (required for the claim to appear in the token) and click Add.

    7. Repeat the previous two steps to add the email claim to the access token as well, this time selecting Access as the Token type.

      Note

      User definitions in the IdP must have their email property populated, otherwise Agora cannot authenticate them.

  9. Gather the required information from the Microsoft Entra ID application:

    • The Application (client) ID.

    • The Directory (tenant) ID.

    • The secret value created above.

  10. In Agora, navigate to the Organization admin panel > IdP and enter the discovery endpoint URL using the URL template below and replacing {tenant} with your Directory (tenant) ID:

    https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration

  11. Click on the Fetch and fill button.

  12. Set the Token claim with the user's login field to email.

  13. Use the Application (client) ID and the secret value created above to fill the Client ID and Client secret.

  14. Click Submit; Agora generates a redirect URI.

  15. Return to the app registration in the Azure portal (open it in another browser tab). Navigate to Manage > Authentication, click Add a platform and select Web. Enter exactly the Redirect URI shown in the Agora IdP configuration (Entra matches redirect URIs literally, including scheme, host, port and path) and click Configure.

  16. Finally, return to Agora and log out so that the changes apply to the current user session.

    Important

    You must restart Execution Plane after any Identity Provider configuration change. Please see the Restart a Cluster section of the Solution Manager Administration Guide.

    Note

    With the Identity Provider configured, use the Direct access to organization link to log in. Users defined in Microsoft Entra ID must also exist in the Agora Organization to be authenticated; see How to Log into Agora After Configuring an Identity Provider.
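The portal procedure above can be made reproducible with the Microsoft.Graph PowerShell module. The script below is an added example, not Agora's or Microsoft's own code: it performs steps 1 to 9 (single-tenant registration, v2.0 access tokens, the optional email claim on both token types, the Microsoft Graph email permission, a client secret) and returns the values Agora asks for, then applies the redirect URI from step 15 once Agora has generated it. It assumes the Microsoft.Graph module is installed and that the caller is allowed to create app registrations; the display name "Agora", the secret description and the function names are illustrative.

```powershell
# Added example (not Agora's or Microsoft's own code). Requires the Microsoft.Graph
# PowerShell module (Install-Module Microsoft.Graph) and an account that may register apps.
#Requires -Modules Microsoft.Graph.Applications

function New-AgoraEntraApp {
    param(
        [string] $DisplayName = "Agora",            # illustrative name
        [int]    $SecretLifetimeMonths = 6          # keep short; rotate before expiry or logins stop
    )

    Connect-MgGraph -Scopes "Application.ReadWrite.All" -NoWelcome

    # Look up the Microsoft Graph 'email' delegated permission instead of hard-coding its id.
    $graphAppId = "00000003-0000-0000-c000-000000000000"   # well-known Microsoft Graph app id
    $graphSp    = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
    $emailScope = $graphSp.Oauth2PermissionScopes | Where-Object { $_.Value -eq "email" }
    if (-not $emailScope) { throw "Microsoft Graph 'email' delegated permission not found" }

    # Steps 5-8: single tenant, v2 access tokens, email claim in ID and access tokens.
    $app = New-MgApplication `
        -DisplayName $DisplayName `
        -SignInAudience "AzureADMyOrg" `
        -Api @{ RequestedAccessTokenVersion = 2 } `
        -OptionalClaims @{
            IdToken     = @(@{ Name = "email" })
            AccessToken = @(@{ Name = "email" })
        } `
        -RequiredResourceAccess @(
            @{
                ResourceAppId  = $graphAppId
                ResourceAccess = @(@{ Id = $emailScope.Id; Type = "Scope" })
            }
        )

    # The portal creates the service principal (enterprise app) implicitly; Graph does not.
    New-MgServicePrincipal -AppId $app.AppId | Out-Null

    # Steps 8.1-8.2: client secret. SecretText is only returned by this call, never again.
    $cred = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
        DisplayName = "agora-idp"
        EndDateTime = (Get-Date).AddMonths($SecretLifetimeMonths)
    }

    $tenantId = (Get-MgContext).TenantId

    # Step 9: everything Agora asks for in the IdP panel.
    [pscustomobject]@{
        ObjectId     = $app.Id           # needed later to set the redirect URI
        ClientId     = $app.AppId        # Agora "Client ID"
        TenantId     = $tenantId         # Directory (tenant) ID
        ClientSecret = $cred.SecretText  # Agora "Client secret"; store in a secret manager
        SecretExpiry = $cred.EndDateTime
        DiscoveryUrl = "https://login.microsoftonline.com/$tenantId/v2.0/.well-known/openid-configuration"
    }
}

function Set-AgoraRedirectUri {
    # Step 15: add the redirect URI generated by Agora as a Web platform URI.
    param(
        [Parameter(Mandatory)] [string] $ObjectId,
        [Parameter(Mandatory)] [string] $RedirectUri
    )
    if ($RedirectUri -notmatch '^https://') {
        throw "Redirect URI must use https (Entra only accepts http for localhost)"
    }
    $existing = (Get-MgApplication -ApplicationId $ObjectId).Web.RedirectUris
    $uris = @($existing | Where-Object { $_ }) + $RedirectUri | Select-Object -Unique
    Update-MgApplication -ApplicationId $ObjectId -Web @{ RedirectUris = $uris }
}

function Test-AgoraDiscoveryEndpoint {
    # Sanity check for step 10: the discovery document must advertise the v2.0 issuer.
    param([Parameter(Mandatory)] [string] $DiscoveryUrl)
    $doc = Invoke-RestMethod -Uri $DiscoveryUrl
    if ($doc.issuer -notmatch '/v2\.0/?$') { throw "Unexpected issuer: $($doc.issuer)" }
    $doc.issuer
}

# Usage:
#   $reg = New-AgoraEntraApp
#   Test-AgoraDiscoveryEndpoint $reg.DiscoveryUrl
#   (enter $reg.DiscoveryUrl, $reg.ClientId and $reg.ClientSecret in Agora and click Submit)
#   Set-AgoraRedirectUri -ObjectId $reg.ObjectId -RedirectUri "<redirect URI shown by Agora>"
```

The secret is returned in clear text by Add-MgApplicationPassword only once, so the usage pattern above hands it straight to Agora and does not write it to disk; SecretExpiry is returned so the rotation date can be tracked alongside the Agora configuration.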
