If missed, please refer to the Azure Credential Generation and Configuration guide here.
This guide will walk you through the creation of a separate 'App registration' that can be referenced by Microsoft OAuth to log into an On Prem VSA installation and will need to be completed once per VSA instance.
NOTE: This guide is NOT required for SaaS-based VSA installations but this functionality is not generally available until the release of VSA 9.5.12.
1. Log into Azure (https://portal.azure.com)
2. In the administrative ribbon called 'Azure services' open 'Azure Active Directory'
3. Select ‘App registrations’ on the left navigation bar.
4. Register an entry for VSA and select the option “Accounts in any organization directory (Any Azure AD directory + Multitenant). NOTE: The name of the newly created entry will be required for later use.
5. After registration has occurred, the page will display:
- Application (client) ID
- Directory (tenant) ID
NOTE: Both of these ID will be required for later use within VSA.
6. Navigate back to 'App registrations' on the left navigation bar and search for the App Registration that you just completed creating and select it
7.Select 'Authentication' in the left navigation bar, click 'Add a platform' and select 'Web'
8. In the Redirect URIs, provide the following:
For example, if your VSA instance URL is 'https://My.VSA' it would be: https://My.VSA/api/v2.0/auth/oidc/aad/signin-oidc
9. Make sure to select 'ID tokens' within the bottom of the administrative pane before clicking 'Configure'
10. Change 'Allow public client flows' from No to Yes and click Save
11. Log into your VSA instance using 'Master' role and navigate to System>Server Management>Logon Policy
12. Locate the 'Microsoft Azure AD Single Sign-On Settings portion and provide your newly created Directory ID/Application ID on behalf of your App Registration.
13. Select enable and click 'Update' to apply your changes
14. The 'Sign in with Microsoft' button should now be automatically displayed on the VSA instance login page as soon as at least one user account has been added to VSA via Domain Watch user policy
Note: when logging in using the OAuth method, a 'unverified' warning will be displayed on first login per user unless 'Branding & properties' are defined within Azure on behalf of the newly created application.