If you have not already done so, please refer to the Azure Credential Generation and Configuration guide here.
Note: This guide walks you through creating a separate 'App registration' that Microsoft OAuth can reference to log into an On-Prem VSA installation. It must be completed once per VSA instance.
Note: The additional configuration described in this guide is only required to support 'Sign in with Microsoft' for VSA on-prem deployments. As of VSA 9.5.12, SaaS-based VSA deployments automatically activate this feature when a Domain Watch policy has been applied to at least one Azure-sourced User account.
1. Log into Azure (https://portal.azure.com)
2. In the administrative ribbon called 'Azure services', open 'Azure Active Directory'
3. Select 'App registrations' on the left navigation bar.
4. Register an entry for VSA and select the option 'Accounts in any organization directory (Any Azure AD directory + Multitenant)'. NOTE: The name of the newly created entry will be required for later use.
5. After registration has occurred, the page will display:
- Application (client) ID
- Directory (tenant) ID
NOTE: Both IDs will be required for later use within VSA.
6. Navigate back to 'App registrations' on the left navigation bar, search for the App Registration you just created, and select it
7. Select 'Authentication' in the left navigation bar, click 'Add a platform' and select 'Web'
8. Under Redirect URIs, enter your VSA instance URL followed by the path /api/v2.0/auth/oidc/aad/signin-oidc.
For example, if your VSA instance URL is 'https://My.VSA', the redirect URI would be: https://My.VSA/api/v2.0/auth/oidc/aad/signin-oidc
9. Make sure to select 'ID tokens' at the bottom of the administrative pane before clicking 'Configure'
10. Change 'Allow public client flows' from No to Yes and click Save
11. Log into your VSA instance using the 'Master' role and navigate to System>Server Management>Logon Policy
12. Locate the 'Microsoft Azure AD Single Sign-On Settings' section and enter the Directory ID and Application ID from your newly created App Registration.
13. Select 'Enable' and click 'Update' to apply your changes
14. The 'Sign in with Microsoft' button should now be automatically displayed on the VSA instance login page as soon as at least one user account has been added to VSA via Domain Watch user policy
Note: When logging in using the OAuth method, an 'unverified' warning will be displayed on each user's first login unless 'Branding & properties' have been defined in Azure for the newly created application.
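The Azure portal steps above (4 through 10) can also be scripted so the per-instance App registration is reproducible. The script below is an added example, not Kaseya tooling; it assumes the Azure CLI is installed, `az login` has already been run by a user permitted to create app registrations, and that the script file is named register-vsa-app.sh.

```shell
#!/usr/bin/env bash
# Added example (not Kaseya's own tooling): creates the VSA App registration
# with the Azure CLI. Assumes `az login` has already been run.
set -eu

# Build the redirect URI from the VSA instance URL (step 8). A trailing slash
# is stripped so 'https://My.VSA/' and 'https://My.VSA' give the same result,
# and the scheme must be https, since Azure AD only accepts http redirect
# URIs for localhost.
vsa_redirect_uri() {
  base="${1%/}"
  case "$base" in
    https://*) ;;
    *) echo "VSA URL must start with https://" >&2; return 1 ;;
  esac
  printf '%s/api/v2.0/auth/oidc/aad/signin-oidc\n' "$base"
}

# Create the registration with the settings the guide selects by hand:
# multitenant sign-in audience (step 4), Web platform redirect URI
# (steps 7-8), ID tokens enabled (step 9), public client flows allowed
# (step 10). Prints the two IDs that VSA asks for in step 12.
register_vsa_app() {
  name="$1"
  redirect="$(vsa_redirect_uri "$2")"
  app_id="$(az ad app create \
      --display-name "$name" \
      --sign-in-audience AzureADMultipleOrgs \
      --web-redirect-uris "$redirect" \
      --enable-id-token-issuance true \
      --is-fallback-public-client true \
      --query appId -o tsv)"
  tenant_id="$(az account show --query tenantId -o tsv)"
  echo "Application (client) ID: $app_id"
  echo "Directory (tenant) ID:   $tenant_id"
}

# Only talk to Azure when explicitly asked, e.g.:
#   ./register-vsa-app.sh --apply "VSA OAuth" https://My.VSA
if [ "${1:-}" = "--apply" ]; then
  register_vsa_app "$2" "$3"
fi
```

Record the two printed IDs; they are the values entered into VSA in step 12, and the registration name is the one step 4 says to keep for later.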