1. Create Azure Application

  • Login as Administrator in Azure portal. 
  • Go to Azure Active Directory/App registrations/New registration

  • Press register.
  • Copy the client ID into the User.Authentication.OAuth2.ClientsID client parameter (Clients parameters table).
  • Append the tenant ID to https://login.microsoftonline.com/ and set the result as the User.Authentication.Oauth2.Authority client parameter.

It should be something like:

2. Create secret key

  • Go to Certificates & secrets/New client secret

Please note that the secret value is displayed only right after creation.

Copy the secret value into the User.Authentication.OAuth2.Secret client parameter.


3. Prevention of the consent dialog at first login

To prevent the following dialog at first login

First Login

the following API permissions must be set

See: https://learn.microsoft.com/en-us/azure/active-directory/develop/application-consent-experience

"The Administrator grants consent through the API permissions page of the application registration in the Azure portal."

4. Expose an API

On the left panel, go to Expose an API.

The Application ID URI should be https://$acd_domain, where $acd_domain is the portal domain.


Add a scope: access_as_user.

  • Who can consent? Admins and users
  • Admin consent display name: Access as a User.
  • Admin consent description: Access as a User.
  • User consent display name: Access as a User.
  • User consent description: Access as a User.
  • Make sure it is enabled.

In the "Authorized client applications" part, add the IDs of the Teams apps (Web and Desktop) by clicking the plus button "Add a client application".

Here are the IDs:

1fec8e78-bce4-4aaf-ab1b-5451cc387264

5e3ce6c0-2b1f-4285-8d4b-75ee78787346


Go back to API permissions.

Add a new permission for the new scope.

  • Click "Add a permission".
  • Select "My APIs".
  • Choose the API application.
  • Select "Delegated permissions."
  • Check the access_as_user permission.
  • Click "Add permissions."
  • (Optional) Click "Grant admin consent" if necessary.

5. Login with Microsoft Entra ID configuration

  • The following client properties must be configured:

    Parameter                             Value
    User.Authentication.Azure.ClientsID   Client ID of the application
    User.Authentication.Azure.Authority   Login URL with tenant ID
    User.Authentication.Azure.Secret      Application secret
    User.Authentication.Azure.Force       Only Azure login is possible for the client.

  • Optionally, the resource portal.Login.Azure.Force can be set to enforce using Entra ID only.
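
A pre-flight check for the values from steps 1, 2, 4 and 5, added here as an example and not part of the product or the original page. The function name, the SAMPLE values and the portal domain are assumptions; the check assumes the tenant ID is given as a GUID and relies on the portal's Secret ID being GUID-shaped, unlike the secret value.

```python
import re
from urllib.parse import urlsplit

GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
# Teams client IDs listed in step 4 of this page
TEAMS_CLIENT_IDS = {"1fec8e78-bce4-4aaf-ab1b-5451cc387264",
                    "5e3ce6c0-2b1f-4285-8d4b-75ee78787346"}
PREFIX = "User.Authentication.Azure."  # parameter names from step 5

def check_entra_config(params, portal_domain, app_id_uri, authorized_clients):
    """Hypothetical helper: return a list of problems, empty if consistent."""
    problems = []
    client_id = params.get(PREFIX + "ClientsID", "")
    authority = params.get(PREFIX + "Authority", "")
    secret = params.get(PREFIX + "Secret", "")
    if not GUID.fullmatch(client_id):
        problems.append("ClientsID is not an application (client) ID GUID")
    # Step 1: authority = https://login.microsoftonline.com/ + tenant ID
    url = urlsplit(authority)
    if url.scheme != "https" or url.netloc != "login.microsoftonline.com":
        problems.append("Authority must start with https://login.microsoftonline.com/")
    elif not GUID.fullmatch(url.path.strip("/")):
        problems.append("Authority does not end with a tenant ID")
    # Step 2: the portal lists a secret Value and a GUID-shaped Secret ID;
    # only the value authenticates, so a GUID here is the wrong column.
    if not secret:
        problems.append("Secret is empty")
    elif GUID.fullmatch(secret):
        problems.append("Secret looks like the Secret ID, not the secret value")
    # Step 4: Application ID URI is https://$acd_domain
    if app_id_uri.rstrip("/") != f"https://{portal_domain}":
        problems.append("Application ID URI does not match the portal domain")
    missing = TEAMS_CLIENT_IDS - {c.lower() for c in authorized_clients}
    if missing:
        problems.append("Teams client IDs not authorized: " + ", ".join(sorted(missing)))
    return problems

# Constructed sample values (placeholders); the Secret holds a Secret ID by mistake
SAMPLE = {
    PREFIX + "ClientsID": "11111111-2222-3333-4444-555555555555",
    PREFIX + "Authority":
        "https://login.microsoftonline.com/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    PREFIX + "Secret": "66666666-7777-8888-9999-000000000000",
}
if __name__ == "__main__":
    print(check_entra_config(SAMPLE, "portal.example.com",
                             "https://portal.example.com", TEAMS_CLIENT_IDS))
```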