220.127.116.11.Configuring Office 365 login provider
The Office 365 login provider supports both API versions (v1.0 and v2.0). German cloud (dedicated and isolated Microsoft Azure version for Germany) unfortunately does not support v2.0, only v1.0. Here are the differences between versions:
- The login application for API version 1.0 is registered through the Azure management portal (requires Microsoft Azure subscription) and does not support logins through Microsoft personal accounts, only Work and School accounts.
- The login application for API version 2.0 is registered through apps.dev.microsoft.com and supports all Microsoft logins (Personal, Work and School).
API version 1.0 registration
When configuring Office 365 login provider, if Germany is selected in the Region dropdown list, version 1 is automatically preselected in the API version dropdown list. Do not change it, as the German cloud does not support API v2.0.
Here is how to register the API version 1.0:
- On the Microsoft Azure portal, click on Azure Active Directory -> App registrations -> New application registration.
- Enter the name, application type (API) and sign-on URL (https://SERVER_NAME/contentACCESSLogin).
- Select the created app.
- Copy the necessary IDs and enter them to the respective fields in Settings -> Properties. Set the app as multi-tenanted.
- In Settings -> Reply URLs, enter the reply URL (https://SERVER_NAME/contentACCESSLogin/LoginOAuth2.aspx/oauth2callback). This URL can also be found in contentACCESS Central administration -> System -> Login providers -> Office 365 -> Authorized redirect URL.
- In Required permissions, click on +Add -> Select an API -> Microsoft Graph.
- Click on Select permissions and check the options Sign in and read user profile and Read all users’ basic profiles.
- In Settings -> Keys, add the key name/description and select the option Never expires. Click Save.
- Copy the key value and save it somewhere, because you won’t be able to retrieve it afterwards. This value must be entered in the Office 365 login provider as the ClientSecret.
API version 2.0 registration
contentACCESS supports log in using your Microsoft account. The first thing you need to do is to register an application (contentACCESS) under your Microsoft account.
- Log in to Azure portal: https://portal.azure.com
- Go to Azure Active Directory -> App registrations
- Create a new application registration
1. Name the application (this will be displayed for users while approving the access to their details on first login)
2. Select the preferred account types to allow logging in
3. Enter the redirect URL (this info is provided in contentACCESS in O365 login provider configuration)
- Go to Certificates & secrets and generate a new client secret
- Copy the client secret
- Go to Overview and copy the Application ID
- Enter the Application ID and Client Secret into O365 login provider configuration in Central Administration