CS

Configuring user login via MS Entra

Home / Support / Manuals / Administrator Guide /

Configuring user login via MS Entra

CS

NET Genium supports user login using accounts managed in Microsoft Entra ID (formerly Azure Active Directory). To use this functionality, manual configuration in the Microsoft Entra ID environment is required.

1. Microsoft Entra ID configuration

  • Application registration “NET Genium” at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps
    • portal.azure.com / App registrations
    • NET Genium as the application name
    • Finding Application (client) ID which is automatically created when the application is registered
      • Application (client) ID
    • Setting NET Genium URL to https://{netgenium_url}/LoginByMicrosoft.aspx
      • portal.azure.com / App registrations / NET Genium / Authentication / Redirect URIs
    • Authorization access tokens
      • portal.azure.com / App registrations / NET Genium / Authentication / Implicit grant and hybrid flows / Access tokens (used for implicit flows)
    • Authorization Token ID
      • portal.azure.com / App registrations / NET Genium / Authentication / Implicit grant and hybrid flows / ID tokens (used for implicit and hybrid flows)
    • Creation client secret code
      • portal.azure.com / App registrations / NET Genium / Certificates & secrets / New client secret
    • Setting API permissions for Microsoft Graph
      • portal.azure.com / App registrations / NET Genium / API permissions / Add a permission / Microsoft Graph
      • API name “Microsoft Graph – User.Read”, type “Delegated

Obrázek.png

2. NET Genium configuration

  • Create a configuration file “NETGenium\Config\MicrosoftOAuth.json
    • Set the contents of the file to: “{"web":{"client_id":"Application (client) ID ","auth_uri":"https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize","token_uri":"https://login.microsoftonline.com/organizations/oauth2/v2.0/token","client_secret":"client secret code"}}”

3. Debugging errors or in case of broken login

3.1. General

  • Enable "To disk" or "To database and to disk" logging
  • Try logging in
  • Parse the contents of the log file "NETGenium\Logs\Anonymous\{yyyy-dd-MM}\loginbymicrosoft.log"
  • According to the type of error described in the log file "loginbymicrosoft.log"
    • Change the contents of the configuration file "MicrosoftOAuth.json"
    • Change settings in Azure (typically client_secret expiration)

3.2. Response status code does not indicate success: 401 (Unauthorized)

  • Search for the login attempt in the Auth.log log file.
  • Search for the entry by the login date and time and user account.
  • If there is no login entry in the Auth.log file, authentication on the Microsoft service side was not successful. In this case, you need to check the application configuration, client login details and OAuth settings in the service environment.
  • If there is an entry, proceed according to the error message in the log and adjust the configuration in the NetGenium system or in the provider identity settings.

3.3. Sorry, but we're having trouble with signing you in

  • Verify that all redirect endpoint variants (with www and without www) are specified in the MS Entra configuration.
  • Check the exact match of URL addresses, including case.
  • If there is no record of a login attempt in the Auth.log log, the authentication process has already been completed on the Microsoft service side.