
Configure Microsoft Entra ID (OIDC) for ept AI

Enable Single Sign-On (SSO) so your users can sign in to ept AI with their Microsoft Entra ID accounts using OpenID Connect (OIDC).


Overview

This guide walks administrators through creating an OIDC application in Microsoft Entra ID, connecting it to ept AI, assigning access, and testing SSO. Images can be added later where indicated.

SSO flow at a glance:

  • ept AI initiates OIDC with Microsoft as the identity provider
  • Users authenticate in Microsoft Entra ID
  • Microsoft returns an ID token to ept AI at the callback URL

Before you begin

  • You will receive a unique SSO setup URL from the ept AI team. Keep this page open during the setup. It shows the exact callback URL your tenant must use.
  • Microsoft Entra admin permissions: Application Administrator, Cloud Application Administrator, or equivalent
  • Decide which users/groups should be allowed to sign in

Values you will need

  • Callback URL: shown on your ept AI SSO setup page (for production this is https://login.ept.ai/login/callback)
  • Microsoft Entra ID domain: your tenant’s primary domain (for example, abcd.onmicrosoft.com)

Step 1 — Create the application in Microsoft Entra ID

  1. In the Azure portal, go to Microsoft Entra ID > App registrations and select New registration.

    App registration - New registration

    Register application screen

  2. Name: ept AI (any recognizable name is fine).

  3. Supported account types: Accounts in this organizational directory only (Single tenant).

  4. Redirect URI:

    • Platform: Web
    • Redirect URI: use the Callback URL from your ept AI SSO setup page (for production: https://login.ept.ai/login/callback).

    Add a platform - Web

    Configure Web platform

    Add Redirect URI

  5. Select Register.

  6. Copy the Application (client) ID. You will paste this into ept AI.

  7. Create a client secret:

    • Go to Certificates & secrets > New client secret.
    • Add a description and expiration.
    • Select Add, then immediately copy the Value. You will paste this into ept AI.

    Create client secret and copy value

Notes:

  • Do not expose an API or add permissions—no Graph permissions are required for standard sign-in.
  • If you maintain separate staging environments, add their callback URLs as additional Web redirect URIs.

Step 2 — Configure the connection in ept AI

Open your unique SSO setup URL from ept AI and fill in the fields:

  • Microsoft Entra ID Domain: your tenant domain (for example, abcd.onmicrosoft.com).
  • Client ID: paste the Application (client) ID from the app registration.
  • Client Secret: paste the client secret Value you created.
  • Callback URL: verify it matches the value you added in Step 1.

Save the configuration.

Step 3 — Assign access

Restrict who can sign in by assigning users or groups to the service principal:

  1. In the Azure portal, go to Microsoft Entra ID > Enterprise applications.

  2. Find the application you created (the service principal for your app registration) and open it.

  3. Optional but recommended: under Properties, set User assignment required? to Yes if you want only assigned users/groups to access ept AI.

  4. Go to Users and groups > Add user/group.

  5. Select the users and/or groups you want to grant access to, then select Assign.

    Add user or group assignment

    Select users - step 1

    Select users - step 2

Step 4 — Test SSO

  • In ept AI, use the Test SSO action on the setup page, or open an incognito window, go to your ept AI login page, and choose the Microsoft Entra ID option.
  • Sign in as a user you assigned in Step 3 and verify you land back in ept AI.

Troubleshooting

  • redirect_uri_mismatch or AADSTS50011:
    • Ensure the Redirect URI in App registrations > Authentication exactly matches the Callback URL shown on your ept AI setup page.
  • invalid_client or AADSTS7000215:
    • The client secret is missing, expired, or incorrect. Create a new secret and update it in ept AI.
  • User not authorized:
    • If User assignment required? is set to Yes, ensure the user or their group is assigned under Enterprise applications > Users and groups.
  • Domain/tenant confusion:
    • Use your primary tenant domain (for example, abcd.onmicrosoft.com) in the ept AI connection form. You can find it under Microsoft Entra ID > Overview.
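The exchange behind Steps 1–4 and the redirect URI mismatch in Troubleshooting, as an added example that is not ept AI's code: it builds the Entra v2.0 authorization request from the callback URL and scopes in this guide, compares the redirect URI the way Entra does, and validates the claims of a constructed ID token. It assumes the authorization-code flow; the tenant and client GUIDs are made up, and signature verification against the tenant JWKS is not shown.

```python
import time
from urllib.parse import urlencode

# Constructed values standing in for the guide's placeholders; the two GUIDs are made up.
TENANT_DOMAIN = "abcd.onmicrosoft.com"  # example tenant domain from the guide
TENANT_ID = "11111111-2222-3333-4444-555555555555"  # constructed Directory (tenant) ID
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # constructed Application (client) ID
CALLBACK_URL = "https://login.ept.ai/login/callback"  # production callback from the guide
SCOPES = "openid profile email"  # the standard OIDC scopes the FAQ lists


def build_authorize_url(state: str, nonce: str) -> str:
    """Authorization request the relying party sends the browser to (Entra v2.0 endpoint)."""
    params = {"client_id": CLIENT_ID, "response_type": "code", "redirect_uri": CALLBACK_URL,
              "scope": SCOPES, "state": state, "nonce": nonce}
    return (f"https://login.microsoftonline.com/{TENANT_DOMAIN}/oauth2/v2.0/authorize?"
            + urlencode(params))


def redirect_uri_matches(registered: str, requested: str) -> bool:
    """Entra compares the redirect URI literally: scheme, host, path and even a
    trailing slash must be identical, otherwise sign-in fails with AADSTS50011."""
    return registered == requested


def validate_id_token_claims(claims: dict, expected_nonce: str, now=None) -> list:
    """Return the problems found in a decoded ID token's claims (empty list = accept).
    Signature verification against the tenant's JWKS is a separate, preceding step."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") != CLIENT_ID:
        problems.append("aud is not our client ID")
    if claims.get("tid") != TENANT_ID:
        problems.append("token issued by a different tenant")
    if claims.get("iss") != f"https://login.microsoftonline.com/{claims.get('tid')}/v2.0":
        problems.append("iss does not match the tenant")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch (possible replay)")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


# Constructed claims of the kind Microsoft returns in the ID token at the callback URL.
SAMPLE_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0", "aud": CLIENT_ID,
    "tid": TENANT_ID, "nonce": "n-0S6_WzA2Mj", "exp": 4102444800,
}

if __name__ == "__main__":
    print(build_authorize_url(state="s-example", nonce="n-0S6_WzA2Mj"))
    print(validate_id_token_claims(SAMPLE_CLAIMS, "n-0S6_WzA2Mj"))
```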

Security and maintenance

  • Rotate client secrets before expiry and update the value in ept AI.
  • Use Conditional Access and MFA as required by your security policies.
  • Remove users/groups from the Enterprise application to revoke access.

FAQ

  • What scopes/claims does ept AI require?
    • Standard OIDC scopes: openid, profile, email. No Graph permissions are required.
  • Do I need to upload certificates?
    • No. Microsoft publishes its token signing keys through OIDC discovery (JWKS) and they are retrieved automatically, so there is nothing to upload.
  • Can I limit access to a subset of users?
    • Yes. Set User assignment required? to Yes on the Enterprise application and assign only the users/groups who should sign in.