Covers registration and configuration of an OAuth App on Microsoft Azure Portal
It is possible to register an OAuth app for the Microsoft Graph API from the . This document covers the steps required to register an app on the Azure Active Directory and configure permissions for it.
Input all data as per this document. Naming conventions are critical for this function to work successfully!
1. Go to the Microsoft Azure Portal home page at https://portal.azure.com.
2. Click on the icon in the top left of the page to open the side menu.
3. In the side menu, select Azure Active Directory.
4. In the Azure Active Directory window, click on App Registrations and then select New Registration.
5. In the Register an Application screen, enter the following information:
Name: ICPAPI
Supported Account Types: Accounts in this organizational directory only
Under the Redirect URL (optional section) enter the following:
Select a Platform: Web
Sign-On URL: Not required
Then click on the Register button at the bottom of the page.
6. On the newly created Overview page for the app take a copy of the Application (client) ID and the Directory (tenant) ID. Hover over each code and select the Copy to Clipboard option when it appears. Save these IDs in a secure location.
7. Create a new Client Secret: On the left of the page click on Certificates & Secrets. Then click on Client Secrets and New Client Secret.
8. In the window that opens on the right, enter the following:
Name (description): ICPAPI_Handshake
Expires: Choose an expiry date that suits you.
Click Add- A new Client Secret will be generated for you. This will be the only time you will see the Client Secret Value, so you better copy it to a secured location otherwise you won't be able to retrieve it again! Click on the Copy to Clipboard icon to the right of the Client Secret Value to copy it.
Note: These steps require the user to have admin permissions in their organisation’s Azure Portal.
If the user has navigated away from the App Overview page, they can return to it by clicking on the icon in the top left of the page to open the side menu. Then select Azure Active Directory. In the Azure Active Directory select App registrations from the menu on the left and then select ICPAPI from the list.
1. From the App Overview page, select API Permissions and then Add a Permission.
2. In the window that opens on the right, click on Microsoft Graph.
3. Click on Delegated Permissions. To select a permission, search for it in the search bar and then click on the check box to the left of its name. Select these two permissions:
User.Read.All
Application.Read.All
Click on the Add Permissions button to add the selected permissions.
4. In the API Permissions window, click on Grant admin consent for Innova Drilling & Intervention.
5. In the menu on the left, click on Expose an API and then Add a Scope
6. In the window that opens on the right, click on Save and Continue.
7. On the next page enter the following information and then click on Add Scope:
Scope name: allow_user
Who can consent: Admins and users
The display name and description entries are optional. Enter a name/description that you want admins and users to see when the consent to the scope later.
State: Enabled.
8. In the menu on the left click on API Permissions and then Add a permission.
9. In the window that opens on the right, select My APIs and then click on your App/API.
10. Select the scope you just created by ticking the check box next to it, and then click on Add Permissions.
If your organization wishes to have MFA logins turned on for the Innova Web Portal, Mobile App and Well Seeker Pro server database logins, then they must first follow the below steps within Azure Active Directory. In addition to these steps, the system admin will require to turn on MFA for the organization, or for individual users within Azure Active Directory. For that process the user should refer to Azure Active Directory documentation.
1. Once logged on to Azure Active Directory select Home > App registration > ICPAPI > Authentication.
2. Use the call back URI for the single page web app. In the Single-page application section add the below URIs by selecting Add URI.
https://www.icpwebportal.com
https://icpwebportal.com
https://eu.icpwebportal.com
3. In the Mobile and desktop applications section ensure that the URI below is available, if not add it. Check the selection box to select it.
https://login.microsoftonline.com/common/oauth2/nativeclient
4. In the Mobile and desktop applications section add the below URI.
com.icds-innova-dan://auth
5. Scroll down to the Implicit grant and hybrid flows section. This is to turn on access tokens for authorization endpoint. Select the check boxes for the Access tokens and ID tokens options.
6. Select the Expose an API section.
7. Select Add a scope and input the below details and then select Add scope.
Scope Name: icpapi_read
Who can consent: Admins and users
Admin consent display name: Read icp api
User consent display name: icpapi read
State: Enabled