Configure Entra ID as an OIDC IdP

Overview

Use this guide to configure Microsoft Entra ID as an OpenID Connect (OIDC) identity provider for Atria. This is the recommended method for Atria 15.31 and newer, replacing the legacy Azure AD login configuration path. The outcome is a standards-based SSO integration that can be used for single-customer or inherited reseller models.

Before You Start

Prepare the following before configuration:

  • Access to the Microsoft Entra admin center (https://entra.microsoft.com)
  • The Atria URL for your environment
  • The target customer/reseller context in Atria where the provider will be created
  • A secure storage location for the client secret

You will need both callback URIs (replace <atria-host> with your Atria host):

  • https://<atria-host>/oidc/callback
  • https://<atria-host>/oidc/link/callback

Step 1: Create the Entra App Registration

  1. In Entra ID, go to App registrations > New registration.
  2. Set a name (for example: Atria OIDC Connection).
  3. Set the supported account type based on your design:
    • Multi-tenant/shared model: accounts in any organizational directory (multi-tenant)
    • Single-tenant/customer-specific model: accounts in this organizational directory only
  4. Add an initial Web redirect URI:
    • https://<atria-host>/oidc/link/callback
  5. Click Register.

Step 2: Configure Redirect URIs

  1. Open the app registration and go to Authentication.
  2. Add the second Web redirect URI:
    • https://<atria-host>/oidc/callback
  3. Confirm both redirect URIs are listed and saved.

Step 3: Create a Client Secret

  1. Go to Certificates & secrets.
  2. Click New client secret.
  3. Add a description and an expiry.
  4. Save both values immediately:
    • Secret value
    • Secret ID (for reference)

The secret value is shown only once; if it is lost, create a new client secret.

Step 4: Configure API Permissions

  1. Go to API permissions > Add a permission > Microsoft Graph > Delegated permissions.
  2. Add required permissions:
    • openid
    • email
    • User.Read
  3. Grant admin consent for the tenant.

Step 5: Capture App Values

From the app Overview, record:

  • Application (client) ID
  • Tenant context (single-tenant issuer or multi-tenant issuer model)

From Entra metadata, use this well-known endpoint pattern (your tenant ID for a single-tenant app, or organizations for a multi-tenant app):

  • https://login.microsoftonline.com/<tenant-id-or-organizations>/v2.0/.well-known/openid-configuration

Step 6: Add the Provider in Atria

  1. In Atria, navigate to Customer > Identity Provider Configurations.
  2. Click Add and complete:
    • Display Name
    • Client ID
    • Client Secret
    • Wellknown Endpoint
    • Access Level (Current Customer or Current and All Sub-Customers)
  3. Optional: set as Default if this should enforce SSO for that scope.
  4. For auto-linking, the recommended mapping for Entra ID is:
    • OIDC Claim: preferred_username
    • User Property: UPN
  5. Save the provider.

Validation

After saving, validate:

  1. The well-known endpoint validation succeeds in Atria.
  2. The provider appears for the expected customer scope.
  3. Login redirects to Entra ID and returns successfully to Atria.
  4. The first successful login creates or links the expected Atria user.
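As an added pre-flight check, not part of Atria or this guide, the Python below ties the steps together: it checks that the well-known URL follows the Entra v2.0 pattern from Step 5, that the discovery document names the tenant it claims and advertises the preferred_username claim used in Step 6, and that both callback URIs from Steps 1 and 2 are registered. The Atria host (atria.example.com), the discovery document and the tenant ID are constructed sample values; the multi-tenant issuer check reflects the literal "{tenantid}" placeholder the organizations endpoint publishes.

```python
import json
import re

# Entra v2.0 discovery URL pattern from the guide: a tenant GUID or "organizations".
WELLKNOWN_RE = re.compile(r"^https://login\.microsoftonline\.com/(?P<tenant>[0-9a-f-]{36}|organizations)"
                          r"/v2\.0/\.well-known/openid-configuration$")
REQUIRED_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri", "claims_supported")


def expected_redirect_uris(atria_host):
    """Both callback URIs the Entra app registration must list for this Atria host."""
    return {f"https://{atria_host}/oidc/callback", f"https://{atria_host}/oidc/link/callback"}


def check_provider(wellknown_url, metadata_json, registered_redirects, atria_host):
    """Return a list of problems; an empty list means the inputs are consistent."""
    m = WELLKNOWN_RE.match(wellknown_url)
    if not m:
        return [f"well-known URL does not match the Entra v2.0 pattern: {wellknown_url}"]
    tenant = m.group("tenant")
    meta = json.loads(metadata_json)
    problems = [f"metadata missing {k}" for k in REQUIRED_KEYS if k not in meta]
    issuer = meta.get("issuer", "")
    if tenant == "organizations":
        # The multi-tenant document advertises the literal template "{tenantid}";
        # a client doing strict issuer comparison must substitute the real tenant.
        if "{tenantid}" not in issuer:
            problems.append(f"unexpected multi-tenant issuer: {issuer}")
    elif issuer != f"https://login.microsoftonline.com/{tenant}/v2.0":
        problems.append(f"issuer {issuer} does not belong to tenant {tenant}")
    if "preferred_username" not in meta.get("claims_supported", []):
        problems.append("preferred_username not advertised; the UPN auto-link mapping needs it")
    for uri in sorted(expected_redirect_uris(atria_host) - set(registered_redirects)):
        problems.append(f"redirect URI not registered in Entra: {uri}")
    return problems


# Constructed sample shaped like a single-tenant Entra v2.0 discovery document.
TENANT = "00000000-0000-0000-0000-000000000001"
SAMPLE_URL = f"https://login.microsoftonline.com/{TENANT}/v2.0/.well-known/openid-configuration"
SAMPLE_METADATA = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
    "claims_supported": ["sub", "iss", "aud", "preferred_username", "email", "tid"],
})

if __name__ == "__main__":
    for p in check_provider(SAMPLE_URL, SAMPLE_METADATA, ["https://atria.example.com/oidc/callback"], "atria.example.com"):
        print("PROBLEM:", p)
```

Run against the real document fetched from your well-known URL and the redirect URIs listed under Authentication; an empty result means the three configuration surfaces agree before you test a login.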

Reference

Scribe walkthrough: