Using Azure Entra ID for SSO

How to use Azure Entra ID as the authentication method for single sign-on (SSO)

Users can be added directly, or they can be synchronized from an app registration in Azure. The following walks you through creating an app registration. You need admin privileges in Azure to create an app registration. 

Creating the App Registration for Single Sign-On

  1. In Azure, search for the App registrations menu.
  2. Click + New registration.
  3. Complete the application details.
  4. Enter a name for the app registration. For example, "FormsPro Azure Active Directory Service."
  5. From the Supported account types list, leave Accounts in this organizational directory only marked.
  6. Click Register.

Adding Redirect URIs 

Once a user is authenticated, Entra ID issues a token that the user presents to the application. That token is returned to the application through the redirect URI, so for security reasons you must register a redirect URI on your app registration before users can log in to your application.

The app registration needs to be configured for each platform you will deploy in your environment. The following table provides more details about the apps and platforms to configure in the app registration.

App         | Description                                                        | Azure Platform | Configuration Value
------------|--------------------------------------------------------------------|----------------|--------------------------------------------------------------------------------
Admin App   | The FormsPro admin application to create forms and manage users.   | SPA            | https://[FORMS_PRO_INSTANCE].com/login
Web App     | App used in the browser to create submissions.                     | SPA            | https://[FORMS_PRO_INSTANCE].com/login
iOS App     | iOS app installed on devices to create submissions.                | iOS App        | Package name: com.omnibyte.forms; Redirect URI: msauth.com.omnibyte.forms://auth
Android App | Android app installed on devices to create submissions.            | Android App    | Package name: com.omnibyte.forms; Signature hash: ga0RGNYHvNM5d0SLGQfpQWAPGJ8=

  1. On the Overview tab for your app registration, click the Add a Redirect URI link.
  2. Click + Add a platform.
  3. Select the applicable platform to create a redirect URI.
  4. Enter the redirect URI of the application.
  5. Click Configure.

Creating Client Secrets

A client secret is used to ensure that the application requesting the token created earlier is the application that originated the request. It is required for the client to authenticate with the server.

  1. Click the Certificates & secrets blade.
  2. Click the Client secrets tab.
  3. Click + New client secret.
  4. Enter a description for the client secret. This field should describe what the client secret is. For example, "FormsPro SSO."
  5. From the Expires list, select the lifetime of the client secret. The default is 180 days. This may vary depending on your organization’s security requirements.
  6. Click Add.
    ⚠️ Once you’ve created the client secret you have one chance to copy and paste the Value and Secret ID. After you refresh or navigate away from this page, you will not be able to see these keys again. Copy and paste these values into your password manager so they can be used in the future. The Value key is what will be used to configure SSO in FormsPro.
    ⚠️ You must create a new client secret before the current client secret expires. You will also need to update this client secret in FormsPro or Advanced Forms. Not doing so may cause service interruptions to your application.

Assigning Permissions to the App Registration

Configure the necessary permissions for your app registration.

  1. Click the API permissions blade for your app registration.
  2. Click + Add a permission.
  3. Click Microsoft Graph.
  4. Click Application permissions.
  5. Select the following permissions by either searching for the permissions or selecting them in each Permission menu.

    Permission          | Description
    --------------------|--------------------------------------------------------------------------------------------------------
    Group.Read.All      | This permission is to read the groups in an Entra ID environment.
    Mail.ReadWrite      | This permission is used to read and write messages for user accounts. It is not used to send messages.
    Mail.Send           | This permission goes along with Mail.ReadWrite, but explicitly provides the ability to send messages.
    Team.ReadBasic.All  | This permission is for reading teams from Microsoft Teams, rather than groups in Azure Entra ID.
    TeamMember.Read.All | This permission is for team members that may only exist in Microsoft Teams.
    User.Read           | This permission allows the application to read basic information about the signed-in user.
    User.Read.All       | This permission allows the application to read the full profile of a signed-in user. It is needed for syncing specific users.

  6. Click Add permissions.

Granting Administrator Consent to Use Microsoft Graph APIs

The last part of the app registration is to grant administrator consent to use the Microsoft Graph APIs for the application.

  1. Click the API permissions blade of your app registration. You will see the list of permissions from the previous steps.
  2. Click Grant admin consent for your Azure tenant. After consent is granted, the Status column for each permission shows Granted.
  3. Your app registration is complete. You can continue by configuring single sign-on settings.
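As an added example (not part of the FormsPro documentation or product), the following Python script audits an app registration exported from Microsoft Graph (the JSON returned by GET /applications/{id}) against the settings from the sections above: the redirect URIs per platform, the Microsoft Graph application permissions, and the client secret expiry. The instance hostname forms.example.com and the role ids are assumptions, and the Android redirect URI is the form the portal derives from the package name and signature hash in the table.

```python
from datetime import datetime, timezone
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known Microsoft Graph appId
# Application permissions from the table above; User.Read is delegated-only in Graph (no app role)
REQUIRED_ROLES = {"Group.Read.All", "Mail.ReadWrite", "Mail.Send",
                  "Team.ReadBasic.All", "TeamMember.Read.All", "User.Read.All"}
EXPECTED_URIS = {  # the only places tokens may be delivered; the SPA host is assumed
    "spa": {"https://forms.example.com/login"},
    "publicClient": {"msauth.com.omnibyte.forms://auth",  # iOS URI from the table
                     # Android URI the portal derives: msauth://<package>/<URL-encoded hash>
                     "msauth://com.omnibyte.forms/ga0RGNYHvNM5d0SLGQfpQWAPGJ8%3D"}}
# CONSTRUCTED placeholder ids; in practice resolve ids via the Graph service principal's appRoles
APP_ROLE_NAMES = {f"role-{i}": name for i, name in enumerate(sorted(REQUIRED_ROLES))}

def _parse_graph_time(value):  # Graph returns UTC ISO-8601 ending in Z; drop fractions
    return datetime.fromisoformat(value.rstrip("Z").split(".")[0]).replace(tzinfo=timezone.utc)

def audit_app(manifest, now, warn_days=30):
    """Return sorted findings for an app registration manifest; [] means it matches."""
    findings = []
    for platform, expected in EXPECTED_URIS.items():
        actual = set(manifest.get(platform, {}).get("redirectUris", []))
        findings += [f"unexpected {platform} redirect URI: {u}" for u in actual - expected]
        findings += [f"missing {platform} redirect URI: {u}" for u in expected - actual]
    granted = set()
    for rra in manifest.get("requiredResourceAccess", []):
        if rra["resourceAppId"] != GRAPH_APP_ID:
            findings.append(f"permissions requested on non-Graph API {rra['resourceAppId']}")
            continue
        granted |= {APP_ROLE_NAMES.get(a["id"], a["id"])
                    for a in rra["resourceAccess"] if a["type"] == "Role"}
    findings += [f"missing application permission: {r}" for r in REQUIRED_ROLES - granted]
    findings += [f"extra application permission: {r}" for r in granted - REQUIRED_ROLES]
    secrets = manifest.get("passwordCredentials", [])
    if not secrets:
        findings.append("no client secret configured")
    for cred in secrets:  # a replacement secret is needed before the current one expires
        days_left = (_parse_graph_time(cred["endDateTime"]) - now).days
        if days_left < 0:
            findings.append(f"client secret '{cred['displayName']}' has expired")
        elif days_left <= warn_days:
            findings.append(f"client secret '{cred['displayName']}' expires in {days_left} days")
    return sorted(findings)

# Constructed sample: Android URI missing, Mail.Send not requested, secret 10 days from expiry
SAMPLE_MANIFEST = {
    "spa": {"redirectUris": ["https://forms.example.com/login"]},
    "publicClient": {"redirectUris": ["msauth.com.omnibyte.forms://auth"]},
    "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
        {"id": rid, "type": "Role"} for rid, n in APP_ROLE_NAMES.items() if n != "Mail.Send"]}],
    "passwordCredentials": [{"displayName": "FormsPro SSO", "endDateTime": "2025-07-11T00:00:00Z"}]}
NOW = datetime(2025, 7, 1, tzinfo=timezone.utc)  # fixed clock so the sample is reproducible
if __name__ == "__main__":
    print("\n".join(audit_app(SAMPLE_MANIFEST, NOW)))
```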