Entra ID Configuration Manual

Configuring Entra ID/Azure AD for MOPS 4.0

MOPS 4.0 offers several ways of authenticating applications/APIs and authorizing users. The MOPS 4.0 IDP is built specifically for these tasks and runs in a Docker container on a Windows Server; it can use both locally configured users and AD users. AD FS is another on-premises solution that is supported. If the preferred choice is the cloud-based Entra ID/Azure AD, this document contains the instructions for configuring it.

App Registration

  1. In Azure Portal, select “Microsoft Entra ID” (formerly Azure AD) under Azure Services or search for it in the search box at the top.

  2. Select “App Registrations” in the menu on the left.

  3. Click “New Registration”.

  4. Register the application by filling in the form as shown below. You will need to add the following redirect URL:

  • https://<your_MOPS_installation>/callback

The redirect URL should be registered with the platform type Single-page application (SPA).

Token Configuration

  1. MOPS 4.0 needs more information in its tokens than Entra ID/Azure AD sends by default. To configure this, navigate to “Token Configuration” in the menu on the left.

  2. Click “Add optional claim”, select the token type “Access” and tick the claims shown below:

  3. Some OpenID Connect scopes (or “permissions”, as Microsoft calls them) need to be added to the registration; they are provided by the Microsoft Graph API. To do this, navigate to “API permissions”.

  4. Under “Configured permissions”, click “Add permission”. A new window opens on the right; select “Microsoft Graph”. Next, select “Delegated permissions” and check the following permissions under “OpenId permissions”:

Telling Entra ID/Azure AD to create tokens for MOPS 4.0

By default, Entra ID/Azure AD issues access tokens intended for the Microsoft Graph API. A client application registered in Entra ID/Azure AD cannot use such tokens against a custom API unless the API exposes a custom scope, so that tokens are issued with the API itself as their audience. Fortunately this is easy to set up.

  1. Navigate to “Expose an API” in the left-hand menu:

  2. Set the “Application ID URI” by clicking “Add”. A window on the right will contain api://<Application (client) ID>; click “Save”.

  3. On the same page, select “Add Scope” and fill in the following:

Configuring correct token version for MOPS 4.0

The default behaviour of Entra ID/Azure AD is to issue version 1 tokens. Version 1 is becoming obsolete and version 2 is recommended, but Entra ID/Azure AD currently still defaults to version 1, and there is no GUI for changing this in the Entra ID/Azure AD portal; it must be done in the manifest.

Navigate to the manifest:

Change the default configuration:

"requestedAccessTokenVersion": null

to the following:

"requestedAccessTokenVersion": 2
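As an added example (not part of this manual and not MOPS 4.0 code), the following Python check decodes an access token's payload and verifies that it has the shape the two sections above produce: ver is "2.0" (the manifest change), aud is the Application ID URI api://<Application (client) ID> (the exposed scope) and iss is the v2.0 issuer of the expected tenant. It inspects claims only; the signature must still be verified against the tenant's JWKS before any token is trusted, and that step is deliberately not part of this example. The tenant ID, client ID and the two sample tokens are constructed placeholders.

```python
import base64
import json
import time
from typing import List, Optional


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT. No signature check is performed here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def check_mops_token(token: str, tenant_id: str, client_id: str,
                     now: Optional[float] = None) -> List[str]:
    """Return the problems found in the claims; an empty list means the shape is right.

    Claim-shape check only: verifying the signature against the tenant JWKS is a
    separate, mandatory step that this example does not perform.
    """
    now = time.time() if now is None else now
    claims = jwt_payload(token)
    problems = []

    # "requestedAccessTokenVersion": 2 in the manifest yields ver 2.0.
    if claims.get("ver") != "2.0":
        problems.append(f"token version is {claims.get('ver')!r}, expected '2.0' "
                        "(set requestedAccessTokenVersion to 2)")

    # The exposed scope makes the API the audience: api://<Application (client) ID>.
    expected_aud = f"api://{client_id}"
    aud = claims.get("aud")
    if aud != expected_aud and not (isinstance(aud, list) and expected_aud in aud):
        problems.append(f"audience {aud!r} is not {expected_aud!r} "
                        "(token was probably issued for Microsoft Graph)")

    # Version 2 tokens carry the v2.0 issuer for the tenant.
    expected_iss = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    if claims.get("iss") != expected_iss:
        problems.append(f"issuer {claims.get('iss')!r} is not {expected_iss!r}")

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or has no exp claim")

    return problems


def make_unsigned_sample(claims: dict) -> str:
    """Build a constructed, UNSIGNED sample token for local testing only."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "",
    ])


# Constructed placeholder identifiers; replace with your tenant and app registration values.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"

# What a token looks like after the manifest change and the exposed scope (constructed).
GOOD_TOKEN = make_unsigned_sample({
    "ver": "2.0",
    "aud": f"api://{CLIENT_ID}",
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "exp": 4102444800,  # 2100-01-01, far in the future
})

# A version 1 token issued for Microsoft Graph: the default before the steps above (constructed).
GRAPH_V1_TOKEN = make_unsigned_sample({
    "ver": "1.0",
    "aud": "https://graph.microsoft.com",
    "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "exp": 4102444800,
})

if __name__ == "__main__":
    for name, tok in [("good", GOOD_TOKEN), ("graph-v1", GRAPH_V1_TOKEN)]:
        print(name, check_mops_token(tok, TENANT_ID, CLIENT_ID) or "OK")
```

Running the script prints "OK" for the first token and three findings for the second (wrong version, wrong audience, wrong issuer), which is the symptom you see in MOPS 4.0 when the manifest still contains null or the scope has not been exposed.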

Condition Monitoring System (CMS)

If CMS was installed with MOPS 4.0, its services will also need to be authenticated. Since these services are not interactive users in the MOPS 4.0 UI, they need to be set up to use the client_credentials OIDC flow. In Entra ID/Azure AD the client used for MOPS 4.0 can also be used for this purpose, so the configuration to add client_credentials is quite simple.

  1. In Azure Portal, select “Microsoft Entra ID” (formerly Azure AD) under Azure Services or search for it in the search box at the top.

  2. Select “App Registrations” in the menu on the left and select the client “MOPS”.

  3. Click on “Certificates & secrets” and then on “New client secret”.

  4. The description can be any value, such as simply “secret”. The expiration can also be set to any date, but the longest value is probably the best.

  5. The secret will appear in the list. Its value is only displayed once, as shown in the screenshot below, so copy it by clicking “Copy to clipboard”. This value is required for CMS to fetch tokens as a client_credentials client and should be given to those who configure MOPS 4.0 CMS.
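As an added example, not part of this manual and not MOPS 4.0 CMS code, here is the request a non-interactive service such as CMS makes with the client secret created above, against the v2.0 token endpoint of the same app registration, in Python using only the standard library. The Application ID URI is the one set under “Expose an API”, and the scope is that URI with /.default appended, which is how the v2.0 endpoint expresses a client_credentials request for a custom API. The tenant ID, client ID and secret are read from environment variables whose names are chosen for this example (they are not MOPS settings), and the secret is redacted from anything that is logged.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request
from typing import Dict, Tuple

# v2.0 token endpoint; the tenant ID (or verified domain) is part of the path.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def build_client_credentials_request(tenant_id: str, client_id: str, client_secret: str,
                                     app_id_uri: str) -> Tuple[str, Dict[str, str]]:
    """Return (url, form fields) for a client_credentials grant on the v2.0 endpoint.

    For a custom API the scope is the Application ID URI with /.default appended,
    which requests every application permission this client has been granted on
    that API, and yields a token whose audience is the API rather than Graph.
    """
    if not app_id_uri.startswith("api://"):
        raise ValueError("app_id_uri must be the Application ID URI, "
                         "e.g. api://<Application (client) ID>")
    url = TOKEN_ENDPOINT.format(tenant=tenant_id)
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{app_id_uri}/.default",
    }
    return url, form


def redact(form: Dict[str, str]) -> Dict[str, str]:
    """Copy of the form that is safe to log: the client secret never reaches log files."""
    return {k: ("***" if k == "client_secret" else v) for k, v in form.items()}


def fetch_token(tenant_id: str, client_id: str, client_secret: str, app_id_uri: str,
                opener=urllib.request.urlopen) -> Dict:
    """POST the grant and return access_token, token_type and expires_in (seconds).

    `opener` is injectable so the exchange can be exercised without network access.
    """
    url, form = build_client_credentials_request(tenant_id, client_id, client_secret, app_id_uri)
    print("requesting token:", url, redact(form))
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with opener(req) as resp:
            body = json.loads(resp.read())
    except urllib.error.HTTPError as err:
        # The endpoint answers 4xx with a JSON error body (e.g. invalid_client).
        body = json.loads(err.read())
    if "access_token" not in body:
        raise RuntimeError(f"token request failed: {body.get('error')}: "
                           f"{body.get('error_description')}")
    return {
        "access_token": body["access_token"],
        "token_type": body.get("token_type"),
        "expires_in": int(body.get("expires_in", 0)),
    }


if __name__ == "__main__":
    # Environment variable names are this example's own choice.
    tenant = os.environ["ENTRA_TENANT_ID"]
    client = os.environ["ENTRA_CLIENT_ID"]
    secret = os.environ["ENTRA_CLIENT_SECRET"]  # the value copied from "Certificates & secrets"
    result = fetch_token(tenant, client, secret, f"api://{client}")
    # Print only metadata; the access token itself is a bearer credential.
    print("token_type:", result["token_type"], "expires_in:", result["expires_in"])
```

Because the secret is read from the environment and redacted before logging, the only place it exists in clear text is the process environment of the service that needs it, which is also the place to update when the secret is rotated before its expiration date.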