Azure AD federation setup


For larger organizations especially, it may be inefficient to create and manage users through, particularly to remove users when they leave the organization. It can be more efficient to use your Azure AD identity provider to authenticate users.

After the setup is complete, the workflow for a user is: they type their organization email into the login page, are redirected to the Microsoft Azure AD login page, and log in with their Azure AD/Office365 credentials. Hence there is no need to remember yet another username and password. Users are automatically added to the Organization Employee group in upon initial login.


This document describes how to configure your Microsoft Azure AD (AAD) as an identity provider that is used by for authenticating users. The process in which your organization's identity provider is used as a central source of identity for connected applications is called federation.

This document gives step-by-step instructions for configuring AAD federation. You will need to inform Datgel Support of some parameters to allow Datgel to configure to work with your AAD.

Please note that users in Azure AD must have a first name, last name and email address (in contact info) specified.

Setup in Azure management portal

From the Azure AD perspective, will work as a client application. Setup in the Azure management portal must be done first, and the following pieces of information need to be carried over to in order to configure the side of the AAD connection:

  • Application (client) ID: This will be used as the “Client key” value in Sysadmin
  • Client secret value: “Client secret” in Sysadmin
  • OAuth 2.0 authorization endpoint (v2): “Authorization token URL” in Sysadmin
  • OAuth 2.0 token endpoint (v2): “Access token URL” in Sysadmin

In this chapter, the values that are needed on the side are shown in bold.

The first step is to register the application in Azure. Open the AAD management portal, select “App registrations”, then select “New registration”.

Set the Name:

Under Redirect URI, select Web and set the text box to: . Then click “Register”.

On the screen that follows you’ll see the basic details of the created application registration. The “Application (client) ID” will be needed later when configuring the connection to AAD in

Select Endpoints.

The first two values, “OAuth 2.0 authorization endpoint (v2)” and “OAuth 2.0 token endpoint (v2)” will be needed later when configuring the service.

Now click on the X to return to the previous screen.

Select “Add a certificate or secret”.

On the next screen, click “New client secret”:

Next, give a description for the client secret to create, select your preferred expiration for the client secret, and click “Add”:

You’ll see the created client secret. “Value” and “Secret ID” are available here for copying. “Value” will be needed later when configuring the service; copy it now, because it will not be visible later.

Next, select “API permissions” in the menu on the left.

Initially created API permissions are displayed, click “Add a permission”:

Then select “Microsoft Graph”:

Select “Delegated permissions”.

You will see “OpenId permissions” listed on the screen. Select “email”, “openid” and “profile”, and click “Add permissions”:

These permissions allow to get basic user information (email address, user ID and name) from Azure AD. Next, tell Azure AD that a separate consent will not be required from each user when they authenticate: click “Grant admin consent for YourOrganisationName”, and on the next screen press Yes.

Now everything is ready in AAD.

Please email the following information to and request that Datgel Support configure AAD federation for your organization in

  • Application (client) ID
  • Client secret value
  • OAuth 2.0 authorization endpoint (v2)
  • OAuth 2.0 token endpoint (v2)
  • The name of the organization to federate with, which is visible in
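To show how the four values handed over above fit together, here is an added example (not the service's own code, nor Microsoft's): a minimal OpenID Connect authorization-code login client. It builds the redirect to the authorization endpoint with the three granted scopes, checks `state` on the way back, builds the back-channel token request that carries the client secret, and checks that the returned claims contain the first name, last name and email address that this page says must be set in Azure AD. Every value in `CONFIG` and `SAMPLE_CLAIMS` is a constructed placeholder, and the claim names `given_name`, `family_name` and `email` are the standard OIDC names; which endpoint the service actually reads them from is not stated on this page. No network calls are made, so it runs offline.

```python
"""Added example: how the Azure AD app-registration values are used in an
OpenID Connect authorization-code login. Constructed values only; no network I/O."""
import base64
import hashlib
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass(frozen=True)
class FederationConfig:
    client_id: str          # "Application (client) ID"               -> "Client key"
    client_secret: str      # "Client secret value"                   -> "Client secret"
    authorization_url: str  # "OAuth 2.0 authorization endpoint (v2)" -> "Authorization token URL"
    access_token_url: str   # "OAuth 2.0 token endpoint (v2)"         -> "Access token URL"
    redirect_uri: str       # must match the Web redirect URI registered in Azure


# Constructed placeholders; the real values come from the app registration.
CONFIG = FederationConfig(
    client_id="11111111-2222-3333-4444-555555555555",
    client_secret="<client-secret-value-copied-when-created>",
    authorization_url="https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize",
    access_token_url="https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token",
    redirect_uri="https://service.example.invalid/auth/callback",
)

# The three delegated Microsoft Graph permissions granted in the portal.
SCOPES = ("openid", "profile", "email")


def pkce_challenge(code_verifier: str) -> str:
    """S256 code challenge (RFC 7636): BASE64URL(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(cfg: FederationConfig, state: str, code_verifier: str) -> str:
    """Step 1: the URL the user's browser is redirected to after typing their email."""
    params = {
        "client_id": cfg.client_id,
        "response_type": "code",
        "redirect_uri": cfg.redirect_uri,
        "scope": " ".join(SCOPES),
        "state": state,  # bound to the browser session and checked on return
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
        "response_mode": "query",
    }
    return f"{cfg.authorization_url}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect back to redirect_uri.
    A state mismatch means this session did not start the login; reject it."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this session")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]


def build_token_request(cfg: FederationConfig, code: str, code_verifier: str) -> dict:
    """Step 2: form body POSTed server-side to the token endpoint. The client secret
    travels only in this back-channel body, never in a browser-visible URL."""
    return {
        "grant_type": "authorization_code",
        "client_id": cfg.client_id,
        "client_secret": cfg.client_secret,
        "code": code,
        "redirect_uri": cfg.redirect_uri,
        "code_verifier": code_verifier,
        "scope": " ".join(SCOPES),
    }


REQUIRED_CLAIMS = {"given_name": "first name", "family_name": "last name", "email": "email address"}


def validate_user_claims(claims: dict, cfg: FederationConfig) -> dict:
    """Map verified OIDC claims to the user record the service provisions.
    A user missing any of the three required attributes in Azure AD is rejected."""
    if claims.get("aud") != cfg.client_id:
        raise ValueError("token was not issued for this application")
    missing = [label for claim, label in REQUIRED_CLAIMS.items() if not claims.get(claim)]
    if missing:
        raise ValueError("user is missing " + ", ".join(missing) + " in Azure AD")
    return {
        "subject": claims["sub"],
        "first_name": claims["given_name"],
        "last_name": claims["family_name"],
        "email": claims["email"].lower(),
    }


# Constructed claim set, as seen after the id_token's signature, issuer and expiry
# have been verified (that verification is outside this example).
SAMPLE_CLAIMS = {
    "aud": CONFIG.client_id,
    "sub": "constructed-subject-id",
    "given_name": "Jane",
    "family_name": "Doe",
    "email": "Jane.Doe@example.invalid",
}


def demo() -> dict:
    """Walk the flow end to end with constructed values and return the mapped user."""
    state = secrets.token_urlsafe(16)
    verifier = secrets.token_urlsafe(64)
    build_authorization_url(CONFIG, state, verifier)
    code = parse_callback(f"{CONFIG.redirect_uri}?code=constructed-code&state={state}", state)
    build_token_request(CONFIG, code, verifier)
    return validate_user_claims(SAMPLE_CLAIMS, CONFIG)


if __name__ == "__main__":
    print(demo())
```

The client secret appears only in `build_token_request`, which is sent server to server; because the portal shows its value once and it expires on the date chosen at creation, store it in the service's secret store and diarise the rotation. The `validate_user_claims` check is where a user who lacks a first name, last name or email in Azure AD fails, which is why the page asks for those attributes up front.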


Note that at this time users can be added to one organization automatically. However, some Datgel clients have two or more organizations in, one for international licenses and one for each country that has licenses. The workaround is that Datgel can programmatically add users from one organization to another, one-off or periodically upon request. We should automatically add users to country-based organizations and copy them to the international organization.
