Page summary
EntraId auth integration
To authenticate users in Betterez using EntraId, you need to configure both EntraId and Betterez.
EntraID configuration
1. Configure the EntraId system to allow Betterez SSO login
To set up an EntraId SSO connection with Betterez, both systems must be configured. After creating an application in EntraId associated with the Betterez client connection, take note of and save the following parameters, which are needed to configure Betterez's connection:
- Directory ID: The Directory or tenant identifier
- Application ID: The Application's client identifier
- Secret Value: The client secret value
These values will be used later in the Betterez admin site.
2. Configure EntraId integration in Betterez
Go to /admin/integrations and select Open Id, then complete the form. Note that you need read, create and update permissions to access this OpenId admin site and save the configuration. The required permissions are:
- "/admin/integrations/"
- "/admin/integrations/open-id"
Here you will set the parameters obtained in step 1, as follows:
- Provider: Select EntraId
- Issuer: The Issuer URL. This URL is built from the proper domain, followed by the Directory or tenant ID obtained from EntraId, followed by the v2.0 endpoint (it is important to use the v2.0 endpoint). The URL will look something like "https://login.microsoftonline.com/7124e463-2734-41bf-bddb-3e475374f94c/v2.0"
- Client Id: This is the public identifier issued by EntraId; it corresponds to the Application ID from EntraId
- Client secret: This is a key required to exchange information with the external system. Use the Secret Value generated in the EntraId configuration.
- Default role: If the user does not exist in Betterez, it will be created with the selected role
- Disable email and password login: If Yes, users will only be authenticated by EntraId
- Callback URL: The return URL to configure in EntraId (copy this URL and use it in the EntraId configuration as well; see step 3)
- Enable: If Yes, single sign-on with EntraId is enabled

3. Configure the redirect URL in EntraId
Once you have saved the configuration in Betterez, copy the Callback URL that appears in the Betterez form and add it to the EntraId configuration as the expected redirect URL or callback URL. If the two callback URLs do not match, the login restrictions will prevent the user from logging in.
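A pre-flight check for the Issuer and Callback URL values from steps 2 and 3, as an added example that is not Betterez or EntraId code. The function names, the trimmed discovery document and the callback URL are constructed for illustration, and redirect URIs are assumed to be compared as exact strings.

```python
import re
from urllib.parse import urlsplit

GUID = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

def build_issuer(tenant_id, host="login.microsoftonline.com"):
    """Issuer = https://<host>/<Directory (tenant) ID>/v2.0, as described in step 2."""
    if not GUID.fullmatch(tenant_id):
        raise ValueError("Directory (tenant) ID must be a GUID")
    return f"https://{host}/{tenant_id}/v2.0"

def check_config(issuer, callback_url, discovery, registered_redirects):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    parts = urlsplit(issuer)
    segments = parts.path.split("/")[1:]  # "/<tenant>/v2.0" -> [tenant, "v2.0"]
    if parts.scheme != "https":
        problems.append("issuer must use https")
    if len(segments) != 2 or not GUID.fullmatch(segments[0]) or segments[1] != "v2.0":
        problems.append("issuer must be https://<host>/<tenant GUID>/v2.0")
    # OpenID Connect discovery: the metadata "issuer" must equal the configured value.
    if discovery.get("issuer") != issuer:
        problems.append("issuer differs from the discovery document")
    # Assumption: redirect URIs are compared as exact strings (a trailing slash counts).
    if callback_url not in registered_redirects:
        problems.append("callback URL is not registered in EntraId")
    return problems

# Constructed sample data; the tenant ID is the one in the page's example URL.
TENANT = "7124e463-2734-41bf-bddb-3e475374f94c"
ISSUER = build_issuer(TENANT)
DISCOVERY = {"issuer": ISSUER}                      # trimmed openid-configuration document
CALLBACK = "https://betterez.example/sso/callback"  # placeholder, not the real Betterez URL

if __name__ == "__main__":
    print(check_config(ISSUER, CALLBACK, DISCOVERY, [CALLBACK]))
    print(check_config(ISSUER[:-5], CALLBACK + "/", DISCOVERY, [CALLBACK]))
```

In practice the `discovery` argument would be the JSON served at the issuer URL plus `/.well-known/openid-configuration`, and `registered_redirects` the redirect URIs listed on the EntraId application.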
4. Assign users
Once everything is configured, you need to assign or create, in EntraId, the users you want to be authenticated in Betterez. After this, users will be able to log in through SSO with EntraId from the Betterez login site. Read the next step to see how to log in.
5. Log in with EntraId
If your domain supports SSO with EntraId, you will see the following login screen:

Users will be able to click on the Sign in with EntraId button to be redirected to the EntraId authentication portal. Once successfully authenticated in EntraId, they will be automatically redirected back to Betterez with their session started.
If you enabled the Disable email and password login option, the email and password fields will not be available and users will only be able to authenticate through EntraId.