---
title: "Configure Azure Entra as an OpenID Provider — Spiff Arena 0.1 documentation"
description: "Sign in to the Microsoft Entra admin center ."
source_url: https://spiff.works/docs/spiff-arena/how_to_guides/deployment/configure_azure_as_an_openid_provider.html
---


# Configure Azure Entra as an OpenID Provider

## Register your app

1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/).
2. Browse to *Applications > App registrations* using the sidebar.
3. Enter the name of your application, like `spiffworkflow-backend`.
4. Under *Supported account types,* you will likely want “Accounts in this organizational directory only”.
5. Skip the redirect URL. We will do that later.
6. Click *Register.*
7. In the new view, copy and note the following:

   - *Application (client) ID.* It is your **Client ID.**
   - *Directory (tenant) ID.* This is part of your server URL.

### Configure your app

1. Select *Authentication* from the sidebar.
2. Under *Platform configurations,* select “+ Add a platform”.
3. In the pane that opens, select *Web*.
4. Under *Redirect URIs,* add `http://localhost:8000/v1.0/login_return`
5. Leave *Front-channel logout URL* blank.
6. Leave the checkboxes unchecked under *Implicit grant and hybrid flows.*
7. Click *Configure.*

### Add additional Redirect URLs

You will need to add more redirect URLs, one for each host name the backend is reached on (replace `<domainname>` with that host name):

- `https://<domainname>/v1.0/login_return`

For each URL pattern:

1. Under *Web > Redirect URIs,* click *Add URI.*
2. Type in the URL pattern.

### Create a Client Secret

1. Select *Certificates & Secrets* from the sidebar.
2. Click *+ New client secret.*
3. In the pane that opens, enter a description and expiration, then click *Add.*
4. Copy the *Value* using the copy icon after the string and note this value; Entra displays it only once. This is your **Client Secret Key.**

### Add groups claim to the token

The basic steps are:

1. Select *Token configuration* from the sidebar.
2. Select *Add groups claim.*
3. Select the group types to return: *Security groups*, *Directory roles*, *All groups*, and/or *Groups assigned to the application*.
4. Select *Save.*

For more information about these settings, read the [Microsoft documentation](https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims?tabs=appui#configure-groups-optional-claims).

## Configure SpiffWorkflow Backend

Set the following environment variables on your SpiffWorkflow backend server to connect with your Azure Entra instance:

```
# OpenID Server URL
SPIFFWORKFLOW_BACKEND_OPEN_ID_SERVER_URL=https://login.microsoftonline.com/<YOUR_DIRECTORY_(TENANT)_ID>

# Client ID and Secret Key from Azure Entra
SPIFFWORKFLOW_BACKEND_OPEN_ID_CLIENT_ID=<YOUR_CLIENT_ID>
SPIFFWORKFLOW_BACKEND_OPEN_ID_CLIENT_SECRET_KEY=<YOUR_CLIENT_SECRET_KEY>

# Additional valid issuers (don't forget the trailing slash)
SPIFFWORKFLOW_BACKEND_OPEN_ID_ADDITIONAL_VALID_ISSUERS="https://sts.windows.net/<YOUR_DIRECTORY_(TENANT)_ID>/"

# OpenID Scopes (includes groups)
SPIFFWORKFLOW_BACKEND_OPENID_SCOPE="openid profile email groups"

# Allow OpenID Provider to manage user groups
SPIFFWORKFLOW_BACKEND_OPEN_ID_IS_AUTHORITY_FOR_USER_GROUPS=true
```
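The following is an added example, not spiff-arena's own code, that checks the settings above before deployment and shows what the groups claim configured earlier looks like when it arrives in a token. It assumes the accepted issuer set is the configured server URL plus every comma-separated additional issuer, compared by exact string match (so the trailing slash on the `sts.windows.net` issuer matters), and it works only on claims that your JWT library has already signature-verified. All tenant, client and group identifiers are constructed placeholders, as is the group-overage sample (Entra replaces `groups` with `_claim_names`/`_claim_sources` when a user belongs to too many groups, and the backend then sees no groups at all unless it queries Microsoft Graph).

```python
"""Pre-deployment sanity checks for the Entra ID settings used by the
SpiffWorkflow backend (added example; not spiff-arena's own code)."""

# Constructed placeholder; replace with your Directory (tenant) ID.
TENANT_ID = "00000000-0000-0000-0000-000000000000"

# Constructed environment mirroring the variables set on this page.
SAMPLE_ENV = {
    "SPIFFWORKFLOW_BACKEND_OPEN_ID_SERVER_URL": f"https://login.microsoftonline.com/{TENANT_ID}",
    "SPIFFWORKFLOW_BACKEND_OPEN_ID_ADDITIONAL_VALID_ISSUERS": f"https://sts.windows.net/{TENANT_ID}/",
    "SPIFFWORKFLOW_BACKEND_OPENID_SCOPE": "openid profile email groups",
}

# Constructed claims as they look AFTER signature verification of a v1.0
# Entra ID token (v1.0 tokens carry the sts.windows.net issuer).
SAMPLE_V1_CLAIMS = {
    "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "groups": ["11111111-1111-1111-1111-111111111111",
               "22222222-2222-2222-2222-222222222222"],
}

# Constructed claims for a user over the group limit: the groups claim is
# replaced by a pointer to a Graph endpoint, so no group names are present.
SAMPLE_OVERAGE_CLAIMS = {
    "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "<graph-endpoint-placeholder>"}},
}


def accepted_issuers(env):
    """Issuers a verified token may carry (assumption for this example:
    server URL plus the additional issuers, compared exactly)."""
    issuers = {env["SPIFFWORKFLOW_BACKEND_OPEN_ID_SERVER_URL"]}
    extra = env.get("SPIFFWORKFLOW_BACKEND_OPEN_ID_ADDITIONAL_VALID_ISSUERS", "")
    issuers.update(s.strip() for s in extra.split(",") if s.strip())
    return issuers


def issuer_is_valid(claims, env):
    """Reject any token whose iss is not one we explicitly configured."""
    return claims.get("iss") in accepted_issuers(env)


def groups_from_claims(claims):
    """Return (groups, complete).  complete is False when the overage
    claims are present and the list must be fetched from Microsoft Graph."""
    if "groups" in claims:
        return list(claims["groups"]), True
    if "groups" in claims.get("_claim_names", {}):
        return [], False
    return [], True


def config_problems(env):
    """Configuration mistakes this page's notes warn about."""
    problems = []
    if not env.get("SPIFFWORKFLOW_BACKEND_OPEN_ID_SERVER_URL"):
        problems.append("SPIFFWORKFLOW_BACKEND_OPEN_ID_SERVER_URL is not set")
    for iss in accepted_issuers(env):
        if iss.startswith("https://sts.windows.net/") and not iss.endswith("/"):
            problems.append(f"issuer {iss} is missing its trailing slash")
    if "groups" not in env.get("SPIFFWORKFLOW_BACKEND_OPENID_SCOPE", "").split():
        problems.append("scope does not request the groups claim")
    return problems


if __name__ == "__main__":
    print("config problems:", config_problems(SAMPLE_ENV))
    print("v1 issuer accepted:", issuer_is_valid(SAMPLE_V1_CLAIMS, SAMPLE_ENV))
    print("groups:", groups_from_claims(SAMPLE_V1_CLAIMS))
    print("overage:", groups_from_claims(SAMPLE_OVERAGE_CLAIMS))
```

Run it against your real environment by replacing `SAMPLE_ENV` with `os.environ`; a non-empty `config_problems` result or an overage sample reporting `complete == False` tells you why logins succeed but users land in the backend with no groups.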
