Entra SSO Setup (Azure AD)
This guide explains how to configure Microsoft Entra ID (formerly Azure Active Directory) as the identity provider for Nected.
The process requires creating an application in Entra ID, configuring redirect URIs, generating credentials, and updating your nected-values.yaml for both Konark and Nalanda services.
Prerequisites
Before starting, confirm the following:
You have administrator access to the Azure Portal.
You have access to edit and deploy your Helm-managed Nected environment.
You know your Nected UI domain (example:
https://nected-ui.example.com).
1. Open Microsoft Entra ID in Azure Portal
Log in to the Azure Portal. Use the global search bar and type Microsoft Entra ID.
This opens the identity management panel where you will register your SSO application.
2. Open App Registrations
On the left sidebar, under Manage, select App registrations. This is where all new identity apps are created.
Once the page loads, click New registration.
3. Register a New Application
You will now configure the core SSO app that Nected will use for authentication.
Application Name
Enter a descriptive name such as:
Supported Account Types
Choose the access level:
For most organizations: Accounts in this organizational directory only (Single tenant)
For multi-tenant use cases: Accounts in any organizational directory (Any Entra ID tenant)
The access type depends on how broad your user base is. Internal deployments typically use single-tenant.
Redirect URI
Set the redirect URI at the same time to avoid configuration drift.
Platform: Single-page application (SPA)
Redirect URI:
https://<your-nected-ui-domain>/signin
Example:
When done, click Register.
Azure will now create your application and assign a unique Application (client) ID.
4. Create API permissions
Now grant the application the Microsoft Graph permissions it needs to read user identity information.
Navigate to API Permissions:
In the left sidebar, click API permissions
Click + Add a permission
Search for and select each of the following:
email
Delegated
View users' email address
profile
Delegated
View users' basic profile
User.Read
Delegated
Sign in and read user profile
Click Add permissions to save.
Grant Admin Consent:
Back on the API permissions page, click Grant admin consent for <your directory>
Confirm when prompted
Once granted, all three permissions should show a green checkmark with status Granted for <Default Directory>.
Admin consent must be granted by a Global Administrator or Privileged Role Administrator. Without it, users will be prompted individually to consent on first sign-in.
5. Configure Nected (Konark + Nalanda)
The next step is passing the Entra SSO configuration into Nected’s services.
Your Helm chart controls these values through nected-values.yaml.
Open the file in your deployment environment.
5.1. Update Konark Environment Variables
Konark handles the frontend application (Nected UI). Add the following values under:
Insert:
Notes:
VITE_ENABLE_MS_LOGINtoggles the Microsoft login button in the UI.commonallows logins across Entra tenants.Replace values with your own IDs.
5.2. Update Nalanda Environment Variables
Nalanda is responsible for backend authentication. Scroll to:
Insert:
6. Apply the Configuration
Upgrade your Helm release:
Restart the relevant deployments:
This ensures both services load the updated environment variables.
7. Validate SSO
After deployments restart:
Open your Nected UI in the browser.
You should now see the "Continue with Microsoft" login option.
Authenticate using an Entra ID account allowed by your app settings.
If authentication works, your SSO is fully functional.
In case you need any kind of assistance while setting up the SSO, please contact us at [email protected]
8. Troubleshooting Guide
1. Redirect URI mismatch
Ensure the URI in Azure matches exactly with the domain configured in Konark.
2. Invalid client or secret
Verify the following environment variables inside Nalanda:
MICROSOFT_CLIENT_IDMICROSOFT_CLIENT_SECRET
3. Token authorization failures
Confirm the app is set to Single-page application (SPA) and not Web or Native.
You now have a fully configured Microsoft Entra ID integration with Nected—allowing your organization to authenticate users using secure enterprise-grade identity controls.
If you later extend access to multiple tenants, change redirect URIs, or enforce conditional access policies, these will propagate seamlessly through this setup.
Last updated