# Entra SSO Setup (Azure AD)

This guide explains how to configure Microsoft Entra ID (formerly Azure Active Directory) as the identity provider for Nected.\
The process requires creating an application in Entra ID, configuring redirect URIs, generating credentials, and updating your `nected-values.yaml` for both **Konark** and **Nalanda** services.

### **Prerequisites**

Before starting, confirm the following:

* You have administrator access to the Azure Portal.
* You have access to edit and deploy your Helm-managed Nected environment.
* You know your Nected UI domain (example: `https://nected-ui.example.com`).

### **1. Open Microsoft Entra ID in Azure Portal**

Log in to the Azure Portal.\
Use the global search bar and type **Microsoft Entra ID**.

This opens the identity management panel where you will register your SSO application.

<figure><img src="https://4290782554-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLg716fCfV8IUwXQygkTG%2Fuploads%2Fzl0iKRtj4Y3FpXdzMXQr%2Fimage.png?alt=media&#x26;token=fa03eb34-3578-4758-8eee-6f60b471b02f" alt=""><figcaption></figcaption></figure>

### **2. Open App Registrations**

On the left sidebar, under **Manage**, select **App registrations**.\
This is where all new identity apps are created.

Once the page loads, click **New registration**.

<figure><img src="https://4290782554-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLg716fCfV8IUwXQygkTG%2Fuploads%2F4MYNQPMeYdChbHdmEqex%2Fimage.png?alt=media&#x26;token=d9b8c188-2813-4c6f-9476-297bd43cab1c" alt=""><figcaption></figcaption></figure>

### **3. Register a New Application**

You will now configure the core SSO app that Nected will use for authentication.

<figure><img src="https://4290782554-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLg716fCfV8IUwXQygkTG%2Fuploads%2FR9xvoZHriVV0ENJ2T3og%2Fimage.png?alt=media&#x26;token=d7519e4f-2025-4c64-94dc-8d1a95ae1d4a" alt=""><figcaption></figcaption></figure>

#### **Application Name**

Enter a descriptive name such as:

```
nected-ui-sso
```

#### **Supported Account Types**

Choose the access level:

* For most organizations:\
  **Accounts in this organizational directory only (Single tenant)**
* For multi-tenant use cases:\
  **Accounts in any organizational directory (Any Entra ID tenant)**

The access type depends on how broad your user base is. Internal deployments typically use single-tenant.

#### **Redirect URI**

Set the redirect URI at the same time to avoid configuration drift.

* **Platform**: Single-page application (SPA)
* **Redirect URI**:\
  `https://<your-nected-ui-domain>/signin`

Example:

```
https://nected-ui.example.com/signin
```

When done, click **Register**.

Azure will now create your application and assign a unique **Application (client) ID**.

### **4. Create API permissions**

Now grant the application the Microsoft Graph permissions it needs to read user identity information.

**Navigate to API Permissions:**

* In the left sidebar, click **API permissions**
* Click **+ Add a permission**
* Search for and select each of the following:

| Permission  | Type      | Description                   |
| ----------- | --------- | ----------------------------- |
| `email`     | Delegated | View users' email address     |
| `profile`   | Delegated | View users' basic profile     |
| `User.Read` | Delegated | Sign in and read user profile |

<figure><img src="https://4290782554-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLg716fCfV8IUwXQygkTG%2Fuploads%2FDDXBnI5uf1Q7Q3a4R1H2%2Fimage.png?alt=media&#x26;token=01e0d9ad-c75b-4dc3-bdc1-1ef5799e4bf2" alt=""><figcaption></figcaption></figure>

Click **Add permissions** to save.

**Grant Admin Consent:**

* Back on the API permissions page, click **Grant admin consent for \<your directory>**
* Confirm when prompted

Once granted, all three permissions should show a green checkmark with status **Granted for \<Default Directory>**.

> Admin consent must be granted by a Global Administrator or Privileged Role Administrator. Without it, users will be prompted individually to consent on first sign-in.

### **5. Configure Nected (Konark + Nalanda)**

The next step is passing the Entra SSO configuration into Nected’s services.\
Your Helm chart controls these values through `nected-values.yaml`.

Open the file in your deployment environment.

#### **5.1. Update Konark Environment Variables**

Konark handles the frontend application (Nected UI).\
Add the following values under:

```yaml
Konark:
  envVars:
```

Insert:

```yaml
# Authentication Configuration
VITE_ENABLE_MS_LOGIN: true
VITE_MICROSOFT_CLIENT_ID: "<Application (client) ID>"
VITE_MICROSOFT_TENANT_ID: "<Application (tenant) ID>"
```

Notes:

* `VITE_ENABLE_MS_LOGIN` toggles the Microsoft login button in the UI.
* Setting `VITE_MICROSOFT_TENANT_ID` to `common` instead of a tenant ID allows logins from any Entra tenant (only meaningful for a multi-tenant app registration).
* Replace values with your own IDs.

#### **5.2. Update Nalanda Environment Variables**

Nalanda is responsible for backend authentication.\
Scroll to:

```yaml
Nalanda:
  envVars:
```

Insert:

```yaml
# mslogin
MICROSOFT_AUTH_ENABLED: "true"
MICROSOFT_CLIENT_ID: "<Application (client) ID>"
MICROSOFT_TENANT_ID: "<Application (tenant) ID>"
```

### **6. Apply the Configuration**

Upgrade your Helm release:

```bash
helm upgrade -i nected nected/nected -f nected-values.yaml
```

Restart the relevant deployments:

```bash
kubectl rollout restart deploy nected-konark nected-nalanda
```

This ensures both services load the updated environment variables.

### **7. Validate SSO**

After deployments restart:

1. Open your Nected UI in the browser.
2. You should now see the **"Continue with Microsoft"** login option.
3. Authenticate using an Entra ID account allowed by your app settings.

If authentication works, your SSO is fully functional.

{% hint style="warning" %}
In case you need any kind of assistance while setting up the SSO, please contact us at [**support@nected.ai**](mailto:support@nected.ai)
{% endhint %}

### **8. Troubleshooting Guide**

#### 1. Redirect URI mismatch

Ensure the redirect URI registered in Azure exactly matches `https://<your-nected-ui-domain>/signin` for the domain Konark is served on. The comparison is exact, so scheme, host, port and path must all agree.

#### 2. Invalid client or secret

Verify the following environment variables inside Nalanda:

* `MICROSOFT_CLIENT_ID`
* `MICROSOFT_CLIENT_SECRET`

#### 3. Token authorization failures

Confirm the app is set to *Single-page application (SPA)* and not Web or Native.
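The checks in steps 5 and 8 (same client and tenant IDs in Konark and Nalanda, placeholders replaced, login toggles on, redirect URI equal to `https://<ui-domain>/signin`) can be run before `helm upgrade`. The script below is an added example, not part of Nected or its Helm chart; the two dictionaries stand for the `envVars` blocks of `nected-values.yaml`, the IDs in them are constructed, and the redirect URI list is assumed to be copied from the Azure app registration.

```python
import re

# Azure client and tenant IDs are GUIDs; anything else is a leftover placeholder or a typo.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def check_sso_config(konark_env, nalanda_env, ui_domain, azure_redirect_uris):
    """Return a list of findings; an empty list means the two services and Azure agree."""
    findings = []
    k_client = konark_env.get("VITE_MICROSOFT_CLIENT_ID")
    n_client = nalanda_env.get("MICROSOFT_CLIENT_ID")
    k_tenant = konark_env.get("VITE_MICROSOFT_TENANT_ID")
    n_tenant = nalanda_env.get("MICROSOFT_TENANT_ID")

    # 1. Client IDs: must be GUIDs and identical for the UI and the backend.
    for name, value in (("VITE_MICROSOFT_CLIENT_ID", k_client), ("MICROSOFT_CLIENT_ID", n_client)):
        if not value or not GUID_RE.match(value):
            findings.append(f"{name} is missing or not a GUID (placeholder not replaced?)")
    if k_client and n_client and k_client != n_client:
        findings.append("client ID differs between Konark and Nalanda")

    # 2. Tenant IDs: a GUID (single tenant) or 'common' (any tenant), identical in both services.
    for name, value in (("VITE_MICROSOFT_TENANT_ID", k_tenant), ("MICROSOFT_TENANT_ID", n_tenant)):
        if not value or not (value == "common" or GUID_RE.match(value)):
            findings.append(f"{name} is missing or neither a GUID nor 'common'")
    if k_tenant and n_tenant and k_tenant != n_tenant:
        findings.append("tenant ID differs between Konark and Nalanda")

    # 3. Both login toggles must be on; YAML may yield a bool or the string "true".
    if str(konark_env.get("VITE_ENABLE_MS_LOGIN", "")).lower() != "true":
        findings.append("VITE_ENABLE_MS_LOGIN is not true")
    if str(nalanda_env.get("MICROSOFT_AUTH_ENABLED", "")).lower() != "true":
        findings.append("MICROSOFT_AUTH_ENABLED is not true")

    # 4. Azure compares redirect URIs byte for byte, so require an exact entry.
    expected = f"https://{ui_domain}/signin"
    if expected not in azure_redirect_uris:
        findings.append(f"no Azure redirect URI equals {expected} exactly")
    return findings


# Constructed sample input (not real IDs): the two envVars blocks and the Azure redirect list.
GOOD_KONARK = {"VITE_ENABLE_MS_LOGIN": True,
               "VITE_MICROSOFT_CLIENT_ID": "11111111-2222-3333-4444-555555555555",
               "VITE_MICROSOFT_TENANT_ID": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}
GOOD_NALANDA = {"MICROSOFT_AUTH_ENABLED": "true",
                "MICROSOFT_CLIENT_ID": "11111111-2222-3333-4444-555555555555",
                "MICROSOFT_TENANT_ID": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}
AZURE_REDIRECTS = ["https://nected-ui.example.com/signin"]

if __name__ == "__main__":
    for finding in check_sso_config(GOOD_KONARK, GOOD_NALANDA, "nected-ui.example.com", AZURE_REDIRECTS):
        print("FINDING:", finding)
```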

You now have a fully configured Microsoft Entra ID integration with Nected, allowing your organization to authenticate users with its enterprise identity controls.

If you later extend access to multiple tenants, change redirect URIs, or enforce conditional access policies, these will propagate seamlessly through this setup.
