OneConnect supports multiple authentication options to connect to Entra ID.
Please review the options available and choose the best option for your company, before beginning the integration setup.
Please ensure the person enabling the integration permissions has the necessary administrative rights to do so.
An Entra Application must be available to connect to Entra ID. Clients can choose the default OnePlan Application, or can create their own.
Default OnePlan Application
To authenticate to Entra ID, provide the Tenant Domain URL, and authenticate the integration via the Authorize button.
Pros of using this option:
- Quick to set up.
Cons of using this option:
- Customers cannot customize scopes or limit permissions beyond what is predefined by OnePlan.
Authorize Button (Default OnePlan Application)
Within the Microsoft Entra ID connector, a Microsoft tenant administrator must click the Authorize button. This opens a login screen where the tenant administrator enters their credentials.
This adds an Entra Application named OneConnect Azure AD Integration to your tenant.
The OneConnect Azure AD Integration application will have the following application permissions:
- Microsoft Graph: Group.Read.All
- Microsoft Graph: User.Read.All
- Microsoft Graph: GroupMember.Read.All
Please note that this integration does not update data in Entra. It only loads data from Entra.
Custom Entra Application
You can also create your own Entra Application to connect to Entra. In this scenario, all communication is done using an Entra Application that you created.
To authenticate to Entra ID, provide the Tenant Domain URL, Client Id and Client Secret fields.
Pros of using this option:
- Customer is in control of the Entra Application that is used to access Entra ID.
- Meets strict security/governance requirements where use of third-party-owned apps is restricted.
Cons of using this option:
- More involved process to set up.
- Customer is responsible for maintaining the client secret for the Entra Application (updating it when it expires).
Register the Application
- While logged in as a tenant or application administrator for your tenant, log into portal.azure.com.
- Navigate to Microsoft Entra Admin Center.
- Within the left navigation bar, click on App registrations.
- On the top left of the page, create a New registration:
  - Name: Enter a descriptive name.
  - Supported Account Types: Choose Accounts in this organizational directory only (Single Tenant).
  - Redirect URI (Optional):
    - Dropdown should be set to "Web".
    - URL: https://my.oneconnect.ai or https://eu.oneconnect.ai depending on which OneConnect site you are using.
- Click Register. The App Registration page will load. Within the Essentials section, the Application (Client) ID can be found.
Generate a Client Secret
- Go to Manage > Certificates and Secrets.
- Click + New Client Secret.
- Provide:
  - A description.
  - An expiration period (up to 24 months).
- Click Add.
- Save the Client Secret Value displayed under the Value column. You'll need this later.
Note: This value is shown only once. Save it in a secure location (for example a secrets vault) if you may need it again; otherwise, best practice is to create a new client secret each time one is needed.
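The custom-application option above authenticates with the Tenant Domain, Client Id and Client Secret using the OAuth 2.0 client-credentials grant against Microsoft Graph. The following added example (not OneConnect or OnePlan code) builds that token request and then checks the `roles` claim of the returned access token against the three read-only application permissions the page lists, so an administrator can confirm the registration grants nothing beyond them. The tenant, client id, secret and sample token are constructed placeholders.

```python
import base64
import json
import urllib.parse

# Real Entra ID v2.0 token endpoint and the Graph "all granted app permissions" scope.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"

# Application permissions the page documents for the integration (read-only).
EXPECTED_ROLES = {"Group.Read.All", "User.Read.All", "GroupMember.Read.All"}


def build_token_request(tenant_domain: str, client_id: str, client_secret: str):
    """Return (url, form_body) for the client-credentials grant.
    POST form_body as application/x-www-form-urlencoded over HTTPS only;
    never log the body or put the secret in a query string."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
        "grant_type": "client_credentials",
    })
    return TOKEN_URL.format(tenant=tenant_domain), body


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_roles(access_token: str, expected=EXPECTED_ROLES):
    """Compare the token's 'roles' claim (granted application permissions)
    with the documented set. Returns (missing, extra), both sorted lists.
    Only the payload is inspected here; signature validation is done by the
    resource (Microsoft Graph), not by the client that obtained the token."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    granted = set(payload.get("roles", []))
    return sorted(expected - granted), sorted(granted - expected)


def _make_unsigned_jwt(claims: dict) -> str:
    """Constructed sample token for offline testing only (no real signature)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    url, body = build_token_request("contoso.onmicrosoft.com", "<client-id>", "<client-secret>")
    # Constructed token: one documented permission missing, one write permission extra.
    tok = _make_unsigned_jwt({"roles": ["User.Read.All", "Group.Read.All", "Directory.ReadWrite.All"]})
    print(url, check_roles(tok))
```

A non-empty "extra" list means the registration carries permissions the integration does not need and should be trimmed under API permissions before the secret is handed to OneConnect.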