Azure Entra External ID

Prerequisites

  • Azure account with appropriate permissions
  • Azure External ID tenant created

Configuration Steps

Step 1: Access Azure Portal

  1. Navigate to Azure Portal (https://portal.azure.com)
  2. Search for Microsoft Entra External ID or External Identities
  3. Select your External ID directory

Step 2: Select or Register Application

  1. In left sidebar, navigate to App registrations
  2. If you have an existing app registration: Click on it to open settings, then skip to Step 4 (or Step 3 if you need a new secret)
    • If registering new: Click New registration

Step 3: Configure Application Registration (New Apps Only)

  1. Configure application:
    • Name: Enter "Frontegg AgentLink"
    • Supported account types: Select appropriate option:
      • Accounts in this organizational directory only (Single tenant)
    • Redirect URI:
      • Platform: Web
      • URI: https://[YOUR-FRONTEGG-DOMAIN]/oauth/callback
  2. Click Register

Step 4: Create or Verify Client Secret

  1. In app registration page, navigate to Certificates & secrets in left sidebar
  2. Click Client secrets tab
  3. If you have an existing valid secret: You can use it only if you saved its Value when it was created; otherwise create a new one
    • If creating new: Click New client secret
      • Description: Enter "Frontegg AgentLink Secret"
      • Expires: Select expiration period (recommended: 12-24 months)
      • Click Add
  4. IMPORTANT: Immediately copy the Value - it won't be shown again

Step 5: Obtain Application Credentials

  1. Navigate to Overview page of your app registration
  2. Copy Application (client) ID
  3. Copy Directory (tenant) ID

Step 6: Configure API Permissions (Required if not already configured)

  1. Navigate to API permissions in left sidebar
  2. Verify required permissions exist. If not, click Add a permission
  3. Select Microsoft Graph
  4. Select Delegated permissions
  5. Ensure these permissions are added:
    • openid
    • profile
    • email
    • User.Read
  6. Click Add permissions (if adding new)
  7. Click Grant admin consent for [Directory] (if you have permissions and consent not yet granted)

Step 7: Configure Authentication Settings (Verify redirect URIs)

  1. Navigate to Authentication in left sidebar
  2. Under Platform configurations > Web:
    • Verify (or add) Frontegg redirect URI:
      https://[YOUR-FRONTEGG-DOMAIN]/oauth/callback
  3. Under Implicit grant and hybrid flows, optionally enable:
    • ID tokens (for implicit flows, if needed)
  4. Click Save if changes made

Configuration Values for Frontegg

provider: azure-external-id
issuer_url: https://login.microsoftonline.com/[tenant-id]/v2.0
client_id: [Application (client) ID]
client_secret: [Client secret Value]

Alternative Issuer URLs:

  • For External ID specific endpoint: https://[tenant-name].ciamlogin.com/[tenant-id]/v2.0
  • For Azure AD B2C: https://[tenant-name].b2clogin.com/[tenant-id]/v2.0
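
A pre-flight check for the values above, as an added example (not Frontegg or Microsoft code): it flags unreplaced [placeholders], an issuer URL that is not one of the three forms listed, and a GUID-shaped client_secret, which suggests the Secret ID column was copied instead of the Value. The names check_config and _parse and all sample values are constructed for illustration; it assumes the tenant ID is used in the GUID form copied in Step 5.

```python
import re
from urllib.parse import urlparse

GUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"
# Hosts of the three issuer forms listed on this page.
ISSUER_HOST = re.compile(
    r"login\.microsoftonline\.com|[a-z0-9-]+\.(?:ciamlogin|b2clogin)\.com")

def _parse(url):
    try:
        return urlparse(url)
    except ValueError:  # newer Pythons reject an unreplaced [PLACEHOLDER] host
        return urlparse("")

def check_config(cfg, redirect_uri):
    """Return a list of problems with the Frontegg values; empty means OK."""
    problems = []
    for key, val in {**cfg, "redirect_uri": redirect_uri}.items():
        if not val or "[" in val:
            problems.append(f"{key} is empty or still a [placeholder]")
    if cfg.get("provider") != "azure-external-id":
        problems.append("provider must be azure-external-id")
    iss = _parse(cfg.get("issuer_url", ""))
    if iss.scheme != "https" or not ISSUER_HOST.fullmatch(iss.hostname or ""):
        problems.append("issuer_url host is not one of the documented endpoints")
    if not re.fullmatch(rf"/{GUID}/v2\.0", iss.path):
        problems.append("issuer_url path must be /<tenant-id>/v2.0")
    if not re.fullmatch(GUID, cfg.get("client_id", "")):
        problems.append("client_id must be the Application (client) ID GUID")
    if re.fullmatch(GUID, cfg.get("client_secret", "")):
        # The portal's Secret ID column is a GUID; Step 4 asks for the Value.
        problems.append("client_secret looks like the Secret ID, not the Value")
    red = _parse(redirect_uri)
    if (red.scheme != "https" or not red.hostname
            or red.path != "/oauth/callback" or red.query or red.fragment):
        problems.append("redirect_uri must be https://<domain>/oauth/callback")
    return problems

if __name__ == "__main__":
    sample = {  # constructed values, not real identifiers
        "provider": "azure-external-id",
        "issuer_url": "https://login.microsoftonline.com/"
                      "11111111-2222-3333-4444-555555555555/v2.0",
        "client_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
        "client_secret": "constructed-secret-value",
    }
    print(check_config(sample, "https://auth.example.com/oauth/callback") or "OK")
```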