## Azure Entra External ID

### Prerequisites

- Azure account with appropriate permissions
- Azure External ID tenant created

### Configuration Steps

#### Step 1: Access Azure Portal

1. Navigate to the **Azure Portal** (https://portal.azure.com)
2. Search for **Microsoft Entra External ID** or **External Identities**
3. Select your External ID directory

#### Step 2: Select or Register Application

1. In the left sidebar, navigate to **App registrations**
2. **If you have an existing app registration**: click it to open its settings, then skip to Step 4 (Step 3 applies only to new registrations)
   - **If registering new**: click **New registration**

#### Step 3: Configure Application Registration (New Apps Only)

1. Configure the application:
   - **Name**: Enter "Frontegg AgentLink"
   - **Supported account types**: Select the appropriate option:
     - `Accounts in this organizational directory only` (Single tenant)
   - **Redirect URI**:
     - Platform: `Web`
     - URI: `https://[YOUR-FRONTEGG-DOMAIN]/oauth/callback`
2. Click **Register**

#### Step 4: Create or Verify Client Secret

1. On the app registration page, navigate to **Certificates & secrets** in the left sidebar
2. Click the **Client secrets** tab
3. **If you have an existing valid secret**: you can use it (if you have it saved); otherwise create a new one
   - **If creating new**: click **New client secret**
   - **Description**: Enter "Frontegg AgentLink Secret"
   - **Expires**: Select an expiration period (recommended: 12-24 months)
   - Click **Add**
4. **IMPORTANT**: Immediately copy the **Value**. It won't be shown again

#### Step 5: Obtain Application Credentials

1. Navigate to the **Overview** page of your app registration
2. Copy **Application (client) ID**
3. Copy **Directory (tenant) ID**

#### Step 6: Configure API Permissions (Required if not already configured)

1. Navigate to **API permissions** in the left sidebar
2. Verify the required permissions exist. If not, click **Add a permission**
3. Select **Microsoft Graph**
4. Select **Delegated permissions**
5. Ensure these permissions are added:
   - `openid`
   - `profile`
   - `email`
   - `User.Read`
6. Click **Add permissions** (if adding new)
7. Click **Grant admin consent for [Directory]** (if you have permissions and consent has not yet been granted)

#### Step 7: Configure Authentication Settings (Verify redirect URIs)

1. Navigate to **Authentication** in the left sidebar
2. Under **Platform configurations** → **Web**:
   - Verify (or add) the Frontegg redirect URI:
     ```
     https://[YOUR-FRONTEGG-DOMAIN]/oauth/callback
     ```
3. Under **Implicit grant and hybrid flows**, optionally enable:
   - ID tokens (for implicit flows, if needed)
4. Click **Save** if you made changes

#### Configuration Values for Frontegg

```yaml
provider: azure-external-id
issuer_url: https://login.microsoftonline.com/[tenant-id]/v2.0
client_id: [Application (client) ID]
client_secret: [Client secret Value]
```

**Alternative Issuer URLs:**

- For the External ID specific endpoint: `https://[tenant-name].ciamlogin.com/[tenant-id]/v2.0`
- For Azure AD B2C: `https://[tenant-name].b2clogin.com/[tenant-id]/v2.0`
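The values above are easy to get subtly wrong: a bracketed placeholder left in place, a tenant ID from the wrong directory, or an issuer URL without the `/v2.0` suffix, any of which makes the `iss` claim of every token fail to match what Frontegg was told to trust. The following is an added example (not Frontegg or Microsoft code) that checks a provider block against the provider's OpenID discovery document before the configuration is saved. It assumes a `redirect_uri` key alongside the documented keys, uses a constructed tenant ID, and embeds a constructed discovery document shaped like the one the v2.0 endpoint serves; in practice you would fetch that document from `discovery_url(issuer_url)` over HTTPS.

```python
"""Sanity-check an Azure Entra External ID provider configuration before
handing it to Frontegg. Added example, not Frontegg or Microsoft code."""
import re
from typing import Dict, List

# Placeholder pattern used on the docs page, e.g. [tenant-id]; any of these left
# in a config value means the value was never filled in.
PLACEHOLDER = re.compile(r"\[[^\]]+\]")

# OIDC scopes the page says the app must request. User.Read is a Graph API
# permission, not an OIDC scope, so it is not checked against scopes_supported.
REQUIRED_SCOPES = {"openid", "profile", "email"}


def discovery_url(issuer_url: str) -> str:
    """Where the provider publishes its OpenID discovery document."""
    return issuer_url.rstrip("/") + "/.well-known/openid-configuration"


def validate_provider_config(config: Dict[str, str], discovery: Dict) -> List[str]:
    """Return a list of problems (an empty list means the config looks usable).

    `config` is the Frontegg provider block from this page plus a hypothetical
    `redirect_uri` key; `discovery` is the parsed discovery document fetched
    from discovery_url(config["issuer_url"]).
    """
    problems: List[str] = []

    # 1. Unfilled placeholders copied straight from the docs.
    for key, value in config.items():
        if PLACEHOLDER.search(value):
            problems.append(f"{key} still contains a placeholder: {value}")

    # 2. Issuer pinning: the 'iss' claim in every token is compared against the
    #    configured issuer_url, so the discovery document must advertise the
    #    same value. For the v2.0 endpoint that value includes the tenant ID,
    #    so a mismatch usually means the wrong tenant or a missing '/v2.0'.
    if discovery.get("issuer") != config.get("issuer_url"):
        problems.append(
            f"issuer mismatch: config={config.get('issuer_url')!r} "
            f"discovery={discovery.get('issuer')!r}"
        )

    # 3. Every scope the page requires must be offered by the provider.
    missing = REQUIRED_SCOPES - set(discovery.get("scopes_supported", []))
    if missing:
        problems.append("scopes not offered by provider: " + ", ".join(sorted(missing)))

    # 4. The authorization code flow must be available; the page only suggests
    #    enabling implicit ID tokens as an optional extra.
    if "code" not in discovery.get("response_types_supported", []):
        problems.append("provider does not support response_type=code")

    # 5. The redirect URI must use https, matching the Web platform entry
    #    registered in Step 3 / Step 7.
    redirect = config.get("redirect_uri", "")
    if not redirect.startswith("https://"):
        problems.append(f"redirect_uri must use https: {redirect!r}")

    return problems


# --- Constructed sample data (not a real tenant) ---------------------------
SAMPLE_TENANT_ID = "11111111-2222-3333-4444-555555555555"  # constructed
SAMPLE_ISSUER = f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/v2.0"

# Field names mirror those of an Entra v2.0 discovery document; the values are
# constructed for this example.
SAMPLE_DISCOVERY = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/discovery/v2.0/keys",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "response_types_supported": ["code", "id_token", "code id_token"],
}

GOOD_CONFIG = {
    "provider": "azure-external-id",
    "issuer_url": SAMPLE_ISSUER,
    "client_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",  # constructed
    "client_secret": "constructed-secret-value",  # constructed
    "redirect_uri": "https://example.frontegg.com/oauth/callback",  # constructed
}

# Same block with the docs placeholders left in and the '/v2.0' suffix dropped.
BAD_CONFIG = {
    "provider": "azure-external-id",
    "issuer_url": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}",
    "client_id": "[Application (client) ID]",
    "client_secret": "[Client secret Value]",
    "redirect_uri": "http://[YOUR-FRONTEGG-DOMAIN]/oauth/callback",
}

if __name__ == "__main__":
    print("discovery:", discovery_url(GOOD_CONFIG["issuer_url"]))
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, validate_provider_config(cfg, SAMPLE_DISCOVERY) or "OK")
```

Run against the constructed data, the good block passes and the bad block reports the three leftover placeholders, the issuer mismatch caused by the missing `/v2.0`, and the plain-http redirect URI. The same issuer comparison applies unchanged to the `ciamlogin.com` and `b2clogin.com` issuers listed above, since each of those tenants publishes its own discovery document under the same `/.well-known/openid-configuration` path.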