# Microsoft Entra ID (previously Azure Active Directory)

Use these instructions to set up Microsoft Entra ID as your SSO provider for Tonic Structural.

## Entra ID configuration

### Register Structural as an application

In the [Entra ID Portal](https://aad.portal.azure.com/), register Structural as an application:

1. In the portal, navigate to **Microsoft Entra ID -> App registrations**, then click **New registration**.

![New registration option on App registrations](https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2F1TW9RMoMiM1rQApmZRJy%2FEntraIDNewRegistrations.png?alt=media\&token=51e72a4d-4ce5-4617-9f11-de6532cabf00)

2. Register Structural and add a **Web** redirect URI that points to your Structural instance's address with the path `/sso/callback` (for example, `https://<your-structural-host>/sso/callback`).
3. Take note of the values for client ID and tenant ID. You will need them later.

![Client ID and tenant ID values for the application](https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FfWkDlZMzL7COZ84CY7Yh%2FEntraIDDetailsClientTenantIDs.png?alt=media\&token=0d4cce72-8d8c-4b3b-bb0d-a1404f6a408c)

### Create a client secret

1. Click **New client secret**.

![Option to add a new client secret](https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FK5F3T5MW3c1xsfGsbfXU%2FEntraIDClientSecretsAddSecret.png?alt=media\&token=f106822f-fde6-425a-ad8f-eb52c4aed480)

2. Create a new client secret.

<figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FcSTtFhwzziTjN8uBRqup%2FEntraIDClientSecretFields.png?alt=media&#x26;token=463e5e5b-a8d9-4fdf-b8b6-7d008dda384b" alt=""><figcaption><p>Fields for a new client secret</p></figcaption></figure>

3. Take note of the secret value. You will need this later. The portal shows the value only immediately after you create the secret; if you lose it, create a new secret.

![Client secret value](https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2Foiwwj054t5iyLNGQVbj5%2FEntraIDClientSecretValue.png?alt=media\&token=f061ba6d-04d8-4685-a236-add2af822147)

### Add permissions

Navigate to the **API permissions** page, then add the following permissions for the Microsoft Graph API:

* OpenId permissions
  * email
  * openid
  * profile
* GroupMember
  * GroupMember.Read.All
* User
  * User.Read

![Request API permissions panel](https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FkhG7EWyBPoPtW6gbkQkb%2FEntraIDRequestAPIPermissions.png?alt=media\&token=6fc3bf48-65c7-4249-b7fe-c998ab181b92)

After you add the permissions, click **Grant admin consent for \<your tenant>** (the screenshots show the **Tonic AI** tenant). This allows the application to read user and group information from your organization.

![Grant admin consent option for the application](https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FXSeo7TaDf5No4cfPNccu%2FEntraIDGrantAdminConsent.png?alt=media\&token=2038b0d9-356c-494d-8550-367ece0dde4e)

When the permissions are granted, the status column for each permission should change to **Granted for \<your tenant>**.

### Grant user and group access to Structural

Navigate to **Enterprise applications** and then select **Tonic Structural**.

From here, you can assign the users or groups that should have access to Structural.

![](https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2F8EEz799GGw9f3aO9XavY%2FEntraIDAppProperties.png?alt=media\&token=7d86f428-0eb0-4402-b3b4-7233112502df)

## (Optional) Using service principals for Structural authentication <a href="#entra-id-config-service-principal" id="entra-id-config-service-principal"></a>

You can optionally configure Entra ID to use service principals for Structural authentication:

### Update the Structural app registration <a href="#entra-id-service-principal-app-registration" id="entra-id-service-principal-app-registration"></a>

1. From the [Entra ID portal](https://aad.portal.azure.com/), click **Microsoft Entra ID** → **App registrations** → **\[Your Tonic Structural App]** to open the Tonic Structural app registration page.
2. If your application registration doesn't already have an application ID URI, then under **Essentials**:

   1. Click **Add an Application ID URI**.
   2. At the top of the **Expose an API** page, click **Add**.

   You can use the default suggestion of **api://\<application-client-id>.**
3. To navigate to the **App roles** configuration page, click **Manage →** **App roles**.
4. Click **Create app role**, then configure the role:
   * **Display Name**: Can be any value, but we recommend `Service Principal`
   * **Allowed Member types**: `Application`
   * **Value**: `Structural.ServicePrincipal`
   * **Description**: Can be any value, but it should describe the service principal role.
5. To navigate to the **Manifest** configuration page, click **Manage →** **Manifest**.
6. Set the value for `accessTokenAcceptedVersion` to `2`, then click **Save**.

   This ensures that the Entra ID access tokens that are issued for the Structural application scope are version 2.0 tokens. If the portal shows the manifest in the Microsoft Graph format, the same setting is `requestedAccessTokenVersion` under `api`.
7. To navigate to the **API permissions** configuration page, click **Manage →** **API permissions**.
8. Click **Add a permission**.

   For the Microsoft Graph API, add the following application permissions:

   * `Application.Read.All` - Required to fetch information about service principals.
   * `GroupMember.Read.All` - Required to sync the service principal group membership.

     Note that your Tonic Structural registration should already contain a delegated permission for `GroupMember.Read.All`. This application permission is an additional, separate permission.

   Before they can take effect, application permissions require admin consent.

Structural is now set up to authenticate application service principals using access tokens that are acquired from the Entra ID OAuth 2.0 client credentials flow.

To use the client credentials flow to retrieve an access token, follow [these instructions](https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-client-creds-grant-flow#get-a-token).

Set the `scope` parameter on the token request to `<your-application-id-uri>/.default`. For example, `api://22d90d9d-f5e4-4242-8989-9af9ac80608f/.default`.

### Assign application permissions for client applications <a href="#entra-id-service-principal-app-permissions" id="entra-id-service-principal-app-permissions"></a>

{% hint style="info" %}
You must complete these permission assignment steps for each client application that needs access to Structural.
{% endhint %}

For the Structural API to successfully authorize an application service principal, you must grant the `Structural.ServicePrincipal` role to the application service principal.

1. For an application that requires access to Structural, click **Microsoft Entra ID** → **App registrations** → **\[Your Application]** to open its app registration page.
2. To navigate to the **API permissions** configuration page, click **Manage** → **API permissions**.
3. Click **Add a permission.**
   1. On the **APIs my organization uses** tab, search for your Structural app registration.
   2. Add the `Structural.ServicePrincipal` application permission.

Before they can take effect, application permissions require admin consent.

After consent is granted, the `roles` claim of access tokens acquired with the client credentials flow includes `Structural.ServicePrincipal`. If the claim is missing, Structural rejects the token.

To use your application service principal to make Structural API calls, in the HTTP `Authorization` header, use the following format:

```
EntraID <token>
```

`EntraID` replaces the typical `Bearer` prefix.
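The following script is an added example, not Tonic's own code, that ties the client credentials steps above together: it builds the token request with the `<application-id-uri>/.default` scope, decodes the returned token to confirm that `ver` is `2.0`, that the audience is the Structural app, and that `roles` contains `Structural.ServicePrincipal`, and then forms the `EntraID <token>` header. The application ID URI reused from the page, the tenant and client values, and the unsigned sample tokens are constructed for offline demonstration; only the network call in `fetch_token` needs a real tenant.

```python
"""Added example (not Tonic's code): client-credentials token for Structural,
pre-flight claim checks, and the EntraID Authorization header.

Assumptions: the application ID URI follows the page's api://<client-id> form;
tenant/client values are placeholders; sample tokens are constructed and unsigned.
"""
import base64
import json
import urllib.parse
import urllib.request

REQUIRED_ROLE = "Structural.ServicePrincipal"  # app role value from the page


def token_request(tenant_id: str, client_id: str, client_secret: str,
                  application_id_uri: str) -> tuple[str, bytes]:
    """Return (token endpoint URL, form body) for the client credentials grant."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{application_id_uri}/.default",  # per page: <app-id-uri>/.default
    }).encode()
    return url, body


def fetch_token(tenant_id: str, client_id: str, client_secret: str,
                application_id_uri: str) -> str:
    """Perform the token request over the network and return the raw access token."""
    url, body = token_request(tenant_id, client_id, client_secret, application_id_uri)
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature. Diagnostic only:
    Structural verifies the signature server-side; never base your own
    authorization decisions on unverified claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token: str, application_id_uri: str) -> list[str]:
    """Return the problems that would make Structural reject this token."""
    claims = token_claims(token)
    problems = []
    if claims.get("ver") != "2.0":
        problems.append("ver is not 2.0: set accessTokenAcceptedVersion to 2 in the manifest")
    # v2.0 tokens carry the API's client ID as aud; v1.0 tokens carry the app ID URI
    if claims.get("aud") not in (application_id_uri, application_id_uri.removeprefix("api://")):
        problems.append(f"aud {claims.get('aud')!r} is not the Structural app")
    if REQUIRED_ROLE not in claims.get("roles", []):
        problems.append(f"roles lacks {REQUIRED_ROLE}: add the app permission and grant admin consent")
    return problems


def auth_header(token: str) -> dict:
    """Structural expects 'EntraID <token>' in place of 'Bearer <token>'."""
    return {"Authorization": f"EntraID {token}"}


def _fake_jwt(payload: dict) -> str:
    """Constructed, unsigned token (alg none, empty signature) for offline use only."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


APP_ID_URI = "api://22d90d9d-f5e4-4242-8989-9af9ac80608f"  # example URI from the page

# Constructed samples: one that passes every check, one that fails ver and roles.
GOOD_TOKEN = _fake_jwt({"aud": APP_ID_URI, "ver": "2.0", "roles": [REQUIRED_ROLE]})
BAD_TOKEN = _fake_jwt({"aud": APP_ID_URI, "ver": "1.0", "roles": []})

if __name__ == "__main__":
    print(check_token(GOOD_TOKEN, APP_ID_URI))   # []
    print(check_token(BAD_TOKEN, APP_ID_URI))    # two problems
    print(auth_header(GOOD_TOKEN)["Authorization"][:16])  # EntraID eyJhbGci
```

Run `check_token` on a real token before wiring a client into Structural: the two most common failures (a v1.0 token because the manifest was not updated, and an empty `roles` claim because admin consent was not granted for the client's app permission) are visible in the decoded payload without touching the Structural API.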

## Structural configuration

In the Structural web server container, set the following [Structural environment settings](https://docs.tonic.ai/app/admin/environment-variables-setting):

* `TONIC_SSO_PROVIDER`: `Azure`
* `TONIC_SSO_CLIENT_ID`: \<Microsoft Entra ID Client ID>
* `TONIC_SSO_CLIENT_SECRET`: \<Microsoft Entra ID Client Secret>
* `TONIC_SSO_TENANT_ID`: \<Microsoft Entra ID Tenant ID>
* `TONIC_SSO_GROUP_FILTER_REGEX`: Identifies the allowed groups for Structural. For details, go to [sso-limit-groups](https://docs.tonic.ai/app/admin/tonic-user-access/single-sign-on/sso-limit-groups "mention").

{% hint style="info" %}
For Kubernetes, `TONIC_SSO_CLIENT_SECRET` can be provided through the `tonic-sso-client-secret` secret instead of as a plain environment variable.
{% endhint %}


