Azure Active Directory OIDC Instructions

To enable authentication and user creation for Defender from Azure AD, an application must be registered in the customer's Azure AD tenant with the permissions needed to query the Microsoft Graph API for user information, both for authentication and for provisioning the user account within Arcmail Defender.

The permissions needed are on the Microsoft Graph API: the openid, email and profile delegated permissions for authentication, and the User.Read.All application permission so we can pull the user's email alias information.

In order to do this, you will need to create an application registration in Azure AD. You can name it anything you want; we suggest calling it "Arcmail Defender". Restrict sign-in to accounts in your own directory only. Then add a redirect URI consisting of the DNS name of your Arcmail Defender instance (the address people use to access it, e.g. https://archive.mycompany.com/) followed by "/defender/login/oidc/auth" (e.g. https://archive.mycompany.com/defender/login/oidc/auth). The URI Defender sends during login must match this registered value exactly.

You can create an application in the Application Registrations menu item:

You will need to register an application:

You will then need to grant this application the appropriate API permissions:

Make sure to grant admin consent for the permissions, so that you see the check marks next to the permissions.

Finally, you will need to create a client secret. You can set it to expire per your internal policy, or set it to never expire. Note that if this secret expires, you will need to notify us and send an updated secret. When you create the secret, its value is shown only once, so copy it at that time.

Once this is done, you will want to send us the following information from the application you created:

  1. Your tenant ID

  2. The application ID

  3. The client secret you created above

You can get the first two (tenant ID and application ID) from the overview page of the application you created:
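The login exchange that this registration enables, as an added example (constructed here, not Arcmail Defender's own code): it builds the Azure AD authorization request from the tenant ID, application ID, redirect URI and scopes described on this page, and lists the ID-token claims a relying party must check against those same values. It assumes the Azure AD v2.0 endpoints and that the token signature has already been verified against the tenant's JWKS; the tenant and application IDs are placeholders.

```python
import time
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"
CALLBACK_PATH = "/defender/login/oidc/auth"   # callback path given on this page
SCOPES = "openid email profile"               # the delegated permissions the page lists

def redirect_uri(base_url: str) -> str:
    """Redirect URI to register: the Defender address plus the callback path (no double slash)."""
    return base_url.rstrip("/") + CALLBACK_PATH

def build_authorize_url(tenant_id, client_id, base_url, state, nonce):
    """Authorization request to Azure AD; redirect_uri must match the registered URI exactly."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri(base_url),
        "response_mode": "query",
        "scope": SCOPES,
        "state": state,  # bound to the browser session and compared on the callback
        "nonce": nonce,  # echoed back inside the ID token and compared below
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize?" + urlencode(params)

def validate_id_token_claims(claims, tenant_id, client_id, nonce, now=None):
    """Names of failed checks (empty = acceptable); assumes the signature was verified already."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != f"{AUTHORITY}/{tenant_id}/v2.0":
        problems.append("iss")    # issued by another tenant or endpoint version
    if claims.get("aud") != client_id:
        problems.append("aud")    # minted for a different application ID
    if claims.get("tid") != tenant_id:
        problems.append("tid")    # tenant claim must be the customer's tenant
    if claims.get("nonce") != nonce:
        problems.append("nonce")  # replayed or injected token
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("exp")    # expired or missing expiry
    return problems

# Constructed sample: placeholder IDs, not real tenant or application values.
SAMPLE_TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_APP = "11111111-1111-1111-1111-111111111111"
SAMPLE_CLAIMS = {"iss": f"{AUTHORITY}/{SAMPLE_TENANT}/v2.0", "aud": SAMPLE_APP,
                 "tid": SAMPLE_TENANT, "nonce": "n-1", "exp": 4102444800}
```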