Entra ID with Microsoft Graph setup
Microsoft has renamed Azure Active Directory (Azure AD) to Microsoft Entra ID for the following reasons: (1) to communicate the multicloud, multiplatform functionality of the products, (2) to alleviate confusion with Windows Server Active Directory, and (3) to unify the Microsoft Entra product family.
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/new-name
Azure Application Configuration
Log in to the Microsoft Azure portal and go to App registrations.
Click New registration to create a new application or select an existing application.
If you are creating a new application, set the Name and, in Supported account types, select the Accounts in this organizational directory only ({Tenant name} only - Single tenant) option if all your users are members of your tenant. A multitenant application can also be used if required, depending on the target audience of the application.
You can skip the Redirect URI settings for now (described in step 7). Click Register to create the application.
From the application’s Overview screen, go to API Permissions and select Microsoft Graph API and the required type of permission (Delegated or Application) as illustrated below. The required permissions are:
Microsoft Graph \ Group.Read.All, Microsoft Graph \ User.Read, Microsoft Graph \ User.Read.All
The status "Granted for Default Directory" needs to be set on all permissions that require admin consent. All needed permissions can be added and configured with the buttons at the top of the list of permissions.
Use "Add a permission" to add a new permission.
Use "Grant admin consent for Default Directory" to set the status of the permission to "Granted for Default Directory".
Go to the Authentication settings, and under Platform configurations, click Add a platform. Then select Web, and list all redirect URLs for your Azure application. For the actual URLs, use the hostname (and port) of your server in the following format:
https://{hostname:port}/auth
and click Configure.
In the application’s overview page, save the Application (client) ID and the Directory (tenant) ID, as they are needed for the MyQ configuration.
Click Add a certificate or secret next to Client credentials and complete the following steps:
Click New client secret.
Add a Description.
Set the expiration for the key.
Click Add.
Save the client secret key Value, because you need it for the configuration in MyQ and you cannot retrieve it later.
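Before entering the values into MyQ it is worth confirming that the registration actually works and that admin consent was granted. The following script is an added example, not MyQ's or Microsoft's own code: it requests a token with the client-credentials flow using the saved tenant ID, client ID and secret, decodes the token and checks that the expected permissions appear (application permissions such as Group.Read.All and User.Read.All show up in the roles claim, delegated ones such as User.Read in the scp claim), and finally makes one Graph call. It assumes the v2.0 token endpoint, that the client secret is supplied through the ENTRA_CLIENT_SECRET environment variable (a name chosen here), and that Group.Read.All and User.Read.All were granted as Application permissions; the unsigned_token helper only builds constructed tokens for offline testing.

```python
"""Verify an Entra ID app registration against Microsoft Graph.

Added example (not MyQ code). Assumes the v2.0 token endpoint and a client
secret credential; the permission sets below mirror the ones listed in the
setup steps.
"""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com"
# Application permissions appear in the "roles" claim of an app-only token.
APP_PERMISSIONS = {"Group.Read.All", "User.Read.All"}
# Delegated permissions appear, space-separated, in the "scp" claim of a user token.
DELEGATED_PERMISSIONS = {"User.Read"}


def token_request(tenant_id: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """Build the client-credentials request. The ".default" scope asks for every
    application permission that has been admin-consented on the registration."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": f"{GRAPH}/.default",
    }).encode()
    return urllib.request.Request(url, data=body, method="POST")


def jwt_claims(token: str) -> dict:
    """Decode the payload of a JWT without verifying the signature.
    Fine for inspecting a token you just received from the issuer yourself;
    never use this to accept tokens presented by clients."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_app_permissions(claims: dict) -> set:
    """Application permissions that were not granted (admin consent missing)."""
    return APP_PERMISSIONS - set(claims.get("roles", []))


def missing_delegated_permissions(claims: dict) -> set:
    """Delegated permissions absent from a user token's scp claim."""
    return DELEGATED_PERMISSIONS - set(claims.get("scp", "").split())


def unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg none) for offline tests of the checks above."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


def verify_registration(tenant_id: str, client_id: str, client_secret: str) -> dict:
    """Get an app-only token, check its permissions, then read one user from Graph."""
    with urllib.request.urlopen(token_request(tenant_id, client_id, client_secret)) as resp:
        token = json.load(resp)["access_token"]
    missing = missing_app_permissions(jwt_claims(token))
    if missing:
        # Token issued, but "Grant admin consent" was not done for these permissions.
        return {"ok": False, "missing": sorted(missing)}
    req = urllib.request.Request(f"{GRAPH}/v1.0/users?$top=1",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        users = json.load(resp).get("value", [])
    sample = users[0].get("userPrincipalName") if users else None
    return {"ok": True, "missing": [], "sample_user": sample}


if __name__ == "__main__":
    # usage: python check_entra.py <tenant-id> <client-id>   (secret from env, not argv)
    tenant, client = sys.argv[1:3]
    print(verify_registration(tenant, client, os.environ["ENTRA_CLIENT_SECRET"]))
```

If the result reports missing permissions, go back to API Permissions and use "Grant admin consent for Default Directory"; a token is still issued without consent, so only the claim check (or the Graph call failing with 403) reveals the gap.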
Configuration in MyQ
Go to MyQ, Settings, Connections to connect MyQ to Entra ID. Click Add and select Entra ID from the list. In the pop-up window, fill in the required information:
Title: Add a title for the connection.
Tenant ID: Add the Directory (tenant) ID you saved from Azure.
Client ID: Add the Application (client) ID you saved from Azure.
Security key: Add the (secret) Value you saved from Azure.
Click Save and your Entra ID connection is now complete.
Microsoft single sign-on
To use Microsoft single sign-on:
Enable "Use as an authentication server" on the Users tab of the Entra ID synchronization source before synchronizing users, or enable Entra ID as the authentication server manually for selected users in their details on the Users main page.
In the Entra authentication server settings, enable displaying the 'Sign in with Microsoft' login method.
When Microsoft single sign-on is enabled, the Sign in with Microsoft button is always displayed on the MyQ Web UI login page, but only users who use Entra ID as their authentication server can use it to log in. Any attempt to use Microsoft single sign-on by a user who does not use the Entra ID authentication system will end with an error.
What happens when a user tries to sign in with Microsoft in the MyQ Web UI:
The user clicks the single sign-on button.
If the user is not signed in to Microsoft in the browser, they are forwarded to the Microsoft login page to sign in, and then logged into MyQ with the provided account.
If the user is signed in to Microsoft with one account only, they are automatically logged into MyQ with this account (see Limitations below).
If the user is signed into two Microsoft accounts, they are forwarded to the Microsoft login page and are given a choice to select the account to continue with.
Logout in MyQ Web UI signs out the user only locally, not from Microsoft.
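The sequence above is the standard OAuth 2.0 authorization-code round trip: the server redirects the browser to Microsoft, and Microsoft redirects back to the registered redirect URI (https://{hostname:port}/auth) with a code. The following is an added example of the server side of that exchange, written for this page and not MyQ's own implementation; it assumes the v2.0 endpoints, the scopes openid, profile and User.Read, and placeholder tenant, client and hostname values. It shows the two checks a relying party should make on the callback (exact redirect URI match and a one-time state value) and, for single-tenant registrations, a tenant check on the id_token claims after the code has been exchanged and the signature verified.

```python
"""Server side of "Sign in with Microsoft" (authorization-code flow).

Added example, not MyQ code. Assumes the v2.0 authorize endpoint and that the
redirect URI is exactly the one registered on the Azure application.
"""
import secrets
import urllib.parse

AUTHORITY = "https://login.microsoftonline.com"


def build_authorize_url(tenant_id: str, client_id: str, redirect_uri: str,
                        pending_states: dict) -> str:
    """Start the sign-in. Putting the tenant ID in the authority (rather than
    "common") keeps the flow single-tenant: accounts from other directories are
    refused by Microsoft before any code is issued. If the browser already has
    exactly one Microsoft session, Microsoft signs the user in without a prompt."""
    state = secrets.token_urlsafe(32)       # unguessable, one-time login-CSRF token
    pending_states[state] = redirect_uri    # remember what was sent, keyed by state
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": "openid profile User.Read",
        "state": state,
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize?" + urllib.parse.urlencode(params)


def handle_callback(callback_url: str, registered_redirect: str, pending_states: dict):
    """Validate the redirect back to /auth. Returns (ok, code_or_reason)."""
    parsed = urllib.parse.urlsplit(callback_url)
    # The browser must have landed on exactly the URI registered in Azure.
    landed = urllib.parse.urlunsplit((parsed.scheme, parsed.netloc, parsed.path, "", ""))
    if landed != registered_redirect:
        return False, "redirect URI mismatch"
    q = urllib.parse.parse_qs(parsed.query)
    state = q.get("state", [None])[0]
    # pop() makes each state single-use, so a replayed callback is rejected.
    if state is None or pending_states.pop(state, None) is None:
        return False, "unknown or replayed state"
    if "error" in q:
        return False, q.get("error_description", q["error"])[0]
    if "code" not in q:
        return False, "missing code"
    return True, q["code"][0]


def tenant_matches(id_token_claims: dict, expected_tenant: str) -> bool:
    """Defence in depth for single-tenant setups: after exchanging the code and
    verifying the id_token signature against the tenant's published keys, confirm
    the account belongs to the configured directory."""
    return (id_token_claims.get("tid") == expected_tenant
            and id_token_claims.get("iss") == f"{AUTHORITY}/{expected_tenant}/v2.0")


if __name__ == "__main__":
    # Constructed walk-through with placeholder identifiers.
    pending = {}
    url = build_authorize_url("tenant-id-placeholder", "client-id-placeholder",
                              "https://myq.example.test:8090/auth", pending)
    print("redirect browser to:", url)
    state = next(iter(pending))
    print(handle_callback(f"https://myq.example.test:8090/auth?code=abc123&state={state}",
                          "https://myq.example.test:8090/auth", pending))
```

The local logout described above corresponds to dropping the MyQ session only; nothing in this flow touches the Microsoft session, which is why the next click on the button signs the user straight back in when a single Microsoft session is still present in the browser.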
Limitations
If a user uses the Sign in with Microsoft button while they are signed into one Microsoft account in the browser, they are automatically logged into MyQ with this account. There is no option to switch to another account. To use another account, the user has to sign out of Microsoft services first; upon the next use of the single sign-on button, they will be asked for a new login.
Users who use the Entra ID authentication server cannot sign in to the MyQ Web User Interface with a PIN. However, they can use their PIN on MyQ Embedded terminals or in MyQ Desktop Client.
Synchronization and authentication through Entra ID with Microsoft Graph can now be used via the following steps:
Adding an Entra ID authentication server in MyQ, Settings, Authentication Servers.
Adding an Entra ID synchronization source in MyQ, Settings, User Synchronization.