
Entra (Azure Active Directory)

Entra (Azure Active Directory) can be used to authenticate users for Bragi.

Configuration

Configuring Entra (Azure Active Directory) for Bragi requires multiple steps to enable secure authentication and role-based access.

These procedures are designed for technical staff responsible for infrastructure, identity, or Bragi deployment.

App Registration

  1. Open the Azure Portal on the tenant hosting your Entra instance.

  2. Navigate to App Registrations.

    The Azure dropdown search bar with the text "app registrations" and the "App registrations" item selected
  3. Select New Registration.

    The App registrations page in Azure, with "New registration" selected
  4. Complete the registration details.

    The Register an application page in Azure with the name for the new app registration set to "Bragi"
    • Name: Choose a recognisable and environment-specific name (e.g. Bragi-Production).

    • Supported account types: Select Accounts in this organisational directory only (Single tenant).

    • Redirect URI: Optional at this stage; consult the "Redirect URIs" section below for guidance.

  5. Once submitted, you will see your new app registration.

    A screenshot of the Azure page for the created Bragi App registration
  6. Collect the configuration values needed for Bragi integration (example below):

    {
      "ConnectionStrings": {
        "BragiMetaData": ""
      },
      "IdentityProvider": "AzureAd",
      "AzureAd": {
        "Instance": "https://login.microsoftonline.com",
        "Domain": "CompanyName.com",
        "ClientId": "bfe431f8-6b47-4dfd-a9b5-f99a72a649b1",
        "TenantId": "18065655-4e82-4410-9c4c-0e5547768b96",
        "CallbackPath": "/signin-oidc",
        "ClientSecret": ""
      }
    }
    • Add these details to your appsettings.json, then restart Bragi for the changes to take effect.

  7. Generate a client secret separately; see "Client Credentials" below.

Redirect URIs

Redirect URIs protect the sign-in flow: Azure only sends authentication responses (authorization codes and tokens) to URIs registered on the app registration, and the match is exact, so the URI Bragi uses must be registered verbatim.

  1. In the created app registration, locate and select Add a Redirect URI.

    A screenshot of a link in Azure titled "Add a Redirect URI"
  2. Choose Add a platform.

    A screenshot of Azure, specifically the "Platform configurations" section where "Add a platform" is highlighted
  3. Select Web.

    A screenshot of Azure with a section titled "Configure platforms", with "Web" selected
  4. Configure:

    • Redirect URI: Use the fully-qualified domain or IP for your Bragi install, including port (if used) and /signin-oidc suffix.
      Example: https://bragi.internal:8080/signin-oidc

    • Enable Access tokens (for implicit flows).

    • Enable ID tokens (for implicit and hybrid flows).

    A screenshot of the "Configure web" panel in Azure where "Redirect URIs" is set to "https://bragi.internal:8080/signin-oidc"
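The App Registration and Redirect URI steps above both end with values that must agree: the AzureAd section of appsettings.json and the redirect URI registered in Azure. The following is an added example (not Bragi's or Microsoft's code) that checks a settings file for the common mistakes before Bragi is restarted: missing or non-GUID ClientId/TenantId, a non-https Instance, and a CallbackPath that, combined with Bragi's base URL, does not exactly match a registered redirect URI. The settings text, the base URL and the registered URI list are constructed sample inputs.

```python
"""Sanity-check the AzureAd section of a Bragi appsettings.json.

Added example, not part of Bragi or of Microsoft's tooling. Assumes the JSON
layout shown in the App Registration step (keys Instance, Domain, ClientId,
TenantId, CallbackPath, ClientSecret) and that the redirect URIs registered in
Azure are known. All sample values below are constructed for illustration.
"""
import json
import re
from urllib.parse import urlsplit

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")
REQUIRED_KEYS = ("Instance", "Domain", "ClientId", "TenantId", "CallbackPath", "ClientSecret")

# Constructed sample in the layout the documentation shows (secret left empty on purpose).
SAMPLE_APPSETTINGS = """
{
  "IdentityProvider": "AzureAd",
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com",
    "Domain": "example.com",
    "ClientId": "00000000-0000-0000-0000-000000000001",
    "TenantId": "00000000-0000-0000-0000-000000000002",
    "CallbackPath": "/signin-oidc",
    "ClientSecret": ""
  }
}
"""


def load_settings(text):
    """Parse appsettings.json text into a dict."""
    return json.loads(text)


def check_azure_ad_settings(settings, registered_redirect_uris, bragi_base_url):
    """Return a list of problems; an empty list means the section is consistent."""
    problems = []
    if settings.get("IdentityProvider") != "AzureAd":
        problems.append("IdentityProvider is not 'AzureAd'")
    ad = settings.get("AzureAd") or {}

    # Every key the documentation lists must be present and non-empty.
    for key in REQUIRED_KEYS:
        if not ad.get(key):
            problems.append(f"AzureAd.{key} is missing or empty")

    # ClientId and TenantId are GUIDs copied from the portal; catch truncated pastes.
    for key in ("ClientId", "TenantId"):
        if ad.get(key) and not GUID_RE.match(ad[key]):
            problems.append(f"AzureAd.{key} is not a GUID")

    instance = ad.get("Instance", "")
    if instance and urlsplit(instance).scheme != "https":
        problems.append("AzureAd.Instance must use https")

    callback = ad.get("CallbackPath", "")
    if callback and not callback.startswith("/"):
        problems.append("AzureAd.CallbackPath must be an absolute path")

    # Azure matches redirect URIs exactly, so the URI Bragi will send (base URL
    # plus CallbackPath) must appear verbatim in the registered list.
    if callback:
        expected = bragi_base_url.rstrip("/") + callback
        if expected not in registered_redirect_uris:
            problems.append(f"redirect URI {expected} is not registered in Azure")

    for uri in registered_redirect_uris:
        if urlsplit(uri).scheme != "https":
            problems.append(f"registered redirect URI {uri} is not https")
    return problems


if __name__ == "__main__":
    settings = load_settings(SAMPLE_APPSETTINGS)
    for problem in check_azure_ad_settings(
        settings, ["https://bragi.internal:8080/signin-oidc"], "https://bragi.internal:8080"
    ):
        print("problem:", problem)
```

Run against the constructed sample, the only finding is the empty ClientSecret, which is expected at this stage because the secret is generated separately under "Client Credentials". Pointing the check at a base URL that differs from the registered one (for example http instead of https, or a different port) reports the mismatch that would otherwise surface only as a redirect error from Azure at sign-in.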

Client Credentials

A client secret is required so that Bragi can authenticate itself to Entra when it exchanges authorization codes for tokens.

  1. From your app registration, click Add a certificate or secret.

    A screenshot of a link in Azure titled "Add a certificate or secret"
  2. Click New client secret.

    A screenshot of the client secret page in Azure with "New client secret" highlighted
  3. Enter a descriptive name and choose an expiry to suit operational/security policies.

  4. For security, use the secret only for this Bragi deployment (do not share it with other applications) and plan its rotation before the chosen expiry.

  5. Copy the "Value" immediately—it is only visible once and is required for integration.
    Store securely (ideally in an approved secrets manager).

  6. Insert the value into appsettings.json under ClientSecret, as shown earlier.

Permissions

Using Active Directory Groups to Control Permissions

To control permissions within Bragi using Active Directory, ensure that logical groups are created in Active Directory representing different user roles or access levels. These groups will be used to determine the corresponding Bragi roles.

Once the Active Directory groups are set up, you can create app roles in Bragi which map users from a given Active Directory group to specific permission sets in Bragi. When configuring an app role in Bragi, the Active Directory Group field must contain the unique name of the group as defined in Active Directory.

This mapping allows Bragi to enforce permissions according to group membership managed externally via Active Directory, simplifying administration and maintaining consistent access policies.

Assigning Roles

Bragi leverages Entra roles (Azure AD App Roles) mapped to app roles for granular permission control.

  1. Open your app registration.

  2. Select App roles.

  3. Click Create app role.

  4. Complete the app role configuration:

    • Display name and Description are shown to users.

    • Value is used for permission matching. Ensure it corresponds to Active Directory group names or your team’s mapped convention.

    The "Create app role" panel in Azure displaying a role being created
  5. Navigate to Enterprise Applications.

    The Azure dropdown search bar with the text "Enterprise Applications" and the "Enterprise applications" item selected
  6. Select your registered application.

  7. Open Users and groups.

  8. Choose Add user/group.

  9. Assign the roles to relevant users or groups.
    Note: Group assignments may be restricted by your Entra subscription plan.

  10. Click Assign to finalise.

After a role assignment changes, users may need to sign out and back in for it to take effect, because the roles claim is issued with the token at sign-in.
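The Permissions and Assigning Roles sections describe one mapping: an Entra app role whose Value is the Active Directory group name, assigned to that group in Enterprise Applications, and a Bragi app role that maps the same group name to a permission set. The following is an added example (not Bragi's own code) of how such a mapping resolves the permissions of a signed-in user from the claims in their ID token. It assumes the token has already been validated (signature, issuer, audience, expiry) by the OIDC middleware so that only its claims are handled here; the role map, permission names and claim sets are constructed samples.

```python
"""Resolve Bragi permissions from the app roles Entra places in a user's token.

Added example, not Bragi's own code. Assumes each Entra app role's Value equals
the Active Directory group name, as the documentation describes, and that the
ID token has already been validated by the sign-in middleware. Entra emits the
app roles assigned to the user (directly or via group) in the 'roles' claim; a
user with no assignment receives no 'roles' claim at all.
"""

# Constructed mapping: app role Value (== AD group name) -> Bragi permission set.
ROLE_MAP = {
    "Bragi-Admins": {"read", "write", "manage-users"},
    "Bragi-Editors": {"read", "write"},
    "Bragi-Viewers": {"read"},
}


def token_roles(claims):
    """Return the app roles carried by the token as a list (empty if none)."""
    roles = claims.get("roles", [])
    if isinstance(roles, str):  # tolerate a single value serialised as a bare string
        roles = [roles]
    return list(roles)


def resolve_permissions(claims, role_map=ROLE_MAP):
    """Union the permission sets of every mapped role in the token.

    Unknown role values grant nothing; a user without a 'roles' claim ends up
    with an empty permission set, which is the safe default.
    """
    perms = set()
    for role in token_roles(claims):
        perms |= role_map.get(role, set())
    return perms


def unmapped_roles(claims, role_map=ROLE_MAP):
    """Roles present in the token but not configured in Bragi; worth logging,
    since they usually mean an app role was created in Entra without a matching
    Bragi app role (or the Value and group name differ)."""
    return [role for role in token_roles(claims) if role not in role_map]


def can(claims, permission, role_map=ROLE_MAP):
    """True if the token's roles grant the named permission."""
    return permission in resolve_permissions(claims, role_map)


if __name__ == "__main__":
    # Constructed claim sets as the OIDC middleware would expose them.
    admin = {"preferred_username": "alice@example.com", "roles": ["Bragi-Admins"]}
    viewer = {"preferred_username": "bob@example.com", "roles": ["Bragi-Viewers", "Legacy-Group"]}
    nobody = {"preferred_username": "carol@example.com"}
    for user in (admin, viewer, nobody):
        print(user["preferred_username"], sorted(resolve_permissions(user)), unmapped_roles(user))
```

The value comparison is exact, which matches the documentation's requirement that the Bragi app role's Active Directory Group field contain the group's unique name; a case or spelling difference shows up as an unmapped role rather than as a silently granted permission.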

09 March 2026