II. In Microsoft Entra ID: Set up Teams SSO configuration
Prepare App registration, Client ID and Client Secret
1. Log into Microsoft Entra ID with an administrator account. Search in the top bar for App registrations and navigate to this page. During these next steps you should create and copy the values Client ID, Client Secret and API url to use in later sections.
2. If you have an existing Entra ID OIDC client application set up in Kantega SSO you may use this. See where to find Client IDs in the below screenshot:
   You may search for the Client ID in the search bar of Entra ID. Open your existing client application and skip to point 6. If you do not have an existing OIDC client application continue to step 3.
3. Press New registration, set a name for your new client application and press Register. You do not have to fill any of the other fields on this page.
4. Copy Client ID to use in later steps.
5. Click Certificates & secrets in the left menu and click New client secret. Type a suitable description, set an appropriate expiry, and click Add. Copy the Secret Value of the new secret for later steps, and not the Secret ID.
Prepare API Permissions
6. Click into API permissions and Add permissions.
7. Click Microsoft Graph image and Delegated permissions. Select all four OpenId permissions:
   1. email
   2. offline_access
   3. openid
   4. profile
   User.Read should already be selected from before. Press the Add Permissions button.
8. Press the Grant admin consent for <your tenant name> button and press Yes. This is necessary to allow users to log in via the new Teams SSO app into the Atlassian application.
Expose API and give Microsoft Teams access
9. Click Expose an API in the left menu. Click the Application ID URI Add button on top. The App ID URI should be set to this address:
   api://<your-atlassian-server-name-without-portnumber>-<Client ID value-from-step-4>
   Please note the “-” between the two values above. Copy the api address for later use and press Save.
10. Press Add a scope and insert the following scope values in the panel that appears:
    Enter access_as_user as the Scope name.
    Set Who can consent? to Admins and users.
    To configure the admin and user consent prompts with appropriate values for the access_as_user scope, provide the following information in the fields:
    Enter "Teams can access the user’s profile" as Admin consent display name.
    Enter "Allows Teams to call the app’s web APIs as the current user" as Admin consent description.
    Enter "Teams can access the user profile and make requests on the user’s behalf" as User consent display name.
    Enter "Enable Teams to call this app’s APIs with the same rights as the user" as User consent description.
    Ensure that State is set to Enabled.
11. Add Microsoft Teams client application IDs by pressing Add a client application and using the below values:
    1fec8e78-bce4-4aaf-ab1b-5451cc387264 (Teams mobile or desktop application)
    5e3ce6c0-2b1f-4285-8d4b-75ee78787346 (Teams web application)
    Make sure to select Authorized scopes before you press Add application for the two values:
    Afterwards this section should look like this:
12. Then go to the Manifest left menu page, set value "accessTokenAcceptedVersion": 2, and press Save.
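Once the registration is saved, the claims of an access token issued to Teams show whether the settings above took effect. The Python below is an added example, not part of the original guide or of Kantega SSO; it decodes the payload without verifying the signature, so it is a configuration check only and not token validation. It assumes the standard v2 access token claim names (ver, aud, scp, azp); SAMPLE_CLIENT_ID and both sample tokens are constructed placeholders.

```python
import base64
import json

# Teams client application IDs listed on this page.
TEAMS_CLIENT_IDS = {
    "1fec8e78-bce4-4aaf-ab1b-5451cc387264",  # Teams mobile or desktop application
    "5e3ce6c0-2b1f-4285-8d4b-75ee78787346",  # Teams web application
}

def decode_claims(jwt: str) -> dict:
    """Decode the payload segment of a JWT WITHOUT verifying its signature."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_teams_sso_token(claims: dict, client_id: str) -> list:
    """Return a list of configuration problems; an empty list means a match."""
    problems = []
    if claims.get("ver") != "2.0":
        problems.append('ver is not "2.0": set accessTokenAcceptedVersion to 2')
    if claims.get("aud") != client_id:
        problems.append("aud is not the Client ID of the app registration")
    if "access_as_user" not in claims.get("scp", "").split():
        problems.append("scp lacks access_as_user: check the exposed scope")
    if claims.get("azp") not in TEAMS_CLIENT_IDS:
        problems.append("azp is not an authorized Teams client application")
    return problems

def _make_sample(claims: dict) -> str:
    """Build an unsigned, constructed sample token for the demo below."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "none"})}.{enc(claims)}.'

# Constructed placeholder values, not taken from any real tenant.
SAMPLE_CLIENT_ID = "00000000-0000-0000-0000-000000000001"
GOOD = _make_sample({"ver": "2.0", "aud": SAMPLE_CLIENT_ID,
                     "scp": "access_as_user",
                     "azp": "5e3ce6c0-2b1f-4285-8d4b-75ee78787346"})
# What a token looks like when the manifest still issues v1 tokens and the
# access_as_user scope was not requested (constructed).
BAD = _make_sample({"ver": "1.0", "aud": "api://jira.example.com-" + SAMPLE_CLIENT_ID,
                    "scp": "User.Read",
                    "appid": "5e3ce6c0-2b1f-4285-8d4b-75ee78787346"})

if __name__ == "__main__":
    for name, token in (("good", GOOD), ("bad", BAD)):
        print(name, check_teams_sso_token(decode_claims(token), SAMPLE_CLIENT_ID))
```
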