Skip to main content
Star us on GitHub Star

Microsoft Entra ID for BrowZer

How to configure Microsoft Entra ID for OpenZiti BrowZer

Get an Entra ID Account

If you don't already have an account you can sign up at https://entra.microsoft.com/

Add a new Application

Once you have an Azure account, click on the "Entra" icon in the navbar:

Entra icon


Then click on the "App Registrations" item in the left navbar:

Entra App Registrations


Then Click "New registration":

Entra New registration

Now Register an Application:

For the Name of the application, enter the URL where you will be hosting your browZer bootstrapper. For the example used in this documentation, we will use https://entra-demo.ziti.netfoundry.io

For the Supported account types, click the top option (single tenant)

For the Redirect URI, make sure to select SPA and then enter the URL where you will be hosting your browZer bootstrapper. For the example used in this documentation, we will use https://entra-demo.ziti.netfoundry.io

For example:

Entra Register an Application

Once all the above fields have been filled in, click the Register button at the bottom of the form.

Token configuration

Then click on the "Token configuration" item in the left navbar:

Entra icon


Then click "Add optional claim":

Entra icon


Then select Access as the token type, and select email from the list of claims.

Then click the Add button at the bottom of the form.

For example:

Entra icon


A form will appear. Select the checkbox Microsoft Graph email permission, Then click the Add button.

For example:

Entra icon


Expose an API

Then click on the "Expose an API" item in the left navbar:

Entra icon


Click Add a scope

Entra icon


For the Application ID URI, Entra will default to api://<YOUR_CLIENT_ID>. You should accept this default value and not alter it.

For example:

Entra icon


Click Save and continue.

Then, on the next form:

For the Scope name, enter OpenZiti.BrowZer.

For Who can consent, choose Admins and users.

Enter what you like for the descriptions.

Make sure the State is Enabled.

Then click the Add scope button at the borrom of the form.

For example:

Entra icon


Owners

Then click on the "Owners" item in the left navbar:

Entra icon


Add yourself as an owner of the application:

Entra icon


API permissions

Then click on the "API permissions" item in the left navbar:

Entra icon


The User.Read permission is not needed for browZer, so you may use the 3-dot menu on the right side to remove it.

Entra icon


Now click Add a permission.

Entra icon


Now click My APIs.

Entra icon


Now click the item representing the URL where you will be hosting your browZer bootstrapper. For the example used in this documentation, we will use https://entra-demo.ziti.netfoundry.io

Entra icon


Select the checkbox for OpenZiti.BrowZer, then click the Add permissions button at the bottom of the form.

Entra icon


Manifest

Then click on the "Manifest" item in the left navbar:

Now click Microsoft Graph App Manifest, then scroll the JSON down to line 31 where you see requestedAccessTokenVersion. This field defaults to null. Change the value to 2. This is extremely important. Failure to complete this step will results in invalid access_token's being produced by Entra during the PKCE process performed between browZer and Entra when a user authenticates.

Then click Save

For example:

Entra icon


Gather IdP Information

Your OpenZiti network must be configured to become aware of your Entra identity provider. OpenZiti refers to the identity provider as an External JWT Signer. Before you can set up the new JWT signer, you must gather some information from the new Entra Application that you just created:

  • the clientId
  • the issuer
  • the jwks_uri

Gather clientId

The clientID value can be found in the Overview tab of the Application you Registered above:

Auth0 clientId


Gather issuer

The issuer can be found via the openid-configuration endpoint that all OIDC-compliant identity providers expose.

The openid-configuration endpoint URL for Entra looks like this:

https://login.microsoftonline.com/<YOUR_TENANT_ID>/v2.0/.well-known/openid-configuration

where the value for <YOUR_TENANT_ID> can be found in the Overview tab of the Application you Registered above:

Auth0 Domain

When you enter the openid-configuration endpoint URL (https://login.microsoftonline.com/<YOUR_TENANT_ID>/v2.0/.well-known/openid-configuration) into a browser, you will receive a response resembling the following:

Auth0 OIDC config


Take note of the issuer value.


Gather jwks_uri

Take note of the jwks_uri value returned from the above openid-configuration endpoint URL.


Create External JWT Signer

Using the values described above, use the ziti CLI to configure an external JWT signer that represents your Auth0 identity provider. You can find details on how to do this in the BrowZer Quickstart documentation