OIDC setup for Microsoft Azure/AD
Creating and configuring a new app registration in Azure
- Open the Azure Portal.
- Select Microsoft Entra ID -> App registrations.
- Select + New Registration to start creating a new application.
- Name: Enter a display name for the new app registration in Azure. You can choose any name.
- Supported account types: Select Accounts in this organizational directory only.
- Redirect URI: Copy the URI from the OIDC binding dialog on your octoplant server.
- Select Register to create the new app registration. The Overview of your new app registration is displayed.
- Copy the Application (client) ID so you can add it in the OIDC binding dialog.
- Enable the mobile and desktop flows.
- Go to API permissions.
- Select + Add a permission.
- Select Microsoft Graph under Microsoft APIs.
- Select Delegated permissions and select email, openid and profile under OpenId permissions.
- Select Token configuration -> Add group claims -> Security groups, then under ID enable Group ID.
Using OAuth with LDAP sync
- Select Token configuration -> Add optional claims -> Token type: ID, then enable onprem_sid.
- Select Token configuration -> Add group claims -> Security groups, then under ID enable On Premises Group Security Identifier.
Having LDAP enabled changes the way OAuth login works.
- To log in with an LDAP user, first run LDAP synchronization. The user must already be synced to Azure AD.
- For users whose ID token carries an onprem_sid claim, only groups that carry an on-premises SID are assigned. All other groups are ignored.
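The following is an added example, not octoplant code, that models the group rule described above against the ID token claims produced by the configuration on this page. The claim payloads are constructed, the SID and GUID values are made up, and the claim dictionaries are assumed to come from an OIDC library that has already validated the token signature, issuer and audience.

```python
import re

# A Windows security identifier as emitted by the "On Premises Group Security
# Identifier" claim option, e.g. S-1-5-21-<domain>-<rid>. Cloud-only groups
# are emitted as GUIDs instead and do not match this pattern.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Claims expected from the openid, email and profile delegated permissions.
REQUIRED_CLAIMS = ("sub", "email", "name")


def missing_claims(claims: dict) -> list[str]:
    """Return required claims absent from the ID token (empty list when complete)."""
    return [c for c in REQUIRED_CLAIMS if c not in claims]


def assignable_groups(claims: dict) -> list[str]:
    """Groups that would be assigned under the documented LDAP-sync rule.

    If the token carries onprem_sid, the user is an LDAP-synced account and only
    groups identified by an on-premises SID count; GUID-only groups are ignored.
    Users without onprem_sid keep every group in the claim.
    """
    groups = claims.get("groups", [])
    if "onprem_sid" in claims:
        return [g for g in groups if SID_RE.match(g)]
    return list(groups)


# Constructed sample payloads (values are made up, not real identifiers).
SYNCED_USER = {
    "sub": "synced-user", "email": "alice@example.test", "name": "Alice",
    "onprem_sid": "S-1-5-21-1111111111-2222222222-3333333333-1104",
    "groups": [
        "S-1-5-21-1111111111-2222222222-3333333333-1105",   # on-prem group
        "0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b",              # cloud-only group
    ],
}
CLOUD_USER = {
    "sub": "cloud-user", "email": "bob@example.test", "name": "Bob",
    "groups": ["0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b"],
}

if __name__ == "__main__":
    for user in (SYNCED_USER, CLOUD_USER):
        print(user["sub"], "missing:", missing_claims(user),
              "groups:", assignable_groups(user))
```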
Info
We don't recommend enabling LDAP after OAuth.
octoplant can map LDAP users to OAuth users using the SID and token claims, but it cannot map existing OAuth users to LDAP users that are added later.
If you enable LDAP after OAuth:
- LDAP synchronization creates duplicate users if matching OAuth users already exist in the database.
- On the next login, octoplant associates users with their LDAP identities rather than the original OAuth accounts, so any permissions configured on those accounts are lost.
If you need to enable LDAP after OAuth and can't avoid it, contact our support team. We'll assist with manual data migration.