Microsoft Entra ID Support

1. Overview 

The Microsoft Entra ID (formerly Azure Active Directory) support feature allows organizations to integrate their EvolveIT application with Microsoft's cloud-based identity and access management service. This integration enables: 

  • Single Sign-On (SSO) authentication for users 

  • Automatic user synchronization from Entra ID to EvolveIT 

  • Group-based access control 

  • Centralized user management through Microsoft Entra ID 

Authentication Modes Available 

  • Mode 0: EvolveIT (Built-in authentication) 

  • Mode 1: Active Directory (On-premises AD) 

  • Mode 2: Microsoft Entra ID (Cloud-based authentication) 

2. Prerequisites 

Technical Requirements 

  • HTTPS deployment: Microsoft Entra ID authentication requires the application to be deployed over HTTPS 

  • Administrator privileges: Configuration requires ActiveDirectoryManagement and ConfigurationManagement permissions 

  • Microsoft Entra ID tenant: An active Microsoft 365 or Azure subscription with Entra ID 

Required Information from Microsoft Entra ID 

  1. Tenant ID: Your organization's unique identifier in Microsoft Entra ID

  2. Client ID (Web App): Application ID for web-based authentication

  3. Client ID (Desktop App): Application ID for desktop application authentication

  4. Client Secret: Secure key for server-to-server authentication

  5. Groups (optional): Specific Entra ID groups to synchronize

3. Configuration Setup 

 

Step 1: Access Authentication Settings 

  1. Navigate to Administrator → Settings → Authentication

  2. Ensure you have the required permissions to access this section

Step 2: Configure Authentication Mode 

  1. In the Authentication Mode dropdown, select "Microsoft Entra ID" (Mode 2)

  2. The system will display the Microsoft Entra ID configuration form

Step 3: Microsoft Entra ID Configuration 

Fill in the following required fields: 

Core Configuration 

  • Tenant ID: Enter your Microsoft Entra ID tenant identifier

      • Format: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

      • Can be found in Azure Portal → Azure Active Directory → Overview

  • Client ID: Enter the Application (client) ID for web authentication

      • Obtained from App registrations in Azure Portal

  • Client ID - Desktop App: Enter the Application (client) ID for desktop authentication

      • Separate registration may be required for desktop applications

  • Client Secret: Enter the client secret value

      • Security Note: This field is masked for security

      • Generate from App registrations → Certificates & secrets

Advanced Configuration 

  • Filter: Optional OData filter to limit which users are synchronized

      • Examples:

          • department eq 'IT' - Only IT department users

          • accountEnabled eq true - Only enabled accounts

          • startsWith(displayName, 'John') - Users whose display name starts with "John"

  • Groups: Select specific Entra ID groups to synchronize

      • Uses a tag field interface for multi-selection

      • Groups are automatically loaded when valid credentials are provided.


Step 4: Test Configuration 

  1. Click the "Check Microsoft Entra ID" button

  2. The system will validate:

      • Connection to Microsoft Entra ID

      • Authentication credentials

      • Filter effectiveness

      • Group accessibility

  3. Review the test results in the "Check Microsoft Entra ID Configuration Result" section

      • Success: Shows user count and sample user data

      • Failure: Displays error messages for troubleshooting


Step 5: Save Configuration 

  1. After successful testing, click "Save" to apply the configuration

  2. Confirm the success message: "Updated authentication mode successfully"


4. User Authentication Process 

Automatic Authentication Flow 

When Entra ID authentication is enabled: 

  1. User Access: User navigates to the application URL

  2. Authentication Check: System detects Entra ID mode (Mode 2)

  3. HTTPS Verification: System verifies HTTPS deployment

  4. Redirect to Microsoft: User is redirected to Microsoft login page

  5. Authentication: User enters Microsoft credentials

  6. Token Exchange: System exchanges authorization code for access token

  7. User Verification: System validates user against configured filters/groups

  8. Application Access: User gains access to EvolveIT with appropriate permissions

Manual Login Fallback 

If automatic authentication fails: 

  • System displays warning about HTTPS requirement 

  • Users are redirected to standard login page 

  • Manual credential entry may be required 

Administrator login page

If users need to log in with a username and password, use the login page at:

<app-domain>/#login

Example: https://evolveitqa1.cmfirsttech.com/#login


5. User Management 

User Synchronization 

Manual Synchronization 

  1. Navigate to Administrator → User Management

  2. Click the "Sync Users from MS Entra ID" button

  3. System will process synchronization in the background

  4. Check notifications for completion status

Synchronized User Data 

The following user attributes are synchronized: 

  • User ID: Unique identifier from Entra ID 

  • First Name: Given name 

  • Middle Name: Middle name (if available) 

  • Last Name: Surname 

  • Email: Primary email address 

  • Groups: Group memberships (if configured) 

User Status Management 

  • Active Status: Based on accountEnabled property in Entra ID 

  • Password Management: Handled by Microsoft Entra ID 

  • Group Memberships: Automatically updated during synchronization 


6. Troubleshooting 

Common Issues and Solutions 

1. "To use Entra ID login. Need to deploy with HTTPS."

  • Cause: Application is deployed over HTTP

  • Solution: Configure HTTPS/SSL for the application deployment

2. "Failed to establish Microsoft Entra ID Server"

  • Cause: Invalid credentials or network connectivity issues

  • Solutions:

      • Verify Tenant ID, Client ID, and Client Secret

      • Check network connectivity to Microsoft services

      • Ensure firewall allows outbound HTTPS connections

3. "No item was hit by this setting"

  • Cause: Filter is too restrictive or users don't match criteria

  • Solutions:

      • Review and adjust the OData filter

      • Test with a simpler filter or no filter

      • Verify users exist in the specified groups

4. Authentication redirects but fails to complete

  • Cause: Incorrect redirect URI configuration in Entra ID

  • Solutions:

      • Verify redirect URI in App registration matches application URL

      • Ensure redirect URI uses HTTPS protocol
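
A preflight check for the values behind issues 1, 2 and 4 above, as an added example that is not EvolveIT code. It assumes that a "matching" redirect URI means the same host and port as the application URL, and that credentials and the Filter value can be tried outside the application with a client-credentials token request and a Microsoft Graph /users query; the function names and sample values are constructed.

```python
import re
from urllib.parse import quote, urlencode, urlsplit

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def preflight(tenant_id, client_id, client_secret, app_url, redirect_uri):
    """Return the problems found in the form values (empty list = none found)."""
    problems = []
    if not GUID.match(tenant_id):
        problems.append("Tenant ID is not in xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx format")
    if not GUID.match(client_id):
        problems.append("Client ID is not a GUID")
    # The portal lists a "Secret ID" (a GUID) beside the secret "Value";
    # the form needs the value.
    if GUID.match(client_secret.strip()):
        problems.append("Client Secret looks like a Secret ID, not the secret value")
    if client_secret != client_secret.strip():
        problems.append("Client Secret has leading or trailing whitespace")
    app, redirect = urlsplit(app_url), urlsplit(redirect_uri)
    if app.scheme != "https":
        problems.append("Application URL is not HTTPS")
    if redirect.scheme != "https":
        problems.append("Redirect URI is not HTTPS")
    # Assumption: "matches application URL" means same host and port.
    if (app.hostname, app.port) != (redirect.hostname, redirect.port):
        problems.append("Redirect URI host does not match the application URL")
    return problems

def token_request(tenant_id, client_id, client_secret):
    """URL and form body of a client-credentials token request (not sent here)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    })
    return url, body

def users_query(odata_filter, top=5):
    """Graph /users URL for trying a Filter value outside the application."""
    params = {"$filter": odata_filter, "$top": str(top)}
    return "https://graph.microsoft.com/v1.0/users?" + urlencode(params, safe="$", quote_via=quote)

if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    print(preflight("11111111-2222-3333-4444-555555555555", "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
                    "constructed-secret-value", "https://evolveit.example.com/", "http://evolveit.example.com/"))
    print(users_query("department eq 'IT'"))
```
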

Error Messages Reference

| Error | Possible Causes | Resolution |
|---|---|---|
| Invalid Microsoft Entra ID configuration | Wrong credentials | Verify Tenant ID, Client ID, and Client Secret |
| Token was not saved properly | Browser/session issues | Clear browser cache and retry |
| Empty response from LoginWithEntraID | API communication failure | Check server logs and network connectivity |
