Microsoft Entra ID Support
1. Overview
The Microsoft Entra ID (formerly Azure Active Directory) support feature allows organizations to integrate their EvolveIT application with Microsoft's cloud-based identity and access management service. This integration enables:
Single Sign-On (SSO) authentication for users
Automatic user synchronization from Entra ID to EvolveIT
Group-based access control
Centralized user management through Microsoft Entra ID
Authentication Modes Available
Mode 0: EvolveIT (Built-in authentication)
Mode 1: Active Directory (On-premises AD)
Mode 2: Microsoft Entra ID (Cloud-based authentication)
2. Prerequisites
Technical Requirements
HTTPS deployment: Microsoft Entra ID authentication requires the application to be deployed over HTTPS
Administrator privileges: Configuration requires ActiveDirectoryManagement and ConfigurationManagement permissions
Microsoft Entra ID tenant: An active Microsoft 365 or Azure subscription with Entra ID
Required Information from Microsoft Entra ID
Tenant ID: Your organization's unique identifier in Microsoft Entra ID
Client ID (Web App): Application ID for web-based authentication
Client ID (Desktop App): Application ID for desktop application authentication
Client Secret: Secure key for server-to-server authentication
Groups (optional): Specific Entra ID groups to synchronize
3. Configuration Setup
Step 1: Access Authentication Settings
Navigate to Administrator → Settings → Authentication
Ensure you have the required permissions to access this section
Step 2: Configure Authentication Mode
In the Authentication Mode dropdown, select "Microsoft Entra ID" (Mode 2)
The system will display the Microsoft Entra ID configuration form
Step 3: Microsoft Entra ID Configuration
Fill in the following required fields:
Core Configuration
Tenant ID: Enter your Microsoft Entra ID tenant identifier
Format: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Can be found in Azure Portal → Azure Active Directory → Overview
Client ID: Enter the Application (client) ID for web authentication
Obtained from App registrations in Azure Portal
Client ID - Desktop App: Enter the Application (client) ID for desktop authentication
Separate registration may be required for desktop applications
Client Secret: Enter the client secret value
Security Note: This field is masked for security
Generate from App registrations → Certificates & secrets
Advanced Configuration
Filter: Optional OData filter to limit which users are synchronized
Examples:
department eq 'IT' - Only IT department users
accountEnabled eq true - Only enabled accounts
startsWith(displayName, 'John') - Users whose display name starts with "John"
Groups: Select specific Entra ID groups to synchronize
Uses a tag field interface for multi-selection
Groups are automatically loaded when valid credentials are provided.
Step 4: Test Configuration
Click "Check Microsoft Entra ID" button
The system will validate:
Connection to Microsoft Entra ID
Authentication credentials
Filter effectiveness
Group accessibility
Review the test results in the "Check Microsoft Entra ID Configuration Result" section
Success: Shows user count and sample user data
Failure: Displays error messages for troubleshooting
Step 5: Save Configuration
After successful testing, click "Save" to apply the configuration
Confirm the success message: "Updated authentication mode successfully"
4. User Authentication Process
Automatic Authentication Flow
When Entra ID authentication is enabled:
User Access: User navigates to the application URL
Authentication Check: System detects Entra ID mode (Mode 2)
HTTPS Verification: System verifies HTTPS deployment
Redirect to Microsoft: User is redirected to Microsoft login page
Authentication: User enters Microsoft credentials
Token Exchange: System exchanges authorization code for access token
User Verification: System validates user against configured filters/groups
Application Access: User gains access to EvolveIT with appropriate permissions
Manual Login Fallback
If automatic authentication fails:
System displays warning about HTTPS requirement
Users are redirected to standard login page
Manual credential entry may be required
Administrator login page
In case users need to login using user/password
<app-domain>/#login
Manual Synchronization
Navigate to Administrator → User Management
Click "Sync Users from MS Entra ID" button
System will process synchronization in the background
Check notifications for completion status
Synchronized User Data
The following user attributes are synchronized:
User ID: Unique identifier from Entra ID
First Name: Given name
Middle Name: Middle name (if available)
Last Name: Surname
Email: Primary email address
Groups: Group memberships (if configured)
User Status Management
Active Status: Based on accountEnabled property in Entra ID
Password Management: Handled by Microsoft Entra ID
Group Memberships: Automatically updated during synchronization
6. Troubleshooting
Common Issues and Solutions
1. "To use Entra ID login. Need to deploy with HTTPS."
Cause: Application is deployed over HTTP
Solution: Configure HTTPS/SSL for the application deployment
2. "Failed to establish Microsoft Entra ID Server"
Cause: Invalid credentials or network connectivity issues
Solutions:
Verify Tenant ID, Client ID, and Client Secret
Check network connectivity to Microsoft services
Ensure firewall allows outbound HTTPS connections
3. "No item was hit by this setting"
Cause: Filter is too restrictive or users don't match criteria
Solutions:
Review and adjust the OData filter
Test with a simpler filter or no filter
Verify users exist in the specified groups
4. Authentication redirects but fails to complete
Cause: Incorrect redirect URI configuration in Entra ID
Solutions:
Verify redirect URI in App registration matches application URL
Ensure redirect URI uses HTTPS protocol
Error Messages Reference
Error | Possible Causes | Resolution |
Invalid Microsoft Entra ID configuration | Wrong credentials | Verify Tenant ID, Client ID, and Client Secret |
Token was not saved properly | Browser/session issues | Clear browser cache and retry |
Empty response from LoginWithEntraID | API communication failure | Check server logs and network connectivity |
Related Articles
CM evolveIT v11.8 Release Note
CM evolveIT v11.8 Release Note AI Summary Create source code summary based on AI Allow user to view/add(request) custom AI summary Allow admin can approve/reject/review AI summary request from user AI Analysis Playground Ask analyzing source code ...Support Policies
Supported Versions Previous major version is supported for one year of mainstream support after current version is released. Extended support is available for one additional year, at a 50% premium. Version 10 - Limited Release, GA expected 10/16. End ...How to get WebClient generator id
1. Download and unzip the ZIP file GetGeneratorID containing the adcls.jar and cmwebclientmachineidgen.jar files attached to this article to a temporary directory. 2. You would need to have a Java installed in the machine to run the jar file. 3. Open ...CM First Support Dropbox
Please use this link to upload large files to our secure Customer Support dropbox. The limit is 2GB, for larger files you can use compression software that will split the file into multiple zip files. CM First Customer Support Dropbox ...Support for VMWare Environments
CM First is a member of VMware TAP, and provides the following support statement for VMware Customers: CM First Group confirms that we will support customers running CM MetaAnalytics on supported Operating Systems in a VMware virtual machine ...