Azure Entra ID
Feature availability
Section titled “Feature availability”| Feature | Support |
|---|---|
| OAuth2/OIDC clients | ✅ Full |
| SAML clients | ✅ Full |
| Resource servers | ❌ Not supported |
| Client cloning | ✅ Full |
-
Register an application in Entra ID
In the Microsoft Entra admin center, go to App registrations → New registration.
- Name:
Taco Management(or any name you prefer) - Supported account types: Accounts in this organizational directory only
- Click Register
Note the Application (client) ID and Directory (tenant) ID from the overview page.
- Name:
-
Create a client secret
Go to the app registration → Certificates & secrets → New client secret. Enter a description and expiration period, then copy the Value immediately — it is only shown once.
-
Grant API permissions
Go to API permissions → Add a permission → Microsoft Graph → Application permissions and grant:
Application.ReadWrite.All— create, update, and delete app registrations (OAuth2/OIDC clients)Application.ReadWrite.OwnedBy— alternative, narrower scope if you restrict Taco to apps it created itself
After adding permissions, click Grant admin consent for your tenant.
-
Set environment variables
Terminal window OPENID_PROVIDER=entraENTRA_TENANT_ID=your-tenant-idENTRA_CLIENT_ID=your-client-idENTRA_CLIENT_SECRET=your-client-secret# Default: AzureADMyOrgENTRA_SIGN_IN_AUDIENCE=AzureADMyOrg
Client management notes
Section titled “Client management notes”- Grant types map to Entra’s OAuth2 permission grants and app manifest flags; Taco tags each client with
taco:grant:*tags to track the mapping since Entra does not model grant types as a first-class field. - SAML clients are represented as an Entra enterprise application (service principal) linked to the app registration, using a fixed SAML gallery template (
SAML_TEMPLATE_ID). - Resource servers are not modeled by Taco for this provider — manage API exposure (
identifierUris, app roles, exposed scopes) directly in the Entra portal.
OIDC login (optional)
Section titled “OIDC login (optional)”To protect the Taco dashboard with Entra ID SSO, register a separate application (web platform, authorization code flow):
AUTH_CLIENT_OPENID_CONFIGURATION_URL=https://login.microsoftonline.com/{tenant-id}/v2.0AUTH_CLIENT_ID=your-oidc-app-client-idAUTH_CLIENT_SECRET=your-oidc-app-client-secretAdd <BASE_URL>/api/auth/callback/oidc to the application’s Redirect URIs.